
Incident Response

An identity-centric approach to breach response and containment

24x7 admin rights: the real indicator of compromise (IOC)

The credential has become a commodity that will be breached. 74% of breached organizations admitted the breach involved access to a privileged account. In addition, the Verizon Data Breach Investigations Report found that 29% of all breaches involved the use of stolen credentials, second only to phishing. Once a credential is compromised, privileged access management solutions are rendered useless.

The underlying reason behind this (and why administrator credentials continue to be low-hanging fruit for attackers) is the access the credentials provide. Specifically, it is the 24x7x365 always-on, high level of access granted by these administrator credentials that can be used to move laterally across a network, steal sensitive data, or deploy ransomware.

In addition, weaponized administrator rights can bypass traditional endpoint security, EDR and PAM solutions. Specifically:

  • XDR, EDR and NGAV have no visibility into privileged identities
  • Traditional PAM solutions cannot identify hidden / nested admin rights

Adversaries weaponized administrator credentials to infect critical servers with ransomware. 

See how Remediant contained a rapidly spreading ransomware attack at a U.S. firm in under a day.

An identity-centric approach to incidents

Remediant focuses on removing 24x7 administrator rights from endpoints.

74% of breached organizations admit involvement of a privileged account

480: average number of admins with 24x7 access to each workstation

30% of an average organization is covered by Privileged Access Management

Remediant takes a three-step approach to deploying, analyzing, triaging and addressing incidents:

  • Deploy single VM: Remediant SecureONE requires no agents on endpoints. The management console operates as a single virtual appliance that can be shipped remotely.

  • Scan for points of exposure: A targeted scan of the potentially compromised network is conducted to surface any administrator access that may have been compromised for lateral movement, counter-IR activity or ransomware infection.

  • Disarm: Remediant then takes steps to contain the incident and limit impact:

    • Manage offline access: Take control of default admin accounts on critical servers and rotate their passwords
    • Freeze: Switch servers to “Freeze” mode to stop new admin accounts from being added
    • Protect: Remove all standing access, with the exception of critical-path machine accounts marked "persistent", which are monitored for login attempts with MFA
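The scan, freeze and protect steps above, modelled as triage logic in code. This is an added Python example, not Remediant's or SecureONE's own code or API; the fleet snapshot, the host and account names, and the `persistent` set are constructed for illustration.

```python
"""Triage of standing (24x7) administrator rights across a small fleet.

Added example, not Remediant code. It takes a constructed snapshot of local
administrator group membership per host and applies the page's three steps:
  1. scan: measure standing admin exposure per host and per account,
  2. freeze: detect admin accounts added after a baseline was taken,
  3. protect: plan removal of all standing access except accounts marked persistent.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    role: str            # "workstation" or "server"
    admins: set[str]     # standing members of the host's local Administrators group


# Constructed snapshot: what a scan of the fleet might return (hypothetical names).
SNAPSHOT = [
    Host("ws-001", "workstation", {"CORP\\helpdesk-tier1", "CORP\\jsmith", "ws-001\\Administrator"}),
    Host("ws-002", "workstation", {"CORP\\helpdesk-tier1", "CORP\\akhan", "ws-002\\Administrator"}),
    Host("srv-file01", "server", {"CORP\\helpdesk-tier1", "CORP\\svc-backup",
                                  "CORP\\domain-admins", "srv-file01\\Administrator"}),
    Host("srv-db01", "server", {"CORP\\svc-backup", "CORP\\domain-admins",
                                "CORP\\dba-team", "srv-db01\\Administrator"}),
]

# Critical-path accounts the IR team deliberately keeps (constructed); they stay
# admin but are monitored for logins with MFA rather than removed.
PERSISTENT = {"CORP\\svc-backup"}


def exposure_by_account(hosts: list[Host]) -> dict[str, set[str]]:
    """Map each principal to the set of hosts where it holds standing admin rights."""
    reach: dict[str, set[str]] = defaultdict(set)
    for h in hosts:
        for account in h.admins:
            reach[account].add(h.name)
    return dict(reach)


def average_admins_per_host(hosts: list[Host], role: str | None = None) -> float:
    """Average number of standing admins per host (optionally for one role only)."""
    selected = [h for h in hosts if role is None or h.role == role]
    return sum(len(h.admins) for h in selected) / len(selected)


def lateral_movement_candidates(hosts: list[Host], min_hosts: int = 2) -> dict[str, list[str]]:
    """Accounts with standing admin on at least min_hosts hosts.

    One stolen credential for such an account reaches every host listed, which is
    why the page treats 24x7 admin rights themselves as the indicator of compromise.
    """
    return {a: sorted(hs) for a, hs in exposure_by_account(hosts).items() if len(hs) >= min_hosts}


def freeze_violations(baseline: list[Host], current: list[Host]) -> dict[str, list[str]]:
    """Admins present now but absent from the baseline, per host ('Freeze' mode check)."""
    base = {h.name: h.admins for h in baseline}
    added = {h.name: sorted(h.admins - base.get(h.name, set())) for h in current}
    return {name: accounts for name, accounts in added.items() if accounts}


def removal_plan(hosts: list[Host], persistent: set[str]) -> dict[str, dict[str, list[str]]]:
    """Per host: standing admins to remove, and persistent ones kept under MFA monitoring."""
    return {
        h.name: {
            "remove": sorted(h.admins - persistent),
            "keep_monitored": sorted(h.admins & persistent),
        }
        for h in hosts
    }


if __name__ == "__main__":
    print("avg admins/host:", average_admins_per_host(SNAPSHOT))
    print("lateral-movement reach:", lateral_movement_candidates(SNAPSHOT))
    after = [Host(h.name, h.role, set(h.admins)) for h in SNAPSHOT]
    after[3].admins.add("CORP\\tmp-admin")          # constructed: someone added an admin
    print("freeze violations:", freeze_violations(SNAPSHOT, after))
    print("removal plan:", removal_plan(SNAPSHOT, PERSISTENT))
```

The local built-in `Administrator` accounts appear in the removal plan for every host; in practice those are the "default admin accounts" the Manage offline access step takes over and rotates rather than deletes, so a real playbook would route them to the rotation step instead.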

This approach contains the intrusion and reduces its impact from a major, publicly exposed data breach to a minor incident.

Reduced Mean Time to Respond

Downgraded breach to minor incident

Improved throughput with no added FTE

How Remediant works

  • Rapid discovery: constantly scans for administrator rights across the ecosystem.
  • Repeatable IR playbook: designed to minimize breach and business impact.
  • Single-action removal of standing access: ensures protection even if credentials are compromised.
  • Low business disruption: no administrator friction.
  • Agent-less, single-VM deployment: requires no agents on endpoints.

Piqued your interest? Sign up for a 30-day free trial.

See how SecureONE can defend your enterprise with zero standing privilege.