Identity And Access Management

The Top 9 Solutions To Stop Account Compromise

Discover the top nine solutions to help prevent, detect and block account compromise attacks, including multi-factor authentication, password managers and email security.

The Top 9 Solutions To Stop Account Compromise include:
  1. Avanan
  2. BeyondTrust Privileged Remote Access
  3. Cisco Secure Access by Duo
  4. Dashlane
  5. Delinea Secret Server
  6. HID Advanced Multi-Factor Authentication
  7. IRONSCALES
  8. Keeper Security
  9. Ping Identity PingOne

Your employees’ accounts are doorways into your organization’s data. They enable access to all of the applications that make up your network, and all the information stored within those applications. Cybercriminals know this, which is why they consistently attempt to gain access to corporate data via account compromise attacks.

Account compromise is when a bad actor hacks into—and takes control of—a user’s account. They usually do this by cracking weak passwords via brute force, or exploiting user vulnerabilities and human error to steal passwords from users via social engineering attacks. These are some of the most prevalent causes of data breaches we’re seeing today; in fact, 85% of breaches involve a human element, and 61% involve misused or stolen credentials.

There are a number of solutions available to help prevent and mitigate the risk of account compromise, such as password managers, which secure your employees’ passwords; multifactor authentication solutions, which ensure that a hacker can’t access a user’s account even if they crack its password; privileged access management solutions, which ensure your most critical corporate accounts are secured; and post-delivery email security solutions, which scan inboxes for signs that an attacker is trying to steal a user’s credentials or has successfully managed to hack into their account, and shut down the attack.

In this guide, we’ll explore the best-in-breed of each of the above types of solution. We’ll give you some background information on the provider and the key features of each solution, as well as the type of customer that they are most suitable for, so you can be certain you’re choosing the best account compromise protection for your organization.

1. Avanan

Avanan is a cloud-based security solution designed to protect businesses using email clients such as Office 365 and Google Workspace, as well as cloud applications such as OneDrive and Google Drive, against advanced threats such as spear phishing and account compromise. Avanan’s innovative solution sits within the email client itself and analyzes all email content for signs of impersonation or email fraud, to help proactively block sophisticated attacks in real time.

Avanan’s platform uses machine learning algorithms to identify malicious email activity, including zero-day credential theft attacks, by searching for over 300 signs of account compromise, such as the sender’s location, domain and time of sending. Suspicious content is either quarantined or removed, as per admin-configured policies. Avanan also creates a baseline of each user’s “normal” account behavior and analyzes their account activity for anomalous behavior, such as logins from unusual locations or suspicious mailbox configurations, and alerts admins to any suspicious behavior that may indicate an account has been compromised. According to admin policy, Avanan can also respond to these threats in real time by automatically locking out the “user” (i.e. attacker) in question before they can do any damage.

Avanan deploys via API integration, without having to make any changes to existing MX records. This makes it quick and easy to set up, so that organizations can benefit from Avanan’s protection in just a few minutes. We recommend Avanan as a powerful solution for all organizations looking to protect their inbound, outbound and internal emails against credential theft attacks, as well as detect and block any account compromise attacks that may slip through their existing account-level protection.

2. BeyondTrust Privileged Remote Access

BeyondTrust is a market leader in privileged access management. Privileged accounts provide administrative levels of access to critical business systems, based on being assigned higher levels of permissions. Because of this, they’re a lucrative target for cybercriminals trying to access corporate data via account compromise attacks. BeyondTrust’s Privileged Remote Access solution enables organizations to manage internal and third-party remote privileged access, enabling secure access to critical corporate data from any location, without the need for a VPN.

Privileged Remote Access enables companies to store the credentials to critical business systems in a cloud-based on-appliance vault, or in BeyondTrust’s software-based Password Safe. This prevents bad actors from stealing passwords via social engineering, as users don’t actually have access to account credentials; once a user has verified their identity, BeyondTrust injects the credentials directly into the session without exposing them at any time. BeyondTrust Privileged Remote Access also offers robust management functionality, enabling admins to configure authentication and notification policies that enable them to grant access remotely. The solution also offers comprehensive audit trails and session forensics, allowing security teams to closely monitor account usage to help eliminate excess privilege and generate reports to prove compliance.

Privileged Remote Access is compatible with Windows, Mac and Linux operating systems, and supports privileged access with a web-based console and a mobile app, ensuring that legitimate privileged users can access critical data no matter where they are or what device they’re using. We recommend BeyondTrust’s solution for any organization looking to mitigate the risk of privileged account compromise, and particularly those with users accessing privileged systems remotely.

3. Cisco Secure Access by Duo

Acquired by Cisco in 2018, Cisco Secure Access by Duo is a market-leading access management solution that secures access to corporate accounts by verifying each user when they attempt to log in. Cisco Secure Access by Duo combines risk-based or “adaptive” multi-factor authentication (MFA) with secure single sign-on (SSO) and is available in five different plans, ranging from a version for smaller teams through to an enterprise-grade version with granular policy configuration for larger organizations.

