What are your users up to?
It’s a question that bedevils security and IT teams. It’s particularly problematic when it comes to privileged accounts with legitimate access to critical systems, because these accounts can be used to steal intellectual property.
Companies can tackle this problem with a variety of approaches, from database monitoring that keeps an eye on DBA activity, to DLP gateways that sniff for exfiltration of sensitive info, to network anomaly detection that looks for unusual network activity.
A Behavioral Firewall
Preempt, a security startup, offers its own take on the problem with a so-called behavioral firewall that targets user activity. The firewall is designed to spot anomalous behavior (Hey, why is Fred from IT logging into an HR system at midnight on Saturday?) and then enable a variety of responses.
These responses include blocking the action, forcing the user to reauthenticate, requiring two-factor authentication, notifying a third party, or simply logging the event.
The firewall sits in front of Active Directory domain controllers and learns the patterns of users and end points. It collects who does what on the network, what system privileges they have, what services are accessed, the time of day, and other data points.
The firewall can sit on a span port or be deployed inline. If you want the blocking capability, the firewall has to be deployed inline.
Data gathered by the firewalls is sent to a central manager that collects, stores, and analyzes the information. The central manager builds user profiles and can assign risk scores to help analysts and administrators identify potential trouble spots.
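As an added illustration (not Preempt's code, which the article does not show), the Python sketch below builds per-user baselines from constructed logon events, scores a new event by how far it departs from them, and maps the score onto the response tiers described above. The user names, point weights and thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict, namedtuple

# One logon observed at the domain controller: who, to what, when, and whether
# the account is privileged. Hours are 0-23; weekday 0 = Monday ... 6 = Sunday.
AuthEvent = namedtuple("AuthEvent", "user service hour weekday privileged")

# Constructed learning-period events standing in for what the sensor collects.
BASELINE = (
    [AuthEvent("fred", "it-ticketing", h, d, True) for d in range(5) for h in (9, 12, 16)]
    + [AuthEvent("alice", "hr-portal", h, d, False) for d in range(5) for h in (8, 13)]
)

def build_profiles(events):
    """Per-user profile: which services, hours and weekdays were seen."""
    profiles = defaultdict(lambda: {"services": set(), "hours": set(), "days": set()})
    for e in events:
        p = profiles[e.user]
        p["services"].add(e.service)
        p["hours"].add(e.hour)
        p["days"].add(e.weekday)
    return profiles

def risk_score(event, profiles):
    """Points for each way the event departs from the user's own baseline."""
    p = profiles.get(event.user)
    if p is None:
        return 60  # account never seen during learning: a signal in itself
    score = 0
    if event.service not in p["services"]:
        score += 40  # first access to this system
    if event.hour not in p["hours"]:
        score += 20  # outside the user's usual hours
    if event.weekday not in p["days"]:
        score += 20  # outside the user's usual days
    if event.privileged:
        score = int(score * 1.5)  # privileged accounts weigh more
    return score

def policy_response(score):
    """Map a score to the response tiers the article lists."""
    for threshold, action in ((100, "block"), (70, "step-up-mfa"), (40, "reauthenticate"), (20, "notify")):
        if score >= threshold:
            return action
    return "log"

PROFILES = build_profiles(BASELINE)

def evaluate(event, profiles=PROFILES):
    """Score one event against the learned profiles and pick a response."""
    score = risk_score(event, profiles)
    return score, policy_response(score)
```

Run against the article's own scenario, `evaluate(AuthEvent("fred", "hr-portal", 0, 5, True))` scores 120 and lands in the "block" tier, while Alice's routine 8 a.m. logon scores 0 and is merely logged.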
A feature called Preempt Insights provides snapshots and dashboards to help the organization identify privileged users, check password strength, and spot stale accounts that can be revoked.
Both the firewalls and central manager are virtual appliances that run on off-the-shelf hardware.
The company prices its software based on the number of users, but it didn’t provide any specifics.
No Easy Answers
Preempt has its positives and negatives. On the plus side, it provides visibility into actual user activity, and puts a second set of eyes on the domain controllers outside of the Active Directory admins. Those are useful features.
And if you implement automated policy responses, including blocking, you just might end up preventing a breach. That’s also a good thing.
On the downside, the firewalls create new attack surfaces that have to be monitored and maintained. The firewalls also require domain controller credentials, which creates its own set of risks. Finally, the firewalls have to be deployed inline to block activity, and inline deployment is touchy because it can block legitimate activity or impact performance. I don’t think performance will be an issue with this product, but false positives are a potential problem.
As you weigh the upsides and downsides, keep in mind there's no easy way to address the risks that come with user access to business systems. Balancing access and protection is always going to be a pain.
So the question becomes: how much pain are you willing to accept? To maximize the value of this system you'll need people to monitor and respond to it, follow up on alerts and notifications, clear false positives, tune policies, integrate third-party tools, update the software, and carry out all the other tedious diet-and-exercise practices that are necessary for a healthy IT environment.
This isn’t a knock against Preempt. You’ll get the same list with pretty much any monitoring or security product. It’s a necessary evil of risk management.
Preempt was founded in 2014, and has raised $10 million to date, including an $8 million Series A round from General Catalyst Partners. It has offices in the U.S. and Israel.
The company’s founders are IT and security veterans. CEO and co-founder Ajit Sancheti cofounded Mu Dynamics, which was acquired by Spirent, and was part of the team that created OneSecure, an early IPS acquired by NetScreen.
CTO and co-founder Roman Blachman was a researcher at Lacoon Mobile Security. He also served in the Israeli Defence Forces with a focus on cyber security.