Adaptive Identity Control for Fluid Infrastructure

The saying goes, “On the internet, no one knows if you’re a dog.” And while dogs lack the manual dexterity to use a keyboard effectively, the basic premise applies: it’s hard to determine if a person is who or what they say they are based solely on their presentation of valid credentials. In the physical world, it’s easier to prove your identity and have it verified by a gatekeeper, though identity spoofing has been around forever.

Let’s consider an example: before online banking (and even ATM usage) was commonplace, to withdraw money from your bank account you generally had to walk into your bank with two forms of identification: your bank card (or at least the account number) and personal identification, like a driver’s license or passport. A human being on the other side of the counter would cross-reference and verify these pieces of “evidence” before handing over the cash. Could a thief have stolen your account number and created a fake driver’s license with your name and their picture? Absolutely. Fake IDs have been working for students since the dawn of “minimum drinking age” laws. But impersonating another person in this way would take a lot of effort and time, and unless the thief was relatively confident the effort would result in a hefty payout, the risk was avoided in favor of an easier criminal action.

The internet and application-everything has lowered the bar for identity theft. Every day we read and hear about credential dumps—the most common form of identity verification used for digital access management today—and most of our personally identifiable information (PII) can be found online with the right tools and searching techniques. It’s just not hard for even a casual internet user to piece together information about another individual. Mostly that information is harmless, but in the wrong hands, and with deeper discovery, cyber criminals are finding ways into corporate systems.

Identity does not equal access

This is the quandary corporations are facing today: how to keep cyber criminals off their private networks, especially in the age of network sprawl, yet allow users easy access to everything they need to do their jobs. Identity at its most basic level isn’t enough, which is why we’ve seen the emergence and rapid adoption of privileged access management (PAM) companies like Ping Identity and Okta. Ajit Sancheti, Co-founder and CEO of Preempt, watched how these tools were being built and used and wanted to take identity security to the next level.

Speaking with Sancheti last week, he explained to me why he helped found the company: “Historically, identity has been seen as an access management problem for enterprises. As companies move from on-premises infrastructures to the cloud, and accept more unmanaged devices and remote employees, the most important security control they have is identity. To ensure security in a fluid world, you need to combine identity with behavior and risk.”

Maintaining the integrity of users’ identities is important, yet still a challenge for many enterprises. The first step is getting an accurate grip on which users are active and have authorized access to what resources. This is typically accomplished through Active Directory, but any AD admin will tell you that managing constantly changing users, privileges, roles, and resources isn’t easy. And that’s only the beginning. Once that visibility is established, the next step is looking at behavior and risk. Preempt uses the concept of conditional access, a term popularized by Microsoft, to verify and authorize users based on “if/then” policies in the solution.

How it works

When deployed, Preempt first scrapes data from AD to see account information and activity. Next, agents installed on domain controllers monitor traffic and authentication protocols like Kerberos, LDAP, NTLM, and traffic from SSO providers such as Okta and Ping. It can also request data from the customer’s SIEM, NAC, and VPN. This monitoring builds a profile of users and the devices they’re using, access requests, authorizations, etc. and starts to create a baseline of behavior. Is a user requesting similar services from the same devices at consistent times? Are there outliers in the user’s behavior, like changing location, excessive usage (e.g., unusually frequent access requests), or new application access? How risky are these behaviors? For instance, if a user's location changes constantly but their credentials, behavior, and devices all remain relatively consistent, it likely means that user travels a lot or is a remote worker, thus the risk is low.

“The combination of traffic and log monitoring provides a user profile that is actionable,” said Sancheti. The aggregated data allows Preempt to form a risk score, which administrators/operators can view in their console. Through the console, admins can dig into the data in various ways: by all users, privileged users, endpoints, risk, events, or with a custom filter. When the system sees anomalous behavior or scores an action “high risk,” admins can take action on that user and device by posing a challenge, like requesting another form factor for authentication. They can also reduce the user’s/device’s privileges, quarantine the user/device, or block the user/device entirely. “Enforcement,” said Sancheti, “should be a grey scale of responses,” noting that blocking might be the safest way to protect an organization’s environment from a cyber security standpoint, but it’s not always the right decision in terms of business strategy.
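To make the two preceding paragraphs concrete (baseline building from authentication telemetry, risk scoring of new events against that baseline, and a graded "if/then" enforcement policy rather than a block-everything response), here is an added example in Python. It is illustrative code written for this article, not Preempt's product code: the event fields, signal weights, thresholds, the privileged-account penalty and the sample events are all assumptions, and the discount applied to a new location on a familiar device models the "traveler or remote worker" case the text describes.

```python
"""Behavioral baseline, risk scoring and graded conditional-access enforcement.

Added illustration; not Preempt's code. Flow: learn a per-user baseline from
authentication events, score each new event against it, map the score to a
graded response (allow, MFA challenge, reduced privilege, quarantine, block).
Event fields, weights, thresholds and sample data are all assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AuthEvent:
    user: str
    device: str
    location: str
    hour: int        # local hour of day, 0-23
    app: str
    protocol: str    # e.g. Kerberos, LDAP, NTLM, SSO


@dataclass
class Baseline:
    """Values observed for one user during the learning period."""
    devices: Counter = field(default_factory=Counter)
    locations: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    apps: Counter = field(default_factory=Counter)
    protocols: Counter = field(default_factory=Counter)


def build_baselines(events):
    """Aggregate observed events into one Baseline per user."""
    baselines = defaultdict(Baseline)
    for e in events:
        b = baselines[e.user]
        b.devices[e.device] += 1
        b.locations[e.location] += 1
        b.hours[e.hour] += 1
        b.apps[e.app] += 1
        b.protocols[e.protocol] += 1
    return baselines


def _novel(counter, key):
    """1.0 if the value was never seen in the baseline, else 0.0."""
    return 0.0 if counter[key] > 0 else 1.0


def _hour_novel(hours, hour, window=2):
    """1.0 unless the hour is within `window` hours (circular) of a seen hour."""
    for seen in hours:
        diff = abs(hour - seen)
        if min(diff, 24 - diff) <= window:
            return 0.0
    return 1.0


# Points a signal contributes when novel; they sum to 100 (assumed weights).
WEIGHTS = {"device": 30, "location": 15, "hour": 20, "app": 25, "protocol": 10}
KNOWN_DEVICE_LOCATION_DISCOUNT = 0.2   # new place, familiar device: likely travel


def risk_score(event, baseline):
    """Score an event 0-100 against the user's baseline.
    A user with no baseline at all scores every signal as novel."""
    dev = _novel(baseline.devices, event.device)
    loc = _novel(baseline.locations, event.location)
    hr = _hour_novel(baseline.hours, event.hour)
    app = _novel(baseline.apps, event.app)
    proto = _novel(baseline.protocols, event.protocol)
    if dev == 0.0:
        # Known device but new location: treat as a traveler or remote worker,
        # so the location signal is discounted rather than raised as an alarm.
        loc *= KNOWN_DEVICE_LOCATION_DISCOUNT
    score = (WEIGHTS["device"] * dev + WEIGHTS["location"] * loc
             + WEIGHTS["hour"] * hr + WEIGHTS["app"] * app
             + WEIGHTS["protocol"] * proto)
    return round(score)


# Conditional-access rules, evaluated top-down: "if score >= threshold then action".
POLICY = [(80, "block"), (60, "quarantine"), (40, "reduce_privilege"),
          (20, "challenge_mfa"), (0, "allow")]
PRIVILEGED_PENALTY = 15   # privileged accounts reach each threshold sooner (assumed)


def enforce(score, privileged=False):
    """Map a risk score to the graded response an operator would apply."""
    adjusted = score + (PRIVILEGED_PENALTY if privileged else 0)
    for threshold, action in POLICY:
        if adjusted >= threshold:
            return action
    return "allow"


def evaluate(event, baselines, privileged=False):
    """Return (score, action) for one event against the learned baselines."""
    score = risk_score(event, baselines[event.user])
    return score, enforce(score, privileged)


# Constructed sample telemetry standing in for the learning period.
LEARNED = build_baselines([
    AuthEvent("alice", "laptop-01", "New York", 9, "email", "Kerberos"),
    AuthEvent("alice", "laptop-01", "New York", 10, "crm", "Kerberos"),
    AuthEvent("alice", "laptop-01", "New York", 14, "email", "SSO"),
    AuthEvent("alice", "laptop-01", "Boston", 11, "crm", "SSO"),
    AuthEvent("bob", "workstation-07", "New York", 8, "fileserver", "NTLM"),
    AuthEvent("bob", "workstation-07", "New York", 17, "fileserver", "LDAP"),
])

if __name__ == "__main__":
    for ev in [AuthEvent("alice", "laptop-01", "London", 10, "email", "Kerberos"),
               AuthEvent("alice", "unknown-pc", "London", 3, "email", "Kerberos"),
               AuthEvent("bob", "workstation-07", "New York", 17, "payroll", "LDAP")]:
        print(ev.user, ev.device, ev.location, ev.app, *evaluate(ev, LEARNED))
```

Running the block scores Alice's trip to London on her usual laptop as low risk (allowed), the same user from an unknown machine at 03:00 as high risk (quarantined, or blocked if the account is privileged), and Bob's first access to a new application as a step-up MFA challenge. The point of the design is that the response is chosen from the policy table, not hard-coded as "block", which is what lets the enforcement be tuned to business tolerance rather than to the analyst's gut reaction.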

Adaptive policies for fluid work environments

The ability to create adaptive policies is the most compelling thing about Preempt; any cyber security program or individual tool must focus on the reduction of risk as a means of allowing the business to grow, increase revenue, and deliver new products and services—just like any other risk factor, be it financial risk, product risk, reputational risk, etc. While a security practitioner’s gut response to a potential incident might be, “block it,” creating an adaptive policy based on risk scoring (which has been deduced from aggregated telemetry) is more in line with how executives view cyber security in relation to the greater organization.

Sancheti showed me a brief demo during our conversation and noted that the company offers a free version of the product called Preempt Lite, which allows companies to deploy the product on one domain. I was impressed with how much the Lite version offers and can’t see any reason to not give it a try. There’s no hardware or software to deploy (it starts with a VM), and immediately you can see what’s going on in your network from an identity point of view. If this sounds compelling, I invite you to give Preempt a call or simply download the free version from their website and see what it can do. Then, as always, let us know what you think.