Defending modern business networks continues to rise in complexity seemingly minute by minute. Perimeter defenses are woefully inadequate, and traditional tactics, like blacklisting and malware detection, are proving to be increasingly ineffective.
Protecting business networks today requires a framework of defenses. Leading tech research firm Gartner has even coined a new buzz phrase for the required approach: “Continuous Adaptive Risk and Trust Assessment,” or CARTA.
I had the chance to visit recently with Ajit Sancheti, co-founder and CEO of a startup called Preempt, which has positioned itself in the vanguard of CARTA system suppliers. For a full drill down on our conversation please listen to the accompanying podcast. Here are excerpts edited for clarity and length:
LW: You’ve described Preempt as taking an identity-centric approach to security and threat prevention. Please explain.
Sancheti: Identity is the new perimeter. Think about how we now have a mix of enterprise networks being on cloud, non-cloud in enterprise data centers, and cloud hybrids. The only entity you can control is the user. If you can figure out the risk profile of users at a given time and continue to build on those profiles over time, then based on their identity, their behavior, and the importance of the asset they are trying to access, then you can actually take real-time security actions to ensure that the person who’s getting the access is who they say they are.
LW: Can you frame the problem of threat actors using legit Windows tools to wreak havoc?
Sancheti: Tools like Mimikatz, PowerShell and PsExec have very legitimate uses in the enterprise. But these tools are so powerful that in the hands of hackers they can be damaging. The challenge for enterprises is to figure out when these tools are being used, and if it is somebody who’s maliciously using it. And that can only be done by focusing on identity and behavior.
LW: To what extent is this actually happening in the business environment?
Sancheti: We hear a lot about how many identities have been compromised. What we hear less about is how they were compromised. Usually when they’re compromised it’s some sort of credential theft or privilege escalation, someone gaining access to things that they should not have had access to. You can only find out if you know when the tools are being used, how they are being used and is this something that has been seen before.
These are things that haven’t been easy to do in real time. Hackers know that overworked system administrators and security analysts have tuned them out as false positives. But they’re not false positives . . . Solutions of the future need to not only help you understand and identify threats, but also respond to those threats as they are happening.
LW: Can that be done without undermining agility?
Sancheti: Yes. A simple way to do it is, when that tool is being used, you could do a multi-factor authentication challenge to the user. The hacker may have the account logon, but do they have the phone of that system administrator? So you need to get to that level of control because you don’t want to stop people from using these tools.
LW: You’ve described your services as offering “multi-dimensional data analysis and adaptive response.” Please explain.
Sancheti: Let’s parse it into three main components: identity, behavior and risk. Identity is very static. You’re an admin or you’re a contractor or you’re an executive. That changes very infrequently. Your behavior is dynamic, and that is where the dimensional analysis comes in. Do you use weak passwords? Do you use multiple IP addresses at work? Do you keep random working hours?
And then there’s risk, which has dimensions that are pretty well described. Is it a sensitive application you’re going to? Are you coming from a malicious IP address? Are you showing up from Europe and US in a span of five hours? So you combine these three together and now you get a good profile of the user and the potential risk of their access transactions. And that’s one part of the dimensional analysis that we’re talking about.
LW: And what about the response component?
Sancheti: The second side is, now that we know all of this about the user, how do you respond to a suspicious activity or threat? Do you always block the threat or always allow it? The answer is probably in between. It has to be a grayscale. Sometimes you block it, other times you trigger multi-factor authentication. Or you could send an e-mail or SMS notification, or you could have network access control. There could be a whole set of responses.
LW: An adaptive response?
Sancheti: That’s exactly right. And you allow a very flexible policy to tie the two together. Every enterprise is unique, and one might say, ‘If a privileged user accesses a server that they’ve never accessed before, I may force a multifactor authentication’ . . . you need to have a flexible and attribute-based policy to tie the behavior to the response.
LW: How does this fall in line with CARTA?
Sancheti: CARTA speaks to the fact that every digital transaction has risk. So how do you minimize that risk in real time, while allowing people to get access to what they want to do, without having to say the policy is black or white. That’s one way to think about it. This goes along with the fact that our tolerance for friction has gone up. Five years ago, if you stopped someone from doing a job inside the enterprise network you’d be fired. But so many breaches have happened, and executives have lost their jobs, and now it’s OK to preempt actions that look suspicious or have high risk and challenge people. So the mindset has changed.
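As an added illustration of the identity/behavior/risk analysis and the graded, attribute-based response described in the interview (an example written for this page, not Preempt's code and not a description of its product), the Python sketch below scores one access transaction on the three dimensions, maps the score onto a grayscale of responses, and then layers policy rules on top, including the "privileged user on a server they have never accessed before" rule and the MFA challenge on use of powerful admin tools. All class and function names, weights, thresholds, IP addresses and the scenario data are assumptions made up for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import IntEnum


class Response(IntEnum):
    """Graded responses, ordered from least to most disruptive."""
    ALLOW = 0
    NOTIFY = 1   # e-mail/SMS to the user or the SOC; access proceeds
    MFA = 2      # step-up challenge before access proceeds
    BLOCK = 3


@dataclass
class Identity:           # static dimension: changes rarely
    user: str
    role: str             # "admin", "executive", "contractor" or "employee"


@dataclass
class Behavior:           # dynamic dimension: learned from the user's own history
    weak_password: bool = False
    distinct_ips_last_day: int = 1
    typical_hours: tuple = (8, 18)                 # working hours, end exclusive
    servers_seen: set = field(default_factory=set)


@dataclass
class Access:             # the transaction being evaluated right now
    asset: str
    sensitive: bool
    source_ip: str
    country: str
    when: datetime
    tool: str = ""        # e.g. "PsExec" when an admin tool is the client


@dataclass
class Context:            # environmental signals the engine consults
    malicious_ips: set
    last_login: dict      # user -> (country, datetime) of the previous login


ADMIN_TOOLS = {"PsExec", "PowerShell", "Mimikatz"}   # assumed watch list
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=5)


def behavior_score(behavior: Behavior, access: Access) -> int:
    """Behavioral dimension: weak password, IP churn, odd working hours."""
    score = 0
    if behavior.weak_password:
        score += 1
    if behavior.distinct_ips_last_day > 3:
        score += 1
    start, end = behavior.typical_hours
    if not start <= access.when.hour < end:
        score += 1
    return score


def risk_score(identity: Identity, access: Access, ctx: Context) -> int:
    """Risk dimension: asset sensitivity, source reputation, impossible travel."""
    score = 0
    if access.sensitive:
        score += 2
    if access.source_ip in ctx.malicious_ips:
        score += 3
    prev = ctx.last_login.get(identity.user)
    if prev is not None:
        prev_country, prev_time = prev
        if prev_country != access.country and access.when - prev_time < IMPOSSIBLE_TRAVEL_WINDOW:
            score += 3   # two countries within the travel window
    return score


def graded_response(score: int) -> Response:
    """Map the combined score onto the grayscale of responses (assumed thresholds)."""
    if score >= 6:
        return Response.BLOCK
    if score >= 3:
        return Response.MFA
    if score >= 1:
        return Response.NOTIFY
    return Response.ALLOW


def decide(identity: Identity, behavior: Behavior, access: Access, ctx: Context) -> Response:
    """Score-based response plus attribute-based rules; the most disruptive one wins."""
    response = graded_response(behavior_score(behavior, access) + risk_score(identity, access, ctx))
    if access.source_ip in ctx.malicious_ips:          # known-bad source: never just a challenge
        response = max(response, Response.BLOCK)
    if identity.role == "admin" and access.asset not in behavior.servers_seen:
        response = max(response, Response.MFA)          # privileged user on a never-seen server
    if access.tool in ADMIN_TOOLS:                      # powerful tool: allowed, but after MFA
        response = max(response, Response.MFA)
    return response


def run_scenarios() -> dict:
    """Constructed sample scenarios (not real telemetry) and the response each earns."""
    ctx = Context(malicious_ips={"203.0.113.7"},
                  last_login={"carol": ("US", datetime(2018, 6, 1, 10, 0))})
    admin, admin_hist = Identity("alice", "admin"), Behavior(servers_seen={"fileserver01"})
    staff, staff_hist = Identity("bob", "employee"), Behavior(weak_password=True)
    exec_ = Identity("carol", "executive")
    noon = datetime(2018, 6, 1, 12, 0)
    scenarios = {
        "admin_known_server": (admin, admin_hist, Access("fileserver01", False, "10.0.0.5", "US", noon)),
        "admin_new_server": (admin, admin_hist, Access("dc01", False, "10.0.0.5", "US", noon)),
        "admin_psexec_known_server": (admin, admin_hist, Access("fileserver01", False, "10.0.0.5", "US", noon, tool="PsExec")),
        "staff_off_hours": (staff, staff_hist, Access("wiki", False, "10.0.0.9", "US", datetime(2018, 6, 1, 23, 30))),
        "staff_from_blocklisted_ip": (staff, staff_hist, Access("wiki", False, "203.0.113.7", "US", noon)),
        "exec_impossible_travel": (exec_, Behavior(), Access("hr-portal", True, "198.51.100.4", "DE", datetime(2018, 6, 1, 13, 0))),
    }
    return {name: decide(i, b, a, ctx).name for name, (i, b, a) in scenarios.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:28s} -> {outcome}")
```

The point of the structure is that the score alone gives the grayscale (notify, challenge, block), while the rules let each enterprise pin specific attribute combinations to a specific response without rewriting the scoring; combining them with `max` guarantees a rule can only raise friction, never lower it below what the score already demands.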
(Editor’s note: Last Watchdog has provided consulting services to Preempt.)
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/preempt-stakes-out-turf-as-supplier-of-continuous-adaptive-risk-and-trust-assessment-technology/