Certified Pwned: PKI Spotlight® May 2023 Feature Release Webinar Highlights

Nick Sirikubult, Director Of Business Development, and Michael Bruno, PKI Software Engineer, showcased the latest features of PKI Spotlight® during our May 9th, 2023 Webinar.

PKI Solutions has announced the latest release of PKI Spotlight®, a Public Key Infrastructure monitoring and alerting solution designed to address specific, ongoing tasks that CISOs are responsible for in the current cybersecurity landscape. With the upcoming cybersecurity bill from the SEC and other regulatory bodies and increasingly complex IT requirements, CISOs are facing new emerging threats to PKI environments, cybercrime insurance requirements, and a shrinking talent pool. PKI Spotlight aims to help CISOs secure the enterprise and customer data against exploitable PKI misconfigurations and vulnerabilities, extend visibility into non-Microsoft PKIs, and scale PKI expertise.

This release of PKI Spotlight® introduces the following capabilities:

• SIEM Integration with Splunk: This feature allows CISOs to easily integrate PKI Spotlight® with their Splunk SIEM solution, providing a consolidated view of PKI events and alerts alongside other security data, helping to streamline incident response and improve security posture.

• Detection of Certified Pre-Owned Vulnerabilities: This feature enables PKI Spotlight® to identify and mitigate PKI vulnerabilities which were documented by SpecterOps in the “Certified Pre-Owned Active Directory” white paper. As this document is leveraged by both penetration testers and malicious actors, detecting and mitigating these specific vulnerabilities is paramount to keep an organization’s PKI secure, compliant and audit-safe.
• Detection of Strong Name / OID: This feature enables PKI Spotlight® to identify PKI misconfigurations that would result in the issuance of client authentication certificates that do not comply with Microsoft “KB5014754 – Certificate-based authentication changes on Windows domain controllers”. Such certificates may not be used for authentication to Microsoft Active Directory resources. Ensuring certificates cannot be issued in this state mitigates the risk of service disruptions.
• Detection of High Value Certs: This feature enables PKI Spotlight® to trigger an event upon the issuance of digital certificates that have a higher level of risk or value (such as Code Signing and Wildcard-named certificates), giving organizations the ability to react in real-time to revoke such certificates which were issued maliciously or in error.
• Detection of Unknown OCSP: This feature enables PKI Spotlight® to give organizations confidence that their Online Certificate Status Protocol (OCSP) environments are configured to not only recognize if a certificate is revoke but whether or not the CA actually issued the certificate being queried by the reliant party.

This release of PKI Spotlight®, a Public Key Infrastructure monitoring and alerting solution, is designed to address the specific jobs to be done of CISOs in the current cybersecurity landscape. With the upcoming cybersecurity bill from the SEC and other regulations and concerns, CISOs are facing new emerging threats to PKI environments, cybercrime insurance requirements, and a shrinking talent pool. PKI Spotlight® aims to help CISOs secure the enterprise and customer data against exploitable PKI misconfigurations and vulnerabilities, extend visibility into non-Microsoft PKIs, and scale PKI expertise while saving at least $185k in salary per year.

Nick Sirikulbut, Director of Business Development, and Michael Bruno, PKI Software Engineer, showcased the latest features of PKI Spotlight® with a heavy focus on getting, and keeping you compliant and prepared with visibility into your PKI environment.

We also demonstrated how PKI Spotlight® will automatically alert you on the presence or absence of SpecterOps’ ESC1 to ESC8, which can be exploited to cause common audit failures.

And we provided a glimpse into out new SIEM support with SPLUNK and will reiterate some features you may have missed, such as HashiCorp and our extended visibility into your PKI environment.

Industry Experts Agree

“With PKI Solutions, we get the best-in-class PKI expertise. PKI Spotlight® is an important addition to our portfolio of products and gives us productivity gains together with peace of mind that our PKI systems are available and functional, and any service that relies on our PKI is operating smoothly and securely,” said Scott Fales, principal network engineer at BayPort Credit Union. “We expect our reliance on our PKI environment to increase over time and having a product like PKI Spotlight® means that we can reliably execute on initiatives that continue to improve our security posture.”

According to Roger A. Grimes, 34-year cybersecurity consultant and author of 13 books and more than 1,200 magazine articles on computer security, the time has come for a product like PKI Spotlight®. “Whether you have one PKI server or dozens, you should get PKI Spotlight®. It’s what Microsoft should have created 20 years ago,” said Grimes. “Once you see what it does it seems so obvious why you absolutely need it.”

Making CISOs Look Good and Pass Audits

• Unparalleled visibility and control over PKI environment: With PKI Spotlight®, CISOs can monitor and manage their PKI environment in real-time. This visibility allows them to detect and respond to potential issues before they can cause harm. This capability makes CISOs confident in the security of their digital assets.
• Cost-effective solution: PKI Spotlight® can save CISOs at least $185k in salary per year, in addition to a worry-free nights. By employing PKI Spotlight®, companies can have a 24/7 ‘employee’ whose sole task is to monitor the PKI environment, like having an expert gatekeeper on staff who never sleeps. This cost-effective solution provides CISOs with the expertise they need without the high cost of hiring additional personnel.
• Compliance with industry regulations and standards: PKI Spotlight® helps organizations stay compliant with industry regulations and standards, reducing the risk of data breaches and audit findings. The features of PKI Spotlight® such as detection of Certified Pre-Owned Vulnerabilities and Detection of High-Value Certs ensure that CISOs can identify and mitigate potential vulnerabilities related to PKI and digital certificates, making them compliant with industry regulations
• Scalability and expertise: PKI Spotlight® is built to scale with the growing needs of the organization. It also provides the necessary expertise in managing and monitoring the PKI environment, making CISOs confident in the security of their systems.

Questions and Answers

Q: Do you also monitor for “high value accounts in UPNs” (i.e. Enterprise Admins, Domain Admins, etc.) or Computer-Accounts (DCs)?

A: Yes, and low value too. If Domain Users have write or full control on a template – that is a risk as well.

Q: If your certificate template only allows a specific service account (used by Venafi for example) to enroll using that template, do the other issues matter then?

A: Yes, as any service account or context is generally only protected through password NTLM, which then translates into Kerberos and then enrolls. The service account often has pretty high credentials that are targets for attacking. There are risks associated with many types of templates and if not properly managed, could introduce new risks

Q: I saw you have added some SIEM support to this version – but it was for Splunk. Are you planning to add support to Microsoft Sentinel and LogRhythm SIEM?

A: Yes, We will continue to evaluate different SIEM solutions. Microsoft Sentinel is on the list. Feel free to reach out if you would like to see MS Sentinel and LogRhythm support in PKI Spotlight. Importantly we will work with any customer who buys Spotlight to make sure their SIEM is supported.

Q: Are tcp/80 (HTTP) based – Internet facing CRLs vulnerable to underlying OS level attacks?

A: Not directly, the CRL is cryptographically signed and any tampering will be detected. However, a DoS attack could make the CRL inaccessible and cause disruptions in an environment. But it is not common. nor needed, to use TLS protection for access to CRLs

FULL WEBINAR VIDEO

SpecterOps Demo

SPLUNK!

Unknown OSCP Demo

High Value Cert Detection Demo