Preempt Blog

In the past year, we have seen numerous publicly traded corporations (Marriott and T-Mobile), airlines (Cathay Pacific and Delta), and tech companies (Facebook and Google+) all breached because of some type of insider threat or compromised credentials. So, it’s no surprise that insider threats and preventing credential compromise are growing concerns for organizations.

Today, too many organizations are approaching complex cybersecurity challenges by attempting to hire their way out of the problem while building disjointed and ineffective security implementations. In a recent interview with Security Weekly, Preempt CEO Ajit Sancheti explains what the modern threat landscape means for today’s enterprise security teams. His conversation with Paul Asadoorian, Founder and CEO of Security Weekly, also outlines how CISOs can use a Conditional Access security posture to address the challenges of the cybersecurity talent shortage and the unfortunate reality that most organizations can’t see or respond to malicious network activity in real-time.

….if you don't even know your users and what they are accessing. (Ha - I got you there with the clickbait title)

Enterprises are often forced to implement multiple moving parts as the traditional network perimeter is no longer sufficient to protect against modern threats. These disjointed security solutions rarely talk to each other, causing security silos and an overwhelming number of distracting security alerts, Preempt CEO Ajit Sancheti explains in a podcast this week.

DevOps and cybersecurity are both top priorities for many enterprises, as well as areas that have experienced considerable innovation recently. And even though these are two very different sides of IT, there are lessons to be learned between the two. Both areas are in the midst of major transitions. For application development the shift is from slow, monolithic releases to fast and responsive development cycles. For cybersecurity the shift is from the old perimeter block/allow enforcement model to more adaptive security that continuously looks for threats across the enterprise.

Stolen or compromised credentials pose well-known risks to organizations and their employees. And as hackers and other malicious actors become more advanced and sophisticated in their techniques, the global threat is increasing. At a recent IT security conference, I spoke with a customer about an alert (TA18-276A) that the United States National Cybersecurity and Communications Integration Center (NCCIC) released late last year. The alert, titled “Using Rigorous Credential Control to Mitigate Trusted Network Exploitation,” outlines recommendations on how to overcome these challenges. In this blog, I’ll discuss how Conditional Access and detection of malicious use of tools and protocols can address the NCCIC’s recommendations.  

The alert provides information on how Advanced Persistent Threat (APT) actors are using multiple mechanisms to acquire legitimate user credentials. Once acquired, attackers can use the credentials to exploit trusted network relationships, in order to expand unauthorized access, maintain persistence, and exfiltrate data from targeted organizations. Some of the suggested NCCIC best practices for administrators to mitigate these threats include rigorous credential controls and privileged-access management, as well as remote-access control and audits of legitimate remote-access logs.

How can you secure an organization by using identity, behavior and risk? Preempt CEO Ajit Sancheti recently conducted an interview with Blog Talk Radio on how the enterprise perimeter is eroding - and what to do about it. Identity and Access Threat Prevention is a critical component of an effective enterprise cybersecurity, and as Ajit explains, a strategy that combines holistic visibility and real-time enforcement addresses the complex nature of today’s enterprise IT environments.

Spotting an initial breach of a network is already difficult. New research begs an additional question: can you stop attackers from gaining control of your critical systems and applications in a matter of minutes? According to Crowdstrike, if you can't detect and respond to a breach in under 19 minutes, you may be vulnerable to Russian hackers. In their annual threat report, Crowdstrike found that Russian hackers had a “breakout time” - the time a hacker takes from gaining initial foothold in the network to when they start moving laterally to critical machines - of just 18 minutes and 49 seconds, which is the fastest in the world. North Korea, China, and Iran placed second, third, and fourth, respectively (English-speaking countries were not studied, but we imagine the US and UK would be among the top of the list).

Enabling customers to secure their corporate assets while easily moving to the cloud has always been at the forefront of Preempt’s mission. While Preempt shines in preventing network threats with our unique detection capabilities, such as our ability to detect NTLM relay attacks in real-time, our goal has always been to bring these advanced threat detection and prevention capabilities to the cloud.

A C-suite IT executive recently told us about a nightmare cybersecurity implementation: after extensive network surgery and a seven-figure investment, the platform still wasn’t stood up three years later. This type of story is all too common, and among the many consequences, organizations can find themselves unprotected from common attacks (particularly credential compromise and stealthy admins) despite spending millions on point solutions. In a competitive infosecurity market, vendors are promising the world, yet project implementations can be plagued by delays and uncertainty, and sunk costs can mean security and IT teams’ hands are tied.