Microsoft announced last week that it has acquired Israeli start-up Aorato, an innovator in enterprise security.
Microsoft’s Corporate VP of Cloud and Enterprise Marketing, Takeshi Numoto, stated in a blog post that the acquisition is intended to give customers a new level of protection against threats through better visibility into their identity infrastructure. With Aorato, Microsoft expects to accelerate its ability to deliver identity and access solutions that span on-premises and cloud environments, which is central to its overall hybrid cloud strategy.
Details of the acquisition are scarce; however, sources state that Microsoft will pay $200 million for the purchase.
Aorato offers advanced security solutions for a range of attack scenarios. Key to Aorato’s approach is the Organizational Security Graph, a living, continuously updated view of all of the people and machines accessing an organization’s Windows Server Active Directory (AD). AD is used by most enterprises to store user identities and administer access to critical business applications and systems.
Aorato further states that Active Directory is a prime target for advanced attacks. In several security breaches, malware has impersonated an employee. Compromised employee devices may expose an organisation through Active Directory and lead to identity theft and information disclosure. A targeted attack may directly access a file share, which authenticates via Active Directory.
“When you change the user’s password, it is the holy grail of authentication since the attacker gets full control over the victim’s identity,” Tal Be’ery, vice president of research at Aorato, told eWEEK. “This is why the vulnerability that we have discovered that enables an attacker to change the Active Directory password is so important.”
Attacks include Pass-the-Hash (PtH), in which attackers use NTLM to obtain encrypted login credentials, called hashes, and Pass-the-Ticket (PtT). PtH attacks were first documented in 1997, but the emergence of automated hacking tools has made the risk to companies using AD all the greater. “Common tools such as WCE and Metasploit have support to carry out PtH attacks in an automated manner,” said Be’ery.
Be’ery further stated that all modern versions of Active Directory have some backward-compatibility options that could enable an attacker to force the end user to authenticate over NTLM instead of the more secure Kerberos authentication method. With NTLM, the attacker is able to change the user’s password to a new one without knowing the user’s previous password.
Aorato informed Microsoft of the issue and also provided the company with the proof-of-concept tool used to trigger the vulnerability, according to Be’ery. Microsoft told eWEEK: “This is a well-known industry limitation in the Kerberos Network Authentication Service (V5) standard (RFC 4120),” and described it as a by-design flaw. Be’ery, however, maintains that it is still a flaw that needs to be fixed.
Be’ery also added that Windows log files would not typically help an enterprise identify that an attacker had downgraded Active Directory authentication and changed a user’s password. He suggests that organizations consider directly monitoring their network traffic, since logs are only a summary. “If you are directly monitoring traffic to Active Directory information, you can see the abnormal change that the user is downgrading their encryption level,” he said.
Existing security solutions that track only privileged accounts are not enough, as today’s attackers also compromise non-privileged accounts. Merely detecting anomalies across the entire network does not offer a solution either. Monitoring and auditing solutions for AD cannot correlate entity behaviour with the information residing in AD.
Aorato, on the other hand, works by automatically profiling and predicting entity behaviour. Any attempt at entity impersonation changes the entity’s behaviour, which Aorato detects. It protects AD, leverages AD’s central role in the network to secure the organisation, maintains profiles throughout the Organizational Security Graph and links suspicious activities into an attack timeline.
Aorato’s other advantages include seamless deployment, easier BYOD, integration with SIEM solutions (Splunk, ArcSight and RSA enVision) and entity-driven behavioural forensics; it is also adaptive to the changing nature of threats. It requires no configuration, signatures or rules, only port mirroring.
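The two defensive ideas above, watching authentication traffic for a user dropping from Kerberos to NTLM and profiling each entity’s normal behaviour so that impersonation stands out, can be illustrated with a small baseline-and-compare detector. The following is an added example written for this article; it is not Aorato’s, Microsoft’s or eWEEK’s code. It runs over constructed authentication records of the kind a network sensor on a port mirror might export, and the record fields (timestamp, user, src_host, auth_protocol) and the alert categories are assumptions of the example, not any product’s schema.

```python
"""Behavioural detection of Kerberos-to-NTLM authentication downgrades.

Added example for the article; not Aorato's or Microsoft's code. Field names
and alert categories are assumptions. Records are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    timestamp: str      # ISO-8601, as a sensor would stamp it
    user: str           # account authenticating to AD
    src_host: str       # host the request came from
    auth_protocol: str  # "Kerberos" or "NTLM"


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    src_host: str
    reasons: tuple      # one or more of the reason constants below


DOWNGRADE = "protocol downgrade: Kerberos-only user authenticated over NTLM"
NEW_HOST = "new source host for user"
NO_BASELINE = "no behavioural baseline for user"


def build_profiles(baseline):
    """Profile each user: which protocols and source hosts it normally uses."""
    profiles = defaultdict(lambda: {"protocols": set(), "hosts": set()})
    for e in baseline:
        profiles[e.user]["protocols"].add(e.auth_protocol)
        profiles[e.user]["hosts"].add(e.src_host)
    return dict(profiles)


def detect(events, profiles):
    """Compare live events with the profiles; return alerts for deviations."""
    alerts = []
    for e in events:
        p = profiles.get(e.user)
        if p is None:
            alerts.append(Alert(e.timestamp, e.user, e.src_host, (NO_BASELINE,)))
            continue
        reasons = []
        # A user that was only ever seen on Kerberos suddenly using NTLM is the
        # "encryption level downgrade" the article describes. Users who already
        # use NTLM legitimately (legacy applications) are not flagged for it.
        if (e.auth_protocol == "NTLM" and "NTLM" not in p["protocols"]
                and "Kerberos" in p["protocols"]):
            reasons.append(DOWNGRADE)
        if e.src_host not in p["hosts"]:
            reasons.append(NEW_HOST)
        if reasons:
            alerts.append(Alert(e.timestamp, e.user, e.src_host, tuple(reasons)))
    return alerts


def attack_timeline(alerts):
    """Group alerts per user in time order, the way an attack timeline would."""
    timeline = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.timestamp):
        timeline[a.user].append((a.timestamp, a.src_host, a.reasons))
    return dict(timeline)


# Constructed baseline: alice is Kerberos-only; bob legitimately uses NTLM
# from a legacy file server as well as his workstation.
BASELINE = [
    AuthEvent("2014-11-10T08:01:00Z", "alice", "WS-ALICE", "Kerberos"),
    AuthEvent("2014-11-10T09:15:00Z", "alice", "WS-ALICE", "Kerberos"),
    AuthEvent("2014-11-10T08:05:00Z", "bob", "WS-BOB", "Kerberos"),
    AuthEvent("2014-11-10T08:30:00Z", "bob", "WS-BOB", "NTLM"),
    AuthEvent("2014-11-10T10:00:00Z", "bob", "FILESRV-LEGACY", "NTLM"),
]

# Constructed live traffic for the next day.
LIVE = [
    AuthEvent("2014-11-11T08:02:00Z", "alice", "WS-ALICE", "Kerberos"),   # normal
    AuthEvent("2014-11-11T08:40:00Z", "alice", "WS-ALICE", "NTLM"),       # downgrade
    AuthEvent("2014-11-11T08:41:00Z", "alice", "WS-UNKNOWN", "NTLM"),     # downgrade + new host
    AuthEvent("2014-11-11T09:00:00Z", "bob", "WS-BOB", "NTLM"),           # normal for bob
    AuthEvent("2014-11-11T09:30:00Z", "carol", "WS-CAROL", "NTLM"),       # never profiled
]


def run_demo():
    profiles = build_profiles(BASELINE)
    return attack_timeline(detect(LIVE, profiles))


if __name__ == "__main__":
    for user, entries in run_demo().items():
        print(user)
        for ts, host, reasons in entries:
            print(f"  {ts} from {host}: {'; '.join(reasons)}")
```

The point of profiling per user rather than setting a network-wide rule is visible in the sample: bob’s NTLM logons are not alerts because NTLM is part of his baseline, while the same protocol from alice, a Kerberos-only account, is. A real deployment would also need the baseline to age and be re-learned, and would treat an unprofiled account as a lower-priority signal than a downgrade on a known one.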
Aorato stated, “At our core, Aorato has always been focused on strengthening enterprise security, by giving customers deeper visibility into their Active Directory and identity infrastructure with an emphasis on user behavior intelligence and analytics. Joining Microsoft gives us a unique opportunity to pursue this vision, and help customers at the broadest possible scale.”
Numoto expressed excitement about the technology Aorato brings and the people who will now be joining Microsoft. He stated: “Microsoft is committed to moving nimbly and aggressively to provide customers with solutions to their top challenges.”
With this acquisition, Aorato will cease selling its Directory Services Application Firewall (DAF) product. As part of Microsoft, it will share more on the future direction and packaging of these capabilities at a later time.