Malicious attacks carried out with stolen credentials are every CIO, CISO or CxO's worst nightmare. Stolen credentials are hard to detect, and subsequent malicious acts require deep forensics to discover and remediate.

Hackers with stolen credentials are allowed untold amounts of time to exfiltrate massive amounts of critical data completely undetected.
Below are the most common methods for credential theft used against global enterprises:
- Spear phishing attacks & social engineering scams
- Single Sign On (SSO) or Authentication Service attacks
- DNS alterations
- Certificate database
- Web browser vulnerabilities, proxy settings etc.
These are just a few of the many, with more complicated methods like zero day vulnerabilities, keyloggers, shoulder surfing, and other brute force methods being uncovered every

With so many ways to acquire credentials, what can really be done to stop attackers from posing as authenticated
Today we'll explore three existing solutions, including multi-factor authentication, perimeter enforcement, and behavioral analysis for data exfiltration attempts.
Multi-factor authentication (MFA) to all critical applications
MFA, or 2-stage authentication, has become the new standard for login, requiring a user name and password as well as a personal question, biometrics, generated passcodes, or push notifications, to name a few.

When diligently implemented, MFA can provide better authentication and user access controls. However, if not implemented diligently on every application and every platform, MFA is little more than a deterrent and can easily be bypassed by clever attacks.
Perimeter scanning for external authentication patterns
scanning along with 2FA/MFA can improve credential security as long as it happens locally, rather than in-cloud or off-prem. New security capabilities in perimeter appliances can identify phishing attacks, but do little to prevent attackers from entering using credentials stolen by other means.
Data exfiltration detection and mitigation
Perhaps the most debated modern approach is behavioral analysis. Confidence in this method is understandably low, given the complex nature of application and user dynamics. As with the other typical methods, little is done at the perimeter to stop data exfiltration at its core.
Pico-Segmentation & App-Native
Modern threat surfaces are huge, consisting of on- and off-prem servers, multiple cloud providers, containers, and more. One new, rather atypical approach is to create extremely small, automatically-generated zero-trust and positive-reinforced 'segments' within application ecosystems to identify all major breach attempts with extremely

pico-segmentation, apps and databases secure themselves, rather than relying on perimeter scanning. This includes protection against:
- Zero-day vulnerabilities
- Malware & APTs
- Session hacking & spoofing
- SQL Injections
- Data exfiltration
by Avocado in 2017, is a rather new concept. Over the last few years, Avocado has been tested and validated by MongoDB, Oracle, RedHat, Azure, and more.

By identifying and securing applications in real-time as they're deployed with no human intervention, this approach prevents exfiltration completely independent of
Business agility and Time to Market (TTM) often force them to cut corners on security. Pico-segmentation methods fix the gaping hole of credential theft without adding complex, expensive appliances.
Adding pico-segmentation capabilities to your system might be the answer. Avocado allows for fully-granular segmentation and application-native protection for all platforms and app languages.
If you'd like to see what we can do for you, give our free 30-day trial a try on your system, and see just how effective it can be.
that shows how pico-segmentation works or why people should turn to it.