The new offering has already assisted several Fortune 500 companies in recent breaches; it complements existing incident response (IR) tools to help teams immediately contain attacks and reduce their blast radius
Boston, Mass. — September 30, 2024 — Silverfort, the leading unified identity security company, announced its Identity-First Incident Response solution, accelerating attack remediation times by complementing existing incident response (IR) tools and optimizing IR processes. Silverfort has the only solution that flips the script on conventional IR playbooks, enabling IR teams to start their investigation by discovering and locking down compromised accounts first, then move on to identify infected machines and malicious network traffic. With this approach, security teams can save valuable time—in some cases, days and nights of non-stop work.
A traditional incident response process starts by searching for infected machines or monitoring network logs to spot anomalous traffic. Pinpointing stolen identities—human users or non-human identities (NHI)—is usually the last piece in the puzzle, giving malicious actors the time and space to continue propagating inside a network during an investigation. In fact, identifying and containing a breach involving stolen credentials can take upwards of 292 days.
Silverfort Turns the Traditional IR Process Upside Down
For the first time, IR teams can start an investigation by identifying and containing compromised accounts, effectively freezing malicious activity. Using a combination of machine learning (ML) and artificial intelligence (AI), IR practitioners have access to highly actionable telemetry providing the evidence of what accounts and users need to be blocked, and what accounts can remain operational while they run down the source of an incident.
“When responding to large incidents where lateral movement has taken place, it can be difficult to identify the impacted assets. Often, practitioners have to make difficult decisions with incomplete information when deploying containment actions, balancing attacker damage against business disruption. Having the ability to immediately challenge all authentication events while still allowing business operations to continue is like a surgeon having the ability to slow a patient’s heartbeat in order to perform surgery. You can effectively put an entire company ‘under,’ without stopping productivity, while you investigate the source of the issue,” said Eric Haller, Silverfort Advisor and former VP of Sec Ops & GRC at Palo Alto Networks. “With Silverfort, teams have a partner who gives them actionable telemetry about what needs to be contained so they can keep their businesses operational—and not kill productivity—while they investigate and figure out the best path towards recovery and remediation.”
Identity-First Approach Stops Threat Actors in their Tracks
Silverfort’s Identity-First IR Solution brings identity to the forefront, freezing stolen accounts and stopping lateral movement to reduce the impact of an incident and accelerate remediation time. It can be rapidly deployed mid-breach (within less than 12 hours for an organization with 50,000 users, as demonstrated recently) to detect and contain compromised accounts and identify which systems, users, or other assets within the environment have been compromised. An identity-first approach to incident response relieves the burden of sifting through logs and network activity to identify compromised users and makes the overall IR process more efficient.
“Incident response is a race against the clock. In today’s rapidly changing threat landscape and sophisticated AI-backed threat actors, security teams can’t afford to be hunting for an anomaly when potential attacks occur or systems go down,” said Ron Rasin, Chief Strategy Officer at Silverfort. “While there’s an established IR playbook to handle malware and network aspects of cyberattacks, the identity aspect is still a challenge. Silverfort’s IR solution complements existing tools by instantly blocking compromised identities and adjacent machines and offering immediate visibility into those machines. We stanch the bleeding to ensure a safe recovery.”
Instantly Activate an “Authentication Firewall” for Domain Controllers and IAM Infrastructure
Silverfort integrates with an existing IR strategy in a crisis scenario and is the only identity security platform that can activate a firewall for the identity infrastructure, including Active Directory Domain Controllers. Once deployed, Silverfort identifies compromised user accounts and can activate its Authentication Firewall to block and contain the breach. Essentially, the Authentication Firewall acts as a freeze button or “kill switch,” analyzing every authentication and access attempt and denying requests to critical resources until IR teams have the upper hand. Silverfort will broadly deploy multi-factor authentication (MFA) to every identity and resource, and configure “block access” policies for suspected user accounts or groups. Once these policies are activated, any additional malicious authentication attempts will be blocked. Silverfort has proven this approach can reduce remediation times to days rather than weeks, and dramatically reduce the potential damage from a breach.
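The containment logic described above, reduced to a toy policy engine as an added illustration (this is not Silverfort's code or API; the event fields, decision labels and sample events are all constructed here): known-compromised identities are blocked outright, machines those identities authenticated from are treated as adjacent and blocked, critical resources are denied while the freeze is on, and every remaining request must satisfy an MFA challenge.

```python
"""Toy model of an identity-first containment policy (constructed for illustration)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    user: str             # human or non-human identity
    source_host: str      # machine the request originated from
    target: str           # resource being accessed
    mfa_ok: bool = False  # True when a step-up MFA challenge was satisfied


def adjacent_hosts(events, compromised_users):
    """Hosts a known-compromised identity authenticated from: candidates for containment."""
    return {e.source_host for e in events if e.user in compromised_users}


def decide(event, compromised_users, contained_hosts, critical_resources, freeze=True):
    """Containment decision for a single authentication attempt, most severe rule first."""
    if event.user in compromised_users:
        return "BLOCK_USER"          # 'block access' policy for the suspected account
    if event.source_host in contained_hosts:
        return "BLOCK_HOST"          # adjacent machine, blocked regardless of identity
    if freeze and event.target in critical_resources:
        return "DENY_CRITICAL"       # freeze button: critical resources denied to everyone
    if not event.mfa_ok:
        return "MFA_REQUIRED"        # MFA broadly enforced on every remaining identity
    return "ALLOW"


# Constructed sample authentication trail (hypothetical users, hosts and resources).
EVENTS = [
    AuthEvent("svc-backup", "ws-17", "fileserver01"),       # compromised service account
    AuthEvent("alice", "ws-17", "mail01", mfa_ok=True),     # clean user, but from ws-17
    AuthEvent("bob", "ws-42", "dc01", mfa_ok=True),         # domain controller is critical
    AuthEvent("carol", "ws-08", "intranet", mfa_ok=True),   # clean user, MFA satisfied
    AuthEvent("dave", "ws-09", "intranet"),                 # clean user, no MFA yet
]
COMPROMISED = {"svc-backup"}
CRITICAL = {"dc01"}


def run_containment(events=EVENTS, compromised=COMPROMISED, critical=CRITICAL):
    """Apply the policy to the whole trail; returns {'user@host->target': decision}."""
    hosts = adjacent_hosts(events, compromised)
    return {f"{e.user}@{e.source_host}->{e.target}": decide(e, compromised, hosts, critical)
            for e in events}


if __name__ == "__main__":
    for key, verdict in run_containment().items():
        print(f"{key}: {verdict}")
```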
“Silverfort immediately helped in the mitigation of compromised users, and was key in tracking down compromised identities as we brought our Domain Controllers back online,” said an identity leader from a Fortune 100 financial services company that recently went through a breach. “We worked quickly with the IR team to immediately put blocking policies in place for the compromised identities.”
Key benefits of Silverfort’s Identity-First Incident Response Solution include:
- Block a compromised user account in real time: Trigger MFA or block access instantly to stop an attack as it happens, providing security teams with actionable forensic data.
- Automatically flag risky users and computers: Investigate threats and gain visibility into what compromised users did. Easily cruise through different compromised computers and users in the environment to get a clear picture of what’s been compromised.
- Instantly deny access to any machine or resource: With Silverfort’s Authentication Firewall, IR teams can automatically restrict access to limit an incident’s blast radius.
- Highest-precision risk analysis and MFA verification: Analyze every login based on each user’s full authentication trail and verify detected threats with MFA to reduce false positives and unburden security teams.
- Seamlessly integrate with existing Security Operations Infrastructure:
  - Incorporate identity protection measures (e.g., MFA, service account protection, access block) into an existing SOAR automated playbook.
  - Provide XDR with identity-related threat signals and suspected attacks. Ingest endpoint, network, and other telemetry to enrich context and refine the precision of detected threats.
  - Exchange data with the SIEM for mutual correlation of risk signals, optimizing and enhancing insights into each user account’s exposure to compromise or involvement in an active attack.
- Comprehensive coverage of the hybrid environment: Every authentication and access attempt—whether by a human or NHI—is monitored, on-prem or in the cloud.
Silverfort has spent years purposely designing its platform to eliminate the silos and blind spots that plague an organization’s identity infrastructure, which no other solution has managed to address so far. The platform extends modern identity security measures to every enterprise resource, on-prem, in the cloud, human or NHI, providing a unified identity security layer that works effortlessly and instantly. By holistically enabling these modern identity security controls, even for previously unprotectable assets, customers can stop the most dangerous identity-based attacks, quickly comply with strict regulations, and meet their cyber insurance requirements.
Learn more about Silverfort’s Unified Identity Security Platform and download our Identity Incident Response Playbook.