EXPEL BLOG

Expel MDR has new advanced identity threat detection & response

· 3 MIN READ · CLAIRE HOGAN · SEP 16, 2024 · TAGS: Announcement / Company news / MDR

TL;DR

  • Expel’s new identity-based auto-remediations are live, and reduce manual work required for credential compromise incident resolution 
  • You can now reset compromised credentials for Microsoft Entra Identity and Okta 
  • Users can also disable compromised user accounts in a variety of tools, including Google Workspace and Azure Cloud Direct 

In today’s increasingly digitized world, it’s no surprise that we see identity-based attacks more than ever before. In fact, identity-based attacks, such as account compromise and account takeover, accounted for a whopping 61% of all incidents our security operations center (SOC) identified in Q1 2024. Our findings show that the attackers behind identity-based threats don’t play favorites—attackers will attempt to exploit compromised credentials and accounts regardless of your industry.

In order to help our customers stay ahead of the rise in identity-based attacks, we’re continuing to expand our capabilities around identity threat detection and response (ITDR). The latest addition to the Expel arsenal is a set of auto-remediations built for identity-based threats. These auto-remediations allow our SOC analysts to quickly and seamlessly take action when credential compromise, business email compromise (BEC), or other identity-based threats are detected. Leveraging auto-remediations means your team can drastically reduce mean-time-to-remediate (MTTR) and mean-time-to-contain (MTTC), minimizing the blast radius of an attack.

Expel’s identity-based auto-remediations now include the ability to:

  • Reset compromised Microsoft Entra Identity credentials, in both cloud and hybrid active directory environments
  • Reset compromised Okta credentials
  • Disable compromised user accounts in Microsoft Entra Identity, Azure Cloud Direct, Duo Cloud, GitHub, Google Workspace, and Okta

Your team can configure accounts for these new automated response actions in Expel Workbench™, which allows our analysts to remediate on your behalf when an attack is detected. Before the launch of our new auto-remediation capabilities, the remediation process for resetting credentials was manual. You would see the notification within Workbench, log in to the impacted systems, coordinate with internal IT teams and compliance mechanisms, and manually take the recommended response action. Now—by leveraging our new identity-based automated response through Workbench—we can not only significantly reduce the dwell time an attacker has in your environment, but also give valuable time back to your team. Here’s how it works.

Automatically reset compromised credentials

When Expel’s platform detects potentially compromised credentials, our highly skilled SOC team can now automatically reset the credentials in seconds, nullifying the threat and giving teams time to investigate and build resilience. 

In addition to automatically resetting credentials, all active sessions for the account are terminated, ensuring that threat actors are cut off from further access to your environment. This reduces the risk of data exfiltration, privilege escalation, or other unauthorized actions that attackers could carry out with stolen credentials. 

The reset credentials auto-remediation is highly effective in cases of compromised credentials, where account passwords are stolen but multi-factor authentication or conditional access stops the threat before a true BEC occurs. By automatically resetting the compromised credentials, we can stop the attacker within seconds and alleviate the burden on internal IT teams, who no longer need to manually address every suspected credential breach. 
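As an added illustration (not Expel’s code; the post shows none), a constructed in-memory identity model shows why the reset is paired with session termination: changing the password alone leaves a previously issued session token valid, while the combined remediation cuts off both the stolen secret and the live session. The store, the user and the tokens are all constructed for the example.

```python
# Added illustration, not Expel's code: a constructed in-memory identity store
# showing why a credential reset must be paired with session termination.
import hashlib
import secrets


def _hash(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


class IdentityStore:
    def __init__(self) -> None:
        self.users: dict = {}     # name -> {salt, pw_hash, enabled}
        self.sessions: dict = {}  # bearer token -> user name

    def create_user(self, name: str, password: str) -> None:
        salt = secrets.token_hex(8)
        self.users[name] = {"salt": salt, "pw_hash": _hash(password, salt), "enabled": True}

    def login(self, name: str, password: str):
        u = self.users.get(name)
        if not u or not u["enabled"] or _hash(password, u["salt"]) != u["pw_hash"]:
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = name
        return token

    def authorize(self, token: str) -> bool:
        """A stolen token keeps working until it is revoked or the user is disabled."""
        name = self.sessions.get(token)
        return name is not None and self.users[name]["enabled"]

    def reset_password(self, name: str) -> None:
        u = self.users[name]
        u["salt"] = secrets.token_hex(8)
        u["pw_hash"] = _hash(secrets.token_urlsafe(16), u["salt"])  # new secret, unknown to attacker

    def revoke_sessions(self, name: str) -> int:
        stale = [t for t, n in self.sessions.items() if n == name]
        for t in stale:
            del self.sessions[t]
        return len(stale)

    def disable_user(self, name: str) -> None:
        self.users[name]["enabled"] = False


def remediate(store: IdentityStore, name: str, disable: bool = False) -> dict:
    """Reset credentials and terminate every active session; optionally disable the account."""
    store.reset_password(name)
    revoked = store.revoke_sessions(name)
    if disable:
        store.disable_user(name)
    return {"sessions_revoked": revoked, "enabled": store.users[name]["enabled"]}
```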

Automatically disable compromised user accounts

We’ve seen increased adoption of our existing auto-remediation to disable user accounts when suspicious behavior or signs of compromise are detected. Whether it’s unusual login activity, access from an anomalous sign-in location, or indicators of lateral movement, our analysts act quickly on your behalf to automatically disable the affected user account, giving you 24×7 peace of mind.

Disabling compromised users also helps you align with security policies and best practices, ensuring that access controls are swiftly enforced following an incident. By automating the response to identity-based attacks, Expel gives organizations a markedly faster, reliable, and repeatable way to mitigate threats without introducing delays or human error.

Customized automation tailored to fit your needs

As cyber threats evolve, Expel continues to lead the way in the MDR space, helping you stay ahead of attackers with smarter, faster, and more automated solutions. However, automation isn’t a one-size-fits-all approach. When it comes to remediation, organizations should insist on an MDR provider that includes remediation steps as part of the investigative process, regardless of whether they decide to opt for auto-remediation. Expel’s expert SOC analysts will always recommend remediation actions, even if we don’t automate the steps ourselves. 

Auto-remediation should be tailored to your organization, based on the threats seen in your environment. Our customers decide which users should be immediately disabled and which credentials should be automatically reset after a threat is confirmed. 

Expel’s new automated identity threat detection and response capabilities greatly enhance our ability to respond quickly to identity-based attacks. This means your team can focus on other security initiatives—without spending a ton of time on remediation.

Contact us to learn more or get a demo.