Preempt Behavioral Firewall -- Top Use Cases

Security teams today struggle to find practical approaches to dealing with the threat of cyberattacks, breaches and insider threats without disrupting their business or overloading analysts. Despite promises, traditional User and Entity Behavior Analytics (UEBA) tend to generate many false positives and require manual investigation. On the other hand, enforcement methods such as next-generation firewalls lack an understanding of user behavior, and simple Allow or Deny responses risk disrupting the business.

The Preempt Behavioral Firewall bridges these two perspectives by pairing user behavior analysis to detect threats with a contextual automated response that redirects risky user behavior and proactively stops threats without disrupting the business. Policies take into account a user or entity’s role, behavior, and the target of their actions. Flexible response options can redirect user behavior, confirm a threat, or block once a threat is verified. This provides enormous flexibility, which lends itself to a wide variety of use cases.

Use Cases

Active Policy-Based Threat Prevention
Proactive Visibility and Management of Risky Behavior
Increased Operational Efficiency

Active Policy-Based Threat Prevention

Today many organizations are reluctant to take action based on behavioral analytics. Incidents are often inconclusive or unreliable, and enforcement options are often limited to crude Block or Allow options. This gives security teams only extreme responses to incomplete information. The Preempt Behavioral Firewall offers automated responses that continually learn and align with the needs of the business. Suspicious behavior can force a re-authentication or a challenge by multi-factor authentication to verify identity. Weak or exposed passwords can force a password change. Users can be demoted, isolated, or ultimately blocked based on risk.
All responses can be automated based on policy to ensure that risks are mitigated with minimal impact to users, and without manual intervention from staff.

Compromised Accounts - Attackers use compromised credentials to spread laterally through the network, turning a small system-level compromise into an enterprise-level compromise. Abnormal behavior can be automatically challenged via multi-factor authentication and subsequently trigger third-party response orchestration, isolation of the host, or notification to security analysts based on policy.

Compromised Users or Devices - Find signs of malware or an attacker on a device, such as abnormal or unknown protocols in use, attempts to escalate privileges, or the presence of new or unmanaged devices on the network.

Compromised Privileged Users and Service Accounts - Track privileged users such as administrators and prioritize their risk scores to drive more aggressive response policies. The same approach can be applied to service accounts, which are often hard to manage, yet can provide an attacker with easy access to key servers and data.

Compromised Hashes/Tickets - Techniques such as Pass-the-Hash and Pass-the-Ticket have long been critical tools for attackers to move laterally within the network. Preempt detects these techniques and once again can challenge the affected user via multi-factor authentication, or block or isolate the affected host.

Attacks Against Active Directory Infrastructure - Preempt constantly analyzes an organization’s authentication infrastructure for signs of abuse, including brute-force attacks, Golden Ticket attacks, forged PAC files, or attempts to harvest data from Active Directory.

Insider Access Abuse - The presence of a malicious insider, or simply a naive or impatient end-user, can quickly unravel the best laid plans of the security team.
By learning the normal working hours, locations, and typical assets and applications of a user, the solution can challenge and respond to any anomalous behavior.

Proactive Visibility and Management of Risky Behavior

End-users represent the greatest and most unpredictable risk to the security of enterprise data. Whether due to a simple mistake, a malicious insider, or a determined attacker, the path to a breach almost always goes through a user. The Preempt Behavioral Firewall continuously tracks and scores the behavior of every end user, privileged user, and host in the context of the assets being accessed. This multi-dimensional approach reveals when an individual user is at risk as well as the impact on the overall risk of the organization. Preempt then provides the option to turn insight into action that reduces the internal attack surface. Insights include:

Weak Passwords - Weak passwords are easily cracked by attackers to gain access to the network and its assets. Detect the use of weak passwords in the network to pinpoint insecure users and optionally force the user to re-authenticate and/or change their password based on policy.

Stale Accounts - Easily identify accounts of former employees, partners, and contractors in the network. Detect the use of any stale accounts, challenge suspicious usage, or notify staff based on policy.

Account Sharing - Quickly identify users or devices that are sharing accounts within the network. Challenge the user to determine their true identity, or notify staff based on policy.

Management of Privileged Users - The more privileged a user is, the more valuable they are. Both rogue admins and privileged account takeovers by an attacker are a big concern for security teams. Privileged accounts are automatically recognized, and suspicious or risky behavior of a privileged user can be prioritized.
Protection of High-Value Assets - Easily monitor and prioritize high-value users or assets such as executives or sensitive servers and databases. Contextual policies ensure that higher-value assets receive higher risk scores in response to any malicious or risky behavior.

Additional Insights - There are many other insights that the solution can provide, including identifying and tracking service accounts (as well as whether they should have cloud access or not), gaining visibility for other data sources, and more.

Increased Operational Efficiency

Security operations teams are overloaded and understaffed, and most UEBA products generate far more alerts than their team can possibly analyze. This often results in mountains of data that are only analyzed after a breach. The Preempt Behavioral Firewall helps overstressed teams by providing a layer of automation to verify and triage events and resolve false positives. Instead of putting the burden on humans to hunt and investigate, the solution can verify and validate the threat without manual intervention. This ultimately helps drive faster, more efficient investigations, alert review, incident response, and forensic analysis.

Event Triage and Prioritization - By cutting through the sea of extraneous events and alerts, security teams can focus on the few critical items that truly matter. Priority alerts can be triggered when a suspicious host fails a challenge such as multi-factor authentication, and high-value users, key assets, and privileged accounts can be automatically prioritized based on policy.

Incident Response - Incident responders are constantly measured on time to detection, response, and fix. With Preempt, they can accelerate IR timelines and the mitigation of incident damage with an automated solution that quickly identifies threats, pinpoints the users and devices at the heart of the problem, and isolates them from the network.
Forensic Analysis - Preempt provides quick, meaningful insight into the behavior of any user, account, or device. Analysts can dig into a full chronology of the entity’s behavior with insight into how that behavior deviated from previous norms.

Automatic Reduction of Alerts - Adaptive responses not only confirm and stop malicious events, but also prevent alerts for benign anomalies. For example, if a user is suspected of being compromised with malware but completes a second factor of authentication, then the alert can be automatically resolved based on policy. This reduces the total volume of alerts, but does so with certainty, and these activities are audited for future reference.

Conclusion

While we have addressed several of the most common use cases of the Preempt Behavioral Firewall, this is by no means an exhaustive list. At its heart, the solution is built on a policy engine that allows you to match users, behaviors, and assets into policy that meets the needs of your organization. Based on these criteria, you can invoke a wide range of responses that can escalate based on the situation. This ensures you can always take action that strikes the appropriate balance between security and enablement.

About Preempt

Preempt protects enterprises from security breaches and malicious insiders with an innovative and patented approach that couples User and Entity Behavior Analysis and Adaptive Response to provide the most proactive solution for both detecting and automatically responding to security threats.

Copyright 2017. All Rights Reserved. 020517-UC
Learn more about us at www.Preempt.com
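The policy engine the brief describes (score a user's behavior in the context of their role and the asset being touched, pick a graduated response, and auto-resolve the alert when a challenge such as multi-factor authentication is passed or escalate it when the challenge fails) can be modelled in a few dozen lines. The block below is a constructed illustration added to this page, not Preempt's code or any description of how Preempt's engine is implemented: the `Event` and `Response` names, the signal weights, the score thresholds, the 1..3 asset-sensitivity scale, and the sample events are all assumptions chosen to make the behaviour visible.

```python
"""Toy behavior-aware policy engine (constructed example, not Preempt's code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Response(Enum):
    ALLOW = "allow"
    CHALLENGE_MFA = "challenge_mfa"
    FORCE_PASSWORD_CHANGE = "force_password_change"
    ISOLATE_HOST = "isolate_host"
    BLOCK = "block"


@dataclass
class Event:
    user: str
    privileged: bool            # administrators and service accounts are weighted higher
    asset_sensitivity: int      # constructed scale: 1 (ordinary) .. 3 (executive, sensitive server)
    anomaly: float              # 0.0 .. 1.0, deviation from the learned baseline (hours, location, assets)
    signals: set = field(default_factory=set)   # hard indicators, e.g. {"pass_the_hash"}


# Constructed weights for the indicator types the text names.
SIGNAL_WEIGHTS = {
    "weak_password": 10,
    "stale_account": 20,
    "account_sharing": 20,
    "pass_the_hash": 40,
    "pass_the_ticket": 40,
    "golden_ticket": 90,
}


def risk_score(e: Event) -> int:
    """Combine behavioral deviation and hard indicators, then scale by context."""
    base = e.anomaly * 50 + sum(SIGNAL_WEIGHTS.get(s, 0) for s in e.signals)
    # Contextual policy: a privileged user or a high-value asset raises the score.
    context = (1.5 if e.privileged else 1.0) * (1 + 0.25 * (e.asset_sensitivity - 1))
    return min(100, round(base * context))


def decide(e: Event) -> Response:
    """Graduated response: redirect first, block only when risk is very high."""
    score = risk_score(e)
    if score >= 90:
        return Response.BLOCK
    if score >= 70:
        return Response.ISOLATE_HOST
    if score >= 30:
        return Response.CHALLENGE_MFA
    if "weak_password" in e.signals:
        return Response.FORCE_PASSWORD_CHANGE
    return Response.ALLOW


AUDIT_LOG: list = []   # every automated decision is kept for later forensic review


def resolve(e: Event, mfa_passed: Optional[bool] = None) -> dict:
    """Apply the policy and, for a challenge, close or escalate based on its outcome."""
    decision = decide(e)
    record = {"user": e.user, "score": risk_score(e), "response": decision.value}
    if decision is Response.CHALLENGE_MFA and mfa_passed is True:
        # Benign anomaly confirmed by a second factor: resolved with no analyst involved.
        record.update(status="auto_resolved", priority=False)
    elif decision is Response.CHALLENGE_MFA and mfa_passed is False:
        # Failed challenge: escalate to host isolation and raise a priority alert.
        record.update(status="open", priority=True, response=Response.ISOLATE_HOST.value)
    elif decision is Response.ALLOW:
        record.update(status="none", priority=False)
    else:
        # Pending challenge, password change, isolation or block: alert stays open;
        # only the severe responses are marked as priority for the analyst queue.
        record.update(status="open",
                      priority=decision in (Response.ISOLATE_HOST, Response.BLOCK))
    AUDIT_LOG.append(record)
    return record


if __name__ == "__main__":
    # Constructed sample events
    print(resolve(Event("alice", False, 1, 0.7), mfa_passed=True))                  # challenge, auto_resolved
    print(resolve(Event("bob", False, 2, 0.3, {"pass_the_hash"}), mfa_passed=False)) # challenge fails, isolate
    print(resolve(Event("svc-backup", True, 3, 0.4, {"pass_the_ticket"})))          # privileged + sensitive, block
    print(resolve(Event("carol", False, 1, 0.1, {"weak_password"})))                # low risk, password change
```

The same observed indicator produces different outcomes depending on context: `bob`'s Pass-the-Hash signal on an ordinary asset earns an MFA challenge that only escalates when he fails it, while the same class of signal from a privileged service account against a sensitive server scores high enough to be blocked outright. Every outcome, including the auto-resolved one, lands in `AUDIT_LOG`, which is what lets a team shrink its alert volume without losing the record.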