Dave Mitchell, Author at IT Security Guru
https://www.itsecurityguru.org/author/dave-mitchell/

Specops Secure Service Desk Product Review
https://www.itsecurityguru.org/2021/07/26/specops-secure-service-desk-product-review/?utm_source=rss&utm_medium=rss&utm_campaign=specops-secure-service-desk-product-review
Mon, 26 Jul 2021 11:17:30 +0000

Supplier: Specops Software

Website: specopssoft.com

Price: Based on volume

Scores

Performance 5/5

Features 5/5

Value for Money 4/5

Ease of Use 4.5/5

Overall 5/5

Verdict

Tight integration with Windows AD and support for a wide choice of identity services allows Secure Service Desk to verify that password reset requests are from bona fide users.

Active Directory (AD) password reset requests are one of the most common issues service desks have to deal with, but they can be a major vulnerability as they are open to bad actors attempting to impersonate real users using tactics like social engineering. Good password hygiene is easy enough to implement in AD, but service desks must also be able to securely verify that users making the requests are who they say they are. That means not relying on an insecure method like an employee ID number, but enforcing a secure verification process with no exceptions, not even for the executive team.

Specops specializes in password management and authentication solutions and its Secure Service Desk offering provides the tools for helpdesk agents to securely verify users’ identities before performing password resets, changes or account unlocks. Snapping in seamlessly with AD, it can enforce user authentication and doesn’t require users to enroll as it leverages personal information present in their account attributes such as email addresses, mobile numbers or an existing identity service the user is already enrolled with.

Along with sending one-time passwords (OTPs) via mobile SMS and email, it supports many other identity services including Okta Verify, Symantec VIP and Duo Security. More importantly, it employs multi-factor authentication (MFA) and a smart weighting feature to verify the identity of administrators and service desk agents when they access the Secure Service Desk portal.

Image 1. – The only onsite component required is the Specops Gatekeeper which links up transparently with AD and the cloud authentication services

Easy deployment, tight security

Installation is a swift process as Secure Service Desk only requires a Gatekeeper component installed on a Windows server in your domain which securely links up with AD. All other services are hosted in the cloud and you start by creating an account which will be appended with a unique UPN suffix.

Once you’ve created your first authentication account, the portal provides a secure link to install the Gatekeeper. This creates three new Specops AD security groups and then asks you to choose which AD users are to be added to the Specops Administration and User Administration groups.

With the power to change passwords and unlock user accounts, access to the Secure Service Desk web portal needs to be strictly controlled and this can be locked down tight by assigning multiple identity services to the enrolment and authentication processes. Weighting is a standout feature as you assign from one to twelve stars to both processes to ensure multi-factor authentication is enforced.

Each identity service is then assigned a number of stars so you can apply higher weightings to strong authentication methods such as the Specops Authenticator or Fingerprint mobile apps and give lower weightings to weaker methods such as email and SMS.

The end result is if administrators and service desk agents choose weaker methods, they’ll have to use more of them to authenticate than if they chose a stronger identity service. Furthermore, you can apply geo-location blocking and trusted network locations to limit where they can authenticate from.

Image 2. – You can apply custom weightings to the various identity services for strong user authentication

Who goes there?

When a user calls in requesting a password reset, the agent accesses the portal’s Service Desk tab and uses its search facility to find their AD account. From the user details page, you can send them an OTP to the mobile number or email address defined in the AD user account attributes for verification.

One very important factor here is the service desk agent is not shown any codes so they can’t prompt or assist the user who must repeat the code back to them. If the agent believes further verification is required, they can then choose further authentication methods to confirm the user’s identity.

Other valuable administrative settings are facilities to set a session time limit in minutes and force identity verification to stop it being bypassed. New password generation can be fully automated so service desk staff won’t know what the passwords are, and you can force users to change them at next logon after a reset, a setting that admins can configure so that a service desk agent cannot remove it.

Password resets are a swift process: when auto-generation is enabled, all the agent has to do is request a new one to be sent via email or text message. If it is disabled, they manually enter a password that must adhere to the AD domain password policy, which is also sent to the user via the chosen method.

