Additional new capabilities include expansion of support for NetApp and EMC NAS Devices, and the ability to add Lockdown capabilities that override native Windows File System permissions.
Security software vendor STEALTHbits Technologies has announced the 3.4 release of its StealthINTERCEPT threat detection solution. It adds five new analytics to the three that were there before, for Bad User IDs, Breached Passwords, Concurrent Logins, forged Golden Ticket Kerberos tickets and Impersonation Logins. Version 3.4 also improves the platform support provides for NetApp and EMC NAS Devices, and adds the ability to add Lockdown capabilities that override native Windows File System permissions.
STEALTHbits is an established player in the data governance and data security spaces, which has been shipping product for 11 years.
“We put solutions in place to govern access to the data, with StealthAUDIT, our original and flagship product, which is agentless,” said Adam Laub, STEALTHbits’ SVP, Product Marketing. “We then strengthen the protection with StealthINTERCEPT.” The two offerings are often purchased together, although it’s not required.
StealthBITS focuses on the management and security of unstructured data around Active Directory, which 95 per cent of the Fortune 1000 uses. They have an impressive array of reference customers, which includes several large financial organizations.
“Those reference customers are global deployments, not small departmental ones,” Laub said.
That high end of the market was StealthBITS’ original target market, and is still the focus of their direct sales. When the company started, it went to market entirely direct.
“When I started here in 2005, one of the first things I did was add some channel partners,” Laub stated. “Still, we were not dedicated to the channel in the way you need to be in order to be successful. The last couple years, the channel has had a much greater focus and the revenue balance between direct and channel is now about 50-50. The really big customers like the big banks with long sales cycles we do direct, but we have a midmarket team here that works with partners to drive opportunities in the 500-5000 seat space.
“In our initial stages with the channel, it was foreign to us to pass deals over,” Laub acknowledged. “We looked for them to bring deals to us, which is not really the way the channel likes to work. We learned we needed to prime the pump, and we began to pass business over to partners for pure fulfilment to create stronger relationships. There are conflicts here and there, but we work all those out individually.”
Today, StealthBITS has 43 channel partners globally, which includes many big players like Optiv. Their principal partner headquartered in Canada is Halifax-based Setka Solutions.
Partnerships with other security vendors are also critical to StealthBITS, as they are able to leverage their own solutions’ openness and flexibility to easily integrate with them, something that not all their competitors are able to do.
“We have teamed up with most of the major identity and access management providers as an unstructured data feed to their system, which we are able to do because of our openness,” Laub said.
The StealthINTERCEPT solution which is being enhanced offers real-time detection of authentication-based threats in traffic through Active Directory. It analyzes the traffic data in real-time to identify the most common and damaging attack vectors, and issues alerts when they are detected.
“StealthINTERCEPT essentially creates a ‘firewall’ for Active Directory and unstructured data,” Laub indicated. “It detects all changes, protects against unauthorized changes and provides control through granular policies. There is a heavy focus on integration with SIEMs and we provide a real-time feed to SIEM solutions.”
Laub stressed that StealthINTERCEPT’s technology gives it capabilities that extend far beyond the Active Directory logs.
“With the exception of Dell, our competitors rely on native logging,” he said. “We have our own mechanism to monitor Active Directory. We don’t look at the logs because we can get better data and data the logs don’t provide, such as at the group policy level.”
StealthINTERCEPT previously provides analytics that detected account hacking, brute force attacks, and horizontal account movement. Version 3.4 supplements this significantly with five new threat analytics.
“Bad User ID identifies both by user and by source,” Laub said. “It looks for preauthentication failures, where multiple user names that don’t exist are tried, and will flag that.”
The Breached Passwords analytic looks for multiple failed attempts followed by a successful one, and can analyze this over a long period of time. The Concurrent Logins analytic looks for logins from multiple locations simultaneously over a short period of time, indicating where login is successful. Impersonation logins checks multiple authenticated accounts coming from a single system.
“Not all these, if detected, mean an attack, but they are still patterns of activity you still want to know about,” Laub said.
Laub considered that the most interesting of the new analytics is one that detects Golden Tickets.
“This is where you have a fully compromised Active Directory without knowing about it, where the attacker is able to create a Golden Ticket allowing them to modify any Kerberos ticket so it doesn’t have to be verified,” he said. “Now we can see the guts of every Kerberos ticket to see if it has been forged. This is something you would never pick up just with native information from logs.”
Version 3.4 also expands the platform support beyond Windows – to NetApp and EMC NAS devices.
“We’ve monitored them before, but now we have real time alerting,” Laub said.
Windows File System Blocking has also been introduced.
“We have added new lockdown capabilities that supersede native Windows security, regardless of permissions,” Laub noted.
Version 3.4 of StealthINTERCEPT is available now.