On this article, we’ll present a short overview of Silverfort’s platform, the primary (and presently solely) unified id safety platform available on the market. Silverfort’s patented know-how goals to guard organizations from identity-based assaults by integrating with current id and entry administration options, equivalent to AD (Lively Listing) and cloud-based companies, and increasing safe entry controls like Danger-Based mostly Authentication and MFA (Multi-Issue Authentication) to all their assets. This consists of on-prem and cloud assets, legacy methods, command-line instruments and repair accounts.
A latest report by Silverfort and Osterman Analysis revealed that 83% of organizations worldwide have skilled information breaches as a result of compromised credentials. Many organizations admit that they’re underprotected in opposition to identity-based assaults, equivalent to lateral motion and ransomware. Assets like command-line entry instruments and legacy methods, that are broadly used, are significantly difficult to guard.
Getting Began: Utilizing the Dashboard
Under is a screenshot of Silverfort’s dashboard (determine 1). General, it has a really intuitive person interface. On the left is a listing of person sorts: privileged customers, normal customers, and repair accounts, and the way they entry assets: by on-prem and cloud-based directories (AD, Azure AD, Okta), federation servers (Ping, ADFS), and VPN connections (RADIUS). The best facet of the display screen shows a listing of the totally different useful resource sorts customers try to entry. The entry makes an attempt are represented by glowing dots.
This show showcases the platform’s distinctive differentiator – it is the one answer right this moment that is able to integrating with all the id infrastructure within the hybrid setting. With this integration in place, the totally different on-prem and cloud directories ahead each authentication and entry try to Silverfort for evaluation and verdict whether or not to permit entry or deny. In that method, actual time safety for any person and useful resource is achieved, as we’ll quickly see in additional element.
The dashboard additionally reveals aggregations of beneficial identity-related information: variety of authentication makes an attempt by protocols and directories, proportion of verified authentications, variety of customers and repair accounts efficiently protected, and a breakdown of customers by threat stage (medium, excessive, vital).
The platform consists of numerous modules with each addressing a distinct id safety concern. We’ll now discover two of them: Superior MFA and Service Account Safety.
Defending Assets with Superior MFA
MFA has confirmed to be some of the efficient methods to guard in opposition to identity-based assaults. Nevertheless, having MFA safety on all community belongings is fairly onerous.
MFA historically depends on brokers and proxies, which implies some computer systems won’t ever be coated by it. Both as a result of your community is simply too giant to have proxies on each single pc, or as a result of not all computer systems are able to putting in brokers.
Wish to see Silverfort in motion? Schedule a free demo with our staff of specialists right this moment!
Furthermore, command-line entry instruments, equivalent to PsExec, PowerShell, and WMI, regardless of being broadly utilized by community admins, don’t natively assist MFA. These and different on-prem authentications are managed by AD, however AD authentication protocols (Kerberos, NTLM) had been merely not designed for MFA, and attackers know that. AD solely checks whether or not usernames and passwords match, so attackers utilizing reliable credentials (which can or might not be compromised) can entry the community and launch lateral motion and ransomware assaults with out AD figuring out. Silverfort’s main benefit is that it may really implement MFA on all of those, one thing different options cannot.
On the coverage display screen (determine 2) you possibly can view current insurance policies or create new ones.
|Determine 2: Coverage display screen|
Creating a brand new coverage appears fairly intuitive, as seen in determine 3. We have to decide the authentication kind, the related protocols, what customers, sources, and locations the coverage covers, and the motion required. What occurs right here is definitely fairly easy, however surprisingly intelligent. AD sends all authentication and entry requests to Silverfort. For every request, Silverfort analyzes its threat and related insurance policies to find out whether or not MFA is required or not. Relying on the decision, the person is granted entry, blocked, or requested to supply MFA. In different phrases, the coverage principally bypasses the inherent limitations of older protocols and enforces MFA on them.
|Determine 3: Making a coverage|
Discovering and Securing Service Accounts
Service accounts are a vital safety problem as a result of their excessive entry privileges and low to zero visibility. Furthermore, service accounts aren’t people, so MFA is not an possibility, and so is password rotation with PAM, which can crash vital processes if their logins fail. In reality, all organizations have a number of service accounts, generally as many as 50% of their general customers, and lots of of them go unmonitored. That is why attackers love compromised service accounts- they’ll use them for lateral motion underneath the radar and achieve entry to a lot of machines with out being seen.
Determine 4 reveals the Service Accounts display screen. As Silverfort receives all authentication and entry requests, it is ready to establish service accounts by analyzing repetitive machine behaviors.
|Determine 4: Service Accounts display screen|
It seems like we’ve got 162 accounts underneath machine-to-machine. We are able to filter them primarily based on quite a lot of parameters. Predictability, for instance, measures repeated entry to the identical supply or vacation spot. Deviations from this sample can point out malicious exercise.
In determine 5, we will see further details about our service accounts, equivalent to sources, locations, threat indicators, privilege ranges, and utilization.
|Determine 5: Service account Investigation display screen|
For every service account, insurance policies are mechanically created primarily based on its conduct. All we’ve got to do is select between ‘alert’, ‘block’ and ‘alert to SIEM’, and allow the coverage (determine 6).
|Determine 6: Service account insurance policies|
Silverfort’s platform really achieves its purpose of unified id safety. Its skill to implement MFA on virtually any useful resource (equivalent to command-line instruments, legacy apps, file shares, and lots of others) and create insurance policies in seconds is unparalleled. Having full visibility into all service accounts and eventually having the ability to defend them is extraordinarily beneficial. To conclude, Silverfort’s platform presents progressive id safety capabilities which might be changing into more and more obligatory every day.