Cisco Secure Access by Duo analyzes each login attempt for anomalous behavior, such as an unusual login time, location or device—admins can configure these policies from the central management console—and uses these analyses to grant or deny access to corporate accounts. If a login attempt is deemed safe, the user is granted access; if the login is considered risky, an admin is alerted and the user must verify their identity via a secondary method of authentication. Cisco Secure Access by Duo supports authentication via passcodes, tokens, U2F USB devices, devices’ in-built biometric scanners and Duo’s own “Duo Push” authentication app. Requiring users to verify their identity via MFA prevents cybercriminals from accessing a user’s account, even if they manage to crack their password. Duo also offers SAML 2.0 SSO; integrated cloud apps redirect users to Duo for authentication, so users can access all of their accounts securely using just one set of credentials. This eliminates the risks associated with re-using passwords, and encourages users to create stronger passwords because they need only remember one.

Delivered as-a-Service, Cisco Secure Access by Duo is easy to deploy and offers hundreds of out-of-the-box integrations with popular cloud applications. We recommend Duo as a strong, user-friendly solution for any organization looking to combat account compromise with adaptive authentication and single sign-on.

4. Dashlane

Dashlane is a market-leading password management solution designed to protect users against credential-based breaches by helping them to create, securely store and share unique, complex passwords. Dashlane offers their business solution via two packages: Dashlane Team, for SMBs looking for a simple, intuitive password manager, and Dashlane Business, for larger organizations that also want integrated SSO. With their Team plan, Dashlane offers a free personal account per user, and with their Business plan they offer a free family account per user, helping eliminate account compromise caused by re-using passwords across work and personal accounts.

Dashlane’s password vault combines AES 256-bit encryption with Argon2d key derivation, which adds latency to offer stronger protection against brute force attacks, as well as phishing. Users can import their passwords manually, through their web browser, or via an inbox scan, which automatically detects credentials within a user’s inbox and adds them to the vault. This also encourages users to permanently remove any emails that contain sensitive content, so they don’t fall into the hands of a bad actor if an inbox is compromised. Once passwords are imported, Dashlane generates a password health report that indicates whether any passwords are too weak or need updating, and automatically fills out any credential forms online so that users needn’t remember passwords for each of their accounts—they only have to remember the “Master Password” to log into their vault at the start of their session. Dashlane also features an in-built VPN that encrypts users’ online activity if they’re browsing via an unsecured Wi-Fi network.

As well as their technological features, Dashlane offers excellent customer support. This, combined with its user-friendly interface, makes it a strong solution for SMBs—including non-technical companies—looking for a password manager that’s easy to set up and manage, but still offers powerful protection against credential-based attacks.

5. Delinea Secret Server

Delinea is an access management provider that was born of a 2020 merger between Thycotic and Centrify. Secret Server is Delinea’s privileged access management solution, which helps IT and security teams to secure access to critical company databases, applications, security tools, network devices, and hypervisors. Secret Server offers a broad range of features to secure against account takeover attacks, as well as powerful session monitoring tools to help prove compliance with strict data protection standards.

Secret Server stores privileged credentials in an encrypted vault that can only be accessed by users who have verified their identities via two-factor authentication. Within the vault, users can only view the passwords they need to be able to do their jobs. Admins can define these permissions via the central management console, as well as set up just-in-time access controls and configure policies for credential rotation and password complexity. This eliminates the use of weak or static passwords, reducing the risk of credential theft via brute force or phishing. Admins can also configure approval workflows to automate the granting or denying of access requests, including for third parties. Secret Server also offers comprehensive session recording, to help admins detect any suspicious or fraudulent activity being carried out by privileged users.

Secret Server offers on-prem and cloud deployment, and two different packages. The Professional package includes a password vault with Active Directory integration, reporting and auditing, and CRM, SAML, and HS integrations. The Platinum package includes all of the above, plus Unix protection, approval workflows, advanced scripting, and disaster recovery. Overall, we recommend Delinea Secret Server to larger enterprises looking to secure privileged access to their most critical and sensitive systems, to ensure compliance and prevent account takeover attacks.

6. HID Advanced Multi-Factor Authentication

HID specializes in identity verification solutions for both physical and logical (digital) asset authentication. Their user authentication and access management products currently secure over 85 million user identities globally. HID Advanced Multi-Factor Authentication is their logical MFA solution. Delivered as a part of their Identity and Access Management suite, it enables organizations to secure user access to corporate networks, cloud applications and VPNs, as well as to generate granular reports into account usage and data access across the network.

