Enterprises are often forced to implement multiple moving parts as the traditional network perimeter is no longer sufficient to protect against modern threats. These disjointed security solutions rarely talk to each other, causing security silos and an overwhelming number of distracting security alerts, Preempt CEO Ajit Sancheti explains in a podcast this week.
Stolen or compromised credentials pose well-known risks to organizations and their employees. And as hackers and other malicious actors become more advanced and sophisticated in their techniques, the global threat is increasing. At a recent IT security conference, I spoke with a customer about an alert (TA18-276A) that the United States National Cybersecurity and Communications Integration Center (NCCIC) released late last year. The alert, titled “Using Rigorous Credential Control to Mitigate Trusted Network Exploitation,” outlines recommendations on how to overcome these challenges. In this blog, I’ll discuss how Conditional Access and detection of malicious use of tools and protocols can address the NCCIC’s recommendations.
The alert provides information on how Advanced Persistent Threat (APT) actors are using multiple mechanisms to acquire legitimate user credentials. Once acquired, attackers can use the credentials to exploit trusted network relationships, in order to expand unauthorized access, maintain persistence, and exfiltrate data from targeted organizations. Some of the suggested NCCIC best practices for administrators to mitigate these threats include rigorous credential controls and privileged-access management, as well as remote-access control and audits of legitimate remote-access logs.
UPDATE (Jan. 25): Recent news reports state a deal has been reached to re-open the federal government through Feb 15. The issues outlined in this blog continue to apply to public and private sector organizations.
As many of you may have read in the news recently, the government shutdown has had a negative impact on both federal and enterprise security. Krebs on Security has reported possible consequences of the government shutdown on the talent pool, such as federal employees actively being recruited by the private sector, as well as delays on security clearances. Duo Security’s news arm, Decipher, has also done a great job laying out potential government shutdown impacts on enterprise security, including delays on NIST guidelines and standards, and closure of FIPS validation sites.
The 2010 discovery of the Stuxnet worm was one of the truly seminal moments in the world of cybersecurity. The world saw firsthand how malicious code could cause crippling damage to physical assets. Virtually every industry had to stop and take notice, and none more so than the energy sector.
NTLM (NT LAN Manager) is Microsoft's old authentication protocol that was replaced with Kerberos starting Windows 2000. It was designed and implemented by Microsoft engineers for the purpose of authenticating accounts between Microsoft Windows machines and servers. Even though it has not been the default for Windows deployments for more than 17 years, it is still very much in use, and I have not yet seen a network where it has been completely abandoned. In fact, it also supported by the latest version of Active Directory.
After an organization has been breached, one of the most critical steps to take is to determine the root cause and to take active steps to more proactively protect the business. Recently, Preempt was brought in to help a Fortune 500 company with a critical internal threat situation. A malicious actor was able to move laterally within the company’s environment, threatening its international brand, financials and customer relationships. Capitalizing on lessons learned during and after incident response provides immediate and long-term benefits to prevent future breaches. These takeaways can also provide valuable advice for other companies who are looking to improve their security posture and prevent business critical attacks. Here, we’ll share the story and outline the top three lessons.
Preempt began with a basic premise: Effective security within an enterprise should combine threat detection and real time response within a single solution. As enterprises transition to the cloud and the perimeter disappears, identity is the new perimeter. If identity is the new perimeter, access management from a security standpoint can lead to effective threat prevention. That simple but powerful idea was the genesis of Preempt and has given us the opportunity to solve challenging security problems for our customers.
Cyber security is a complex animal that requires many disciplines and a diverse toolkit. Typically, resources are limited, and incident response and security staff are overloaded with noise, irrelevant alerts and incomplete static information. With so many diverse systems its difficult to utilize them in a coordinated and timely way.
At the recent Gartner Security & Risk Management Summit, analysts presented their findings on the top technologies for information security and their implications for security organizations in 2018. At the event Neil MacDonald highlighted Top 10 Security Projects for Security and Risk Management Organizations. He continues by emphasizing that these are projects with real supporting technologies that CISOs should be exploring.