If an AD account lockout policy is configured and the user has managed to trigger this, the agent can unlock it from the service desk portal. This extra tab only appears if the account in question is locked and enablement is nothing more than a single click.

Image 3. – Once users have been verified, passwords can be quickly reset and accounts unlocked from the cloud portal

Reporting

As you’d expect, the web portal provides plenty of valuable reporting services which can be easily filtered to show various activities for specific date periods. The historical view reveals everything you need to know about enrolment and authentication, the identity services used, text messages sent per day and service desk events.

The auditing tab provides a rundown on all system events such as password resets and identity verification along with the date, time and AD user that instigated them and this can all be exported as CSV files. All reports that provide output in graphical format can be exported to PNG, JPG, PDF, XLSX and JSON formats.

The portal can also be fully customized to suit your business requirements. You can add personalized icons and images, change the colour of backgrounds, menus or buttons, modify any text element and choose from fourteen different languages.

Image 4. – The Secure Service Desk portal provides a wealth of reporting and auditing tools

Conclusion

In these turbulent times, organisations must implement strong AD password management and a critical part of the process is user authentication. Helpdesk staff in large businesses certainly won’t personally know every user so they must be able to verify a caller’s identity before performing password resets or account unlocks.

Specops Secure Service Desk is an ideal solution as it’s simple to deploy, integrates neatly with AD and is easily managed from a well-designed cloud portal. Support for a wide range of identity services makes it highly versatile and the smart weighting system allows businesses to enforce strong authentication processes for portal access.

And if you want to ease the support burden even further, the Specops uReset product integrates with the on-site Gatekeeper and Secure Service Desk cloud portal to provide self-service password reset facilities protected by the same authentication functions.

PRODUCT REVIEW – Edgescan makes fullstack vulnerability management easy
https://www.itsecurityguru.org/2021/04/21/product-review-edgescan-makes-fullstack-vulnerability-management-easy/?utm_source=rss&utm_medium=rss&utm_campaign=product-review-edgescan-makes-fullstack-vulnerability-management-easy
Wed, 21 Apr 2021 16:01:21 +0000

Supplier: Edgescan

Website: www.edgescan.com

Price: Based on assets

Scores

Performance 5/5

Features 5/5

Value for Money 4/5

Ease of Use 5/5

Overall 5/5

Verdict: Fullstack vulnerability management made easy – Edgescan does all the hard work so you don’t have to

The pandemic has undoubtedly led to a massive surge in cyber-attacks but even as restrictions start to ease, businesses can’t afford to relax as these threats will keep evolving and continue long into the future. Vulnerability assessment, management and mitigation are critical to survival in this harsh landscape but far too many businesses rely only on automated solutions which can leave gaping holes in their cyber defences.

One of the biggest problems with vulnerability assessment automation is assessment coverage and the number of inaccuracies, false positives and false negatives it can generate. Feeding these into a threat tracking system can be a complete waste of resources as security teams will spend valuable time chasing down false findings.

Edgescan takes an innovative approach to vulnerability assessment by combining machine-based analytics and automation with human intelligence. Coined ‘fullstack vulnerability intelligence’, Edgescan uses a two-fold approach allowing it to automate common, repetitive tasks but bring human decision making to more complex duties such as vulnerability validation, risk assessment and prioritization. It also covers both the web application layer and supporting host infrastructure.

Using dedicated teams of in-house security analysts combined with custom vulnerability automation, Edgescan sorts the wheat from the chaff and presents its findings to customers showing clearly where they should be directing their resources. It manually validates threat feeds ensuring only actionable data is being received allowing businesses to focus on the weaknesses and risks that matter.

The Edgescan web portal dashboard provides a clear overview of your security posture and all detected threats

Deployment

Easily deployed as a SaaS (security as a service) solution, Edgescan is completely agent-less and requires no on-premises scanners as everything is run from the cloud. Onboarding is equally pain-free as the customer fills in a form declaring the assets they want protected which can include network devices, applications, APIs and anything with an IP address or URL that could be exposed.

