FINANCE & INSURANCE: THREE USE CASES FOR IDENTITY SECURITY
CrowdStrike White Paper
Whether it is the local cybersecurity requirements for financial services companies[1] operating in
New York State or the broader information security transparency required by the U.S.
Gramm-Leach-Bliley Act[2], financial organizations are required to build secure engineering
and network infrastructure for the transfer of data, money, and customer information.
Whether one of these, ISO 27001, or the NIST 800 series drives the need to improve identity
security for your institution, Falcon Zero Trust can help you secure your back-end and
corporate cybersecurity systems as part of your security program, helping to protect the
confidentiality, integrity and availability of your information systems. Whether your growth is
organic or via mergers and acquisitions, the following use cases for identity security are a reality.
THE USE CASE FOR IDENTITY STORE SECURITY
All modern regulations specifically mention access controls and identity management.
This includes not only multi-factor authentication, but the need to monitor for, evaluate,
and respond to risks. With over 80% of all data breaches involving identity, meeting these
requirements in a responsible, auditable fashion requires more care than simply buying a
Single Sign-On (SSO) or Multi-Factor Authentication (MFA) solution to check the box.
Whether an employee is the victim of a phishing attack or another endpoint compromise, or a data
breach occurs through a literal fish tank[3] hosting a service account with network access,
identity store hygiene and access controls are key components of best practice for your
identity store. Presenting a small attack surface, combined with the ability to stop lateral
movement automatically, is core to good security. The problem grows when you consider
the multiple domains, both on-premises and cloud, that a corporate merger can bring.
Cybersecurity visibility and enforcement[4] start with securing identity stores and directories.
The identity store is the nerve center of an enterprise, governing how users and accounts
interact with applications and assets. As highly regulated financial organizations work
through business transformation initiatives, they need to extend protection to networks and
resources that traditionally cannot be protected because they use legacy protocols that do not
integrate with MFA the way modern cloud-based authentication protocols (e.g. OpenID Connect,
SAML) do.
From this central point, organizations govern and maintain user credentials, assess
application, network, and behavioral traits, and create logical segmentation strategies
based on identity and risk. Any compromise of the identity store undermines the entire
identity management infrastructure, leading to unauthorized access as well as system
corruption, takeover, ransomware, or even destruction. It all starts with evaluating risk and
assessing the attack surface of the identity store within every domain in every branch.
[1] https://templatelab.com/cybersecurity-regulations-23-nycrr-500/
[2] https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
[3] https://money.cnn.com/2017/07/19/technology/fish-tank-hack-darktrace/index.html
[4] https://www.darkreading.com/active-directory-mismanagement-exposes-90--of-businesses-to-breaches/d/d-id/1328101
How do you reduce your identity attack surface? You find your areas of weakness. Falcon
Zero Trust immediately discovers all users and user types in your extended network (regular
users, executives, privileged users, service accounts) and delivers continuous insights and
behavioral analytics to detect and respond to risks and threats in real time.
Enterprise security infrastructures are not one-size-fits-all: most networks are increasingly a
mix of on-premises and cloud, and are moving to virtual as businesses adjust to mobile and
work-from-home initiatives. As you start on the path to real-time threat prevention, Falcon
Zero Trust adapts with your organization as it grows and changes, whether on-premises or
into the cloud. Best of all, you can get started with the benefits of Zero Trust in as little as
two hours and gain immediate and ongoing benefits.
HOW TO HARDEN ACTIVE DIRECTORY DEFENSES
Active Directory defense starts with hygiene and discovery: look at the identity attack
surface of your environment and discover how many accounts you have in total, and which of
those credentials are users, privileged users, shadow admins, and service accounts, in any
branch and any domain. From there, Falcon Zero Trust presents a prioritized plan of
action with a list of the credentials that are out of compliance with your security plan, and
imposes additional security measures when those credentials are used. You will also see which
services use dated or vulnerable authentication protocols, and can set up rules that increase
security specifically for users accessing those servers.
Organizations need to understand their own security posture so they know what they are
dealing with and can prioritize the work into actionable operations that tighten that
posture. There are constant questions about identity and access that security needs answered;
these risks affect the cybersecurity program's total vulnerability just as surely as unpatched
servers and outdated frameworks:
• Are all your domains visible in one location, so you can see weakness and risk across your organization?
• Is a server using a less secure protocol like NTLM or clear LDAP?
• Are your Group Policy Object (GPO) configurations intact and secure?
• Is an account using a password previously compromised in another breach?
• Is an account shared between multiple employees?
• Is the user connecting from an unmanaged or insecure device? From what geolocation?
• Was a user credential set up but never used? Was it recently promoted to a privileged
account? (These can be warning signs of a compromised endpoint or an active persistent threat.)
• Is onboarding/offboarding a closed, ready-for-audit process in terms of identities?
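The questions above are the checks an identity hygiene audit has to answer. As an added example (not CrowdStrike's code or the Falcon Zero Trust rule engine), this Python script runs those checks over a constructed account inventory and emits a severity-ranked plan of action; the breached-password set, the 7-day and 30-day thresholds, and the sample accounts are all assumptions made for the demo.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from hashlib import sha1
from typing import List, Optional, Set, Tuple

@dataclass
class Account:
    name: str
    kind: str                          # "user", "privileged" or "service"
    pw_digest: str                     # SHA-1 of the password, constructed for the demo
    created: date
    last_logon: Optional[date]
    promoted_to_admin: Optional[date] = None
    auths: List[Tuple[str, str]] = field(default_factory=list)   # (target server, protocol) seen on the wire
    source_hosts: Set[str] = field(default_factory=set)           # hosts the credential was used from

def digest(pw: str) -> str:
    return sha1(pw.encode()).hexdigest()

# Constructed stand-in for a corpus of passwords exposed in earlier breaches.
BREACHED = {digest("Summer2020!"), digest("Password1")}
LEGACY = {"NTLM", "LDAP"}   # NTLM and clear LDAP; Kerberos and LDAPS are acceptable
RANK = {"high": 0, "medium": 1, "low": 2}
TODAY = date(2020, 6, 3)    # assumed audit date for the demo

def audit(accounts: List[Account], today: date) -> List[Tuple[str, str, str]]:
    """Return (severity, account, issue) findings, highest severity first, then by name."""
    out = []
    for a in accounts:
        if a.pw_digest in BREACHED:
            out.append(("high", a.name, "password seen in a prior breach"))
        if a.promoted_to_admin and today - a.promoted_to_admin <= timedelta(days=7):
            out.append(("high", a.name, "promoted to a privileged account in the last 7 days"))
        if a.last_logon is None and today - a.created > timedelta(days=30):
            out.append(("medium", a.name, "credential created over 30 days ago and never used"))
        if a.kind == "user" and len(a.source_hosts) >= 3:
            out.append(("medium", a.name, "used from %d hosts: likely shared" % len(a.source_hosts)))
        for server, proto in a.auths:
            if proto in LEGACY:
                out.append(("medium", a.name, "%s to %s uses a legacy protocol" % (proto, server)))
    return sorted(out, key=lambda f: (RANK[f[0]], f[1]))

def sample_accounts() -> List[Account]:
    """Constructed inventory that exercises every check above."""
    d = date
    return [
        Account("svc-web", "service", digest("Summer2020!"), d(2019, 1, 1), d(2020, 6, 1),
                auths=[("sql01", "NTLM"), ("dc01", "Kerberos")], source_hosts={"web01"}),
        Account("jdoe", "user", digest("x9!Lq#v2"), d(2018, 3, 5), d(2020, 6, 2),
                source_hosts={"ws11", "ws12", "ws13"}),
        Account("tempvendor", "user", digest("Qp7&zzT1"), d(2020, 4, 1), None),
        Account("asmith", "privileged", digest("Rt5$kk2Z"), d(2017, 9, 9), d(2020, 6, 2),
                promoted_to_admin=d(2020, 5, 30), auths=[("ldap01", "LDAP")], source_hosts={"adm01"}),
    ]

if __name__ == "__main__":
    for sev, name, issue in audit(sample_accounts(), TODAY):
        print(sev.upper(), name, issue)
```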
Did you know?
On average, 27% of the credentials in your network are service accounts. This means these credentials are hard-coded into the applications on that server. Unmonitored and over-permissive service accounts are often involved in data
Your Solution
• Do you have real-time identity verification and the ability to detect lateral movement?
• Can you do it across any domain from one GUI?
• Can you assign a dynamic risk score to every entity based on real activity and
authentication patterns, then use that risk score to make decisions about what
activity is allowed or prohibited?
Falcon Zero Trust Screenshot: Sample view of overall risk score domain by domain
THE USE CASE FOR PREVENTING LATERAL MOVEMENT
The Falcon Zero Trust platform helps the customer identify lateral movement attack paths and
then protects them, both in the form of active alerts and optionally with a policy in place. Lateral
movement inside an organization by authenticated identities is nearly impossible to detect
for most security vendors and tools that rely on offline log analysis, especially those that
focus on perimeter or endpoint security alone. Even application security focuses on the
behavior of the application rather than the initial authentication, and too often lateral
movement cannot be seen or halted as it happens.
Enforcement at the authentication infrastructure offers more flexible options than trying to
control access at the application or share level. Active Directory (AD) and the domain
controller together govern authentication and authorization, but the world is more complex
than the standard allow/deny settings that many attack toolkits have learned to work
around.
Automated security to prevent lateral movement is key. Consider the following scenarios:
1. A service account exists on a banking website. That service account should only have
access to the specified server. Any other movement or authorization attempt from
that service account to new locations should be automatically refused, preventing a
compromised website from becoming a compromised domain.
2. Abnormal access. An IT administrator may have a dedicated login for their
workstation. That credential should not be attempting brute-force or dictionary
login attempts, and through division of duties there should be machines or micro-segments
in the network which it cannot access.
3. Consider the scenario of a developer working on your back-end systems at one
branch. After six months, she moves to another branch and domain, handling QA or the
SWIFT APIs. In most organizations, her credential rights wouldn't change; however, the
rights she actually needs (QA work) and the rights granted (admin work) are very different, and
the principle of least privilege was not applied during the transition.
Organizations need to be able to automatically and interactively challenge suspicious or risky
behavior in real time. For example, a user behaving suspiciously could be required to pass a
multi-factor authentication (MFA) or two-factor authentication (2FA) challenge before access
is granted to a critical server. This also lets users resolve security incidents themselves, without
involving the security team or generating false positives.
The adaptive capabilities of Falcon Zero Trust allow you to automate responses with the right
type of enforcement or notification based on the entity, its behavior, and its risk. This
conditional access ensures the right level of security is applied, either to stop a threat or to
validate the credential and let users get on with their work, wherever they happen to be.
Attackers want to land and expand. Rules and policies should be automated to prevent this.
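An added example, not code from the white paper or the Falcon Zero Trust product: a small conditional-access policy that turns the three scenarios and the step-up challenge above into allow / challenge / block decisions. The risk weights, thresholds, sample entities and the `mfa` callback are assumptions standing in for a real risk engine and an SSO/MFA integration.

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

@dataclass
class Entity:
    name: str
    kind: str                   # "service", "admin" or "user"
    allowed_targets: Set[str]   # baseline learned from approved activity
    usual_countries: Set[str]

@dataclass
class Request:
    entity: Entity
    target: str
    country: str
    managed_device: bool = True
    failed_logons_1h: int = 0   # recent failures observed for this credential
    critical_target: bool = False

BLOCK_AT, STEP_UP_AT = 60, 30   # constructed thresholds on the risk score

def risk(req: Request) -> Tuple[int, List[str]]:
    """Constructed scoring: every signal that fires adds points and a reason."""
    e = req.entity
    signals = [
        (req.target not in e.allowed_targets, 30, "target outside baseline"),
        (req.country not in e.usual_countries, 25, "unusual geolocation"),
        (not req.managed_device, 20, "unmanaged device"),
        (req.failed_logons_1h >= 10, 60, "brute-force pattern"),
    ]
    why = [reason for hit, _, reason in signals if hit]
    score = sum(pts for hit, pts, _ in signals if hit)
    return score, why

def decide(req: Request, mfa: Callable[[str], bool]) -> Tuple[str, List[str]]:
    """Return ("allow" | "challenge_passed" | "block", reasons); `mfa` is the SSO/MFA callback."""
    score, why = risk(req)
    # Scenario 1: a service account cannot answer a challenge and must never leave its baseline.
    if req.entity.kind == "service":
        return ("block", why) if why else ("allow", [])
    # Scenario 2: a credential showing a brute-force pattern is blocked outright.
    if score >= BLOCK_AT:
        return "block", why
    # Suspicious but plausible: challenge the user so they can clear the incident themselves.
    if score >= STEP_UP_AT or (req.critical_target and why):
        return ("challenge_passed", why) if mfa(req.entity.name) else ("block", why + ["MFA failed"])
    return "allow", why

# Constructed entities standing in for the paper's three scenarios.
SVC = Entity("svc-web", "service", {"web01"}, {"US"})
ADMIN = Entity("it-admin-ws", "admin", {"ws-admin01", "dc01"}, {"US"})
DEV = Entity("dev-jane", "user", {"build01"}, {"US"})

def demo(mfa_answer: bool) -> dict:
    """Evaluate the scenarios with an MFA stub that always returns `mfa_answer`."""
    mfa = lambda _name: mfa_answer
    return {
        "svc_to_new_host": decide(Request(SVC, "sql01", "US"), mfa)[0],
        "svc_in_baseline": decide(Request(SVC, "web01", "US"), mfa)[0],
        "admin_bruteforce": decide(Request(ADMIN, "dc01", "US", failed_logons_1h=25), mfa)[0],
        "dev_moved_to_swift": decide(Request(DEV, "swift-gw", "GB", critical_target=True), mfa)[0],
        "dev_normal": decide(Request(DEV, "build01", "US"), mfa)[0],
    }
```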
Attackers also use a variety of reconnaissance techniques such as account
enumeration, credential spraying, and brute force in order to find new targets
or credentials, while methods such as Golden Ticket attacks can allow an
attacker to achieve near-permanent persistence within a network followed by
lateral movement. As an example, attackers use tools like Mimikatz to steal
credentials and gain a foothold on the network. Attackers then move laterally
within a network using techniques such as Pass-the-Hash, Pass-the-Ticket, relay
attacks, use of Remote Desktop Protocol (RDP), or even threats like Maze
ransomware.
These techniques are the difference between a threat that is limited to a single
host, and a persistent threat which can expose the entire enterprise and its
assets. However, these progressive multi-step attacks also provide multiple
opportunities for security to detect the threat and halt the progress before major
damage is done. By monitoring authentication behavior on the network and
infrastructure, security can detect the behaviors of Pass-the-Hash or other attack
methodologies. By detecting these lateral movement techniques, the use of risky
protocols and abnormal behavior, Falcon Zero Trust can identify devices and
accounts that are likely compromised. These accounts can then be challenged
via MFA/2FA or blocked based on policy to halt the progress of an attack.
There are many ways of inserting conditional access into the identity repository
and no two networks are ever identical. Whether you use AD with Kerberos (or
even NTLM), or Azure with Windows Virtual Desktop (WVD) as a gateway to your
domain services, the principles of conditional access and MFA/2FA remain the
same. Adding a layer of protection in front of the authentication infrastructure,
including the domain controller, strengthens your existing infrastructure and
removes the need to enforce authentication at the endpoint via agents. The ability
to integrate, share, and extend identity and risk information across the point
solutions already in your network is key to securing your Active Directory
wherever it lives.
Instead of making decisions based on individual sessions or incidents, Falcon
Zero Trust uses the combined intelligence of all of an organization's security
investments, providing true conditional access control based on identity and risk.
Falcon Zero Trust takes that risk score, or evaluates risky behavior, and enforces
conditional access for the user. For example, consider a relay attack, which
intercepts and relays valid challenges and responses in NTLM, SMB, and other
protocols. Whether the enterprise uses Okta, PingFederate, RSA, or another
MFA/2FA tool, when Falcon Zero Trust senses the attack it enforces step-up
multi-factor authentication to challenge the user and prevent lateral movement
through the network.
Conditional access principles open the door to new types of segmentation based not simply
on network boundaries, but on policies that take into account the context of identity, behavior,
and risk of the user credential. We can break them down using the MITRE ATT&CK framework[6]
definitions:
• Default settings and weak/insufficient passwords (Recon)
• Inappropriate access for roles and employees (Recon & Exploit)
• Lack of visibility into elevation of privilege (Exploit & Weaponization)
• Lateral movement in the environment (Lateral Movement)
Virtually all modern attacks rely on compromising a victim's identity in order to spread within
the network and access forbidden data. Privileged users such as network administrators are
the ultimate target in this regard, as their credentials can give an attacker nearly full control
over the network, and elevation-of-privilege attacks or pass-the-hash are ways attackers
attempt to secure administration-level access.
Falcon Zero Trust's real-time sensors continuously monitor all credentials as they are
created, evaluating their risks and vulnerabilities, including the relative security of their
source device in every session. Areas known to be at risk (e.g. legacy systems with known
vulnerabilities) should have regular reviews for unusual activity.
Screenshot: Threat Hunter’s standard list of predefined searches
[6] https://attack.mitre.org/
CONTAINMENT PART 1 – THREAT DETECTION AND POLICY ENABLEMENT
In traditional network log review, the system's network traffic is investigated after the event,
in logs, through correlation efforts and rules that create events of interest. Falcon Zero Trust
User Behavior Analytics is traffic-based rather than log-based, performing deep packet
inspection on authentication and authorization interactions. This approach sees events
that can be masked from logs, such as encryption types that can indicate improper
protocol usage by attack tools, or whether an authentication is interactive or
non-interactive. You will be able to see cross-domain activity by user and by the services accessed.
The behavior models learn the behavior of entities and their devices and develop a risk
score for every user and device/service on the network. Trusted and untrusted access is
baselined through analysis of live authentication traffic combined with SSO, cloud
directories, VPN, supervised and unsupervised learning, and more. Once behaviors are
understood (and even earlier, in the case of general policy and compliance) you can begin
to write rules within Falcon Zero Trust.
For example, if you wanted to block RDP from programmatic accounts via Kerberos and
NTLM generally, you would create a rule within Falcon Zero Trust's flexible rules platform that
begins as shown below.
Screenshot: Falcon Zero Trust Policy – adding a rule
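The detection side of this section, as an added example rather than the product's own logic: a single pass over constructed authentication events (the kind of fields a domain controller sensor could parse from traffic) that fires the RDP-from-programmatic-account rule described above, together with an encryption-type downgrade check, a lateral-movement fan-out check and a credential-spray check. The thresholds, field layout and event records are all constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class AuthEvent:
    """One authentication seen on the wire (constructed; fields a DC sensor could parse)."""
    t: int            # seconds since the start of the capture
    proto: str        # "Kerberos" or "NTLM"
    account: str
    kind: str         # "user", "admin" or "service" (programmatic)
    src: str
    dst: str
    app: str          # "RDP", "SMB", "LDAP", ...
    etype: str = ""   # Kerberos encryption type negotiated, e.g. "AES256" or "RC4"
    ok: bool = True

WINDOW, FANOUT, SPRAY = 300, 4, 5   # constructed thresholds: seconds, distinct hosts, distinct accounts

def detect(events: List[AuthEvent]) -> List[Tuple[str, str]]:
    """Return (rule, subject) pairs in the order each rule first fires; no duplicates."""
    hits: List[Tuple[str, str]] = []
    def add(rule, subj):
        if (rule, subj) not in hits:
            hits.append((rule, subj))
    aes_seen = {e.account for e in events if e.proto == "Kerberos" and e.etype.startswith("AES")}
    targets = defaultdict(list)   # account -> [(t, dst)] inside the sliding window
    failed = defaultdict(set)     # src host -> accounts that failed to authenticate from it
    for e in sorted(events, key=lambda e: e.t):
        # The paper's example policy: no RDP by programmatic accounts, over Kerberos or NTLM.
        if e.app == "RDP" and e.kind == "service":
            add("rdp_by_service_account", e.account)
        # An RC4 ticket for an account that otherwise negotiates AES is the kind of
        # encryption-type anomaly that attack tooling leaves behind and logs tend to mask.
        if e.proto == "Kerberos" and e.etype == "RC4" and e.account in aes_seen:
            add("kerberos_etype_downgrade", e.account)
        if not e.ok:   # enumeration / spraying: one source failing against many accounts
            failed[e.src].add(e.account)
            if len(failed[e.src]) >= SPRAY:
                add("credential_spray", e.src)
            continue
        # Lateral movement fan-out: one credential reaching many hosts in a short window.
        recent = [(t, d) for t, d in targets[e.account] if e.t - t <= WINDOW]
        targets[e.account] = recent + [(e.t, e.dst)]
        if len({d for _, d in targets[e.account]}) >= FANOUT:
            add("lateral_fanout", e.account)
    return hits

# Constructed capture: a service account opening RDP, a user's credential used from a new
# host with RC4 tickets against four hosts in two minutes, and a workstation failing on five accounts.
SAMPLE = [
    AuthEvent(0,   "Kerberos", "jdoe",    "user",    "ws11",  "fs01",   "SMB", "AES256"),
    AuthEvent(30,  "Kerberos", "svc-web", "service", "web01", "sql01",  "SQL", "AES256"),
    AuthEvent(60,  "NTLM",     "svc-web", "service", "web01", "jump01", "RDP"),
    AuthEvent(90,  "Kerberos", "jdoe",    "user",    "ws99",  "fs01",   "SMB", "RC4"),
    AuthEvent(100, "Kerberos", "jdoe",    "user",    "ws99",  "fs02",   "SMB", "RC4"),
    AuthEvent(110, "Kerberos", "jdoe",    "user",    "ws99",  "hr01",   "SMB", "RC4"),
    AuthEvent(120, "Kerberos", "jdoe",    "user",    "ws99",  "pay01",  "SMB", "RC4"),
] + [AuthEvent(200 + i, "NTLM", "u%d" % i, "user", "ws42", "dc01", "LDAP", ok=False) for i in range(5)]

def run_sample() -> List[Tuple[str, str]]:
    return detect(SAMPLE)
```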
Many policies like this one for RDP control are available out of the box and can be customized
with granular details appropriate to your network. By combining analytics focused on identity,
behavior and risk with real-time traffic, attack detection gains fidelity and the IT team's response
time for reviewing access requests falls, while keeping to the least-access security model via
risk-based conditional response.
CONTAINMENT PART 2 – AUTOMATED RESPONSES TO THREATS
When suspicious or risky behavior is detected, Falcon Zero Trust offers optional
Conditional Access capabilities. This security automation steps in to respond to threats
without disrupting valid use, and before a signal or API call is ever sent to a security operations
analyst or SIEM.
Preempt's adaptive step-up authentication policies combine with your own SSO/MFA
tools and progressively interact with users to verify legitimate access and block untrusted
authentications in real time. Fine-grained conditions and actions allow you to match the level
of response to the risk and automatically adapt to changing context.
Diagram: Falcon Zero Trust architecture. Admin UI (attack path reporting, Threat Hunter insights, MFA controls) on top of a real-time engine and policy module (attack correlation, 100+ ML behavioral analytics, real-time risk score, policy templates, identity and data analysis), with an API, optional data sources (50+ pre-built integrations: SSO, VPN, SIEM, cloud apps) and Falcon Zero Trust domain controller sensors in front of the identity store.
USE CASE 3 – THE ZERO TRUST INITIATIVE
The key pillars of Zero Trust (as defined by its creator, Forrester) include security technology
for users, devices, networks, applications, automation, and analysis. Fundamentally, this
means that every resource accessing another resource must be continuously assessed for
risk, with policy applied, on every transaction.
A typical approach to Zero Trust (ZT) involves acquiring vendor solutions in each of these
pillar areas and assembling a security stack. This stack, with its complexity in integration and
management, creates friction for both IT and the end user. In addition, the migration to a ZT
approach itself takes time, effort, and capital: deployment of software, conversion of current
policies into a ZT solution stack, and finally the operational effort of getting everything working
and running continually.
Diagram: Zero Trust pillars (Users/Identities, Devices/Endpoints, Network, Applications, Automation, Analytics) mapped onto Falcon Zero Trust: enforcement (MFA, federation/SSO); analytics and policy automation (attack correlation, 100+ ML analytics, real-time risk score, manual and ML templates, identity and other data analysis); and intelligent conditional access spanning the identity store, managed and unmanaged endpoints, lateral movement, IP reputation, identities, on-prem/cloud applications and the network (data analysis and correlation, behavioral analysis, risk scoring, policy creator, correlation engine), providing continuous unified visibility and control.
THE THREE CORE BEST PRACTICES FOR ZERO TRUST HOLD IDENTITY STORE SECURITY AT THE CORE:

Best practice principle: Micro-segmentation
Comments: Several approaches are encouraged, including identity-based segmentation. Since 80% of threats involve identity, this is the most effective method of micro-segmentation.
Falcon Zero Trust, zero friction: Identity-based segmentation deploys very quickly without infrastructure changes, works in real time, and covers on-premises and cloud deployments.

Best practice principle: Enforce Policy Everywhere
Comments: Policy creation must be automated (one of the key pillars) and dynamic. This includes legacy systems that may have their own policy systems.
Falcon Zero Trust, zero friction: The policy can be system-defined via ML or user-defined. Attributes are collected from static and 100+ dynamic analytics. This approach reduces the resources required for changes and maintenance.

Best practice principle: Identity Beyond Identity and Access Management (IAM)
Comments: Identity must provide the risk of both human and application (service) accounts to provide the complete context.
Falcon Zero Trust, zero friction: Provides real-time, continuous risk analysis. Can be deployed with or without an endpoint user agent when connected to SSO.
FALCON ZERO TRUST BENEFITS FOR ALL USE CASES
• Continuous Unified Visibility across the Enterprise
• Automatic Security assessment (audit) of security posture
• Real-time threat mitigation through step-up authentication based on risk and abnormal activity
• User analytics that examine changes in behavior and enforce policies automatically
• Continuous threat detection and automated responses
• Full incident response capabilities, including historic notes and human analyst decisions
• Custom reporting from high-level executive risk down to AD admin level daily or weekly checks
• Full integration with every major MFA/SSO vendor, as well as many PAM and SOAR products
© 2020 CrowdStrike, Inc. All rights reserved. https://www.crowdstrike.com/products/identity-protection
Falcon Identity Protection secures all workforce identities to accelerate digital transformation. Since 80% of all breaches involve compromised credentials, Falcon Identity Protection unifies identity threat detection and conditional access for on-premises and cloud identities. Threats are preempted and IT policy enforced in real-time using identity, behavioral, and risk analytics, protecting 4M+ identities across 400+ enterprises.
CONCLUSION
The finance and investment industries often have the largest security tech stacks of any industry,
and the largest IT security teams. All of these teams and technologies work together
to stay ahead of the latest attack, protect intellectual property, client data and
assets, and ultimately prevent fraud. Some enterprises explore identity store security because
of a failed audit or a red team success. Others have initiatives to harden Active Directory,
prevent lateral movement, or examine the identity protections needed as part of a Zero Trust
initiative. Whatever the impetus, Falcon Zero Trust can support your goals with
less headcount needed to administer AD security, break the key parts of the attack chain,
and extend lower-friction security across your environment.