Author: Carolyn Crandall, Chief Security Advocate and CMO
We are proud to announce that Attivo Networks and SentinelOne are now working together to disrupt attacks from modern adversaries. By combining the two companies’ solutions, joint customers gain the ability to prevent endpoint compromises and disrupt an attacker’s attempts to gather credentials and perform the reconnaissance needed for lateral movement. Additionally, Attivo Networks has joined the SentinelOne Singularity Partner Program, which creates a collaboration model for the two companies to sell to and support customers together.
With its Singularity XDR platform, SentinelOne is a leader in endpoint protection (EPP), endpoint detection and response (EDR), IoT security, and cloud security. The platform combines these capabilities with IT operations functions, consolidating multiple existing technologies into one solution.
The Endpoint Detection Net (EDN) Suite has made Attivo Networks a leader in protecting Active Directory (AD) and credentials on endpoints, both of which are prime targets for modern cyber-attacks. The EDN solution provides SentinelOne customers with an effective way to detect and prevent attacks against Active Directory, credential theft, and privilege escalation while reducing the attack surface by removing exposed credentials.
The joint solution creates a rich defense against even the most sophisticated attackers and will efficiently derail attacks targeted at today’s ever-expanding attack surface. When used together, the SentinelOne XDR platform prevents attackers from compromising an endpoint while the Attivo EDN suite prevents attackers from breaking out of that endpoint if they manage to get in.
Attivo and SentinelOne are collaborating around the following specific areas:
Active Directory Protection
Protecting Active Directory has become increasingly complex with pervasive access and a multitude of objects with varying levels of privilege and domain control. Monitoring and keeping this environment secure has become a significant challenge and comes with dire consequences when that control is lost to an attacker.
With ADSecure implemented, an attacker who queries AD is prevented from gaining access, and the SOC is immediately alerted to the active attack. Beyond hiding real results, the Attivo ADSecure solution can return misinformation that steers the attacker’s path away from the production environment. With ADSecure, organizations conceal valuable enterprise resource information, reduce the attack surface, and alter what the adversary sees in order to slow and deter attacks. By controlling the attacker’s path, security teams can also gather Tactics, Techniques, and Procedures (TTPs) and company-specific threat intelligence for remediating exploited systems and fortifying defenses. ADSecure does all this from the endpoint, without touching production AD Domain Controllers. ADSecure can be purchased as part of the EDN Suite or as a standalone product.
Credential Theft Detection
As attackers look for valuable targets, they seek credentials that let them move laterally and escalate privileges. Over 60% of attacks are found to have used stolen credentials; attackers favor them because activity under legitimate credentials appears to come from an authorized employee and is difficult to detect.
The Attivo EDN solution resides on the endpoint as the first line of defense against credential theft. It uses machine learning to gather the information required to create authentic-looking credentials that mirror those used by employees, and it deploys these fake credentials and various other artifacts onto endpoints as lures for attackers. As soon as anyone uses the fake credentials (Windows, Mac, Linux, cloud, SaaS), the EDN solution detects the use, diverts the attacker away from real assets, and raises high-fidelity alerts, reducing the time it takes the organization to detect and stop attackers.
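The lure-and-detect idea described above, as an added example that is not Attivo code and not part of the EDN product: because a planted decoy account is never used legitimately, any Windows logon event (4624 or 4625) naming it is a high-fidelity alert, and account names are normalized so a DOMAIN\user, user@realm or differently cased spelling still matches. The decoy names, hostnames and event records are constructed for this example.

```python
import re

# Constructed lure inventory (not real accounts): decoy account -> endpoint it was planted on.
DECOY_ACCOUNTS = {"svc_backup_adm": "WKS-0142", "helpdesk_admin": "WKS-0377"}

# Constructed sample records in flattened key=value form, as a SIEM might forward
# Windows Security events 4624 (logon), 4625 (failed logon) and 4672 (special privileges).
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=jdoe TargetDomainName=CORP LogonType=2 IpAddress=10.0.5.21 WorkstationName=WKS-0142",
    "EventID=4625 TargetUserName=SVC_BACKUP_ADM TargetDomainName=CORP LogonType=3 IpAddress=10.0.5.21 WorkstationName=WKS-0142",
    "EventID=4624 TargetUserName=helpdesk_admin@corp.local TargetDomainName=- LogonType=10 IpAddress=10.0.9.8 WorkstationName=FS-01",
    "EventID=4672 TargetUserName=svc_backup_adm TargetDomainName=CORP LogonType=- IpAddress=- WorkstationName=-",
]

LOGON_EVENT_IDS = {"4624", "4625"}  # only authentication attempts are alert-worthy


def parse_event(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict; values carry no spaces in this format."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def normalize_account(name: str) -> str:
    """Strip a DOMAIN\\ prefix or @realm suffix and lowercase, so CORP\\Svc_X,
    svc_x@corp.local and SVC_X all resolve to the same decoy entry."""
    return name.rsplit("\\", 1)[-1].split("@", 1)[0].lower()


def detect_decoy_use(lines, decoys=DECOY_ACCOUNTS):
    """Return one alert dict per logon event that names a decoy account.
    No baseline or threshold is needed: a single matching event is an alert."""
    alerts = []
    for ev in map(parse_event, lines):
        if ev.get("EventID") not in LOGON_EVENT_IDS:
            continue  # 4672 and other non-logon events never fire on their own
        acct = normalize_account(ev.get("TargetUserName", ""))
        if acct in decoys:
            alerts.append({
                "account": acct,
                "event_id": ev["EventID"],
                "logon_type": ev.get("LogonType", "-"),
                "source_ip": ev.get("IpAddress", "-"),
                "workstation": ev.get("WorkstationName", "-"),
                "planted_on": decoys[acct],
            })
    return alerts
```

Comparing `workstation` with `planted_on` in an alert shows whether the decoy was tried on the host it was planted on or replayed against another system, which is the lateral-movement attempt the text describes.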
Removal of Exposed Credentials
Gaining visibility into exposed, orphaned, or misused credentials on an endpoint can be challenging. Further, neglecting these credentials increases security risks and consequently expands the attack surface by creating paths for adversaries to leverage in their attacks.
The Attivo EDN suite provides continuous monitoring and reduction of the attack surface by identifying and automatically removing exposed credentials, along with local and shadow admin accounts left on endpoints, that attackers could use to move laterally in the network. Security teams can also view historical data to see exposed critical paths, local administrator accounts, misconfigured SMB shares, browser credentials, and more. It takes little effort to deploy, so even organizations without a mature visibility program can immediately benefit from understanding their credential-based vulnerabilities and an attacker’s opportunities for lateral movement.
We are proud to work with SentinelOne and join the company’s Singularity Partner Program to help bolster endpoint security with Active Directory protection, credential theft detection, and credential exposure prevention. The Attivo EDN solution is a perfect complement to the SentinelOne Singularity XDR platform and will seamlessly add visibility to credential-based attacks, deny the adversary access to the data they seek, and derail them with misinformation every step of the way.
For more information on the joint solution, read the solution brief.
[Updated on January 25, 2021]
At the end of December 2020, Attivo Networks completed an integration with the SentinelOne platform that adds another facet to the partnership. With this integration, once the Attivo platform detects an attack, it can send the data to the SentinelOne platform to automatically quarantine the infected endpoint, accelerating incident response and reducing the mean-time-to-respond/remediate.