enterprisesecuritymag

Enzoic: Ushering in a New Era for Compromised Credential Screening Online and in Active Directory


Michael Greene, CEO, Enzoic
Over the last five years, a majority of the cybersecurity breaches involved identity—generally a compromised password—as the prime vector of attack. Let’s face it; in an era where cybercriminals have spawned a full-blown credential trading economy on the dark web, a password is only “secure” if it is both uncommon and uncompromised. Compromised credentials are still a primary cause of data breaches, making organizations inherently vulnerable to a myriad of cyberattacks, including brute-force and credential stuffing attacks. This vulnerability is exacerbated if credentials of a privileged user are compromised, providing the intruder with “the keys to the kingdom.” Against this backdrop, the question is: how can organizations, in today’s day and age, detect these compromised credentials, and prevent account takeover and fraud?

“Look no further than continuous credential or password monitoring,” answers Michael Greene, CEO, Enzoic.

Enzoic offers an award-winning, streamlined solution to detect compromised credentials with minimal friction for end-users, which is changing the narrative in the cybersecurity world. Drawing on its cloud security expertise and innovative, easy-to-deploy tools which layer in with other security measures, Enzoic has developed elegant solutions for account takeover protection and Active Directory. Enzoic for Account Takeover Protection is an innovative API solution designed explicitly for companies—like a bank or a healthcare firm—that have customer-facing authentication pages on their websites. With an aim to provide incremental protection over a web application firewall, the company maintains the largest continuously updated database of compromised credentials that can be leveraged by organizations to securely compare and prevent the use of compromised credentials. Enzoic’s Account Takeover Protection goes beyond just checking the validity of usernames or passwords: the REST API can determine if the credential combinations are found together and available to cybercriminals on the dark web. When a password is inevitably found to be compromised, the solution assists organizations in stepping up authentication, resetting the password, reducing privileges, or using other threat mitigation tactics. The REST API empowers organizations with Enzoic’s massive database that can be easily integrated into their enterprise applications.

While hackers target dictionaries and credentials exposed in data breaches, Enzoic for Active Directory—an easy-to-implement plug-in solution—prevents employees on the network or anybody on the Active Directory from selecting a known compromised password. Additionally, the simple plug-in improves the existing password policies in an organization by utilizing a standard password filter object that automatically restricts the selection of commonly-used, expected, or compromised passwords. This is followed by enabling continuous monitoring of those passwords to prevent them from becoming vulnerable in the future. If a password becomes unsafe, Enzoic automates remediation with configurable actions that include requiring password reset on next login.

“The uniqueness of our solutions stems from our ability to provide continuous monitoring. It helps to eliminate the need for continuous password resets every 90 days, which in turn increases security, customer satisfaction, and NIST compliance. This continuous password protection prevents ongoing use of compromised credentials and simplifies meeting the NIST requirements for real-time detection of insecure passwords and eliminating the need for periodic password expiration,” explains Mike Wilson, founder and CTO, Enzoic.

Enzoic helps organizations screen user accounts at login without impeding access but allows those organizations to take action if the user credentials or password are compromised.


“Furthermore, while credential stuffing is at an all-time high, companies continue to implement tools that are only partially-effective for detection such as web application firewalls. To help the client increase their coverage, our tools are complementary to other methods to provide more coverage.”


To highlight the efficacy of Enzoic, Wilson recalls an instance that involved one of their financial services clients.

• After implementing Enzoic’s solutions, the client found that the credentials of 5,000 of its million users were compromised every month.

• In the first two months, 10,000 users were at risk because somebody was carrying out an account takeover against them, which showed a consistent pattern.

• That equates to roughly 6 percent of clean credentials being compromised throughout the year, which affirmed for the customer that credential screening was worth the investment.

• Enzoic’s solution helped the company to detect a potential breach early on, which neatly translated into significant remediation savings for the customer.

The core premise of Enzoic’s products is the database and the research behind it. While organizations focus on collecting compromised credentials on their own by implementing small tools, Enzoic goes the extra mile to enable continuous monitoring, and provide access to constantly updated research information. “It is not an easy task to perform high volume queries against billions of compromised credentials in real-time. However, we empower our clients with this ability through a big data system designed to provide protection,” says Greene. Unlike other solutions in the market that utilize heuristics or behavioral-based analysis, Enzoic’s API solution for account takeover protection provides more of “a definitive definitions-based solution,” helping users understand definite risks with minimal false positives. “In terms of deployment, our solution is quick to install, scalable, and can be configured to work within the organization’s existing infrastructure in no time. We are the solution for any company in the marketplace that experiences issues with compromised credentials, must be NIST compliant or is concerned about password security,” he adds.

