In this article, we will provide a brief overview of Silverfort’s platform, the first (and currently only) integrated identity protection platform on the market. Silverfort’s patented technology aims to protect organizations from identity-based attacks by integrating existing identity and access management solutions, such as AD (Active Directory) and cloud -based services, and expanding secure access controls such as Risk-Based Authentication and MFA (Multi-Factor Authentication) to all their resources. This includes on-prem and cloud resources, legacy systems, command-line tools and service accounts.
A recent report by Silverfort and Osterman Research revealed that 83% of organizations worldwide have experienced data breaches due to compromised credentials. Many organizations admit that they lack protection against identity-based attacks, such as lateral movement and ransomware. Resources such as command-line access tools and legacy systems, which are widely used, are especially challenging to protect.
Getting Started: Using the Dashboard
Below is a screenshot of Silverfort’s dashboard (figure 1). Overall, it has a very intuitive user interface. On the left is a list of user types: privileged users, standard users, and service accounts, and how they access resources: through on-prem and cloud-based directory (AD, Azure AD, Okta), federation servers (Ping, ADFS ), and VPN connections (RADIUS). The right side of the screen shows a list of different types of resources that users are trying to access. Access attempts are represented by glowing dots.
This display shows the unique differentiator of the platform – it is the only solution today that is able to integrate the entire identity infrastructure in the hybrid environment. With this integration, various on-prem and cloud directories forward each authentication and access attempt to Silverfort for analysis and decision whether to allow access or deny. That way, real-time protection for any user and resource is achieved, as we will soon see in more detail.
The dashboard also shows aggregations of valuable identity-related data: number of authentication attempts by protocols and directories, proportion of verified authentications, number of users and service accounts that successfully protected, and a breakdown of users by risk level (medium, high, critical) .
The platform includes various modules that each address a different identity protection issue. We will now examine two of them: Advanced MFA and Service Account Protection.
Protecting Resources with an Advanced MFA
MFA has proven to be one of the most effective ways to protect against identity-based attacks. However, having MFA protection on all network assets is quite difficult.
MFA traditionally relies on agents and proxies, which means that some computers cannot be covered by it at all. It may be because your network is too large to have proxies on every single computer, or because not all computers are capable of installing agents.
Want to see Silverfort in action? Schedule a free demo with our team of experts today!
Additionally, command-line access tools, such as PsExec, PowerShell, and WMI, although widely used by network admins, do not natively support MFA. These and other on-prem authentications are handled by AD, but AD authentication protocols (Kerberos, NTLM) are not designed for MFA, and attackers know that. AD only checks if usernames and passwords match, so attackers using legitimate credentials (which may or may not have been compromised) can access the network and launch lateral movement and ransomware attacks which AD is not aware of. The major advantage of Silverfort is that it can actually implement MFA on all of them, something that other solutions cannot.
On the policy screen (figure 2) you can view existing policies or create new ones.
|Figure 2: Policy screen
Creating a new policy seems quite intuitive, as shown in figure 3. We need to determine the type of authentication, the relevant protocols, which users, sources, and destinations are covered by the policy, and the action required. What happens here is actually quite simple, but surprisingly smart. AD sends all authentication and access requests to Silverfort. For each request, Silverfort analyzes its risk and associated policies to determine whether MFA is required or not. Depending on the decision, the user is granted access, blocked, or asked to provide MFA. In other words, the policy basically bypasses the inherent limitations of the old protocols and implements MFA in it.
|Figure 3: Policy making
Discovering and Securing Service Accounts
Service accounts are a critical security challenge because of their elevated access privileges and less than zero visibility. Additionally, service accounts are not people, so MFA is not an option, and neither is PAM password rotation, which can crash critical processes if their logins fail. In fact, all organizations have many service accounts, sometimes as many as 50% of their total users, and many of them are unmonitored. That’s why attackers love compromised service accounts – they can use them for lateral movement under the radar and access multiple machines without being detected.
Figure 4 shows the Service Accounts screen. As Silverfort receives all authentication and access requests, it identifies service accounts by analyzing recurring machine behavior.
|Figure 4: Service Accounts Screen
It looks like we have 162 accounts under machine-to-machine. We can filter it based on different parameters. Predictability, for example, measures repeated access to the same source or destination. Deviations from this pattern may indicate harmful activity.
In figure 5, we can see more information about our service accounts, such as sources, destinations, risk indicators, privilege levels, and usage.
|Figure 5: Service Account Check Screen
For each service account, policies are automatically created based on its behavior. All we have to do is choose between ‘alert’, ‘block’ and ‘SIEM alert’, and enable the policy (number 6).
|Figure 6: Service account policies
Silverfort’s platform truly achieves its goal of unified identity protection. Its ability to implement MFA on almost any resource (such as command-line tools, legacy apps, file shares, etc.) and create policies in seconds is unmatched. Having full visibility of all service accounts and finally being able to protect them is extremely valuable. In conclusion, the Silverfort platform offers new identity protection capabilities that are increasingly needed every day.