How to Succeed at Workforce Identity Security Everywhere

August 2020

Networks in 2020 don’t look like 2019. Companies that had 5 to 10% remote employees and contractors in 2019 now have over 90% working from home. With this new identity-defined perimeter to organisations, network resources are moving to the cloud. This is evident in the uptick in licenses for business programs from Office 365 to Salesforce and project management or HR tools. System administrators are fragmenting into Active Directory (AD), cloud and Azure teams, all trying hard to work with IT security teams. The challenge in this complexity is an enormous security stack that often has insufficient coverage for the biggest enterprise vulnerability: the identity stores.

This year’s Verizon Data Breach Investigations Report, along with an analysis of the MITRE ATT&CK chain, revealed that 80% of serious incidents and data breaches involved credentials and the AD and Domain Controllers. Whether the cause is a malicious insider or a compromised account hacked from the outside, the result is the same. What matters most is what you are going to do about it.

Roman Blachman, Preempt’s CTO and Co-Founder, helps us answer this question and more, as we explore the options in an ever-changing landscape, including the three steps to cost-effective security. Read on to learn more.

The Steps to Cost-Effective Security Are Straightforward: Protect, Prevent and Enable

To Protect your Active Directory and Domain Servers, you need to know what all your identities are:


  • Are they human or service accounts?
  • Which have privileges and elevated access across the network and cloud?
  • How long do users stay in all your applications and services – which can mean your local AD and Azure AD – after an employee has departed?
  • Which teams use shared logins to vital services?
  • What authentication protocols are you using, and are they the latest versions?
  • Do you have unknown vulnerabilities in your system that have to remain because of a requirement or dependency of legacy systems?

“The Preempt Platform gives you insights and analytics into your entire identity store. Whether in Azure or local AD, Preempt can see your users and analyse their health and status to give you the opportunity to protect them,” explains Roman.

How Do You Prevent AD Security Attacks and Lateral Movement?

Now that you can see your AD forest and clouds with a detailed attack path, you need to Prevent identity attacks, lower risks, and stop lateral movement and misuse of service accounts. A good process helps you build policies that can identify risky activity and then prevent lateral movement. Rather than waiting for an alert to sound and an analyst to look at the logs after the transaction has occurred, Preempt operates in real time as a user authenticates to a new system.

Roman continues: “Whether setting a threshold by number of password attempts (preventing a brute force attack) or unusual user behaviour, you can shut down the action entirely, or trigger step-up authentication (e.g. if your credential is in an anomalous location, coming from a known infected IP, or simply accessing a brand-new machine for the first time) to validate the activity and shut down malicious lateral movement.”

How Do You Make AD Security Checks Easy On Your End-Users?

You Enable low-friction conditional access everywhere for a great user experience without compromising security. Enterprise employees are already becoming accustomed to using federated identity products like Ping and Okta to access sanctioned cloud services. You use VIP or CA on mobile devices for step-up authentication. But what employee appreciates security when they have to type in their password twenty times a day? Multiply the time spent waiting for a secondary authentication for normal, everyday business tasks by your total number of employees at work, and you have productivity loss.

With machine learning algorithms that take in live authentication input, Roman highlights Preempt’s dynamic risk score, which updates with factors such as the user’s behaviour index, including hour of day, physical location, new or unusual services being accessed, and more: “Your MFA or SSO investment can now be extended to any asset or service throughout your network and into the cloud, with lower hassle to the end-user. You can set policies to have users log in the first time in a day, and then as long as they access their usual work systems and services, there are no additional challenges. Preempt’s risk data and conditional access provide MFA vendors like Ping and Okta with that same detection, analysis, and risk scoring to fit any AD security model.”

But what if that employee’s credentials are captured or compromised? Preempt’s Conditional Access technology reads the unusual behaviour, changes the risk score, and offers policies to challenge that behaviour with a secondary authentication. Whether a simple Remote Desktop Protocol login or a check-in on GitHub via Azure, Preempt keeps your credentials – and all your identity stores – safe everywhere, even if all your employees are at home.
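The policy behaviour described in the two sections above (a failed-attempt threshold that shuts the action down, step-up authentication on an anomalous location, a known infected IP or a first-time machine, and no further challenge for usual systems after the first logon of the day) can be sketched as a small rule-based decision function. This is an added illustration, not Preempt’s code or its machine-learning risk score; the event fields, thresholds, action names and sample events are all assumptions constructed for the example.

```python
from collections import defaultdict, deque

MAX_FAILURES, FAILURE_WINDOW = 5, 300   # assumed policy: 5 bad passwords within 300 s

class ConditionalAccess:
    def __init__(self, bad_ips, usual_countries):
        self.bad_ips = set(bad_ips)            # threat-intel list (constructed here)
        self.usual = usual_countries           # user -> countries normally seen
        self.failures = defaultdict(deque)     # user -> times of recent failed logons
        self.seen_hosts = defaultdict(set)     # user -> hosts already verified
        self.verified_day = {}                 # user -> day of last passed challenge

    def decide(self, ev):
        """Return (action, reasons) at authentication time, before access is granted."""
        user, ts = ev["user"], ev["ts"]
        recent = self.failures[user]
        while recent and ts - recent[0] > FAILURE_WINDOW:
            recent.popleft()                   # forget failures outside the window
        if not ev["ok"]:
            recent.append(ts)
        if len(recent) >= MAX_FAILURES:        # brute-force threshold reached
            return "block", ["failed-attempt threshold"]
        if not ev["ok"]:
            return "deny", ["bad password"]
        checks = [(ev["src_ip"] in self.bad_ips, "known infected IP"),
                  (ev["country"] not in self.usual.get(user, ()), "anomalous location"),
                  (ev["host"] not in self.seen_hosts[user], "first access to host"),
                  (self.verified_day.get(user) != ts // 86400, "first logon today")]
        reasons = [why for hit, why in checks if hit]
        return ("step_up", reasons) if reasons else ("allow", [])

    def challenge_passed(self, ev):
        """A passed second factor makes this host and this day low-friction."""
        self.seen_hosts[ev["user"]].add(ev["host"])
        self.verified_day[ev["user"]] = ev["ts"] // 86400

def replay(events, engine):
    out = []
    for ev in events:
        action, reasons = engine.decide(ev)
        if action == "step_up" and ev["mfa_ok"]:
            engine.challenge_passed(ev)
        out.append((ev["user"], action, reasons))
    return out

def E(user, dt, ip, country, host, ok=True, mfa_ok=False):   # constructed sample event
    return dict(user=user, ts=1_600_000_000 + dt, src_ip=ip, country=country,
                host=host, ok=ok, mfa_ok=mfa_ok)

SAMPLE = [E("alice", 0, "192.0.2.10", "GB", "ws-alice", mfa_ok=True),
          E("alice", 3600, "192.0.2.10", "GB", "ws-alice"),
          E("alice", 7200, "203.0.113.66", "XX", "fileserver-01")] + \
         [E("bob", 9000 + i, "198.51.100.7", "GB", "ws-bob", ok=(i == 5)) for i in range(6)]

def demo():
    return replay(SAMPLE, ConditionalAccess({"203.0.113.66"}, {"alice": {"GB"}, "bob": {"GB"}}))
```

In the replay, alice is challenged once in the morning and then reaches her usual workstation unchallenged, while the same valid password used from a listed IP against a new server is challenged again; bob’s correct sixth attempt is still blocked because the threshold was reached inside the window.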

Learn more about Conditional Access, how you can reduce productivity loss and further secure your AD environment by getting in touch. We also have an exciting session on Cleaning House in Active Directory with Preempt’s Senior Software Developer, Boris Danilovich, on September 21st from 4:30 pm (GMT). Discover our other meetups here.

Our partner Preempt is accelerating digital transformation by securing all workforce identities. Since 80% of all breaches involve compromised credentials, Preempt unifies security visibility and control for on-premises and cloud identities, pre-empting threats and enforcing IT policy in real time using identity, behavioural, and risk analytics. Protecting over four million identities across 400+ enterprises, customers have reduced the cost required to stop advanced threats and accelerate Zero Trust and Conditional Access initiatives. Founded in 2014, Preempt is headquartered in Silicon Valley, with R&D in Israel and sales offices worldwide. The Preempt Platform has three modules, covering visibility, real-time threat detection and adaptive threat prevention.