If internal network scanning is required, Edgescan deploys a production-ready jump box as a virtual machine (VM) that provides a secure connection to the customer network. An Amazon Machine Image (AMI) version is also available on AWS, allowing Edgescan to assess a company’s cloud services.

Licensing options are extensive with Edgescan Essentials providing the tools for foundational assessments across an enterprise network to discover and determine a basic web app security posture. The Standard license expands services to include authenticated testing, the Advanced license adds on-demand logic and penetration testing for critical apps while the Host version provides vulnerability management services for hosts and servers.

All detected vulnerabilities can be viewed in the console which provides a wealth of filtering and reporting tools

The new web console

Having previous experience with Edgescan, we can safely say its new award-winning (Good Design Awards 2020) user interface is a significant improvement. The original dashboard was very informative but the revamped web interface places all the most important information at your fingertips and provides improved user navigation.

The new dashboard presents a simplified actionable data view that shows clearly what your security posture is. The score presented by the exposure factor graph is derived by taking the combined vulnerability score for all your public facing assets and dividing it by the number of exposed assets.

The risk over time graph is self-explanatory while the MTTR (mean time to remediate) graph shows how effective your teams are at closing vulnerabilities. Select any of these graphs and the main window to the right changes to reflect their values where you can apply filters to show all or specific assets over a custom time period.

The lower graph can be changed to show a range of valuable information such as the CVSS landscape, average patch performance for assets with CVE-related vulnerabilities, the top assets at risk and your score for remediation performance. The pie chart alongside can be set to show the top vulnerabilities grouped by threat, severity or risk and clicking on the chart transports you straight to the console’s vulnerabilities page with a filter already applied that is based on the section of the chart selected.

Edgescan has a sharp focus on API security and runs customized scans to determine their security posture

Assets, vulnerabilities and hosts

Many of the menus from the previous console have been tidied up and are now accessed from a simple navigation bar across the top with four options for viewing the dashboard, assets, vulnerabilities and hosts. You can see all your assets in one screen and apply a wide range of filters to fine-tune the information presented. Custom filters can be saved and easily recalled at the click of a link and everything in the GUI can also be accessed via the Edgescan API if required.

Click on an asset and it takes you to a deep-dive screen which reveals a wealth of information such as its priority, combined risk score, associated applications and networks, risk over time and a scanning schedule.

The view menu above the risk graph shows how smart Edgescan is as it’ll transport you directly to the relevant screen based on your selection. Choose the highest risk vulnerability view, for example, and with one click, the screen changes to show a critical listing for the selected asset.

APIs

API security assessment is a key strength of Edgescan as it builds out from external IP monitoring to pinpoint hosts that have APIs on them. It also handles APIs differently to other security vendors, which treat them as no different to web apps and run the same tests on them all, an approach that rarely provides any useful information on API vulnerabilities.

Web apps are designed to interact with humans whereas APIs interact with machines so Edgescan runs different sets of tests on them. Using automated multi-layered checks and human verification, it probes endpoints to discover all known, unknown and shadow APIs, sends requests to see if and how they respond and determines their security posture.

You can view all API information in the console’s asset view and drill down into each one for more information. The resultant screen shows details such as the API’s priority, combined risk score plus affected applications and, unlike other solutions that charge per scan, the licenses allow you to submit retest requests to Edgescan’s security experts.

A smart feature of Edgescan is you can send retest requests to its security teams

Conclusion

By delivering a smart combination of scan automation and human intelligence, Edgescan takes vulnerability assessment and management to the next level. Its security experts manually validate all feeds so customers can be assured of accurate vulnerability data, which can result in a massive time saving for any organisation.

Edgescan clearly shows all detected vulnerabilities accompanied by valuable advice on fixing them but if a customer has any issues understanding the threat, Edgescan support can guide them through the remediation process. It’s simple to deploy with flexible licensing schemes, the new web console is very well designed and Edgescan’s security teams make false positives a thing of the past.