Forget About Passwords, Advance to Multi Factor Authentication with Silverfort

Please describe the background behind founding Silverfort.

Silverfort was founded two and a half years ago by three co founders: myself, Yaron Kassner and Matan Fattal. We met while serving together in the prestigious 8200 IDF unit in leadership roles. Later, we all worked at leading cyber security companies and got exposed to different perspectives of the industry. We've known each other for a long time.

A few years ago, we identified a problem with the way authentication is handled today. Even though cybersecurity is a large market with many products, password credentials are still the predominant authentication method out there, with phishing attempts targeting these credentials becoming bigger by the day.

Even though everybody is talking about getting rid of passwords and moving into advanced authentication, most of our systems and applications still rely on them, and that's what we wanted to solve. We decided to create a simple, more realistic way, to apply strong authentication across all corporate systems and assets, without reducing productivity. Today, Silverfort has 25 employees across Israel, USA and EU, and has recently raised its first serious investment of 11.5 million dollars.

What's unique about Silverfort?

Silverfort provides an authentication platform that enables strong authentication across entire enterprise networks, including corporate and cloud environments, without making any modifications to endpoint or servers. We offer a way of protecting user access to any resource or asset,  from a unified platform, without changing any system the company is using, and without installing any software on them. This is unique because the authentication products available today require you to install software or configure something on every individual asset that you want to protect. This kind of integration and modification is not always feasible. There are many occasions where you cannot implement authentication for a certain assets. Some of the main examples are cases where it’s impossible to install external software on the asset; for example, you cannot install security software on IoT devices, medical devices or industrial systems. In some cases, the problem is that the asset is so sensitive and critical that the company doesn’t want to make any changes or install software on it.  In other cases, corporate networks and cloud environments are becoming so dynamic, with new instances being set up and down automatically all the time, making it difficult to implement security verification.

We believe that this approach that has been around for decades is not suitable anymore for corporate networks. It doesn’t make sense to let every server application device handle multi factor authentication on its own. We created a platform that provides authentication across all the assets in the organization: on premise, cloud, infrastructure servers, applications, data.

We can also cover large and dynamic environment that have too many assets in the network and protecting them individually requires too many resources.

So, instead of installing something for each individual server or device, we provide a solution that monitors all the authentication requests on the network without putting inline gateways. It’s a very non-intrusive solution that’s simple to install and allows you to monitor all authentication across all systems environments and apply adaptive authentication and multi factor authentication on top of that.  The unique things that we can offer are:

1. Enable multi factor authentication for assets that don’t support it today such as IoT devices, critical infrastructure, proprietary and legacy systems, and more.
2. Able to do adaptive risk-based authentication across all the different systems and environments. It monitors and learns the user behavior across all the systems and in the cloud and, therefore, can reach better visibility and risk analysis of the user behavior.
3. Visibility. We provide the organization with full visibility of everything the users are doing across all the systems. They can see which users are accessing certain systems, detect vulnerabilities, assess risks and more.

How does Silverfort integrate with existing security solutions?

Recently, we have introduced a new offering which is an ability to integrate with third-party security products that already exist in the company and strengthen their alerts for better decision-making. For example, let’s say that your firewall detected a suspicious behavior from a certain endpoint, we can authenticate whatever that endpoint is doing on the network. This solves two problems that are a risk to security today:

1. These security products can block the user or send passive alerts.  Both options are not ideal because if you block the user, you reduce the productivity of many legitimate users. Passive alerts don’t prevent the threat. What we can do is let the user prove his identity. We can block real threats without blocking legitimate users.
2. We can reduce the amount of false positive alerts that today’s security products are producing, making it difficult for organizations to handle security events. We provide feedback for these alerts. We can tell the organization  which are the alerts the user could not authenticate- true positives, the ones which you will want to investigate.

We have formed partnerships with prominent vendors, including Palo Alto Networks, and will soon be unveiling collaborations with other vendors as well.

Altogether, I believe this is the next generation authentication solution. It’s a way to achieve authentication across everything the company has, every system authentication device, on premises and in the cloud, without integrating with individual systems, all from a unified platform with a seamless user experience and unified behavioral analytics.

What are some of the risks imposed by identity theft?

Today, the majority - 81% of data breaches involve the use of stolen or weak credentials, and this problem is only getting bigger. Passwords remain the main gateway of attack, as an attacker can always use a stolen password to impersonate the user and walk through the main door.

Passwords are being leveraged by attackers to compromise insider accounts and move laterally inside the network. Once an attacker is on one of the computers, he will use credentials to move laterally from one computer to another, compromise additional accounts and additional systems and eventually steal valuable data. Credentials are also leveraged by ransomware to reach target systems and encrypt corporate or individual files.

The fact credentials are easy to compromise has been well-known for many years. It’s difficult for us to remember many complex passwords; we tend to use the same passwords over and over again, both personal or corporate, changing passwords in a predictable way, and expose them in different ways such as writing them in a file or sharing them with other people. They are also very easy to obtain through social engineering. Passwords are vulnerable and are not enough to protect data. Something beyond passwords is needed, which we call multi-factor authentication or adaptive authentication.

While there is an awareness to this, there's still a gap between awareness and the fact that these technologies are still not available for most of the devices, the services and applications that we use. It’s simple to add multi-factor authentication to a modern web application, but it’s very difficult to do the same thing for a medical device, an industrial system, a proprietary business application or a shared folder that might be exposed to someone.

It’s very difficult to accomplish this in large dynamic corporate environments that are changing all the time. This is why we started this company, and this is why we believe that an entirely new approach is needed in order to enable strong authentication effectively. It's not enough to do it on an individual application. We need to create something that will go beyond using just passwords everywhere, and you can’t do that by managing every system individually.  You need to create something that is much more holistic and unified, bring authentication from the individual asset to one centralized solution which will monitor, analyze and protect authentication for all the various assets and environments.

This makes it safer, easier and simpler for the IT team that need to strengthen security by implementing additional authentication factors.

How do you foresee the future of multi-factor authentication?

I believe people would move to risk-based adaptive authentication rather than static policies to increase balance and productivity. They will use more modern authentication methods such as push notifications that don’t rely on dedicated hardware tokens or vulnerable methods like SMS.

Mostly, I believe that the way authentication is delivered over the different systems and environments would be reinvented. The new reality of corporate networks, with IoT and the cloud being so dynamic, calls for a new approach and Silverfort’s solution can deliver authentication effectively and easily across these complex, dynamic environments.

I believe that risk-based adaptive authentication will become much more popular because the ability to analyze risk based on the user behavior before deciding whether the user should provide additional factors of authentication – this is less disruptive for the user while still maintaining security. By monitoring user behavior, we can analyze where he is, which device, which activity,  the time of the day when he is active, and correlate it with behaviors on other systems. Silverfort’s ability to look at all authentication across all the systems and environments provides an important advantage because we don’t only look at the user’s behavior on a single application, we can analyze it across the entire network, which gives us significantly more information about what the user is doing. When we add on top of this our unique integration with other third-party security tools, we are bringing adaptive authentication to the next level of accuracy and coverage. Eventually, we can all get rid of passwords, but it would only be possible once we can analyze and protect authentication across all networks.