
Enterprise deployment over a weekend

Reduced footprint for lateral movement / attack spread for 6,000 servers

At a Glance

A Fortune 500 medical technology firm was looking to reduce the risk associated with acquired entities during acquisition integration.

  • 5.5 hours: to deploy and enable protection on all servers
  • 1.5M: admin and service accounts removed
  • 99%: risk reduction with no added FTE

Before Remediant

The security group at the global MedTech firm had two key initiatives underway. First, as the firm had recently made a number of strategic acquisitions, a major transformation was underway to merge the IT infrastructure of the acquired entities. This included the merging of Active Directory domains. Second, the "red team" within the security group was performing due diligence on the acquired entities to understand their risk posture before absorbing their infrastructure.

MedTech Background

  • Executed with existing resources
  • No formal PAM program or tool
  • No appetite for agents – multiple agents already degrading performance

The Problem

The red team performed its assessment and reported elevated risk levels within the acquired entities. It also successfully demonstrated hijacking local administrator accounts for lateral movement. This implied that absorbing Active Directory domains carrying higher risk would have raised the overall risk posture of the firm.

The security group was tasked with solving this issue with (1) no program in place to address privileged access, (2) no additional available FTE capacity and (3) no appetite for agent-based technologies. End users at the firm were already experiencing "agent fatigue" because their current endpoint management and antivirus technologies had demonstrably degraded performance.

Finally, the integration completion dates were committed to investors so the team had to reduce risk without slowing down the integration or upsetting users.

“Our red team was able to acquire a normal user account, log into a system, then elevate the access of the account in such a way to continue escalating privileges and then move laterally wherever they wanted to go. From local admin to domain admin, they could do whatever they wanted. That is what we are hoping to stop. We want to reduce that footprint where attackers can get a foothold and be able to move laterally.”

Lead Security Analyst
MedTech

Accelerating with Remediant

Remediant took a four-step approach to addressing the firm's key issues in a timely fashion:

  • Deploy (1 hour): Remediant SecureONE requires no agents on endpoints. The management console was shipped and deployed as a single virtual machine.
  • Scan (2 hours, 5,500 servers): A targeted scan of the potentially compromised network was conducted to surface the standing administrator access identified by the red team. These accounts could potentially be compromised for island hopping, counter-IR or ransomware infection. Remediant discovered 1.5M human and 6.2K service accounts with admin-rights exposure.
  • Protect (3.5 hours, 1.5 million admin access records removed): SecureONE "Protect mode" was turned on to remove all standing access, with the exception of critical-path machine accounts that were marked "persistent" and monitored for login attempts with MFA. Remediant reduced the risk exposure by 99% by removing 1.5 million admin access records.
  • Hypercare mode (ongoing): Transitioned to "hyper-care" mode to evaluate and add back non-administrator accounts and unclaimed service accounts.
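The scan and protect steps above operate on standing membership of the local Administrators group. The following PowerShell is an added illustration of what that looks like at the local-group level, written for this page; it is not Remediant's or SecureONE's code and does not reproduce their product. It assumes WinRM is enabled on the targets, that the caller can read and modify local groups there, and that service accounts follow a `svc-`/`svc_` naming prefix (a placeholder for your own convention). The function names, the sample hosts and the account names are constructed for the example.

```powershell
# Added example, not Remediant's or SecureONE's code: inventory standing membership of
# the local Administrators group across a server list and classify each record the way
# the scan/protect steps treat it (human standing admin, nested group, service account,
# deliberately persisted account). Assumes WinRM and rights on the targets.

function Get-LocalAdminMembership {
    # Collect (Computer, Name, ObjectClass, PrincipalSource) for every member of the
    # built-in Administrators group on each target. Needs the LocalAccounts module on
    # the targets (Windows PowerShell 5.1+ or PowerShell 7 on Windows).
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Name            = $_.Name
                ObjectClass     = [string]$_.ObjectClass      # 'User' or 'Group'
                PrincipalSource = [string]$_.PrincipalSource  # 'Local', 'ActiveDirectory', ...
            }
        }
    } | Select-Object Computer, Name, ObjectClass, PrincipalSource
}

function Measure-StandingAdminAccess {
    # Classify each membership record. Nested groups are flagged rather than removed
    # blindly, because their effective members are only visible after expansion.
    param(
        [Parameter(Mandatory)][object[]]$Membership,
        [string[]]$PersistentAllowList = @(),
        [string]$ServiceAccountPattern = '\\svc[-_]'   # assumed naming convention
    )
    foreach ($m in $Membership) {
        if ($PersistentAllowList -contains $m.Name) {
            $category = 'Persistent: keep and monitor logons'
        } elseif ($m.ObjectClass -eq 'Group') {
            $category = 'Nested group: expand membership before acting'
        } elseif ($m.Name -match $ServiceAccountPattern) {
            $category = 'Service account: freeze and review'
        } elseif ($m.PrincipalSource -eq 'Local') {
            $category = 'Local account: review (built-in Administrator stays)'
        } else {
            $category = 'Human standing admin: candidate for removal'
        }
        [pscustomobject]@{ Computer = $m.Computer; Name = $m.Name; Category = $category }
    }
}

function Remove-StandingAdminAccess {
    # Remove only the records classified as human standing admin. Honors -WhatIf, so
    # run with -WhatIf first and review the plan before an actual change.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][object[]]$Findings)
    foreach ($f in $Findings | Where-Object Category -like 'Human standing admin*') {
        if ($PSCmdlet.ShouldProcess("$($f.Computer): $($f.Name)", 'Remove from Administrators')) {
            Invoke-Command -ComputerName $f.Computer -ArgumentList $f.Name -ScriptBlock {
                param($Member)
                Remove-LocalGroupMember -Group 'Administrators' -Member $Member
            }
        }
    }
}

# Constructed sample membership data standing in for a live scan, so the classification
# and the -WhatIf removal plan can be exercised offline. Hosts and names are placeholders.
$sample = @(
    [pscustomobject]@{ Computer = 'SRV01'; Name = 'CORP\jdoe';           ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Computer = 'SRV01'; Name = 'CORP\svc-backup';     ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Computer = 'SRV01'; Name = 'CORP\Server-Admins';  ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Computer = 'SRV01'; Name = 'SRV01\Administrator'; ObjectClass = 'User';  PrincipalSource = 'Local' }
    [pscustomobject]@{ Computer = 'SRV02'; Name = 'CORP\jdoe';           ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Computer = 'SRV02'; Name = 'CORP\svc-cluster';    ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
)

$findings = Measure-StandingAdminAccess -Membership $sample -PersistentAllowList @('CORP\svc-cluster')
$findings | Format-Table -AutoSize
# Count per category: the "records removed" and "risk reduction" figures come from this kind of tally.
$findings | Group-Object Category | Select-Object Name, Count
Remove-StandingAdminAccess -Findings $findings -WhatIf   # prints the removal plan only

# Live use: replace $sample with (Get-LocalAdminMembership -ComputerName $servers)
```

Two design points carry over from the case study: persisted accounts are matched before any other rule so they are never queued for removal, and nested groups are surfaced as their own category because their effective members (the "nested access" the timeline below calls a major challenge) cannot be judged from the local group listing alone.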

Enterprise Roll-out Over a Weekend

  • Friday 6:00 PM, Roll-out Start: Remediant initiates deployment.
  • Friday 8:30 PM, Install & Scan Complete: management console deployed and all in-scope endpoints successfully scanned.
  • Friday 11:30 PM, Protect Mode Complete: all servers in protect mode. Service accounts and nested access were a major challenge.
  • Sunday, Hypercare Period: hypercare to add non-ADM accounts to groups and persist unidentified service accounts.

What made the difference?

The security group's ability to use Remediant to reduce risk without delaying the firm's integration milestones or impacting user experience made all the difference. Remediant's track record with rapid deployments and its agentless approach made this possible. Specifically, the security group called out the following four capabilities:

  • Rapid roll-out of protect mode (<6 hours)
  • Defined IR playbook with QuickStart & pre-built VM
  • Use of “freeze” mode for non-ADM and service accounts during hyper-care period
  • Agentless deployment implied no LOB disruption