HID Advanced MFA enables secure logical and physical access to company assets, from shared drives to shared offices, via a converged credential ecosystem. Because of this, HID supports a wide range of authentication methods, including hardware tokens, PKI-based smart cards, digital certificates, push notifications, and biometric scanning. This ensures that all users can authenticate securely, no matter what type of device they’re working from. Additionally, these methods support the FIDO and OATH protocols, and the PKI-based cards enable secure physical access to company sites. From the management console, admins can view useful insights into who is accessing which parts of the network. This helps ensure all users are only accessing the data they need, whilst providing a robust audit trail and enabling organizations to prove compliance.

HID Advanced MFA can be deployed on-prem or in the cloud, making it both flexible and scalable. We recommend it as a strong solution for mid- to large-sized companies going through a period of growth, those with remote or hybrid-remote workers, and those with multiple office sites. We also strongly recommend HID’s solution for organizations looking not only to secure access to their digital assets, but also physical, on-site locations.

7. IRONSCALES

IRONSCALES is a post-delivery email security platform that provides protection against email threats from within each user’s inbox. The cloud-based platform combines human intelligence with machine learning to detect malicious activity within the inbox, such as phishing emails or signs of business email compromise, and proactively block or remove these threats. It also includes security awareness training and phishing simulations, to help train users to spot attacks and reduce their likelihood of falling victim to a credential theft attack.

IRONSCALES uses a machine-learning algorithm, combined with crowd-sourced threat intelligence from their end users, to identify suspicious or dangerous email content and automatically remove any malicious emails from all user inboxes, preventing users from falling victim to phishing attacks and helping organizations to detect and mitigate account compromise attacks. IRONSCALES also offers a “Report Phish” button that sits within the email client and enables users to report suspicious emails in real time, helping to reduce the time it takes to detect and stop an attack. When a user reports an email, IRONSCALES either quarantines it from all other inboxes or displays a warning to other users within the email body, according to admin-configured policies.

IRONSCALES integrates easily with cloud-based email clients such as Office 365 and Google Workspace, as well as on-prem Exchange, and deploys without needing to make changes to any MX records, making it easy to set up and manage even without a dedicated security team. We recommend IRONSCALES as a powerful solution for organizations of any size looking to detect signs of credential theft attacks and successful account compromise, and proactively block attacks to mitigate the damage they cause.

8. Keeper Security

Keeper Security is a market leader in password management, providing consumer and business-focussed solutions that help users more securely create, store and use passwords. Keeper Business and Keeper Enterprise, their password managers for SMBs and large organizations respectively, encourage and enforce better password practices that reduce the risk of account compromise. Keeper also alerts users should any of their passwords become compromised, encouraging them to update them to mitigate any damage.

Keeper stores each user’s login credentials in a secure, encrypted vault. Users can access their vaults using a decryption key, called a “Master Password”, known only to them. Once they’ve entered this key, they verify their identity via MFA, ensuring that nobody but the genuine vault owner can access the credentials stored within it. Once logged in, Keeper automatically fills in web- and application-based login forms. This means that users only have to remember one password—their Master Password—to be able to access all of their accounts. If a user wants to access an application for which they don’t already have an account, Keeper generates a unique, strong password for them and saves it automatically. Within the vault, users can also securely share passwords without having to rely on shared spreadsheets, emails or instant messages.

From the management console, admins can view reports into employee password security and generate custom reports for auditing and compliance. With Active Directory, SSO, SCIM and API integrations, the solution is easy to deploy and provision. We recommend Keeper as a strong password management solution for organizations of any size looking to eliminate the risk of account compromise caused by poor password practices and increase overall password health organization-wide.

9. Ping Identity PingOne

Ping Identity is an identity and access management vendor that enables secure access to cloud accounts and applications, with a focus on ease-of-use. PingOne is Ping Identity’s cloud-based adaptive authentication solution, which secures access within public, private and hybrid cloud environments as well as on-premise resources. As well as MFA, PingOne offers built-in SSO and a unified admin console which, combined, enable a secure, seamless login process for end users and a detailed overview of user login behavior for admins.

PingOne allows admins to configure granular adaptive authentication policies for all users and devices across a range of SaaS, on-prem and cloud apps. Once set up, the platform then analyzes all login attempts for anomalous activity. If high-risk behaviors—such as logging in from an unknown device—are detected, PingOne either denies the user access, or requests further verification from them, according to given policies. If a login attempt is considered safe, the user is granted access without having to authenticate. This prevents bad actors from compromising employee accounts, without adding friction to all users’ login experiences unnecessarily. PingOne also offers in-built SSO, and the platform is also compatible with mobile devices, ensuring a universal login experience no matter which application a user is accessing, or which device they’re using.

PingOne is delivered as-a-Service and integrates easily with Active Directory, making deployment and onboarding a straightforward process. We recommend the platform as a strong solution for organizations trying to combat account compromise via adaptive, user-friendly MFA.

The Top Solutions To Stop Account Compromise Attacks - Expert Insights