Enzoic’s ascension to success can also be credited to the unique combination of in-depth security expertise, with over 80 years of collective experience in the enterprise and commercial software industry in the executive team, and innovation it brings to the table. While Greene draws on his more than 13 years of extensive experience in cybersecurity, Wilson leverages his insightful expertise garnered from working in high-security environments like Webroot and NASA. Enzoic looks forward to expanding its product reach and making their Active Directory and API platform accessible to more organizations.

Company
Enzoic

Headquarters
Boulder, CO

Management
Michael Greene, CEO; Mike Wilson, Founder & CTO; Josh Horwitz, COO; Kristen Ranta, Co-Founder; Haikal Wilson, CMO

Description
Enzoic offers an award-winning, streamlined solution to detect compromised credentials with minimal friction for end-users, which is changing the narrative in the cybersecurity world. Its continuous password protection prevents ongoing use of compromised credentials and simplifies meeting the NIST requirements for real-time detection of insecure passwords and eliminating the need for periodic password expiration. Enzoic solutions empower organizations to screen customer and employee accounts to mitigate the risk associated with attacks and help secure user credentials proactively, rather than reactively. While organizations focus on collecting compromised credentials on their own by implementing small tools, Enzoic goes the extra mile to enable continuous monitoring, and provide access to constantly updated research information.

Enzoic News

Enzoic Launches Real-Time Password Monitoring in Active Directory

BOULDER, Colo. - Enzoic, a leading provider of compromised credential screening solutions, today released the latest version of Enzoic for Active Directory. The product is the only Active Directory plugin to meet NIST 800-63b requirements for real-time blocking of unsafe passwords at set-up and provide continuous monitoring of those same passwords to ensure they don’t become vulnerable later. The service gives organizations new ammunition in the ongoing fight against the use of compromised passwords.

Across industries, organizations of all sizes rely on Microsoft’s Active Directory to manage access to networked resources. As such, the technology is frequently a top target for hackers who need only use a cracking dictionary or exposed credentials to gain unauthorized access to a user’s Active Directory account—and wreak havoc from there. For example, 29 percent of the breaches studied in Verizon’s 2019 Data Breach Investigations Report involved the use of stolen credentials.

Enzoic for Active Directory helps organizations protect against this threat by screening users’ passwords against its proprietary database of compromised credentials, a continuously updated catalogue containing multiple billions of unique exposed user-name and password combinations.

A new feature of Enzoic for Active Directory 2.0 is Continuous Password Protection, which automatically triggers a response if a password becomes vulnerable. This capability enables Active Directory administrators to move beyond a static list of exposed credentials and periodic forced password resets. It enforces password changes in response to real-time credential exposures—a critical differentiator given that new credentials are compromised daily. A user password that was secure at creation might no longer be secure the next day. If an unsafe password is detected, Enzoic can notify and automate follow-up action—ranging from prompting the user to change their password upon the next login to instantly disabling the account, depending upon the organization’s policies.

“To date, much of the password security surrounding Active Directory has focused on complexity rules and forced periodic or quarterly password resets,” said Michael Greene, CEO, Enzoic. “These practices frustrate users and research has shown them to be ineffectual, as people tend to create much weaker passwords when faced with greater complexity requirements and forced password resets. Enzoic for Active Directory removes those burdens while simultaneously strengthening security. By screening passwords both at their creation and monitoring them on a daily basis, we’re giving our customers a leg up in their battle against unauthorized account access.”

Enzoic for Active Directory 2.0 enables compliance with NIST 800-63b in the following ways:
• Screening passwords against a list of commonly used passwords, passwords in cracking dictionaries, or compromised passwords.
• Password checks are performed when passwords are being created and continue to be performed daily on an ongoing basis against a live database, not a static list.
• If a compromised password is detected at creation or during monitoring, an immediate response is triggered.
• By continuously monitoring for the use of compromised credentials, organizations can stop enforcing periodic password resets, meaning that users only need to change their password if it is compromised.

"According to our primary research, more than 90% of organizations have experienced a violation of password policies in just the last year that has exposed the company to extreme financial consequences and business disruption," noted Steve Brasen, research director with IT industry analyst firm Enterprise Management Associates. "Enzoic's approach ensures passwords continuously meet NIST regulations and business requirements while minimizing security administration efforts and related costs."