High Fidelity Alerting Leveraging Adaptive Authentication

August 28, 2016
Stephen Cox

In the past few years, organizations have been experiencing monumental shifts. The headaches of in-house server rooms are waning in favor of the low-cost and flexible resources of the elastic cloud. Company-owned and company-managed personal devices are long gone, replaced by increasingly powerful and rapidly changing consumer devices. These shifts have shaken the concept of the traditional network perimeter to its very core. The edge of your network is increasingly difficult to define, as identities may carry it to data centers far beyond your control.
 
Traditional perimeter protection (firewalls, intrusion detection systems, anti-virus software, and so on) remains pertinent, but is clearly no longer sufficient to keep attackers from gaining access to corporate networks. Therefore, to protect themselves, organizations need a new paradigm: stop treating the edge of an organization’s network as the only perimeter, and expand our definition of perimeter to include identity.
 
What does it mean for an organization to treat identity as a perimeter? Given that attackers will inevitably breach outer defenses and gain a foothold, organizations need to shift their focus to the later phases of the attack lifecycle: they need to focus on detecting the use of stolen credentials and lateral movement. This is currently a significant blind spot for organizations, since most security products focus on the early phases of keeping attackers out of the network. It is difficult to detect attackers moving laterally because a skilled attacker knows how to blend in with normal user activity. According to incident response firm Mandiant, the mean time to detection now sits at around 205 days, a staggeringly long amount of time for an attacker to go unchallenged inside your organization. However attackers breach an organization’s perimeter, they need one critical thing to successfully complete their mission: credentials.
 
Attackers can steal credentials from unsuspecting users through vulnerabilities in software or through brute-force methods, or they can obtain the password hash and pass it when required (a pass-the-hash attack). Any of these methods enables attackers to masquerade as real users, blending in with the day-to-day noise of legitimate activity so they can move laterally without detection. In some cases, attackers have the audacity to escalate their privileges — often by exploiting a vulnerability — and create their own credentials within the organization’s identity store.
 
Adaptive Authentication can help fill this blind spot. Adaptive Authentication gives you the perfect vantage point to observe and disrupt the credential seeking and lateral movement phases of the attack lifecycle. Moreover, by joining Adaptive Authentication information with other alerts in a security information and event management (SIEM) system, security practitioners can obtain a more complete view of an attack and write appropriate correlation rules to improve the organization’s security posture.
 
Correlation is key. One security event raises suspicion, but when that event is correlated with other security events, you have an incident. For example, an email threat detection device may alert you that a malicious binary was sent to a particular user in your organization. That alert, combined with an Adaptive Authentication alert attached to the credentials of that user, paints an increasingly likely image of a breach in its early stages. The fidelity of these security alerts can be further increased through the use of real-time threat intelligence, helping identify activity that is being launched from known malicious criminal infrastructure or anonymous proxy networks.
 
In addition, the rich data collected and analyzed by an Adaptive Authentication solution is extremely valuable during a security investigation and incident response. This data may include:
 
• The username associated with the identity
• The group membership associated with the identity 
• The IP address associated with the identity as it was presented in the authentication
• Attribution data associated with that IP address, such as its geographical location or classification (for example, an anonymous proxy or known malicious IP)
• The system that the identity was attempting to access
• The behavior profile(s) of the physical user associated with the identity
• The biometric profile(s) of the physical user associated with the identity
 
A timeline of this data can paint a clearer picture of the lifecycle of an attack. Forensic investigators can utilize it to analyze the attempted movement of attackers in order to scope the intrusion and determine motive. In addition, because this data is a window into user behavior, it can be analyzed by behavioral analysis products for anomalies.
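The correlation described above (an email threat alert joined with an Adaptive Authentication alert and a threat-intelligence IP classification) and the per-identity timeline built from the data points just listed can be expressed as a small SIEM-style rule. The following is an added example written for this post; it is not SecureAuth code and does not use any SecureAuth API. The event fields, the `THREAT_INTEL` feed, the risk verdict strings and all sample events are constructed, and the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Correlating Adaptive Authentication data with other alerts (added example).

Builds a per-identity timeline from the data points listed above and joins
an email-threat alert, the authentication engine's own risk verdict, and a
threat-intelligence IP classification into a scored incident.
All sample data is constructed; the IP addresses are RFC 5737 test ranges.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed threat-intelligence feed: IP -> classification (hypothetical).
THREAT_INTEL: Dict[str, str] = {
    "203.0.113.7": "known-malicious",
    "198.51.100.22": "anonymous-proxy",
}


@dataclass
class AuthEvent:
    """One authentication attempt as an adaptive authentication engine would log it."""
    ts: datetime
    user: str
    groups: List[str]
    ip: str
    system: str
    risk: str  # engine verdict (constructed vocabulary): "ok", "new-device", "behavior-anomaly"


@dataclass
class EmailAlert:
    """Alert from an email threat-detection device."""
    ts: datetime
    user: str
    description: str


def classify_ip(ip: str) -> str:
    """Attribute an IP using the (constructed) threat-intel feed."""
    return THREAT_INTEL.get(ip, "unclassified")


def timeline(events: List[AuthEvent], user: str) -> List[str]:
    """Chronological, attributed view of one identity's authentication activity."""
    return [
        f"{e.ts:%Y-%m-%d %H:%M} {e.user} -> {e.system} from {e.ip} "
        f"({classify_ip(e.ip)}) risk={e.risk} groups={','.join(e.groups)}"
        for e in sorted(events, key=lambda e: e.ts)
        if e.user == user
    ]


def correlate(alerts: List[EmailAlert], events: List[AuthEvent],
              window: timedelta = timedelta(hours=24)) -> List[dict]:
    """Raise an incident when an email alert is followed, within `window`, by an
    authentication event for the same user that carries at least one more
    corroborating signal (engine risk verdict or threat-intel hit).
    Score = number of independent signals; one alone is suspicion, two or more is an incident."""
    incidents = []
    for alert in alerts:
        for ev in sorted(events, key=lambda e: e.ts):
            if ev.user != alert.user or not (alert.ts <= ev.ts <= alert.ts + window):
                continue
            reasons = [f"email: {alert.description}"]
            if ev.risk != "ok":
                reasons.append(f"adaptive auth: {ev.risk}")
            ip_class = classify_ip(ev.ip)
            if ip_class != "unclassified":
                reasons.append(f"threat intel: {ev.ip} is {ip_class}")
            if len(reasons) >= 2:
                incidents.append({"user": ev.user, "system": ev.system,
                                  "ts": ev.ts, "score": len(reasons),
                                  "reasons": reasons})
    return incidents


# Constructed sample input: one email alert for alice, then her logins.
T0 = datetime(2016, 8, 1, 9, 0)
SAMPLE_ALERTS = [EmailAlert(T0, "alice", "malicious binary delivered")]
SAMPLE_EVENTS = [
    AuthEvent(T0 + timedelta(minutes=40), "alice", ["finance"], "203.0.113.7", "vpn", "new-device"),
    AuthEvent(T0 + timedelta(minutes=75), "alice", ["finance"], "198.51.100.22", "fileserver", "ok"),
    AuthEvent(T0 + timedelta(minutes=50), "bob", ["it"], "10.0.0.5", "vpn", "new-device"),
    AuthEvent(T0 + timedelta(days=3), "alice", ["finance"], "10.0.0.9", "mail", "ok"),
]


def sample_incidents() -> List[dict]:
    """Run the rule over the constructed sample: two incidents, scores 3 and 2."""
    return correlate(SAMPLE_ALERTS, SAMPLE_EVENTS)


if __name__ == "__main__":
    for line in timeline(SAMPLE_EVENTS, "alice"):
        print(line)
    for inc in sample_incidents():
        print(f"INCIDENT score={inc['score']} {inc['user']} -> {inc['system']}: "
              f"{'; '.join(inc['reasons'])}")
```

Bob's new-device login never becomes an incident because no email alert is attached to his identity, and alice's login three days later falls outside the correlation window; only the two logins that combine the email alert with an engine verdict or a threat-intel hit are raised, which is the fidelity gain the text describes.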
 
Adaptive Authentication should fit into your security ecosystem, not only issuing alerts to your SIEM solution, but also enabling you to act upon those alerts in a meaningful way during an attack. Specifically, an authentication system should support a rich API allowing for rapid updates to an authentication policy specific to identities and systems being protected.
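To make the point about acting on alerts concrete, here is an added example of the shape such a policy interface could take: a per-identity, per-system minimum action that a SIEM playbook tightens when an incident fires, combined with the contextual risk checks an adaptive engine performs on each request. This is illustrative code written for this post, not SecureAuth IdP's API; the `PolicyStore`, `AuthContext`, the IP classification vocabulary and the severity mapping in `respond_to_incident` are all assumptions.

```python
"""Adaptive authentication policy evaluation with rapid per-identity updates
(added example; hypothetical interface, not a vendor API)."""
from dataclasses import dataclass
from typing import Dict, Tuple

ALLOW, STEP_UP, DENY = "allow", "step-up", "deny"
RANK = {ALLOW: 0, STEP_UP: 1, DENY: 2}  # stricter actions rank higher


@dataclass(frozen=True)
class AuthContext:
    """Context presented with one authentication request (constructed fields)."""
    user: str
    system: str
    ip_class: str            # "corporate", "unclassified", "anonymous-proxy", "known-malicious"
    known_device: bool
    behavior_anomalous: bool  # verdict from the behavior/biometric profile


class PolicyStore:
    """Minimum action required per (user, system); system '*' matches any system."""

    def __init__(self) -> None:
        self._min: Dict[Tuple[str, str], str] = {}

    def set_minimum(self, user: str, system: str, action: str, relax: bool = False) -> None:
        """Raise the floor for an identity/system. Lowering it is an explicit,
        separate decision (relax=True) so an automated playbook cannot weaken policy."""
        key = (user, system)
        current = self._min.get(key, ALLOW)
        if RANK[action] < RANK[current] and not relax:
            raise ValueError("policy updates tighten only; pass relax=True to lower")
        self._min[key] = action

    def minimum_for(self, user: str, system: str) -> str:
        specific = self._min.get((user, system), ALLOW)
        wildcard = self._min.get((user, "*"), ALLOW)
        return max(specific, wildcard, key=RANK.get)


def contextual_risk(ctx: AuthContext) -> str:
    """Risk checks on the request itself: attribution of the source IP,
    device familiarity and the behavior profile."""
    if ctx.ip_class == "known-malicious":
        return DENY
    if ctx.ip_class == "anonymous-proxy" or ctx.behavior_anomalous or not ctx.known_device:
        return STEP_UP
    return ALLOW


def decide(store: PolicyStore, ctx: AuthContext) -> str:
    """Final action is the stricter of the contextual verdict and the stored floor."""
    return max(contextual_risk(ctx), store.minimum_for(ctx.user, ctx.system), key=RANK.get)


def respond_to_incident(store: PolicyStore, user: str, severity: str) -> None:
    """What a SIEM playbook would call through the policy API when correlation
    fires: medium severity forces step-up everywhere for the identity,
    high severity blocks it until an analyst relaxes the policy."""
    store.set_minimum(user, "*", DENY if severity == "high" else STEP_UP)


if __name__ == "__main__":
    store = PolicyStore()
    routine = AuthContext("alice", "fileserver", "corporate", True, False)
    print("before incident:", decide(store, routine))          # allow
    respond_to_incident(store, "alice", "medium")
    print("after medium incident:", decide(store, routine))    # step-up
    respond_to_incident(store, "alice", "high")
    print("after high incident:", decide(store, routine))      # deny
```

The tighten-only rule in `set_minimum` is the design choice worth copying: an automated response path that can only add friction for one identity limits the blast radius of a mis-fired correlation rule to an inconvenience, while loosening policy stays a deliberate, auditable action.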
 
Identity has become a perimeter of its own, and should be treated like one. Defense of that perimeter is an absolute necessity in our evolving security landscape. Monitoring that perimeter provides valuable context to attacks as they unfold. To learn more about Adaptive Authentication and how it can improve your perimeter defenses, as well as how SecureAuth IdP can help you easily implement improved access control, we suggest you read this whitepaper: Defending Against Advanced Threats at the Identity Perimeter
