
Silverfort’s Unified Identity Protection Platform

In this article, we’ll provide a brief overview of Silverfort’s platform, the first (and currently only) unified identity protection platform on the market. Silverfort’s patented technology aims to protect organizations from identity-based attacks by integrating with existing identity and access management solutions, such as AD (Active Directory) and cloud-based services, and extending secure access controls like Risk-Based Authentication and MFA (Multi-Factor Authentication) to all their resources. This includes on-prem and cloud resources, legacy systems, command-line tools and service accounts.

A recent report by Silverfort and Osterman Research revealed that 83% of organizations worldwide have experienced data breaches due to compromised credentials. Many organizations admit that they are underprotected against identity-based attacks, such as lateral movement and ransomware. Resources like command-line access tools and legacy systems, which are widely used, are particularly challenging to protect.

Getting Started: Using the Dashboard

Below is a screenshot of Silverfort’s dashboard (figure 1). Overall, it has a very intuitive user interface. On the left is a list of user types: privileged users, standard users, and service accounts, and how they access resources: through on-prem and cloud-based directories (AD, Azure AD, Okta), federation servers (Ping, ADFS), and VPN connections (RADIUS). The right side of the screen displays a list of the different resource types users attempt to access. The access attempts are represented by glowing dots.

This display showcases the platform’s unique differentiator: it is the only solution today that is capable of integrating with the entire identity infrastructure in the hybrid environment. With this integration in place, the different on-prem and cloud directories forward every authentication and access attempt to Silverfort for analysis and a verdict on whether to allow or deny access. In that way, real-time protection for any user and resource is achieved, as we’ll soon see in more detail.


The dashboard also shows aggregations of valuable identity-related data: number of authentication attempts by protocols and directories, percentage of verified authentications, number of users and service accounts successfully protected, and a breakdown of users by risk level (medium, high, critical).

The platform includes various modules, each addressing a different identity protection issue. We’ll now explore two of them: Advanced MFA and Service Account Protection.

Protecting Resources with Advanced MFA

MFA has proven to be one of the most effective ways to protect against identity-based attacks. However, having MFA protection on all network assets is pretty hard.

MFA traditionally relies on agents and proxies, which means some computers will never be covered by it, either because your network is too large to have proxies on every single computer, or because not all computers are capable of installing agents.


Moreover, command-line access tools, such as PsExec, PowerShell, and WMI, despite being widely used by network admins, don’t natively support MFA. These and other on-prem authentications are managed by AD, but AD authentication protocols (Kerberos, NTLM) were simply not designed for MFA, and attackers know that. AD only checks whether usernames and passwords match, so attackers using legitimate credentials (which may or may not be compromised) can access the network and launch lateral movement and ransomware attacks without AD knowing. Silverfort’s major advantage is that it can actually enforce MFA on all of these, something other solutions cannot.


On the policy screen (figure 2) you can view existing policies or create new ones.

Figure 2: Policy screen

Creating a new policy seems pretty intuitive, as seen in figure 3. We need to determine the authentication type, the relevant protocols, what users, sources, and destinations the policy covers, and the action required. What happens here is actually quite simple, but surprisingly clever. AD sends all authentication and access requests to Silverfort. For each request, Silverfort analyzes its risk and related policies to determine whether MFA is required or not. Depending on the verdict, the user is granted access, blocked, or asked to provide MFA. In other words, the policy basically bypasses the inherent limitations of older protocols and enforces MFA on them.

Figure 3: Creating a policy

Discovering and Securing Service Accounts

Service accounts are a critical security challenge due to their high access privileges and low to zero visibility. Moreover, service accounts aren’t humans, so MFA is not an option, and neither is password rotation with PAM, which may crash critical processes if their logins fail. In fact, all organizations have multiple service accounts, sometimes as many as 50% of their total users, and many of them go unmonitored. That is why attackers love compromised service accounts: they can use them for lateral movement under the radar and gain access to a large number of machines without being noticed.


Figure 4 shows the Service Accounts screen. As Silverfort receives all authentication and access requests, it is able to identify service accounts by analyzing repetitive machine behaviors.

Figure 4: Service Accounts screen

It looks like we have 162 accounts under machine-to-machine. We can filter them based on a variety of parameters. Predictability, for example, measures repeated access to the same source or destination. Deviations from this pattern can indicate malicious activity.
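The predictability idea described above, sketched as an added example; this is not Silverfort's algorithm or code. The metric (share of an account's events covered by its two most frequent source/destination pairs), the thresholds, and the account and host names are all assumptions, and the events are constructed.

```python
from collections import Counter, defaultdict

def build_profiles(events):
    """Map account -> Counter of (source, destination) pairs seen in the baseline."""
    profiles = defaultdict(Counter)
    for account, src, dst in events:
        profiles[account][(src, dst)] += 1
    return profiles

def predictability(pairs, top_n=2):
    """Share of an account's events covered by its top_n most frequent pairs (0..1)."""
    total = sum(pairs.values())
    return sum(c for _, c in pairs.most_common(top_n)) / total if total else 0.0

def likely_service_accounts(profiles, min_events=5, threshold=0.9):
    """Accounts with enough traffic and highly repetitive source/destination pairs."""
    return {a for a, p in profiles.items()
            if sum(p.values()) >= min_events and predictability(p) >= threshold}

def deviations(profiles, service_accounts, new_events):
    """New events from a flagged account using a pair never seen in its baseline."""
    return [e for e in new_events
            if e[0] in service_accounts and (e[1], e[2]) not in profiles[e[0]]]

# Constructed sample data: (account, source host, destination host), all hypothetical.
BASELINE = (
    [("svc-backup", "bkp01", "fs01")] * 6
    + [("svc-backup", "bkp01", "fs02")] * 4
    + [("alice", "wks17", h)
       for h in ("fs01", "mail01", "wiki01", "git01", "hr01", "fs02")]
)
NEW = [
    ("svc-backup", "bkp01", "fs01"),  # matches the baseline pattern
    ("svc-backup", "wks17", "dc01"),  # source and destination never seen before
    ("alice", "wks17", "dc01"),       # interactive user, not scored by this check
]

PROFILES = build_profiles(BASELINE)
SERVICE = likely_service_accounts(PROFILES)
ALERTS = deviations(PROFILES, SERVICE, NEW)

if __name__ == "__main__":
    print("service accounts:", SERVICE)
    print("deviations:", ALERTS)
```

An account with many varied destinations, like the interactive user here, scores low and is left to other controls such as MFA; only the repetitive account is held to its baseline.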

In figure 5, we can see additional information about our service accounts, such as sources, destinations, risk indicators, privilege levels, and usage.

Figure 5: Service account Investigation screen

For each service account, policies are automatically created based on its behavior. All we have to do is choose between ‘alert’, ‘block’ and ‘alert to SIEM’, and enable the policy (figure 6).

Figure 6: Service account policies

Final Thoughts

Silverfort’s platform truly achieves its goal of unified identity protection. Its ability to enforce MFA on almost any resource (such as command-line tools, legacy apps, file shares, and many others) and create policies in seconds is unparalleled. Having full visibility into all service accounts and finally being able to protect them is extremely valuable. To conclude, Silverfort’s platform offers innovative identity protection capabilities that are becoming increasingly necessary every day.
