Guest Author: Eran Cohen, Vice President of Product Management, Preempt. This post is also published on the Preempt Blog.
At Axonius, we integrate with over 250 security and management solutions to give customers a comprehensive asset inventory, uncover security solution coverage gaps, and automate policy enforcement. In this post, we’ll look at one integration partner, Preempt, to show how the integration benefits customers.
What is Preempt?
Preempt Security’s software platform reduces cyber threats through real-time analysis of the authentication traffic of user and system accounts. Preempt continuously analyzes, adapts, and enables conditional access to respond to threats based on identity, behavior, and risk, for use cases such as insider threats and credential-based attacks.
Axonius and Preempt: Understanding Endpoints and the Accounts Using Them
As a cybersecurity asset management platform, Axonius exists to help customers understand the intersection between users, endpoints, and the security solutions that cover them. To do that, Axonius integrates with solutions that know a lot about device and identity security, and a great example is Preempt.
Preempt feeds Axonius information on the behavior and anomalies of user and service accounts, based on advanced monitoring and machine learning algorithms. Entity classification, baselines of activity for specific accounts and associated groups, relationships with endpoint devices, attributes, and 100+ analytics enrich Axonius data using the flexible APIs provided by Preempt.
Let’s take a look at a specific example to show how the integration between Preempt and Axonius gives customers capabilities they simply cannot get from a single solution.
Incident Response using Preempt and Axonius
A common use case among Axonius customers relates to incident response: given an IP or MAC address, show me detailed, contextual information about the device, what’s on it, known vulnerabilities, and users that have access.
Let’s say a SIEM solution spits out an alert about an IP address, noting that something odd is going on. Axonius customers are able to (either through the product UI or the API) search that IP address to get detailed information about the endpoint and what’s known about it:
Looking at the IP address in Axonius, we can see what each adapter knows about the device:
As well as the correlated information:
Looking at the data gathered from Preempt, we can see that the device has a risk score of 4.0, and has SMB Signaling Disabled.
The screenshot below shows the entity risk score from the Preempt interface. This view enables the analyst to browse the risk history and investigate the different factors contributing to the risk. Preempt offers more than forty-five unique risk factors that are based on parameters such as configuration, behavior, roles, etc. This is in addition to 100+ analytics attributes related to the entity itself. All of this information is accessible via the API or the web interface.
We can then look at the other information provided by the connected adapters to understand:
- Known vulnerabilities
- Endpoint protection product coverage
- Installed software
- Available OS patches
- Admin accounts
- Associated users that are owners or regular users of the endpoint
And more, to decide what to do next. Based on the risk score and factors from Preempt, customers can then use Preempt to enable visibility, threat detection, and response. Visibility gives transparency into user and service account activities and behavior, whether on-premises or in the cloud. Detection enables a seamless threat hunting attack story, highlighting the sequence of events and entities involved in an attack, including techniques such as lateral movement, pass the hash, discovery, privilege escalation, and other complex attacks. Enforcement options, based on policy or automatic response, can range from alerts, to multi-factor authentication challenges, to blocking the authentication transaction.
To learn more about how to connect the Preempt adapter in Axonius, see the Preempt adapter configuration page.