FINANCE & INSURANCE: THREE USE CASES FOR IDENTITY SECURITY
CrowdStrike White Paper


    Whether it is the New York State cybersecurity requirements for financial services companies1
    or the broader information-security transparency required by the U.S. Gramm-Leach-Bliley Act2,
    financial organizations are required to build secure engineering and network infrastructure
    for the transfer of data, money and customer information. Whether one of these, ISO 27001 or
    the NIST 800-series drives the need to improve identity security at your institution, Falcon
    Zero Trust can help secure your back-end and corporate systems as part of your security
    program, protecting the confidentiality, integrity and availability of your information
    systems. Whether your growth is organic or via mergers and acquisitions, the following cases
    for identity security are a reality.

    THE USE CASE FOR IDENTITY STORE SECURITY

    All modern regulations make specific mention of access controls and identity management.
    This includes not only multi-factor authentication but the need to monitor for, evaluate and
    respond to risk. With over 80% of data breaches involving identity, meeting these
    requirements in a responsible, auditable fashion takes more care than simply buying a Single
    Sign-On (SSO) or Multi-Factor Authentication (MFA) product to check the box.

    Whether an employee falls victim to a phishing attack or other endpoint compromise, or a
    breach begins with a literal fish tank3 whose service account had network access, identity
    store hygiene and access controls are key components of good practice. Presenting a small
    attack surface, combined with the ability to stop lateral movement automatically, is core to
    good security. The problem grows when you consider the multiple domains, both on premises and
    in the cloud, that a corporate merger can bring.

    Cybersecurity visibility and enforcement4 start with securing identity stores and directories.
    The identity store is the nerve center of an enterprise, governing how users and accounts
    interact with applications and assets. As highly regulated financial organizations work
    through business transformation initiatives, they need to extend protection to networks and
    resources that traditionally could not be protected because they use legacy protocols that do
    not integrate with MFA the way modern cloud authentication protocols (e.g. OpenID Connect,
    SAML) do.

    From this central point, organizations govern and maintain user credentials, assess
    application, network and behavioral traits, and build logical segmentation strategies based
    on identity and risk. Any compromise of the identity store undermines the entire identity
    management infrastructure, leading to unauthorized access as well as system corruption,
    takeover, ransomware or even destruction. It all starts with evaluating risk and assessing the
    attack surface of the identity store in every domain and every branch.

    1 https://templatelab.com/cybersecurity-regulations-23-nycrr-500/

    2 https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act

    3 https://money.cnn.com/2017/07/19/technology/fish-tank-hack-darktrace/index.html

    4 https://www.darkreading.com/active-directory-mismanagement-exposes-90--of-businesses-to-breaches/d/d-id/1328101


    How do you reduce your identity attack surface? You find your areas of weakness. Falcon Zero
    Trust discovers all users and account types in your extended network (regular users,
    executives, privileged users, service accounts) and delivers continuous insight and behavioral
    analytics to detect and respond to risks and threats in real time.

    Enterprise security infrastructures are not one-size-fits-all: most networks are now a mix of
    on-premises and cloud, and increasingly virtualized as businesses adjust to mobile and
    work-from-home initiatives. As you start toward real-time threat prevention, Falcon Zero
    Trust adapts as your organization grows and changes, whether on premises or into the cloud.
    You can get started with the benefits of Zero Trust in as little as two hours and gain
    immediate and ongoing benefit.

    HOW TO HARDEN ACTIVE DIRECTORY DEFENSES

    Active Directory defense starts with hygiene and discovery: look at the identity attack
    surface of your environment and find out how many accounts you have in total, and which of
    those are users, privileged users, shadow admins and service accounts, in any branch and any
    domain. From there, Falcon Zero Trust presents a prioritized plan of action: a list of the
    credentials that are out of compliance with your security plan, with the option to impose
    additional security measures when those credentials are used. You will also see which
    services still use dated or vulnerable authentication protocols, and can set up rules that
    raise security specifically for users accessing those servers.

    Organizations need to understand their own security posture so they know what they are
    dealing with and can break the work into actionable operations that tighten it. There are
    standing questions about identity and access that security needs answered, risks that affect
    the program's total exposure just as surely as unpatched servers and outdated frameworks:

    Are your domains all visible in one location, to see weakness and risk across your organization?

    Is a server using a less secure protocol like NTLM or clear LDAP?

    Are your configurations in Group Policy Object (GPO) intact and secure?

    Is an account using a password previously compromised in another breach?

    Is an account shared between multiple employees?

    Is the user connecting from an unmanaged or insecure device? From what geolocation?

    Was a user credential set up but never used? Was it recently promoted to a privileged
    account? (These can be warning signs of a compromised endpoint or an active persistent threat.)

    Is Onboarding/Offboarding a closed and ready-for-audit process in terms of Identities?

    Did you know?

    On average, 27% of the credentials in a network are service accounts, credentials that are
    typically hard coded into the applications on their servers. Unmonitored and over-permissive
    service accounts are often involved in data
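    The discovery questions above can be turned into a first-pass audit over an account export.
    The following Python is an added example, not CrowdStrike's code or Falcon Zero Trust output:
    the account records, thresholds and severities are constructed assumptions, and the field
    names only mirror Active Directory attributes. It classifies each account as user, privileged
    or service, applies the checks (never-used and dormant accounts, recent promotion into an
    admin group, service accounts with stale passwords or admin membership, credentials seen on
    many hosts) and ranks the results into a prioritized plan of action.

```python
from datetime import datetime, timedelta

# Fixed reference date so the example is reproducible (assumption).
NOW = datetime(2020, 11, 1)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Account Operators", "Schema Admins"}
# Thresholds are illustrative policy choices, not CrowdStrike defaults.
DORMANT_DAYS, NEVER_USED_DAYS, STALE_SVC_PWD_DAYS = 90, 30, 365
NEW_ADMIN_DAYS, SHARED_HOST_COUNT = 7, 5


def ago(days):
    """Timestamp `days` before NOW; None stays None (attribute never set)."""
    return None if days is None else NOW - timedelta(days=days)


# Constructed account export (assumption). Field names mirror AD attributes
# (servicePrincipalName, whenCreated, lastLogonTimestamp, pwdLastSet, memberOf);
# logon_hosts is the set of hosts the account logged on to in the last 30 days,
# which would come from 4624 logon events rather than from the directory itself.
ACCOUNTS = [
    dict(sam="svc-webbank", spn=["HTTP/webbank.corp.example"], created=ago(1200),
         last_logon=ago(1), pwd_last_set=ago(900), member_of=[], admin_since=None,
         logon_hosts={"WEBBANK01"}),
    dict(sam="svc-backup", spn=["backup/bk01.corp.example"], created=ago(2000),
         last_logon=ago(0), pwd_last_set=ago(1500), member_of=["Domain Admins"],
         admin_since=ago(1500), logon_hosts={"BK01", "FS01", "FS02", "DC01", "SQL01", "SQL02"}),
    dict(sam="jdoe", spn=[], created=ago(800), last_logon=ago(2), pwd_last_set=ago(30),
         member_of=["Domain Admins"], admin_since=ago(3), logon_hosts={"WS-JDOE"}),
    dict(sam="tmp-contractor", spn=[], created=ago(200), last_logon=None,
         pwd_last_set=ago(200), member_of=[], admin_since=None, logon_hosts=set()),
    dict(sam="helpdesk", spn=[], created=ago(600), last_logon=ago(0), pwd_last_set=ago(400),
         member_of=["Account Operators"], admin_since=ago(600),
         logon_hosts={"WS-01", "WS-02", "WS-03", "WS-04", "WS-05", "WS-06"}),
    dict(sam="asmith", spn=[], created=ago(400), last_logon=ago(5), pwd_last_set=ago(20),
         member_of=[], admin_since=None, logon_hosts={"WS-ASMITH"}),
]


def is_privileged(a):
    return bool(set(a["member_of"]) & PRIVILEGED_GROUPS)


def account_type(a):
    """Service accounts carry an SPN; privileged users sit in an admin group."""
    if a["spn"]:
        return "service"
    return "privileged" if is_privileged(a) else "user"


def findings_for(a):
    """(finding, severity) pairs for one account, highest severity first."""
    out = []
    service, privileged = account_type(a) == "service", is_privileged(a)
    if a["last_logon"] is None and a["created"] < ago(NEVER_USED_DAYS):
        out.append(("created but never used", 2))
    elif a["last_logon"] is not None and a["last_logon"] < ago(DORMANT_DAYS):
        out.append(("dormant account", 2))
    if privileged and a["admin_since"] is not None and a["admin_since"] > ago(NEW_ADMIN_DAYS):
        out.append(("recently promoted to a privileged group", 3))
    if service and privileged:
        out.append(("service account holds privileged group membership", 4))
    if service and a["pwd_last_set"] < ago(STALE_SVC_PWD_DAYS):
        out.append(("service account with stale password (Kerberoast exposure)", 3))
    if len(a["logon_hosts"]) >= SHARED_HOST_COUNT:
        out.append(("logons from many hosts; possibly a shared credential", 2))
    return sorted(out, key=lambda f: -f[1])


def inventory(accounts):
    """How many of each account type exist: the first question of discovery."""
    counts = {"user": 0, "privileged": 0, "service": 0}
    for a in accounts:
        counts[account_type(a)] += 1
    return counts


def audit(accounts):
    """sAMAccountName -> findings, for accounts that have at least one."""
    report = {}
    for a in accounts:
        f = findings_for(a)
        if f:
            report[a["sam"]] = f
    return report


def prioritized(accounts):
    """Plan of action: accounts ordered by their worst finding, then by name."""
    report = audit(accounts)
    return sorted(report, key=lambda sam: (-report[sam][0][1], sam))


if __name__ == "__main__":
    print(inventory(ACCOUNTS))
    for sam in prioritized(ACCOUNTS):
        for finding, severity in audit(ACCOUNTS)[sam]:
            print(f"[{severity}] {sam}: {finding}")
```

    On the constructed data the backup service account comes first because it is both a service
    account and a Domain Admin with a password untouched for years, followed by the user promoted
    to Domain Admins three days ago. In a real environment the same checks run against an export
    from Get-ADUser or ldapsearch plus logon data from the domain controllers.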


    Your Solution

    Do you have real-time identity verification and the ability to detect lateral movement?

    Can you do it across any domain from one GUI?

    Can you assign a dynamic risk score to every entity based on real activity and
    authentication patterns, then use that score to decide what activity is allowed or
    prohibited?

    Falcon Zero Trust Screenshot: Sample view of overall risk score domain by domain

    THE USE CASE FOR PREVENTING LATERAL MOVEMENT

    Falcon Zero Trust helps the customer identify lateral-movement attack paths and then protect
    them, both with active alerts and optionally with an enforcement policy. Lateral movement by
    authenticated identities is nearly impossible to detect with security tools that rely on
    offline log analysis, especially those that focus on perimeter or endpoint security alone.
    Even application security focuses on the behavior of the application rather than on the
    initial authentication, so too often lateral movement is neither seen nor halted as it happens.

    Enforcement at the authentication infrastructure offers more flexible options than trying to
    control access at the application or share level. Active Directory (AD) and its domain
    controllers govern authentication and authorization, but the world is more complex than the
    standard allow/deny settings that many attack toolkits have learned to work around.


    Automated security to prevent lateral movement is key. Consider the following scenarios:

    1. A service account exists on a banking web site. That service account should only have
    access to the specified server. Any other movement or authorization attempt from that service
    account to a new location should be refused automatically, preventing a compromised website
    from becoming a compromised domain.

    2. Abnormal access. An IT administrator may have a dedicated login for their workstation.
    That credential should never be attempting brute-force or dictionary logins, and through
    separation of duties there should be machines or network micro-segments it cannot reach.

    3. Consider a developer working on your back-end systems at one branch. After six months she
    moves to another branch and domain, handling QA or the SWIFT APIs. In most organizations her
    credential rights would not change; her actual rights needed (QA work) and granted rights
    (admin work) are now very different, and the principle of least privilege was not applied
    during the transition.

    Organizations need to be able to challenge suspicious or risky behavior automatically and
    interactively, in real time. For example, a user behaving suspiciously could be required to
    pass a multi-factor authentication (MFA) or two-factor authentication (2FA) challenge before
    access is granted to a critical server. This also lets users resolve incidents themselves
    without involving the security team, and keeps such events from becoming false positives.

    The adaptive capabilities of Falcon Zero Trust let you automate the right type of enforcement
    or notification based on the entity, its behavior and its risk. This conditional access
    ensures the right level of security is applied, either to stop a threat or to validate the
    credential so users can get on with their work wherever they happen to be.

    Attackers want to land and expand. Rules and policies should be automated to prevent this.


    Attackers also use a variety of reconnaissance techniques such as account enumeration,
    credential spraying and brute force to find new targets or credentials, while methods such as
    Golden Ticket attacks can give an attacker near-permanent persistence in a network followed
    by lateral movement. Attackers use tools like Mimikatz to steal credentials and gain a
    foothold on the network, then move laterally using techniques such as Pass-the-Hash,
    Pass-the-Ticket, relay attacks and Remote Desktop Protocol (RDP), the same techniques that
    ransomware operations such as Maze rely on to spread.

    These techniques are the difference between a threat limited to a single host and a
    persistent threat that can expose the entire enterprise and its assets. However, these
    progressive multi-step attacks also give security multiple opportunities to detect the threat
    and halt its progress before major damage is done. By monitoring authentication behavior on
    the network and infrastructure, security can detect Pass-the-Hash and other attack
    methodologies. By detecting these lateral-movement techniques, the use of risky protocols and
    abnormal behavior, Falcon Zero Trust can identify devices and accounts that are likely
    compromised. These accounts can then be challenged via MFA/2FA or blocked by policy to halt
    the attack.

    There are many ways of inserting conditional access into the identity repository, and no two
    networks are identical. Whether you use AD with Kerberos (or even NTLM), or Azure with
    Windows Virtual Desktop (WVD) as a gateway to your domain services, the principles of
    conditional access and MFA/2FA remain the same. Adding a layer of protection in front of the
    authentication infrastructure, including the domain controllers, improves the security of
    your existing infrastructure and removes the need to enforce authentication at the endpoint
    via agents. The ability to integrate, share and extend identity and risk information across
    the point solutions already in your network is key to securing Active Directory wherever it
    lives. Instead of making decisions on individual sessions or incidents, Falcon Zero Trust
    uses the combined intelligence of all an organization's security investments, providing true
    conditional access control based on identity and risk.

    Falcon Zero Trust takes that risk score, or evaluates risky behavior, and enforces
    conditional access for the user. For example, consider a relay attack, which intercepts and
    forwards valid challenges and responses in NTLM, SMB and other protocols. Whether the
    enterprise uses Okta, PingFederate, RSA or another MFA/2FA tool, when Falcon Zero Trust
    detects the attack it enforces step-up multi-factor authentication to challenge the user and
    prevent lateral movement through the network.


    Conditional access principles open the door to new types of segmentation, based not simply
    on network boundaries but on policies that consider the context of identity, behavior and
    risk of the user credential. We can break the risks down by attack phase, loosely following
    the MITRE ATT&CK framework6:

    Default settings and weak or insufficient passwords (Recon)
    Inappropriate access for roles and employees (Recon & Exploit)
    Lack of visibility into elevation of privilege (Exploit & Weaponization)
    Lateral movement in the environment (Lateral Movement)

    Virtually all modern attacks rely on compromising a victim's identity in order to spread
    within the network and access forbidden data. Privileged users such as network administrators
    are the ultimate target, as their credentials can give an attacker nearly full control of the
    network, and elevation-of-privilege attacks and Pass-the-Hash are ways attackers try to
    obtain administrator-level access.

    Falcon Zero Trust's real-time sensors continuously monitor all credentials from the moment
    they are created, evaluating their risks and vulnerabilities, including the relative security
    of the source device in every session. Areas known to be at risk (e.g. legacy systems with
    known vulnerabilities) should be reviewed regularly for strange activity.

    Screenshot: Threat Hunter’s standard list of predefined searches

    6 https://attack.mitre.org/


    CONTAINMENT PART 1 – THREAT DETECTION AND POLICY ENABLEMENT

    In traditional network log review, the system's network traffic is investigated after the
    event, in logs, through correlation and rules that create events of interest. Falcon Zero
    Trust user behavior analytics is traffic-based rather than log-based, performing deep packet
    inspection on authentication and authorization interactions. This approach sees events that
    can be masked from logs, such as encryption types that indicate improper protocol usage by
    attack tools, or whether an authentication is interactive or non-interactive. You can see
    cross-domain activity by user and by the services accessed.

    The behavior models learn the behavior of entities and their devices and develop a risk
    score for every user and device/service on the network. Trusted and untrusted access is
    baselined through analysis of live authentication traffic combined with SSO, cloud
    directories, VPN, supervised and unsupervised learning and more. Once behaviors are
    understood, and even earlier in the case of general policy and compliance rules, you can
    begin to write rules within Falcon Zero Trust.

    For example, to block RDP from programmatic accounts over both Kerberos and NTLM, create a
    rule within Falcon Zero Trust's rules platform that begins as shown below.

    Screenshot: Falcon Zero Trust Policy – adding a rule
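    As an added example of the kind of rule and risk logic this section describes (not Falcon
    Zero Trust's own engine, whose rules are built in its UI as in the screenshot), the following
    Python runs several of the checks discussed in this paper over constructed authentication
    events: the RDP-from-programmatic-accounts rule above, the service-account scope check from
    scenario 1 of the lateral-movement use case, an RC4 encryption-type check of the kind that
    exposes attack tooling, and credential-spray detection. The event shape, policy inputs,
    weights and thresholds are assumptions. Per-entity risk is summed and mapped to an allow,
    step-up MFA or block decision, the conditional-access outcome described in this paper.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Policy inputs (assumptions): hosts each programmatic account may reach, and
# accounts whose Kerberos policy is AES-only, so an RC4 ticket request for them
# points at overpass-the-hash or ticket-forging tooling rather than a normal client.
SERVICE_ACCOUNT_SCOPE = {"svc-webbank": {"WEBBANK01"}, "svc-backup": {"BK01"}}
AES_ONLY_ACCOUNTS = {"jdoe", "svc-webbank", "svc-backup"}
INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # console, RemoteInteractive (RDP), cached
RC4_HMAC = 0x17                          # Kerberos etype; AES128/256 are 0x11/0x12
SPRAY_ACCOUNTS, SPRAY_WINDOW = 5, timedelta(minutes=2)
STEP_UP_AT, BLOCK_AT = 30, 70            # risk thresholds (assumption)


def ev(t, event_id, account, src, target, logon_type=None, pkg=None, etype=None):
    """One constructed event, shaped like the fields of Windows security events
    4768/4769 (Kerberos ticket requests), 4624 (logon) and 4625 (failed logon)."""
    return dict(time=datetime(2020, 11, 1, 9, 0) + timedelta(seconds=t), event_id=event_id,
                account=account, src=src, target=target, logon_type=logon_type,
                pkg=pkg, etype=etype)


EVENTS = [  # constructed, not real telemetry
    ev(0, 4624, "jdoe", "WS-JDOE", "WS-JDOE", logon_type=2, pkg="Kerberos"),
    ev(5, 4769, "jdoe", "WS-JDOE", "FS01", pkg="Kerberos", etype=0x12),
    ev(60, 4624, "svc-webbank", "WEBBANK01", "WEBBANK01", logon_type=5, pkg="Kerberos"),
    ev(120, 4624, "svc-webbank", "WEBBANK01", "SQL01", logon_type=3, pkg="NTLM"),
    ev(130, 4624, "svc-webbank", "WEBBANK01", "DC01", logon_type=10, pkg="Kerberos"),
    ev(200, 4768, "jdoe", "WS-ATTACK", "DC01", pkg="Kerberos", etype=RC4_HMAC),
] + [ev(300 + i, 4625, f"user{i:02d}", "10.9.8.7", "DC01", logon_type=3, pkg="NTLM")
     for i in range(6)]


def alert(entity, rule, weight, e):
    return dict(entity=entity, rule=rule, weight=weight,
                evidence=f"{e['event_id']} {e['src']}->{e['target']} "
                         f"type={e['logon_type']} pkg={e['pkg']}")


def analyze(events):
    """Run the rules over authentication events and return alerts."""
    alerts = []
    failures = defaultdict(list)             # src -> [(time, account)] from 4625
    for e in sorted(events, key=lambda x: x["time"]):
        acct, eid = e["account"], e["event_id"]
        if eid == 4625:
            failures[e["src"]].append((e["time"], acct))
            continue
        scope = SERVICE_ACCOUNT_SCOPE.get(acct)
        if eid == 4624 and scope is not None:
            if e["target"] not in scope:
                alerts.append(alert(acct, "service account outside its allowed scope", 50, e))
            if e["logon_type"] in INTERACTIVE_LOGON_TYPES:
                alerts.append(alert(acct, "interactive/RDP logon by programmatic account", 40, e))
        if eid == 4624 and e["pkg"] == "NTLM":
            alerts.append(alert(acct, "legacy NTLM authentication", 15, e))
        if eid in (4768, 4769) and e["etype"] == RC4_HMAC and acct in AES_ONLY_ACCOUNTS:
            alerts.append(alert(acct, "RC4 ticket request for AES-only account", 40, e))
    # Credential spraying: one source failing against many accounts in a short window.
    for src, tries in failures.items():
        for i, (t0, _) in enumerate(tries):
            names = {a for t, a in tries[i:] if t - t0 <= SPRAY_WINDOW}
            if len(names) >= SPRAY_ACCOUNTS:
                alerts.append(dict(entity=src, rule="credential spraying", weight=80,
                                   evidence=f"{len(names)} accounts within {SPRAY_WINDOW}"))
                break
    return alerts


def risk_scores(alerts):
    """Per-entity score: entities are accounts, or source addresses for spraying."""
    scores = defaultdict(int)
    for a in alerts:
        scores[a["entity"]] += a["weight"]
    return dict(scores)


def decision(score):
    """Conditional-access outcome: allow, challenge with step-up MFA, or block."""
    if score >= BLOCK_AT:
        return "block"
    return "step-up MFA" if score >= STEP_UP_AT else "allow"


def decisions(events):
    return {entity: decision(s) for entity, s in risk_scores(analyze(events)).items()}


if __name__ == "__main__":
    for a in analyze(EVENTS):
        print(f"{a['entity']:<14} +{a['weight']:<3} {a['rule']}  ({a['evidence']})")
    print(decisions(EVENTS))
```

    On the constructed events the web-site service account is blocked (it reached two hosts
    outside its scope, one of them over RDP and one over NTLM), the AES-only user who suddenly
    requests an RC4 ticket from an unfamiliar host is challenged with step-up MFA rather than
    blocked outright, and the spraying source address is blocked. The weights are deliberately
    additive so that a single weak signal (NTLM alone) never blocks on its own.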


    Many policies like this RDP control are available out of the box and can be customized with
    granular details appropriate to your network. Combining analytics focused on identity,
    behavior and risk with real-time traffic increases the fidelity of future attack detection
    and reduces the IT team's time spent reviewing access requests, while keeping to a
    least-access model via risk-based conditional response.

    CONTAINMENT PART 2 – AUTOMATED RESPONSES TO THREATS

    When suspicious or risky behavior is detected, Falcon Zero Trust offers conditional access
    capabilities. This security automation steps in to respond to threats without disrupting
    valid use, and before a signal or API call is ever sent to a security operations analyst or
    SIEM.

    Adaptive step-up authentication policies combine with your own SSO/MFA tools and
    progressively interact with users to verify legitimate access and block untrusted
    authentications in real time. Fine-grained conditions and actions let you match the level of
    response to the risk and adapt automatically to changing context.

    Architecture diagram: Falcon Zero Trust domain controller sensors and the identity store feed
    a real-time engine and policy module (attack correlation, 100+ ML behavioral analytics,
    real-time risk score, policy templates, identity and data analysis), exposed through the
    admin UI (attack path reporting, threat hunter insights, MFA controls) and an API, with 50+
    pre-built integrations to optional data sources (SSO, VPN, SIEM, cloud apps).


    USE CASE 3 – THE ZERO TRUST INITIATIVE

    The key pillars of Zero Trust (as defined by its originator, Forrester) cover security
    technology for users, devices, networks, applications, automation and analytics.
    Fundamentally this means that every resource accessing another resource must be continuously
    assessed against risk and policy, with action taken on every transaction.

    A typical approach to Zero Trust (ZT) involves acquiring vendor solutions in each of these
    pillar areas and assembling a security stack. This stack, with its complexity of integration
    and management, creates friction for both IT and the end user. In addition, the migration to
    a ZT approach itself takes time, effort and capital: deployment of software, conversion of
    current policies into the ZT solution stack, and finally the operational effort of getting
    everything working and keeping it running.

    Zero Trust pillars: Users (Identities) | Devices (Endpoints) | Network | Applications | Automation | Analytics

    Diagram: Continuous Unified Visibility & Control. Enforcement (MFA, federation/SSO) and
    intelligent conditional access sit across the identity store, managed and unmanaged
    endpoints, identities, on-prem/cloud applications and the network; analytics and policy
    automation (attack correlation, 100+ ML analytics, real-time risk score, manual and ML
    templates, identity and other data analysis) feed lateral movement detection, IP reputation,
    behavioral analysis, risk scoring, a policy creator and a correlation engine.


    THE THREE CORE BEST PRACTICES FOR ZERO TRUST HOLD IDENTITY STORE SECURITY AT THE CORE:

    Best practice principle: Micro-segmentation
    Comments: Several approaches are encouraged, including identity-based segmentation. Since 80% of threats involve identity, this is the most effective way to micro-segment.
    Falcon Zero Trust, zero friction: Identity-based segmentation deploys very quickly without infrastructure changes, works in real time, and covers on-premises and cloud deployments.

    Best practice principle: Enforce policy everywhere
    Comments: Policy creation must be automated (one of the key pillars) and dynamic. This includes legacy systems that may have their own policy systems.
    Falcon Zero Trust, zero friction: Policy can be system-defined via ML or user-defined. Attributes are collected from static and 100+ dynamic analytics. This approach reduces the resources required for changes and maintenance.

    Best practice principle: Identity beyond Identity and Access Management (IAM)
    Comments: Identity must provide the risk of both human and application (service) accounts to give complete context.
    Falcon Zero Trust, zero friction: Provides real-time, continuous risk analysis. Can be deployed with or without an endpoint agent when connected to SSO.


    FALCON ZERO TRUST BENEFITS FOR ALL USE CASES

    • Continuous Unified Visibility across the Enterprise

    • Automatic Security assessment (audit) of security posture

    • Real-time threat mitigation through step-up authentication based on risk and abnormal activity

    • User analytics that examine changes in behavior and enforce policies automatically

    • Continuous threat detection and automated responses

    • Full incident response capabilities, including historic notes and human analyst decisions

    • Custom reporting from high-level executive risk down to AD admin level daily or weekly checks

    • Full integration with every major MFA/SSO vendor, as well as many PAM and SOAR products

    CONCLUSION

    The finance and investment industries often have the largest security tech stacks of any
    industry, and the largest IT security teams. All of these teams and technologies work
    together to stay ahead of the latest attack, protect intellectual property, client data and
    assets, and prevent fraud. Some enterprises explore identity store security because of a
    failed audit or a red team success. Others have initiatives to harden Active Directory,
    prevent lateral movement, or examine the identity protections needed as part of a Zero Trust
    initiative. Whatever the impetus, Falcon Zero Trust can support your goals with less
    headcount needed to administer AD security, break key links in the attack chain, and extend
    lower-friction security across your environment.

    © 2020 CrowdStrike, Inc. All rights reserved. https://www.crowdstrike.com/products/identity-protection

    Falcon Identity Protection secures all workforce identities to accelerate digital transformation. Since 80% of all breaches involve compromised credentials, Falcon Identity Protection unifies identity threat detection and conditional access for on-premises and cloud identities. Threats are preempted and IT policy enforced in real time using identity, behavioral and risk analytics, protecting 4M+ identities across 400+ enterprises.