Just-In-Time Admin and EDR: Better Together!
by JD Sherry, on Mar 22, 2021
As various strains of ransomware continue to manifest themselves across the world’s networks, next-generation defenses are being procured and deployed rapidly, just to keep pace with today’s “new normal.” Most often, organizations are migrating toward Endpoint Detection and Response (EDR) technologies. They use these in one of two ways: to react to a breach that’s already happened or to proactively deploy a stronger, deeper defense against ransomware. To that end, many enterprise security programs today are prioritizing EDR technologies from leading players like VMware Carbon Black, CrowdStrike, SentinelOne, Palo Alto Networks, and Microsoft.
Although the data shows that these technologies are moving the needle and better protecting customers, the deployments alone aren’t the whole solution. Defense in depth is still critical in today’s modern enterprise. Especially when an attacker only needs a stolen credential or hash to become a digital insider and achieve lateral movement in your network.
Consider this example: suppose an attacker gains access to Jim’s ID, either through phishing or through a stolen password hash (the form in which the computer stores the password). Then, that attacker uses that ID to access a server that Jim never accesses. Jim’s company has an EDR solution. That EDR solution sees Jim’s ID knocking on the door to that server. It knows that Jim has never tried to access it before. That EDR solution blocks his access with an MFA request. The attacker pounds his fist on the table because he can’t respond to the MFA request. It went to Jim’s phone. The attacker fails and moves on to find a new victim, preferably one without an EDR solution.
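The detection in the story above is a "first-seen" check: the user's past logons form a baseline, and a logon to a host that user has never reached before triggers an MFA step-up instead of a silent allow. The following is an added example of that logic, not code from Remediant, Carbon Black or any EDR vendor; the logon records are constructed, and the four-field line layout (timestamp, user, host, result) is an assumption.

```python
"""Baseline-then-detect: flag a user's first-ever logon to a host and ask for MFA.

Added illustration, not any vendor's code. The events below are constructed and
the field layout is an assumption; a real deployment would read authentication
events from the EDR or domain controller logs.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample of network logons: "<timestamp> <user> <host> <result>".
# Jim normally touches the two file servers; on 03-20 his ID suddenly reaches
# a SQL server and a domain controller at 03:00.
LOGON_EVENTS = """\
2021-03-01T08:02:11Z jim FILESRV01 success
2021-03-01T09:15:40Z jim FILESRV01 success
2021-03-02T08:05:02Z jim FILESRV02 success
2021-03-02T10:41:27Z ana SQLSRV01 success
2021-03-03T08:00:59Z jim FILESRV01 success
2021-03-20T03:12:08Z jim SQLSRV01 success
2021-03-20T03:14:45Z jim DC01 success
2021-03-20T09:30:00Z ana SQLSRV01 success
"""

# Everything before this instant is treated as known-good history (assumption).
BASELINE_END = datetime.fromisoformat("2021-03-10T00:00:00")


def parse_events(text):
    """Turn the constructed log text into (timestamp, user, host, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, host, result = line.split()
        # rstrip("Z") keeps this working on Python versions whose fromisoformat rejects "Z".
        events.append((datetime.fromisoformat(ts.rstrip("Z")), user, host, result))
    return events


def build_baseline(events, until):
    """Map each user to the set of hosts they successfully reached before `until`."""
    seen = defaultdict(set)
    for ts, user, host, result in events:
        if ts < until and result == "success":
            seen[user].add(host)
    return seen


def detect_first_seen(events, baseline, after):
    """Return (user, host, timestamp, decision) for every logon at or after `after`.

    A host the user has never reached before gets decision "step_up_mfa"; a
    known host gets "allow". An entirely unknown user has an empty baseline,
    so all of that user's logons are challenged. The baseline is not mutated.
    """
    known = {user: set(hosts) for user, hosts in baseline.items()}
    decisions = []
    for ts, user, host, result in events:
        if ts < after:
            continue
        if host in known.get(user, set()):
            decisions.append((user, host, ts.isoformat(), "allow"))
        else:
            decisions.append((user, host, ts.isoformat(), "step_up_mfa"))
    return decisions


def challenged_pairs(decisions):
    """Convenience view: just the (user, host) pairs that were sent to MFA."""
    return [(u, h) for u, h, _, d in decisions if d == "step_up_mfa"]


if __name__ == "__main__":
    evs = parse_events(LOGON_EVENTS)
    base = build_baseline(evs, BASELINE_END)
    for row in detect_first_seen(evs, base, BASELINE_END):
        print(*row)
```

Run as a script it prints one decision per post-baseline logon; Jim's two 03:00 logons to SQLSRV01 and DC01 are the ones that would be held for MFA, while Ana's routine SQLSRV01 logon passes. The baseline window is the knob that matters in practice: too short and every normal rotation of duties becomes a challenge, too long and an attacker who has been present for a while is already "normal".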
If you want to frustrate your own attackers, an effective way to do that is through an identity-centric approach to security. When you add identity management to your EDR solution, you get improved protection against ransomware and other cyberattacks. They’re better together.
That’s why we’re announcing our new integration with VMware’s Carbon Black today.
Zero Trust’s Place in the EDR Ecosystem
Remediant SecureONE is a privileged access management (PAM) solution, laser-focused on helping you stand up a Zero Trust model for administrator access—quickly, simply, elegantly, and without agents. Our approach removes the threat of lateral movement by removing 24x7 admin rights.
So, where does that fit into your EDR control environment? Simple: running SecureONE, that attacker wouldn’t be able to use Jim’s ID, because Jim’s standing admin access would already have been identified and removed through the Just-in-Time (JIT) administrative access model you put in place when installing SecureONE.
Through that model, Jim only has that access when he needs it and must go through multi-factor authentication (MFA) to get it. It’s not lying in wait for attackers to find—days, months, or even years later. With a Zero Trust administrative access model, attackers never find their way behind the wall at all, because Jim’s standing admin access won’t be there for them to use as a sledgehammer when they beat down your walls and move laterally through your network.
With Zero Trust, you get a truly hardened footprint that protects you from credential theft and lateral movement within the environment. Adding Zero Trust to your EDR solution via Just-In-Time Administration puts your organization on the road to XDR.
What Is EDR? What Is XDR?
EDR, or Endpoint Detection and Response, monitors the endpoints of your system. EDR records and stores endpoint activity and uses algorithms to red-flag anything that looks suspicious. EDR solutions alert your IT security team and can trigger your incident detection and response process when something doesn’t look right. They also block that activity and can mitigate harmful actions as they occur or soon after.
XDR, Extended Detection and Response, takes that one step further. XDR combines the benefits people have come to expect from EDR solutions with other security controls, processes, and methodologies—like Zero Trust. Adopting XDR allows companies to stage a more cohesive, unified defense against would-be attackers. Gartner explains XDR in much greater detail here.
How Does SecureONE Improve EDR?
When you add Remediant SecureONE to a true EDR solution, you keep all of EDR’s core strengths:
- Suspicious activity detection, validation, and alerts
- Incident detection and response
- Threat monitoring
But you also get Remediant SecureONE’s ability to enforce Zero Standing Privilege across your IT ecosystem. So, while your EDR solution continues to root out suspicious activity at your endpoints and mitigate any damage before it proliferates, Remediant SecureONE enforces a Zero Trust model over administrative access. Removing excess standing privilege from your network takes away a key tool attackers seek out when your EDR solution fails. Integration allows for automated removal of admin accounts and the proactive locking down of access. It also enables live responses when IOCs (indicators of compromise) and/or IOAs (indicators of attack) are triggered. Together, Remediant SecureONE and your EDR solution perform critical actions during an incident, like the immediate removal of accounts from an asset and the prevention of new accounts being added.
With SecureONE, you get a solution that doesn’t just inform you of the excess standing privilege that’s already enlarging your attack surface, you also get a solution that removes that access, automatically and immediately. Going forward, SecureONE administers the Just-in-Time provision of privileged access, so bad habits and privilege access can’t drift back into the equation.
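The section above describes five moves: inventory standing admin rights, strip them, hand admin back only Just-in-Time behind MFA and for a bounded time, let it lapse automatically, and, on an EDR indicator, pull every admin off the affected asset and refuse new grants. What follows is an added, in-memory simulation of that policy, written here to make the sequence concrete; it is not SecureONE's or Carbon Black's code. The host names, the `svc-emergency` break-glass account and the `on_ioc` entry point are constructed, and a real implementation would change local group membership on the endpoint and consume the IOC from the EDR's alert feed rather than from a method call.

```python
"""Zero-standing-privilege / Just-in-Time admin broker, simulated in memory.

Added illustration, not any vendor's code. Hosts, accounts, the break-glass
exemption and the IOC hook are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed: accounts that are never removed (emergency access).
BREAK_GLASS = {"svc-emergency"}


@dataclass
class Host:
    name: str
    local_admins: set = field(default_factory=set)  # current Administrators membership
    quarantined: bool = False                       # set when the EDR reports an IOC/IOA


@dataclass
class Grant:
    user: str
    host: str
    expires: datetime


class JitBroker:
    def __init__(self, hosts, ttl=timedelta(hours=1)):
        self.hosts = {h.name: h for h in hosts}
        self.ttl = ttl            # how long a JIT grant lives
        self.grants = []          # active grants only

    def standing_privilege(self):
        """Step 1: inventory admin rights that sit there 24x7 (reusable with a stolen hash)."""
        return {h.name: sorted(h.local_admins - BREAK_GLASS) for h in self.hosts.values()}

    def remove_standing_privilege(self):
        """Step 2: strip every non-break-glass admin; returns how many memberships went."""
        removed = 0
        for h in self.hosts.values():
            doomed = h.local_admins - BREAK_GLASS
            removed += len(doomed)
            h.local_admins -= doomed
        return removed

    def request_access(self, user, host, mfa_passed, now):
        """Step 3: admin only for an MFA-verified user, only on a clean host, only for ttl."""
        h = self.hosts[host]
        if not mfa_passed:
            return "denied: mfa"
        if h.quarantined:
            return "denied: host quarantined"
        self.grants.append(Grant(user, host, now + self.ttl))
        h.local_admins.add(user)
        return "granted"

    def expire(self, now):
        """Step 4: revoke grants whose TTL has elapsed; membership is kept only while
        some other grant for the same user/host is still live."""
        live = [g for g in self.grants if g.expires > now]
        lapsed = [g for g in self.grants if g.expires <= now]
        still_active = {(g.user, g.host) for g in live}
        for g in lapsed:
            if (g.user, g.host) not in still_active:
                self.hosts[g.host].local_admins.discard(g.user)
        self.grants = live
        return len(lapsed)

    def on_ioc(self, host):
        """Step 5: EDR live response. Pull every JIT admin off the asset and block new grants
        until someone clears the quarantine. Returns the users that were removed."""
        h = self.hosts[host]
        h.quarantined = True
        revoked = sorted({g.user for g in self.grants if g.host == host})
        self.grants = [g for g in self.grants if g.host != host]
        h.local_admins -= set(revoked)
        return revoked


if __name__ == "__main__":
    broker = JitBroker(
        [Host("FILESRV01", {"jim", "helpdesk", "svc-emergency"}), Host("DC01", {"jim"})],
        ttl=timedelta(minutes=30),
    )
    print("standing:", broker.standing_privilege())
    print("removed:", broker.remove_standing_privilege())
    t0 = datetime(2021, 3, 22, 9, 0)
    print("no MFA:", broker.request_access("jim", "DC01", mfa_passed=False, now=t0))
    print("with MFA:", broker.request_access("jim", "DC01", mfa_passed=True, now=t0))
    print("expired after 30 min:", broker.expire(t0 + timedelta(minutes=30)))
    broker.request_access("jim", "FILESRV01", mfa_passed=True, now=t0)
    print("IOC on FILESRV01 revoked:", broker.on_ioc("FILESRV01"))
    print("after IOC:", broker.request_access("ana", "FILESRV01", True, t0))
```

Two design points are worth noticing. Break-glass accounts are excluded from removal but are also never handed out through `request_access`, so they stay a deliberate, audited exception rather than a loophole. And `on_ioc` only quarantines; clearing the flag is left to a human, since automatically re-opening an asset the EDR just flagged would undo the response.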
What Does SecureONE Do?
Segmentation: SecureONE looks across your ecosystem and pulls in identities from across your multiple identity stores. It summarizes those identities so that you know who—or what—they’re assigned to. With SecureONE, you see human accounts, service accounts, and privileged accounts. When SecureONE integrates with your EDR solution, you get an analysis showing what excess standing privilege means to the endpoints of your ecosystem. That means knowing the privileges, groups, and—most importantly—the attack paths those privileged accounts promise to would-be attackers.
Automation: SecureONE brings the Zero Trust model to your EDR solution, finding accounts with an attack path before they rise to threat-level in your EDR alerts. Zero Trust also identifies standing privilege before it can be hijacked and leveraged by bad-actors. You can still block authentication attempts, but you may not need to, if the access has been turned off already and Just-In-Time has been enabled.
Verification: SecureONE brings you the ability to verify. SecureONE adds Zero Trust policy rules defined by identity, behavior, and risk. SecureONE can inform EDR and vice versa for an identity-centric, intrinsic security model.
And, SecureONE requires no agents to run on your system. As one enterprise user told us last week, SecureONE is both “simple and elegant.”
Imagine the Architecture of the Future
By combining your EDR solution with Remediant, you keep your endpoint protection, but you add protection over who is walking around the virtual halls within your network.
Over the next several months, Remediant will roll out a series of integrations and use cases. First up is our integration with VMware Carbon Black. Coming on March 23, Remediant SecureONE’s integration with VMware Carbon Black uses Carbon Black’s native EDR abilities to deliver SecureONE’s Zero Trust admin access controls, bringing a truly identity-centric approach to EDR.
With pinpoint access and XDR, companies running both EDR and SecureONE reduce their attack surface and embrace the true spirit of SOAR (Security Orchestration, Automation, and Response). That allows security ops to focus on what matters most: managing vulnerabilities, responding to incidents, embracing automation—and ultimately reducing MTTD (mean time to detect) and MTTR (mean time to respond/remediate).
When you’re looking to take your EDR capabilities to the next level, look for a Zero Trust provider that can do dynamic Just-In-Time access, like SecureONE. Look for one that delivers immediate results too—one that doesn’t require agents and months or years to deploy.
Remediant is an early adopter and provider of Zero Trust technologies, and we’re excited about our series of integrations and use cases with leading EDR providers. The work is done. The patents are filed. We’re committed to the innovation that will lead the way to next-generation XDR via an identity-centric approach. Come join us!
Want to read more about Remediant SecureONE’s new integration with VMware Carbon Black? Check out our press release!