Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management //

Access Management

// // //
08:05 AM
Simon Marshall
Simon Marshall
Simon Marshall

How the Cloud Is Changing the Identity & Access Management Game

Fresh off a $17.5M funding round, startup Preempt is one of several companies that is looking to change the identity and access management game as the enterprise shifts to the cloud.

Defending the security perimeter is a lot more straightforward when you can see it and get your arms around it. In the cloud, of course, that's just not possible.

One only needs to recall the Mirai botnet attack on Dyn DNS servers, which in 2016 brought the Internet in the US and Europe to its knees, to understand that the cloud really can be a very unsecure environment.

In receipt of a recent $17.5 million Series B round, Preempt, a San Francisco-based identity and access management startup, is developing and deploying a technology that looks at verifying identity, not location, in order to limit cloud threats based on an amalgam of identity, behavior and risk factors.

This triad forms the core function of identifying a user or entity, assessing their online behavior, and calculating the risk it poses to security that acts as a gating system to access. The concept is simple, but Preempt is pioneering an entirely new category of security functionality.

And, they're not the only ones.

(Source: Flickr)
(Source: Flickr)

"Startup Preempt Security has emerged with a network and authentication server-based access control platform that combines elements of identity, user and entity behavior, and risk to help combat credential theft and breaches," 451 analyst Garrett Bekker wrote in a recent profile report.

Using a newish term -- the "identity-aware perimeter" -- Bekker sees a focus on identity, not location, as critical to moving security ideologies away from the relative comfort of on-premise, out into the wilds of the cloud or hybrid set-ups.

"The essential idea is that as new architectures such as cloud, containers, mobility and IoT take hold, controlling access to resources will rely on identity as an alternative to purely network-based approaches focused more on 'where' you are than 'who' you are," Bekker wrote. "We think [this] could be one of the most interesting and powerful [trends] to hit the InfoSec market in years."

Disarm Mimikatz, 'pass the hash' and 'golden ticket'
The B round represents not only an investment in the future of a cybersecurity startup's ability to execute, but also an investment into the future of the technology itself, given it's a true paradigm shift.

And that shift deserves consideration in a world where high-level enterprise IT admin credentials are being stolen, intercepted or forged and used to control networks and sensitive data all over the world.

Patrick Heim, operating partner and CISO at ClearSky, a US venture firm that took part in the round, is full of examples of identity and credential misfortune. He cites Mimikatz, the automated admin credential grabber created by Benjamin Delpy that was reportedly hybridized with stolen NSA tools that were behind NotPetya and BadRabbit.

Another two are "Pass The Hash" and Kerboros "Golden Ticket," respectively a method to authenticate to a remote server using a stolen password hash, and a method of forging tickets used as authentication in Kerboros environments.

And then there are "stealthy admins." (See Office 365 Flaw Could Lead to 'Stealthy Admin' Headaches.)

"What excites us about Preempt is that finally there is a technology to disrupt this tried and true attack path," said Heim. "Detection and response are fine but prevention is king."

Segment the user, not the network
Preempt's solution means that network segmentation as a security precaution could diminish over time, replaced by context-based access control that determines and enforces who is able to access resources without network segmentation at all.

For those who live and die by network segmentation, this may be a tough cookie to chew.

"Today's network segmentation is static," Preempt CEO Ajit Sancheti told SecurityNow. "In a world where applications are on-premises, in the public cloud, private cloud, multi-cloud and in hybrid environments, static network segmentation is not practical."

Boost your understanding of new cybersecurity approaches at Light Reading's Automating Seamless Security event on October 17 in Chicago! Service providers and enterprise receive FREE passes. All others can save 20% off passes using the code LR20 today!

Sancheti believes that the only "practical unit of control" is the user themselves. That's why Preempt focuses on user rather than network segmentation, because it combines both static and dynamic elements.

"It's more effective in a world where the perimeter is rapidly disappearing," he added.

The challenge now is to not only provide technical benefits, but to reinforce them using use cases which help define this new category in the face of likely enterprise comfort with other vendors and time-honored categories.

"Some unique use cases are the ability to detect and control security tools like Mimikatz, PowerShell and PsExec, for example," Sancheti said. "[We also provide] a holistic view of a user's activity across all platforms, something that takes months of tuning when using a log analysis system or a SIEM."

Also, he claims his customers can control access by privileged users without deploying a "hard-to-manage" PAM solution, which he considers "overkill" for the majority of enterprises.

Of course, all this positivity is a good thing in terms of innovation, but in funding terms, Preempt now needs to prove it can execute against a large list of competitors that have embedded solutions. Preempt will also need to prove out its new category against better-known and already-trusted software that fits into clearly defined buckets.

"Preempt's challenge, like it is for any other vendor, is rising above the noise of the other vendors. Fortunately… most of our deals are not long, drawn out competitive bakeoffs," Sancheti said.

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file