Malicious attacks carried out with stolen credentials are every CIO, CISO or CxO's worst nightmare. Stolen credentials are hard to detect, and the malicious acts that follow require deep forensics to discover and remediate.

Attackers holding stolen credentials get untold amounts of time to exfiltrate massive amounts of critical data completely undetected.

Below are the most common methods of credential theft used against global enterprises:

  1. Spear phishing attacks & social engineering scams
  2. Single Sign On (SSO) or Authentication Service attacks
  3. DNS alterations and redirection
  4. Certificate database theft
  5. Web browser vulnerabilities, proxy settings etc.

These are just a few of the many; more complicated methods such as zero-day vulnerabilities, keyloggers, shoulder surfing, and brute-force attacks are being uncovered every day.

With so many ways to acquire credentials, what can really be done to stop attackers from posing as authenticated users?

Today we’ll explore three existing solutions, including multi-factor authentication, perimeter enforcement, and behavioral analysis for data exfiltration attempts.

Multi-factor authentication (MFA) for all critical applications and databases

MFA, or two-step authentication, has become the new standard for login, requiring a username and password as well as a second factor such as a personal question, biometrics, a generated passcode, or a push notification, to name a few.

When diligently implemented, MFA provides stronger authentication and user access controls. However, if it is not implemented diligently on every application and every platform, MFA is little more than a deterrent and can be bypassed by clever attacks.

Perimeter scanning for external authentication patterns

Authentication pattern scanning combined with 2FA/MFA can improve credential security as long as it happens locally, rather than in the cloud or off-prem. New security capabilities in perimeter appliances can identify phishing attacks, but they do little to prevent attackers from entering with credentials stolen by other means.

Data exfiltration detection and mitigation

Perhaps the most debated modern approach is behavioral analysis. Confidence in this method is understandably low, given the complex nature of application and user dynamics. As with the other typical methods, little is done at the perimeter to stop data exfiltration at its core.

Pico-Segmentation & App-Native Security

Modern threat surfaces are huge, consisting of on- and off-prem servers, multiple cloud providers, containers, and more. One new, rather atypical approach is to create extremely small, automatically generated, zero-trust, positive-reinforced 'segments' within application ecosystems that identify all major breach attempts with extremely high confidence.

With proper pico-segmentation, apps and databases secure themselves, rather than relying on perimeter scanning. This includes protection against:

  1. Zero-day vulnerabilities
  2. Malware & APTs
  3. Session hijacking & spoofing
  4. SQL injection
  5. Data exfiltration

Pico-segmentation, patented by Avocado in 2017, is a rather new concept. Over the last few years, Avocado has been tested and validated by MongoDB, Oracle, RedHat, Azure, and more.

By identifying and securing applications in real time as they are deployed, with no human intervention, this approach prevents exfiltration completely independently of credentials.

The pressure of business agility and time to market (TTM) often forces enterprises to cut corners on security. Pico-segmentation methods close the gaping hole of credential theft without adding complex, expensive appliances.

Adding pico-segmentation capabilities to your system might be the answer. Avocado allows for fully-granular segmentation and application-native protection for all platforms and app languages.

If you'd like to see what we can do for you, try our free 30-day trial on your system and see just how effective it can be.
