How SentinelOne is securing enterprises with identity security

Tamer Odeh, Regional Sales Director, SentinelOne.
2 years ago

According to recent security research, stolen credentials were involved in nearly 50% of all attacks, and credential-based attacks have increased by 30% since 2017. Stolen credentials leave enterprises exposed and remain among the most sought-after assets for cyber-criminals.

Gartner states that 50% of cloud security failures result from inadequate management of identities, access and privileges, and projects that this figure will climb to 75% by 2023.

When cyber criminals steal user credentials or gain a foothold through attack vectors such as social engineering, identity and access management solutions on their own provide only limited protection against identity-based threats: the attacker is authenticating with a valid identity, which is exactly what those solutions are built to allow.

CISOs and IT professionals responsible for security strategy should make securing credentials and detecting when attackers have compromised them a central part of their cybersecurity strategy, regardless of their organisation’s size or maturity.

Being responsive to business needs while maintaining security is a constant balancing act, and it often leads to protection gaps or over-privileged accounts.

Credentials increasingly transcend traditional security boundaries and now commonly extend to cloud entitlements and to the directory systems that manage both human and machine access.

However, securing credentials and avoiding identity-related system misconfigurations can be a challenging task and many organisations struggle with this.

Tips for channel partners


Singularity Identity is best presented as part of a larger solution, since it complements and enriches the other security controls within an Extended Detection and Response platform.

It can also be positioned on its own as part of an enterprise's cybersecurity transformation journey, since it can detect and prevent attacks early in the kill chain.

SentinelOne will be showcasing the complete Singularity Platform, which encompasses our Extended Detection and Response and Identity Threat Detection and Response solutions.

What is identity security

Identity security begins with basic hygiene: strong password policies, no password reuse, rotation where it is warranted (current NIST SP 800-63B guidance favours rotating on evidence of compromise rather than on a fixed schedule), and a properly implemented Identity and Access Management programme.

In today's threat landscape, a robust identity security programme must go beyond granting the right access through Identity and Access Management and multi-factor authentication; it must also include mechanisms to detect and defend against identity misuse.

Although solutions such as single sign-on and multi-factor authentication add another layer of security to an enterprise's authentication process, only 22% of organisations today use multi-factor authentication to strengthen authentication.

While Identity and Access Management focuses on enabling employees, services and machine identities to access applications securely, through conditional and adaptive access and the use of multi-factor authentication, it does not by itself detect the misuse of credentials that have already been granted.


Singularity identity

“In May 2022, SentinelOne became the first Extended Detection and Response provider to natively include identity security for endpoints, Active Directory identity infrastructure, and cloud environments with its acquisition of Attivo Networks,” says Tamer Odeh, Regional Sales Director, SentinelOne.

“Singularity Identity is a suite of security capabilities installed onto endpoints and Active Directory domain controllers that prevents credential theft and covert movement throughout the environment,” continues Odeh.

Amongst SentinelOne's products, Singularity Hologram is a network-based threat deception product that lures in-network adversaries and insider threat actors into revealing themselves as they engage with operating-system and application decoys that mimic production assets.

Another product, Ranger Active Directory Assessor, makes it harder for adversaries to target exposures in a customer's identity attack surface by uncovering misconfigurations and vulnerabilities in their Active Directory and Azure Active Directory infrastructure. Ranger Active Directory Assessor provides specific recommendations on how to harden Active Directory and reduce its attack surface.

The extra intelligence that modern Extended Detection and Response solutions provide can make a significant difference in helping defenders identify and respond to suspicious or attack-related activity before adversaries can move deeper into the network. However, as Peter Firstbrook of Gartner has stated, Extended Detection and Response is not complete without Identity Threat Detection and Response.

Augmenting Extended Detection and Response with identity security and cyber deception can further enhance the effectiveness of this critical modern cybersecurity tool, improving the efficiency and capabilities of an already indispensable resource.

“As time goes on and attackers continue to grow more sophisticated, Extended Detection and Response, Identity Threat Detection and Response, and the adversary intelligence that deception technology provides will go a long way in preventing attackers from completing their mission successfully,” says Odeh.

XDR, ITDR, IDASM Snapshot

  • Modern adversaries use advanced identity-based attacks to compromise high-value assets.
  • When an attacker shifts left, it means they can simply steal your credentials instead of delivering malware or an exploit.
  • In May 2022, SentinelOne became the first Extended Detection and Response provider to natively include identity security.
  • A mature Identity Threat Detection and Response solution helps teams detect attacks earlier, that is, further left in the attack chain.
  • Identity Threat Detection and Response solutions address attacks with concealment, misinformation and misdirection.
  • Decoy bait misdirects attackers away from production assets, while disinformation prevents attackers from accurately mapping Active Directory identities.
  • Identity Threat Detection and Response solutions look for attacks targeting identities.
  • Identity Threat Detection and Response solutions also assist incident response by collecting forensic data.
  • Extended Detection and Response is not complete without Identity Threat Detection and Response.
  • Identity security systems play a critical role in Zero Trust architectures.
  • Identity Attack Surface Management reduces the identity attack surface to limit the exposures attackers can exploit.
  • Identity Threat Detection and Response and Identity Attack Surface Management solutions are key contributors to any enterprise's Zero Trust eXtended programme.
  • The complementary nature of EDR and Identity Threat Detection and Response fits perfectly when thwarting an attacker's efforts.
  • Identity Attack Surface Management and Identity Threat Detection and Response provide detection of credential misuse and privilege escalation.
  • Identity Attack Surface Management and Identity Threat Detection and Response, part of the Singularity Identity solution, are new security categories.

Shifting left

Attackers are shifting left. What does this mean? If an attacker can shift left, it means that they can simply steal your credentials, gain some sort of access, and then move laterally to other systems, skipping the age-old step of sending you malware or tricking you with an exploit. If an attacker has your credentials, they already have everything they need.

Using a single set of stolen credentials, a malicious actor performs reconnaissance to find weaknesses such as over-privileged accounts and Active Directory misconfigurations, then exploits them to reach further assets. By obtaining privileged credentials and compromising Active Directory itself, bad actors can launch larger-scale attacks to exfiltrate sensitive data and cause damage across endpoints, networks and clouds.

Therefore, as attackers shift left and focus on using identities to attack an organisation, security teams need to adapt as well. Today's comprehensive defenders complement identity governance with Identity Attack Surface Management controls designed to identify and fix Active Directory misconfigurations and excessive entitlements, and with real-time Identity Threat Detection and Response to gain visibility into misuse. Both of the latter are designed to address the attacker shift-left problem.

“A mature Identity Threat Detection and Response solution helps teams detect attacks earlier, that is further left in the attack chain,” says Odeh.

Identity Threat Detection and Response provides visibility when a bad actor attempts to steal credentials or mine Active Directory for data with unauthorised queries. It protects sensitive or privileged local and Active Directory credentials and objects by hiding them from the attacker and responds by presenting decoy credential bait and query results in their place.

The decoy bait misdirects attackers away from production assets, while the disinformation prevents them from accurately mapping Active Directory identities and entitlements. The solution also identifies activity on the Active Directory domain controllers indicating that an attack is under way. Identity Threat Detection and Response can then respond by quarantining the offending endpoint to stop the attack, or by redirecting it to decoy systems for further engagement.

Identity security systems play a critical role in Zero Trust architectures. Identity is the first pillar of Zero Trust, and it calls for continuous monitoring of exposures and vulnerabilities that attackers could exploit.

Identity security combines with Zero Trust through the following:

  • Protection of credentials
  • Visibility into exposed credentials and Active Directory objects
  • Detection of unauthorised queries to Active Directory
  • Insights into indicators of compromise on Active Directory
  • Live detection of attacks against domain controllers
  • Protection of domain controllers from attacks originating on any endpoint

Ultimately, Identity Threat Detection and Response and Identity Attack Surface Management solutions are key contributors to any enterprise's Zero Trust eXtended programme: they allow security teams to manage access to their key digital assets and devices, and to gain the behavioural visibility they need to detect and respond to threats inside and outside their ecosystems.

Benefits for CISOs

Organisations run periodic security assessments such as penetration tests and red team engagements. A popular target with these assessments is the enterprise Active Directory, and they almost always generate findings that the organisation’s Active Directory administrators must research and address to reduce their risk of attack.

Identity Attack Surface Management solutions help manage identity-based risk through continuous monitoring rather than an annual red team exercise. They make finding Active Directory exposures more efficient and more consistent by identifying new exposures as they arise and providing remediation guidance on an ongoing basis.
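The kind of continuous check described above, and the exposures Ranger Active Directory Assessor is said to uncover, can be illustrated with a small assessor that evaluates Active Directory user objects. This is an added example, not SentinelOne's or Ranger's code: the userAccountControl flag values are Microsoft's documented constants and the pwdLastSet FILETIME conversion is standard, while the sample objects, the one-year password-age threshold for privileged accounts and the finding names are assumptions made here for illustration.

```python
"""Flag common Active Directory identity exposures from user-object attributes.

Added example, not SentinelOne's or Ranger AD Assessor's code. It reproduces the
kind of checks an Identity Attack Surface Management tool or a red team runs
against AD user objects. The user records below are constructed; in a real run
they would come from an LDAP search for (&(objectCategory=person)(objectClass=user))
returning sAMAccountName, userAccountControl, adminCount, pwdLastSet and
servicePrincipalName.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags, as documented by Microsoft (exact values).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained Kerberos delegation
DONT_REQ_PREAUTH = 0x400000                 # AS-REP roasting exposure
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self)

# Assessment threshold chosen for this example (an assumption, not vendor policy).
MAX_PRIVILEGED_PASSWORD_AGE = timedelta(days=365)

# pwdLastSet is stored as a Windows FILETIME: 100 ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH_OFFSET_S = 11644473600


def filetime_to_datetime(ft: int) -> datetime:
    return datetime.fromtimestamp(ft / 10_000_000 - FILETIME_EPOCH_OFFSET_S, tz=timezone.utc)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt.timestamp() + FILETIME_EPOCH_OFFSET_S) * 10_000_000)


def assess_user(user: dict, now: datetime) -> list[str]:
    """Return exposure codes for one user object; an empty list means no finding."""
    uac = user["userAccountControl"]
    if uac & ACCOUNTDISABLE:
        return []  # cannot authenticate, so not part of the live attack surface
    findings = []
    if uac & PASSWD_NOTREQD:
        findings.append("PASSWORD_NOT_REQUIRED")
    if uac & DONT_REQ_PREAUTH:
        findings.append("KERBEROS_PREAUTH_DISABLED")
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("UNCONSTRAINED_DELEGATION")
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append("PROTOCOL_TRANSITION_DELEGATION")
    privileged = user.get("adminCount", 0) == 1  # set by AdminSDHolder on protected-group members
    if privileged:
        if uac & DONT_EXPIRE_PASSWORD:
            findings.append("PRIVILEGED_PASSWORD_NEVER_EXPIRES")
        if now - filetime_to_datetime(user["pwdLastSet"]) > MAX_PRIVILEGED_PASSWORD_AGE:
            findings.append("PRIVILEGED_PASSWORD_STALE")
        if user.get("servicePrincipalName"):
            findings.append("PRIVILEGED_ACCOUNT_KERBEROASTABLE")  # service tickets crackable offline
    return findings


def assess_directory(users: list[dict], now: datetime) -> dict[str, list[str]]:
    """Map sAMAccountName -> findings, omitting accounts with nothing to report."""
    report = {}
    for user in users:
        findings = assess_user(user, now)
        if findings:
            report[user["sAMAccountName"]] = findings
    return report


NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed sample objects (not from any real directory).
SAMPLE_USERS = [
    {"sAMAccountName": "svc_backup", "adminCount": 1,
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=3 * 365)),
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"]},
    {"sAMAccountName": "jdoe", "adminCount": 0,
     "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=30))},
    {"sAMAccountName": "legacy_app", "adminCount": 0,
     "userAccountControl": NORMAL_ACCOUNT | PASSWD_NOTREQD | TRUSTED_FOR_DELEGATION,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10))},
    {"sAMAccountName": "old_admin", "adminCount": 1,
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=900))},
]

if __name__ == "__main__":
    for account, findings in assess_directory(SAMPLE_USERS, NOW).items():
        print(f"{account}: {', '.join(findings)}")
```

Running the assessor on a schedule against a fresh LDAP export is what turns the annual red team finding into the continuous monitoring the paragraph describes; each finding code maps to a concrete remediation (clear the flag, rotate the password, remove the SPN from the privileged account).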

Modern adversaries use advanced identity-based attacks to compromise high-value assets, which can result in crippling loss of intellectual property. Bad actors rely on social engineering and Active Directory reconnaissance to acquire targets and the identity information they need for privilege escalation and lateral movement.

An Extended Detection and Response platform with Identity Threat Detection and Response capabilities can detect common identity-based attacks: Active Directory reconnaissance aimed at identifying high-value targets, followed by privilege escalation and lateral movement to those targets. Together, Identity Threat Detection and Response and Extended Detection and Response cover misuse of the identity infrastructure as well as traditional attack vectors such as malware and fileless exploits.

“By combining the two, CISOs gain a wider aperture of protection,” says Odeh.

Identity Threat Detection and Response solutions address these attacks with concealment, misinformation, and misdirection. As a threat actor conducts their reconnaissance, the Identity Threat Detection and Response solution provides decoy identity data to their Active Directory queries while concealing the privileged objects and detecting their attempts to move laterally.

For example, as attackers query for members of the domain administrator group, the Identity Threat Detection and Response solution provides decoy admin accounts, then detects when they attempt to use these results to access a production server.
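The second half of that scenario, detecting the moment an attacker tries to use a decoy admin account, is the high-fidelity part of the deception: nobody legitimately authenticates as a decoy, so a single event is enough. The block below is an added example, not SentinelOne's code, showing that detection logic over domain-controller security events; it also covers the "unauthorised query followed by misuse" flow described in the Shifting left section. The event IDs (4768, 4769, 4624, 4625) and field names (TargetUserName, IpAddress, Status) are those of Windows Security auditing; the decoy account names and the event records are constructed for the example.

```python
"""Alert on any authentication attempt that names a decoy admin account.

Added example, not SentinelOne's code. It shows the detection logic behind the
decoy-admin scenario: accounts handed to an attacker's Domain Admins enumeration
belong to nobody, so any Kerberos or logon event that references one is a
high-fidelity alert whether or not the attempt succeeded. Event IDs and field
names follow Windows Security auditing on a domain controller; the decoy names
and the event records themselves are constructed.
"""
from collections import defaultdict

# Decoy account names planted in query results (constructed for this example).
DECOY_ACCOUNTS = {"da_backup_svc", "adm_helpdesk2"}

# Windows Security events in which TargetUserName identifies the account being used:
# 4768 TGT requested, 4769 service ticket requested, 4624 logon success, 4625 logon failure.
AUTH_EVENT_IDS = {4768, 4769, 4624, 4625}


def normalise_account(name: str) -> str:
    """Reduce DOMAIN\\user, user@realm and mixed case to a bare lower-case sAMAccountName."""
    name = name.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.lower()


def detect_decoy_use(events: list[dict], decoys: set[str] = DECOY_ACCOUNTS) -> list[dict]:
    """Return one alert per authentication event that touches a decoy account."""
    alerts = []
    for event in events:
        if event["EventID"] not in AUTH_EVENT_IDS:
            continue
        account = normalise_account(event["TargetUserName"])
        if account not in decoys:
            continue
        alerts.append({
            "severity": "high",  # no legitimate use exists, so failures count as much as successes
            "account": account,
            "source_ip": event["IpAddress"].removeprefix("::ffff:"),  # DCs log IPv4 as mapped IPv6
            "event_id": event["EventID"],
            "status": event.get("Status", "0x0"),
        })
    return alerts


def summarise_by_source(alerts: list[dict]) -> dict[str, list[str]]:
    """Group decoy accounts touched per source host, the unit an isolation action acts on."""
    by_source = defaultdict(set)
    for alert in alerts:
        by_source[alert["source_ip"]].add(alert["account"])
    return {ip: sorted(accounts) for ip, accounts in by_source.items()}


# Constructed sample events, shaped like the EventData fields of DC security log entries.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "jdoe", "IpAddress": "::ffff:10.0.5.21", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "da_backup_svc", "IpAddress": "::ffff:10.0.5.40", "Status": "0x18"},
    {"EventID": 4625, "TargetUserName": "CORP\\da_backup_svc", "IpAddress": "10.0.5.40", "Status": "0xc000006d"},
    {"EventID": 4624, "TargetUserName": "Adm_Helpdesk2@corp.example", "IpAddress": "10.0.5.40"},
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.5.21"},
    {"EventID": 4662, "TargetUserName": "jdoe"},  # directory object access, not an auth event: ignored
]

if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_EVENTS)
    for ip, accounts in summarise_by_source(found).items():
        print(f"isolate {ip}: decoy accounts used -> {', '.join(accounts)}")
```

The per-source summary is the hand-off point to the response described in the text: the host at 10.0.5.40 is the one conducting the query and the one to isolate, while the 0x18 pre-authentication failure shows why failed attempts must alert as loudly as successful ones.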

Benefit of engaging with SentinelOne

Singularity Identity provides essential visibility into credentials stored on endpoints, Active Directory misconfigurations, and cloud entitlement sprawl. Identity Attack Surface Management and Identity Threat Detection and Response, part of the Singularity Identity solution, are new security categories designed to protect identities and the systems that manage them.

These solutions complement and operate in conjunction with Endpoint Detection and Response, Extended Detection and Response, Network Detection and Response, and other similar solutions.

Identity Attack Surface Management looks to reduce the identity attack surface to limit the exposures attackers can exploit. The fewer exposures, the smaller the identity attack surface. For most enterprises, this means Active Directory, whether on-premises or in Azure.

While Endpoint Detection and Response is a robust solution that looks for attacks on endpoints and collects data for analysis, Identity Threat Detection and Response solutions look for attacks targeting identities. Once an Identity Threat Detection and Response solution detects an attack, it adds a layer of defence by providing fake data that redirects the attacker to an authentic-looking decoy and automatically isolates the compromised system conducting the query.

Identity Threat Detection and Response solutions also assist incident response by collecting forensic data and gathering telemetry on the processes used during the attack. The complementary nature of EDR and Identity Threat Detection and Response fits perfectly with their common goal: thwarting an attacker's efforts.

Identity Attack Surface Management and Identity Threat Detection and Response solutions detect credential misuse, privilege escalation and other tactics attackers use within the network. They close critical gaps between Identity and Access Management and endpoint security solutions, stopping cybercriminals from exploiting vulnerable credentials to move through networks undetected.

“These continuous assessments will certainly help the organisation remain compliant to any identity-related regulatory or audit requirements and make the auditors themselves happy that the organisation is taking proper, proactive steps to securing the identity infrastructure,” says Odeh.


SentinelOne’s Singularity Identity is helping organisations improve their identity posture while providing real time alerts and deception capabilities.