Event Recording

Identity is the New Perimeter: How to Discover, Mitigate and Protect Identity Risks


Two decades of digital transformation and cloud migration have been slowly eroding the traditional network perimeter, and with the past two years of transition to more remote work, the walls have come tumbling down. Privileged credentials from access tools (like VPN and RDP) that have been left on endpoints are a valuable target for attack. SaaS applications and cloud access further expand the proliferation of potentially exposed identities. Once an attacker establishes initial access, it becomes trivial to move laterally and take control over critical systems or the entire network. The network perimeter is obsolete. Identity is the new perimeter. Organizations must discover, mitigate and protect their identity risks.

Hello together, also hello to everybody that is on the live stream. So thanks for listening. Thanks for joining. And thanks for spelling my name correctly. It's not easy, even in my country. So yeah, my name is Wolfgang. Let's keep it simple. I'm with Illusive two and a half years, I'm responsible for sales engineering in EMEA. We changed the title already from "the new perimeter", and also we'll speak about: it could also be the new vulnerability. And yeah, maybe I can introduce you also to Yen, director of central Europe sales staff, and Eastern Europe, Johan. So if you want to visit us, go to our booth, you're welcome there. Maybe a short introduction into Illusive and where we are from and what we are doing. So Illusive was founded in 2014 and we started with endpoint-based deception technology. So, and it's all about, let's say, early detection of an attacker, as early as possible in a network, on endpoints, within the attack cycle.
So that's where we are coming from. And based on that, we also see that identity is the main role for every attack. So maybe let's just briefly go over there again. So what we want to do today in the short session: I want to focus on why this is still happening. Why still we can see all these kinds of breaches and attacks, if we all have great security solutions in place, that's one of the points. Then we will also reveal a secret about my t-shirt. Some of you know, we spoke about that. So there's a reason for this shirt. We will reveal it. And I also want to show you how Illusive, with this risk management solution, how we can solve this problem for you, and in the end, last but not least, we'll also introduce you to the Illusive identity risk assessment. Okay. Let's look why still attacks are successful and why identity is the number one here.
So first of all, we will walk through the lab breach. I guess everybody's aware of that. And one thing I want to mention here: there was full control in only five days, just rethink that. So there was the access from the attacker, and five days later the attacker had full control over the infrastructure. That's pretty amazing. And why can this happen? So first, the first access was on the beachhead through RDP, and you can see it was on January 19th, and when you're on the beachhead, what's the first thing an attacker will do? He wants to stay undetected. He doesn't want to play around, to be too, let's say, invasive on the endpoint and get detected by EDR or something else. So what he's doing, he's trying first of all to get local admin privileges, and maybe there are some unmanaged local admins on that machine that are maybe covered or not covered by privileged access management, or it could also be that there is an option for zero-day exploits.
So we also have seen, like, there's an agent on this machine. This agent is not updated correctly. Then there is a zero-day and you can get to local admin permissions. Once you have local admin permissions, you can completely disable the EDR system, the endpoint detection and response. And that's pretty easy. I've done it myself several times and tried it out. And once you have that, because, you know, it's running with a permanent agent, it's running as a service, it's running as a permanent process. And every agent that is on a system, that's another attack surface that you can just disable. And if you disable EDR, then you can search for credentials and for identities. And we are doing a lot of risk assessments with our customers, and that's the next slide. Then we will talk about use cases and what we can find there. And it's crazy.
Well, you can get everything you want. And that's also the reason why you can do it in five days. So they downloaded Mimikatz, this tool, and they looked into the cache of the endpoint, grabbed hashes, grabbed passwords. Sometimes you just easily get it in clear text. And then if you have these credentials, you start to move in the environment. So you are grabbing a global local admin. You are grabbing, if you're lucky, domain admin on the first endpoint. Yeah. That could happen still. And then you can just move undetected in these environments until you reach your goal. In that case, they jumped even from on-prem into the cloud and took over the full infrastructure.
So we have a lot of identity security solutions in place, and I just want to get a feeling, so I will ask you a question. So who is using PAM already? Who has implemented PAM? Okay. Should be more, to be honest. What about MFA? It looks a little bit better. Single sign-on? Okay. And IGA and this kind of stuff? Okay. Interesting. First of all, you should use these tools more. So we are not a PAM solution, but I can still tell you, and that's my opinion, PAM is key. It's important to have PAM in place, but also, to be honest, it's not enough. And why is it not enough? We have the proof for that. So we ran for round about 30, it was 27 organizations. Yeah. We ran different risk assessments and we were able to identify that one in six endpoints has privileged identity risk.
So that's quite interesting. And now it's time for the t-shirt. Who knows Steve Rogers? Who is Steve Rogers? It's not me, but it's Captain America. And imagine, I got a call from my colleague from the UK, and he was doing a risk assessment, and Tim called me and said, "Hey, Wolfgang, do you know Steve Rogers?" And I was, for sure I know, Steve Rogers is Captain America, but you want to talk with me about the risk assessment? And he told me, "Hey, listen, I had a client, and we found a user named Steve Rogers." And that's a real story. And they were like then, okay, do we really have Steve Rogers in our company? And the issue with this user was, this user was so highly privileged that it was able to take over the global domain in two steps, or the domain admin group in one step.
Both cases are not a good option. So they investigated, including HR, everybody, to search for a guy called Steve Rogers. And they were not able to find him. Yeah, because it's Captain America. But in real, we figured out with them that they had a pen test, the red team event, the red team exercise, two and a half years ago. And the pen testers were, like, Marvel fans and they used different Marvel characters and names. So they had a red team that you're doing for security purposes. And they left credentials and spread these types of credentials in the environment with this highly privileged user. So that's one of the Steve Rogers stories for this Captain America stuff. There is another story I want to point out. We start these risk assessment scans with one endpoint in the beginning. And it's like, you start on one endpoint, you do the scan, you get the results. And we were able to see on the first endpoint a service user that was able to take over the whole domain in one step. And it was just a normal Windows workstation. We were able to see that the service was bound to an agent stuff. And this agent was for software distribution. So the password was set, by the way, if I remember correctly, it was September 2009 in that case. So quite okay.
And yeah, and then we investigated that and were also able to see that there is a cached session on this endpoint. So it's not that there is just a service. There was also a cached session. And if you remember this attack stuff, it's like, they run Mimikatz and they just take it over and they can do everything. So it was just on one endpoint and then we, okay, let's do it on another one, another one, another one. It was every endpoint with the software distribution agent. And it was like a hundred percent of the machines where we did the risk assessment. And if you imagine that, no matter where the attacker is doing the first breach, he can take over the domain in one step. And the customer was not aware, because this was a bug from the software distribution agent. They just left the credential open, the session open, and left that on every endpoint. That should not happen.
So I have to look on the time if I can talk about this third use case. No, but you can come to our booth and I can explain more. So by the way, this report is available on our website. Or if you come to our booth, there is a QR code that you can scan and you will be redirected to the website, and it's not baiting. You can trust me. So what Illusive is doing here, first of all, you need to get the visibility. So we discover it. We discover your whole infrastructure. So every workstation, server gets scanned in combination with your Active Directory, with your Azure Active Directory. And we put all this information together and then we can give you this kind of picture. And we can tell you how your attack surface, how your infrastructure looks like from an attacker's point of view, which identities are used, how they are used, in which context they're used, how they point to critical assets.
Maybe we will show you that in the first step. And then the second step will be, we can clean that. So if there is an open session like this software agent, we can close the session for you. If the domain admin is stored in a Windows Credential Manager where it shouldn't be, we can clean it for you. If somebody has, let's say, the default admin to your voice away, pieces them, spread it on 30% of his machines in Google Chrome, Firefox, and so on, we can clean it for you. That was another use case, by the way.
But for sure, to be honest, we cannot clean everything. So you never, ever can clean a hundred percent. Yeah, you can switch off your network, but yeah, that's not a good idea, maybe. So in real, we can clean something around 80, 90% of the vulnerabilities based on identities for you automatically, but there is still something left, and now our deception comes into place. So if you cannot delete it, we can do a deception layer around this identity that we still need to protect. So what does it mean? We will roll out on each machine fake identities, fake passwords, and additional fake pathways bound to these identities. And now you can imagine, if there is an attacker on a clean environment that is filled up with endpoint deceptions, there is no way to move undetected anymore. And I can say that because we've never lost to a red team. I was not believing that either. And then I joined Illusive and I did my first red team exercises with the product, with the company. And we've never lost to a red team. So how does this lab breach now look with Illusive? So the cool thing is, you know, we talked about agents, and agents mean agents are attackable. You can bypass them. Illusive is agentless, or let's call it not a permanent agent. If you want to know more, come to APO, book a one-to-one with Captain America, and I will tell you how it's working.
We are cleaning. We do the remediation automatically. So we are cleaning domain admins spread around. We are cleaning the browsers. We are cleaning credential managers. So we take away the stuff that the attacker will use against you. And for sure, we will also mislead. So if the attacker touches a fake identity or a fake credential, it gets alerted. You will get an incident. You will get forensics: why this incident happened, which commands the attacker used, how the attacker disabled EDR. You will find everything.
And for sure, it is also supported. We can not only, let's say, trigger incidents there, we can also do, like, monitoring stuff. If there are new users coming up, if new subscriptions, application keys are used, and these types of stuff, and we will link it in a hybrid world. So it will be linked between, yeah, classic on-prem and the cloud environment. So just to recap, all of this stuff is done automated and continuously. And that's really important. I had several discussions today with customers and partners, and they told me, if they have, let's say, PAM projects, they start with a discovery, then they're implementing processes, and then installing and rolling out the software. But they are not doing that discovery continuously. And that's an issue, because people find a way to, let's say, overcome these processes. They use service users to jump around from one machine to another, even your own means, because you want to avoid MFA. So the continuous discovery, that's really, really important. And for sure, also the remediation. And if you think about that, that it could be done daily, automated, and you can do it for 80, 90% of your identity vulnerabilities. That's pretty cool. And for sure, we also plant and adapt the deception layer every time we run on the endpoints.
So that's maybe the last slide. I want to invite you. So if you say, okay, no, I'm safe. I'm good with that. I have my policies. Let's prove it. Mostly the customers that are telling me upfront, "I'm safe, I have this, I have that," get the worst results ever. Mostly. So come to us, let's do this easy 1, 2, 3 exercise. So we need one endpoint, we connect to your AD, we need two hours of your time, and you will get three compelling insights. And now I want to use my last slide. So yeah, that's also Yen and me, and we enjoy here the EIC conference. So you can see we have fun. And my boss, my manager near is now part of the PAM panel session one floor lower. So if you want to join that and listen to my manager, feel free. And I just have to say, thank you.
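The "one step to domain admin" finding the talk keeps coming back to (a cached service account that is itself a Domain Admin, or a cached helpdesk account that is admin on a server where a Domain Admin has a live session) is easy to model as a small graph. The following audit is an added example, not Illusive's product or code: it takes a constructed inventory of which identities were found cached on which host and which hosts each identity administers (all host, account and group names are hypothetical), computes for every endpoint how many credential-harvesting hops separate an attacker with local admin there from a tier-0 account, reports the share of endpoints at risk (the talk's "one in six"), and lists the cached credentials that should be removed because they lie on such a path.

```python
"""Identity-exposure audit over a constructed endpoint inventory.

Added example (not Illusive's product or code). One 'step' is: hold local admin
on a host, harvest the identities cached there (credential manager, browser,
cached session). Every name below is hypothetical.
"""
from collections import deque
from typing import Dict, Set

INF = float("inf")

# Constructed sample inventory (hypothetical names, not from any real customer).
TIER0: Set[str] = {"svc-swdist", "da.alice"}     # members of Domain Admins
EXPOSED: Dict[str, Set[str]] = {                 # identities found cached on each host
    "ws01": {"svc-swdist", "bob"},               # software-distribution service account left on workstations
    "ws02": {"svc-swdist"},
    "ws03": {"helpdesk1"},
    "srv-files": {"da.alice"},                   # domain admin with a live session on a file server
    "ws04": {"carol"},
    "ws05": set(),
    "ws06": set(),
}
ADMIN_ON: Dict[str, Set[str]] = {                # hosts where an identity holds local admin
    "helpdesk1": {"ws03", "srv-files"},
}


def steps_to_tier0(identity: str, tier0: Set[str], exposed: Dict[str, Set[str]],
                   admin_on: Dict[str, Set[str]]) -> float:
    """Fewest hops from holding `identity` to holding a tier-0 account.

    Breadth-first search over: identity -> hosts it administers -> identities
    cached on those hosts. Returns 0 for a tier-0 account, INF if no path exists.
    """
    if identity in tier0:
        return 0
    seen = {identity}
    queue = deque([(identity, 0)])
    while queue:
        ident, depth = queue.popleft()
        for host in admin_on.get(ident, ()):
            for nxt in exposed.get(host, ()):
                if nxt in tier0:
                    return depth + 1
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, depth + 1))
    return INF


def endpoint_steps(exposed: Dict[str, Set[str]], tier0: Set[str],
                   admin_on: Dict[str, Set[str]]) -> Dict[str, float]:
    """Per host: steps an attacker with local admin on that host needs to reach tier 0.

    Harvesting the cached identity is itself one step (hence 1 + ...), so a cached
    tier-0 account yields 'the domain in one step'.
    """
    return {
        host: min((1 + steps_to_tier0(i, tier0, exposed, admin_on) for i in idents), default=INF)
        for host, idents in exposed.items()
    }


def audit(exposed: Dict[str, Set[str]], tier0: Set[str],
          admin_on: Dict[str, Set[str]], max_steps: int = 2) -> dict:
    """Which endpoints carry privileged identity risk, and which cached credentials to remove."""
    steps = endpoint_steps(exposed, tier0, admin_on)
    at_risk = sorted(h for h, s in steps.items() if s <= max_steps)
    # Cached identities on some path to tier 0: the sessions, credential-manager and
    # browser entries that remediation should strip from the endpoint.
    remediate = sorted(
        (host, ident) for host, idents in exposed.items() for ident in idents
        if steps_to_tier0(ident, tier0, exposed, admin_on) < INF
    )
    return {"steps": steps, "at_risk": at_risk,
            "at_risk_ratio": len(at_risk) / len(exposed), "remediate": remediate}


if __name__ == "__main__":
    report = audit(EXPOSED, TIER0, ADMIN_ON)
    for host, s in sorted(report["steps"].items()):
        print(f"{host:10s} steps to tier 0: {s}")
    print(f"endpoints at risk: {len(report['at_risk'])}/{len(EXPOSED)} "
          f"({report['at_risk_ratio']:.0%})")
    for host, ident in report["remediate"]:
        print(f"remediate: remove cached {ident} from {host}")
```

On the constructed data, ws01, ws02 and srv-files reach tier 0 in one step and ws03 in two (helpdesk1 is admin on srv-files, where da.alice has a session), so four of seven endpoints are at risk; bob and carol are cached but have no admin rights anywhere, so they do not count. Rerunning this against a fresh inventory is the "continuous discovery" the talk argues for, and the `remediate` list is the input to the clean-up step.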
