Event Recording

Jonathan Sander - Starting Real Cybersecurity Means Protecting Credentials

An Expert Stage presentation at the European Identity and Cloud Conference 2018

Welcome everyone. The topic for today is exploring how, if you wanna start on the journey to cybersecurity, the first thing you need to think about is protecting credentials. A lot of words packed into the title. We're gonna unpack them all by the time we're done. First, just a little bit about Stealthbits. We're a cybersecurity software company. So we deliver all our solutions as software. We're focused on protecting data and credentials, but today we're gonna focus on the credentials part of that. We've been around since 2001, we're still private. And we have a growing team in Europe, actually; that has been a big focus for the company this last year. So with that said, how we're gonna explore this is essentially first talking about what the challenges are facing you protecting credentials, where you're gonna find these things that I'm calling credentials. I'm not gonna assume that we all have the same definition for that word.
I'm gonna get into that. We're gonna talk about how they're being attacked. And then finally a last little bit about how our products can help. Okay. So how many people here are familiar with the Verizon Data Breach Investigations Report? Some heads are nodding. Some are not. If you don't know anything about it, I can tell you this. It's a free resource that has a ton of information. Essentially, Verizon's hosting division, which sees a ton of attacks on the companies that they work with, pulls out a lot of data and makes that data available to the entire industry. As you can see, you can pull out nice little statistics and make some pretty graphics out of them. I actually prefer them in their original form when they came in the graphs, because you can see some interesting things there. Now, first of all, they break down things based on outside attackers and inside attackers.
But if we all are thinking about protecting credentials, what we know is that the outside attacker is really trying to gain inside access; they're after a credential that's gonna allow them to go through lateral movement and compromise things. We also see that they break down how these attacks are happening. And if we look at that right now, first of all, it says attacks featuring hacking, which they do actually define a bit, but almost all of those are again targeting credentials. Clearly, if you're looking at things like malware, right? What is malware designed to do? Take advantage of weak credentials, steal credentials. Maybe you see the theme forming here, right? And the last of course is going after privilege. Privilege, of course, is again just another moniker for a type of credential. Now the report goes further into this and actually breaks down information on an industry basis.
The first is the financial and insurance industry. The "everything else" category at the top, that's all about credentials, right? You also see privileged misuse popping up here. They also go medical, and here they actually start using the word credentials. They start saying it's about stolen credentials here. And again, privilege pops up, and last but not least, they go into the services industries. And again, misused and stolen credentials are the top, right? So if we had any doubt that credentials are something we need to protect, hopefully we've dispelled that. Now I've said the word credentials a whole lot. Let's actually explore what, at least, I mean when I say that. Now I'm in an identity conference of course today, and I will make a distinction. A credential is not an identity, or at least that's what I will posit. Rather, it's something that is associated with an identity, but it is something that is incredibly important from a security standpoint, right?
The credential is what establishes trust in most cases for a session. And therefore, as an attacker, this is what I want. I wanna steal the trust so I can do something nefarious along the way. Now I'll make another claim here. I'm gonna claim that regardless of the projects that you might be working on where credentials are involved, a great number of them will actually use an Active Directory credential as the bootstrap for that, right? Maybe you're working on a privilege project. What do people use to log into the privilege platform? Right? I'll leave it as an open question. Single sign-on: what are people using to log into the single sign-on platform, the cloud login? What is that going to be right now? If your answer was something other than Active Directory, then you're probably an unusual company, because most companies are using Active Directory to do this.
So when we talk about protecting credentials, I'm going after protecting what is the most common root of most of the sessions that are happening on most of the platforms all over the world, right? I wanna protect AD. And by the way, a lot of times AD's got the reputation for just being about the user level of things. This is rapidly changing. We see the server side also picking up AD credentials. We talked about the privilege use case. We also see a lot of AD bridging going on, right? Where even Unix and Linux systems are picking up AD as the credential provider for their sessions as well. Right? So this begs the question. If we're trying to protect credentials and the credentials are in Active Directory, how is Active Directory being compromised? Where are those compromises coming from? So this picture is not my solution. Okay. What we're looking at is something called BloodHound.
How many people out there have heard of this before? A couple? Well, of course he has. BloodHound is a tool built by the bad guys for the bad guys. What this does is take very basic information that you can get with scripts. So now imagine malware dropped onto a system somewhere in your environment runs simple scripts that do not require elevated permissions at all, which then allows the bad guy to take information out of your environment and put it into this tool. Now what you see here at the top is this little icon. This is, we're using something called Pathfinder right now. Your AD probably looks a lot more complex than this picture, right? If we did a graph of your Active Directory, it would be immense and complicated. Pathfinder says, if I have this credential, how can I get to the easiest credential that gets me Domain Admin, say. This is a built-in query that you could build in the system.
And that's what we're looking at, right? This is going from a credential I've captured to a credential that would give me Domain Admin. And along the way, what it does is take advantage of things like policies that allow me to change the password from one account to the next, weird complicated rules that live in the bowels of AD that most people don't really even understand or have a map to, but the bad guys have the map. Right now I could go through and detail lots and lots of different attacks, but frankly, we don't have the time today. What we have done at Stealthbits is give you a resource for that, right? So if you go to attack.stealthbits.com, we've actually gone through and detailed all the most common attacks that we've seen. And we're gonna keep building on this. And only after two levels of links, by the way, do you get any information about our products.
This is literally just about the attacks themselves. This is an educational site that we put out there for you. But if you're trying to understand how to protect the credentials that protect everything else, this would be a good resource to start understanding exactly how that works. So last but not least, what is it that Stealthbits can do to help? Right? So we have a lot of solutions that can help you dig into these problems. First of all, we're gonna help you tighten the security of the directory itself. So those weird policies and those strange things that live in the directory that secure the objects, object to object, we can expose those and give you ways to understand where essentially you have issues, and even offer solutions to those issues as well, automate the fixes. We can also help you lock down the common things that people think about, right?
So when you think about AD, most people think about accounts. They think about passwords. And of course there are a lot of weaknesses that can exist in the way the accounts are configured. And of course, weak passwords are always a problem wherever humans are gonna be logging into things; we can help expose and help you fix that as well. Last but not least, we can also probe all the systems, servers and desktops that are connected to AD. And the thing is, again, if you're trying to protect credentials, and you're trying to protect specifically even Active Directory credentials, it's not just about the directory itself. These credentials get used and abused on systems all the time. We've posited the simple idea that malware can capture these credentials. Do we believe the malware is landing directly on our domain controllers? No, of course not. Right. This is landing at a desktop.
And the idea is that the desktop configuration and the things that happen there expose the initial weaknesses that allow the things to be captured and then used to take advantage of the whole environment, right? So we can bring that into the picture and help you use that to secure it, harden your Active Directory credentials as well. Right? If you're interested in getting started on this right away, if you wanna skip right to the part where you have a look at the product side right now, or probably when you get back to the office, you can download our security best practice assessment. I put the URL in here. These slides will be made available, so you'll be able to get to the URL if you like, but if you just Google "Stealthbits security best practice assessment", you'll get there just as easily. And from there essentially you get a free trial with which you can then take advantage of looking at all of these conditions and hopefully getting a piece of the puzzle solved very quickly. Okay. So thank you for listening to our talk about credentials. Do we have any questions? Oh boy. Here we go.
Yeah, good question. I will repeat the questions, or he will give you mics. There you go. Thank you.
Thank you very much. It's very... tell me something about, you put Azure in it. How different? First of all, do you cover Azure, hopefully?
We do cover Azure. Yes.
And what is the big difference? You see what happened when a company moves from active directory to Azure from the security and credential standpoint. Thank you.
So the question was, what's the big difference we see when a company moves from an on-premises Active Directory to an Azure Active Directory, right? Well, first of all, there was a sub-question: do we cover Azure Active Directory? We do. So that question, I have to answer it in three flavors, right? The least common flavor is the born-in-the-cloud flavor, right? So companies who literally have never had Active Directory anywhere else except in Azure. Right? And they have most of the same issues in their Active Directories. Now, of course, those also tend to be younger organizations. So they don't have as much buildup of problems with policies that have been put there over the years that can end up in conflict, causing weakness from just age. But essentially Azure Active Directory has all of the same, well, let's call them features, that you can use to set these policies and have some of the same exposure.
Right? The difference that you do see is that in these born-in-the-cloud companies, they don't tend to have the system-level vulnerabilities, because they're not doing things where a laptop is talking directly to a domain controller and caching a credential locally. They might be using it just through a web browser, say. Now of course, that causes other kinds of caching and other kinds of problems, but it's a different set of vectors. The other least common one is where you have no Azure at all, but that's not your question. The third flavor is the most common, and that's the hybrid organization, right? Where what's going on is essentially, they've probably adopted Office 365, right? This is the most common scenario you see. Therefore they have gotten Azure Active Directory by default. And all that they've done is essentially forklifted all the problems they might have had on-prem into the cloud. And in those situations, I find it, we can be very helpful, because they're very unaware typically of the fact that they've taken these problems there. And given that some people treat the cloud stuff as being more default secure, it can be very surprising to them to see that they've actually, you know, tripped themselves up. Right. Other questions? Going once? Oh, we got a question here.
Speaking again about Active Directory in the cloud. Like, how do you go about securing it? Like, do you have enough control from Microsoft, say, to actually do anything security related?
So that's an interesting question. Right? So there is in fact a whole new set of controls that Microsoft has provided for Active Directory in the cloud, for Azure Active Directory. And a lot of those are focused on trying to protect it as essentially a, you know, as-a-service platform, right? And generally I'll say this: Microsoft's done a good job of giving you a good set of defaults and a good set of help, essentially, to get those levers turned correctly, right? Knobs turned correctly. The thing that I think is more common when you have, again, Azure Active Directory in the hybrid organization, the security issues you have are the ones you bring there yourself, right? So it's not that there is some unique quality to Azure Active Directory that exposes it in some way, but rather that you essentially bring insecure configurations of objects and policies into the cloud with you based on what you already had on-prem.
The question is, will we just detect them or will we fix them for you? So that's your choice. We have the capability; we have what we call action modules. And those will take action and fix them. But you can also just detect, right? That's the default mode: just look and report. And then from there you can choose to have us fix things. Often with the action modules, organizations find that they want to adjust them a bit, which is totally plausible and possible, because they might have some ideas about how we're gonna go about it. Right? The most common example there, we have what we call our resource-based group transformation. And this is aimed at solving the Active Directory group problem where, you know, you've had an organic organization create hundreds of thousands of groups, and they're being used for access, but they don't map to the actual access thing.
They map to the third floor of a building, say, and that's how the finance group gets access to some share. That's not a very good way to do things. We can find and detect all of that, flatten it and figure it out, and show you what your access should look like and give you a model for those groups. A lot of organizations wanna adjust that before they hit the big red button and have us do it automatically, because they have to make organizational changes that would reflect political necessities to actually changing those groups. Right. So, for example. Other questions, with the last two minutes? Going once, going twice. All right. Thank you, everyone. Please stay tuned for somebody a lot smarter than me, Joe Carson, from the.
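As an added example, not part of the talk and not Stealthbits' or BloodHound's code: a small Python model of the "credential to credential" path idea the speaker describes, used from the defender's side. The principals and relationships below are constructed for illustration (hypothetical names such as `alice`, `Helpdesk`, `svc_backup`, `FILESRV01`); the relation labels follow the kinds of edge the talk mentions (group membership, the right to reset another account's password, local admin rights, a logged-on session). Running it over a real directory export is an exercise for the reader; here it lists which ordinary accounts have any path to Domain Admins and which relationships recur across those paths, so those are the edges to remove or monitor first.

```python
from collections import deque, Counter

# Constructed sample relationships (hypothetical names, not real directory data).
# A triple (src, relation, dst) reads "control of src yields control of dst":
#   MemberOf            - src is a member of group dst
#   ForceChangePassword - src holds the right to reset dst's password
#   AdminTo             - src is a local administrator on computer dst
#   HasSession          - user dst is logged on to computer src (credential in memory)
#   GenericAll          - src has full control over object dst
SAMPLE_EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("erin", "MemberOf", "Helpdesk"),
    ("Helpdesk", "ForceChangePassword", "svc_backup"),
    ("svc_backup", "AdminTo", "FILESRV01"),
    ("FILESRV01", "HasSession", "bob"),
    ("bob", "MemberOf", "Domain Admins"),
    ("carol", "MemberOf", "Sales"),
    ("Sales", "GenericAll", "Marketing"),
    ("dave", "AdminTo", "WS042"),
]


def build_graph(edges):
    """Adjacency map: principal -> list of (relation, principal reachable from it)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def find_path(graph, start, target):
    """Breadth-first search; returns the shortest list of edges from start to
    target, [] if start is the target, or None when no path exists."""
    if start == target:
        return []
    parent = {start: None}          # node -> edge that first reached it
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt in parent:
                continue
            parent[nxt] = (node, rel, nxt)
            if nxt == target:
                path = []
                cur = nxt
                while parent[cur] is not None:
                    edge = parent[cur]
                    path.append(edge)
                    cur = edge[0]
                return path[::-1]
            queue.append(nxt)
    return None


def exposed_principals(graph, target, principals):
    """Map each principal that can reach target to its shortest path."""
    result = {}
    for principal in principals:
        path = find_path(graph, principal, target)
        if path is not None:
            result[principal] = path
    return result


def choke_points(paths):
    """Count how often each edge occurs across the found paths, most common
    first; removing the top edges eliminates the most paths at once."""
    counter = Counter()
    for path in paths.values():
        counter.update(path)
    return counter.most_common()


def format_path(path):
    """Render a path as 'alice -MemberOf-> Helpdesk -...-> Domain Admins'."""
    if not path:
        return "(direct member)"
    text = path[0][0]
    for src, rel, dst in path:
        text += f" -{rel}-> {dst}"
    return text


if __name__ == "__main__":
    graph = build_graph(SAMPLE_EDGES)
    users = ["alice", "erin", "carol", "dave", "bob"]
    exposed = exposed_principals(graph, "Domain Admins", users)
    for user, path in exposed.items():
        print(f"{user}: {format_path(path)}")
    print("edges to fix first:")
    for edge, count in choke_points(exposed):
        print(f"  {count}x {edge}")
```

The same functions serve to check a proposed fix before applying it: rebuild the graph without the edge you intend to remove (for instance the help-desk group's password-reset right over the service account) and confirm the affected accounts no longer have a path.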
