Michael Greene, CEO
Over the last five years, a majority of the cybersecurity breaches involved identity, generally a compromised password, as the prime vector of attack. Let’s face it; in an era where cybercriminals have spawned a full-blown credential trading economy on the dark web, a password is only “secure” if it is both uncommon and uncompromised. Compromised credentials are still a primary cause of data breaches, making organizations inherently vulnerable to a myriad of cyberattacks, including brute-force and credential stuffing attacks. This vulnerability is exacerbated if credentials of a privileged user are compromised, providing the intruder with “the keys to the kingdom.” Against this backdrop, the question is: how can organizations, in today’s day and age, detect these compromised credentials, and prevent account takeover and fraud?
“Look no further than continuous credential or password monitoring,” answers Michael Greene, CEO, Enzoic.
Enzoic offers an award-winning, streamlined solution to detect compromised credentials with minimal friction for end-users, which is changing the narrative in the cybersecurity world. Drawing on its cloud security expertise and innovative, easy-to-deploy tools which layer in with other security measures, Enzoic has developed elegant solutions for account takeover protection and Active Directory. Enzoic for Account Takeover Protection is an innovative API solution designed explicitly for companies—like a bank or a healthcare firm—that have customer-facing authentication pages on their websites. With an aim to provide incremental protection over a web application firewall, the company maintains the largest continuously updated database of compromised credentials that can be leveraged by organizations to securely compare and prevent the use of compromised credentials. Enzoic’s Account Takeover Protection goes beyond just checking the validity of usernames or passwords; the REST API can determine if the credential combinations are found together and available to cybercriminals on the dark web. When a password is inevitably found to be compromised, the solution assists organizations in stepping up authentication, resetting the password, reducing privileges, or using other threat mitigation tactics. The REST API empowers organizations with Enzoic’s massive database that can be easily integrated into their enterprise applications.
While hackers target dictionaries and credentials exposed in data breaches, Enzoic for Active Directory—an easy-to-implement plug-in solution—prevents employees on the network or anybody on the Active Directory from selecting a known compromised password. Additionally, the simple plug-in improves the existing password policies in an organization by utilizing a standard password filter object that automatically restricts the selection of commonly-used, expected, or compromised passwords. This is followed by enabling continuous monitoring of those passwords to prevent them from becoming vulnerable in the future. If a password becomes unsafe, Enzoic automates remediation with configurable actions that include requiring password reset on next login.
“The uniqueness of our solutions stems from our ability to provide continuous monitoring. It helps to eliminate the need for continuous password resets every 90 days, which in turn increases security, customer satisfaction, and NIST compliance. This continuous password protection prevents ongoing use of compromised credentials and simplifies meeting the NIST requirements for real-time detection of insecure passwords and eliminating the need for periodic password expiration,” explains Mike Wilson, founder and CTO, Enzoic.
Enzoic helps organizations screen user accounts at login without impeding access, while allowing those organizations to take action if the user credentials or password are compromised.
“Furthermore, while credential stuffing is at an all-time high, companies continue to implement tools that are only partially effective for detection, such as web application firewalls. To help the client increase their coverage, our tools are complementary to other methods to provide more coverage.”
To highlight the efficacy of Enzoic, Wilson recalls an instance that involved one of their financial services clients.
• After implementing Enzoic’s solutions, the client determined that the credentials of 5,000 of the million users were compromised every month.
• In the first two months, 10,000 users were at risk, as somebody was conducting an account takeover on them, which provided a consistent pattern.
• That equates to roughly 6 percent of clean credentials being compromised throughout the year, which affirmed for the customer that credential screening was worth the investment.
• Enzoic’s solution helped the company to detect a potential breach early on, which neatly translated into significant remediation savings for the customer.
The core premise of Enzoic’s products is the database and the research behind it. While organizations focus on collecting compromised credentials on their own by implementing small tools, Enzoic goes the extra mile to enable continuous monitoring, and provide access to constantly updated research information. “It is not an easy task to perform high volume queries against billions of compromised credentials in real-time. However, we empower our clients with this ability through a big data system designed to provide protection,” says Greene. Unlike other solutions in the market that utilize heuristics or behavioral-based analysis, Enzoic’s API solution for account takeover protection provides more of “a definitive definitions-based solution,” helping users understand definite risks with minimal false positives. “In terms of deployment, our solution is quick to install, scalable, and can be configured to work within the organization’s existing infrastructure in no time. We are the solution for any company in the marketplace that experiences issues with compromised credentials, must be NIST compliant or is concerned about password security,” he adds.
Enzoic’s ascension to success can also be credited to the unique combination of in-depth security expertise, with over 80 years of collective experience in the enterprise and commercial software industry in the executive team, and innovation it brings to the table. While Greene draws on his more than 13 years of extensive experience in cybersecurity, Wilson leverages his insightful expertise garnered from working in high-security environments like Webroot and NASA. Enzoic looks forward to expanding its product reach and making their Active Directory and API platform accessible to more organizations.