On this article, we are going to present a quick overview of Silverfort’s platform, the primary (and presently solely) unified identification safety platform available on the market. Silverfort’s patented know-how goals to guard organizations from identity-based assaults by integrating with present identification and entry administration options, similar to AD (Lively Listing) and cloud-based companies, and increasing safe entry controls like Danger-Primarily based Authentication and MFA (Multi-Issue Authentication) to all their sources. This consists of on-prem and cloud sources, legacy programs, command-line instruments and repair accounts.
A current report by Silverfort and Osterman Analysis revealed that 83% of organizations worldwide have skilled knowledge breaches as a result of compromised credentials. Many organizations admit that they’re underprotected in opposition to identity-based assaults, similar to lateral motion and ransomware. Assets like command-line entry instruments and legacy programs, that are extensively used, are significantly difficult to guard.
Getting Began: Utilizing the Dashboard
Beneath is a screenshot of Silverfort’s dashboard (determine 1). General, it has a really intuitive person interface. On the left is an inventory of person varieties: privileged customers, customary customers, and repair accounts, and the way they entry sources: by means of on-prem and cloud-based directories (AD, Azure AD, Okta), federation servers (Ping, ADFS), and VPN connections (RADIUS). The best facet of the display shows an inventory of the completely different useful resource varieties customers try to entry. The entry makes an attempt are represented by glowing dots.
This show showcases the platform’s distinctive differentiator – it is the one resolution as we speak that is able to integrating with your complete identification infrastructure within the hybrid setting. With this integration in place, the completely different on-prem and cloud directories ahead each authentication and entry try to Silverfort for evaluation and verdict whether or not to permit entry or deny. In that method, actual time safety for any person and useful resource is achieved, as we’ll quickly see in additional element.
The dashboard additionally exhibits aggregations of worthwhile identity-related knowledge: variety of authentication makes an attempt by protocols and directories, proportion of verified authentications, variety of customers and repair accounts efficiently protected, and a breakdown of customers by threat degree (medium, excessive, vital).
The platform consists of numerous modules with every one addressing a unique identification safety problem. We’ll now discover two of them: Superior MFA and Service Account Safety.
Defending Assets with Superior MFA
MFA has confirmed to be probably the most efficient methods to guard in opposition to identity-based assaults. Nonetheless, having MFA safety on all community belongings is fairly laborious.
MFA historically depends on brokers and proxies, which suggests some computer systems won’t ever be coated by it. Both as a result of your community is just too massive to have proxies on each single pc, or as a result of not all computer systems are able to putting in brokers.
Need to see Silverfort in motion? Schedule a free demo with our staff of specialists as we speak!
Furthermore, command-line entry instruments, similar to PsExec, PowerShell, and WMI, regardless of being extensively utilized by community admins, don’t natively assist MFA. These and different on-prem authentications are managed by AD, however AD authentication protocols (Kerberos, NTLM) have been merely not designed for MFA, and attackers know that. AD solely checks whether or not usernames and passwords match, so attackers utilizing reputable credentials (which can or might not be compromised) can entry the community and launch lateral motion and ransomware assaults with out AD figuring out. Silverfort’s main benefit is that it may well truly implement MFA on all of those, one thing different options cannot.
On the coverage display (determine 2) you may view present insurance policies or create new ones.
 |
| Determine 2: Coverage display |
Creating a brand new coverage appears fairly intuitive, as seen in determine 3. We have to decide the authentication kind, the related protocols, what customers, sources, and locations the coverage covers, and the motion required. What occurs right here is definitely fairly easy, however surprisingly intelligent. AD sends all authentication and entry requests to Silverfort. For every request, Silverfort analyzes its threat and related insurance policies to find out whether or not MFA is required or not. Relying on the decision, the person is granted entry, blocked, or requested to supply MFA. In different phrases, the coverage mainly bypasses the inherent limitations of older protocols and enforces MFA on them.
 |
| Determine 3: Making a coverage |
Discovering and Securing Service Accounts
Service accounts are a vital safety problem as a result of their excessive entry privileges and low to zero visibility. Furthermore, service accounts aren’t people, so MFA is not an possibility, and so is password rotation with PAM, which can crash vital processes if their logins fail. In actual fact, all organizations have a number of service accounts, typically as many as 50% of their general customers, and lots of of them go unmonitored. That is why attackers love compromised service accounts- they will use them for lateral motion beneath the radar and achieve entry to a lot of machines with out being seen.
Determine 4 exhibits the Service Accounts display. As Silverfort receives all authentication and entry requests, it is ready to determine service accounts by analyzing repetitive machine behaviors.
 |
| Determine 4: Service Accounts display |
It appears to be like like we have now 162 accounts beneath machine-to-machine. We are able to filter them primarily based on a wide range of parameters. Predictability, for instance, measures repeated entry to the identical supply or vacation spot. Deviations from this sample can point out malicious exercise.
In determine 5, we will see further details about our service accounts, similar to sources, locations, threat indicators, privilege ranges, and utilization.
 |
| Determine 5: Service account Investigation display |
For every service account, insurance policies are robotically created primarily based on its conduct. All we have now to do is select between ‘alert’, ‘block’ and ‘alert to SIEM’, and allow the coverage (determine 6).
 |
| Determine 6: Service account insurance policies |
Ultimate Ideas
Silverfort’s platform really achieves its aim of unified identification safety. Its capability to implement MFA on virtually any useful resource (similar to command-line instruments, legacy apps, file shares, and lots of others) and create insurance policies in seconds is unparalleled. Having full visibility into all service accounts and at last with the ability to shield them is extraordinarily worthwhile. To conclude, Silverfort’s platform presents revolutionary identification safety capabilities which might be changing into more and more vital every day.
