Endorsement Story
“We can't afford to miss infostealer infections”
With 12,500 employees worldwide, dozens of shipyards, and a turnover of several billion euros, Damen Shipyards is the largest shipbuilder in the Netherlands. In addition to civilian vessels, Damen is also active in the construction of military ships for navies and coast guards. To map out dark web data and infostealer infections, it uses Passguard. Hans Quivooij, CISO of Damen Shipyards, explains why.

The Reason

Hans, can you tell us why you started using Passguard?

Every organization can fall prey to hackers as a 'target of opportunity': a chance too attractive to ignore. As a billion-dollar company active in sensitive sectors, we also face an additional risk: we are a 'target of choice.' This brings risks such as industrial espionage and hacktivism. You can only protect yourself well if you know what you are protecting against. This creates the obligation to look outward. That's why we chose Passguard.

A specific consideration is the infostealer risk that Passguard maps out. Especially as the role of digital identity increases – as it does with us – the point of failure shifts to this subject. We cannot afford to miss those infostealer infections.

Speaking of those infostealer infections, how do you view them?

Infostealers are almost like consumer-targeted APTs: advanced and very discreet. This is the difference from the classic viruses people have encountered for the last 20 years: those were less harmful but made a lot of noise, for example, by sending out spam. Infostealers are very quiet but steal very relevant information, which can be harmful to organizations.

Findings

What have you found with Passguard?

The good news is that we discovered through Passguard that our managed devices were well protected and not infected with infostealers. The bad news is that colleagues with unmanaged devices also have access to certain business systems, and those devices do have infostealer infections.

Our core systems are fully protected: only managed devices can log in. However, there is a gray zone of systems that may not be essential but still contain information that needs protection. We see that devices infected with infostealers are logging into these systems. Mapping out the infostealer infections made us realize that we might also need to further protect access to those systems.

So an infection on a personal device can still matter?

Absolutely. As long as people have access to business systems and information with their personal devices, this is important. This can include something as simple as an email application. If that device is infected with an infostealer, someone can obtain the credentials and cookies to misuse that access.

Is there a specific finding you can share?

At a location abroad – where everyone typically works at our standard secure workspace – it turned out that a computer was being used in a warehouse that had been locally purchased for convenience. This computer did not have our standard security measures. It was used by several colleagues for some non-essential internal systems. Passguard detected an infostealer infection on that computer. Although no critical systems were compromised, you can see how easily a mishap with infostealers can occur.

Dealing with Infections

When you see such an infection on the Passguard platform, how difficult or easy is it to determine what is happening?

Since the sessions are visible, you always have a username, making it very easy to identify which user is involved. Then, based on the available information, you can quickly determine whether it is a business device and which systems are affected. We usually know the operating system of the device and often the hostname, so you can quickly determine if it is a business device or rule out that possibility. You can't always determine with certainty which personal device it is, but you can usually deduce it.

And what steps do you take next?

The standard procedure is to create an incident so that we can track what happened in the future. The specific follow-up depends on the type of notification. For all recent and relevant logins, we invalidated the sessions and forced a password reset. As I mentioned, the infections did not occur on managed devices. Therefore, we reached out to the users who manage the infected devices and explained what happened without causing panic.

Conclusion

Would you recommend others to start using Passguard? And why?

Yes, 100%. Traditionally, many organizations only look internally at their own operations. By doing this, you miss everything happening outside your organization. By working with Passguard, you map out additional attack indicators. You discover what user information is available externally that shouldn't be, information that can also be used against you. Passguard gives you time to close vulnerabilities before they are exploited, providing valuable Early Warning Indicators.

Is there anything else people should consider when starting with Passguard?

Be prepared for an eye-opener! Information will come to light that you didn't expect, no matter how secure you think you are.