May 22, 2018 | Endpoint | Stephen Lowing
Defense-in-depth is a common security strategy that often combines several endpoint security products: next-generation anti-virus (NGAV), traditional anti-virus (AV) and/or endpoint detection and response (EDR). But as attacks and breaches continue to surge, I can’t help but wonder: are these technologies missing the point? CyberArk Endpoint Privilege Manager (EPM), NGAV (including traditional AV) and EDR products share the same end goal of preventing attackers from stealing your IP, ruining your brand and/or taking off with your sensitive customer data. But each takes a fundamentally different approach. We have discussed some of the limitations of these technologies previously, but as a refresher: NGAV and EDR primarily look to identify each threat with their proprietary technology, whereas EPM primarily looks to control which applications can run, and with what privilege they run, as well as to protect against credential theft.
What some endpoint products miss is that if you’re running as an admin, it’s only a matter of time before the bad guys “get in and own you.” This even appears in some of their corporate messaging. No single endpoint product can claim a perfect record for stopping an attacker from getting in. Furthermore, given that most attacks are initiated via phishing, such as an email that lures the victim into opening a document, executing content or visiting a fake website, you have to assume a breach is inevitable given enough time and effort on the attacker’s part.
Just like in Vegas, it’s a numbers game, and the house always wins in the end (oh, and you’re not the house). Hackers know this and expect that even in the most secure environments, even among IT admin team members who should know better, mistakes happen, clicks eventually happen, and unfortunately pwns happen. If you are like the many companies in a recent survey that reported most of their users (86 percent) still operate with admin or elevated privileges, you are on the wrong side of that bet, and attackers will find a privilege pathway already paved for them.
Privileged access is what enables attackers to achieve their goals. For this reason, among others, companies should use an endpoint security solution that also efficiently and effectively implements least privilege. Think about it: if your end users are not running as admin, then even when an attacker evades an NGAV product or circumvents detection by an EDR product, the attacker lands in a standard-user context. Without local admin rights they cannot dump credentials from LSASS, install drivers or system-level persistence, or disable the security agents on the machine, so moving beyond the point of origin becomes far harder and they are largely contained on the endpoint. It’s really that simple, but getting there is not always so simple (otherwise everyone would be doing it).
While it is relatively easy to remove local admin rights from users (just Google “group policy to remove local admin rights” to see a few examples), doing so can make your end users very unhappy: they can no longer install most applications, update drivers and so on, which in turn means more help desk calls. Over time this has the opposite effect of what was intended, as local admin rights are re-granted to more and more end users, and you end up right back where you started.
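Before removing rights by policy, most teams first want to see who actually holds local admin on a given machine and strip the unexpected entries. The script below is an added example written for this post, not CyberArk’s code and not a product feature; it uses the Microsoft.PowerShell.LocalAccounts cmdlets that ship with Windows PowerShell 5.1. The approved group names (`CORP\Workstation-Admins`, `CORP\LAPS-Helpdesk`) are hypothetical placeholders for your own environment.

```powershell
# Added example (not from the original post): audit the local Administrators group
# on this host and remove any member that is not on an approved list.
# Run in an elevated Windows PowerShell 5.1 session; use -WhatIf first.
function Remove-UnapprovedLocalAdmins {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Principals allowed to keep local admin rights. These names are
        # hypothetical; replace them with the groups your organization uses.
        [string[]]$Approved = @('CORP\Workstation-Admins', 'CORP\LAPS-Helpdesk')
    )

    $members = Get-LocalGroupMember -Group 'Administrators'
    foreach ($m in $members) {
        # Always keep the built-in Administrator account (RID 500), whatever it
        # has been renamed to. It is the break-glass account that LAPS manages;
        # removing it from the group can lock you out of the machine.
        $isBuiltIn = $m.SID.Value -like 'S-1-5-21-*-500'
        if ($isBuiltIn -or ($Approved -contains $m.Name)) {
            Write-Verbose "Keeping $($m.Name)"
            continue
        }

        # ShouldProcess gives us -WhatIf / -Confirm for free, so the dry run
        # prints what would be removed without touching the group.
        if ($PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m
            Write-Output "Removed $($m.Name) [$($m.ObjectClass) via $($m.PrincipalSource)]"
        }
    }
}

# Dry run first to review the candidates, then apply.
Remove-UnapprovedLocalAdmins -WhatIf -Verbose
# Remove-UnapprovedLocalAdmins -Verbose
```

Two practical notes: orphaned entries (deleted domain accounts) show up with a raw SID as their name and are removed along with everything else that is not approved, which is usually what you want; and a one-off script like this only cleans up the current state. To keep users from being re-added, the durable control is a Group Policy Restricted Groups or Group Policy Preferences setting that enforces the membership, which is the approach the post refers to.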
Furthermore, while Windows 10 helps companies start the process of separating admin privilege from standard users, it is still an all-or-nothing proposition: a user is either a local administrator or is not. This is where CyberArk Endpoint Privilege Manager can help fill the gap between what Windows 10 offers and the security team’s desire to remove local admin rights from end users. CyberArk enables customers to elevate a standard user to admin on a per-application basis, according to the user’s role within the organization. CyberArk can also reduce and control which applications a user is able to run in the first place. Lastly, CyberArk can protect privileged credentials from being stolen by blocking attempts to harvest credentials, including those that target browsers, such as Vega Stealer.
So given all this, are you willing to gamble it all on an NGAV or EDR solution to protect you from attackers? Instead, layer into your endpoint security strategy a privilege management solution that enables you to effectively implement least privilege at your endpoints: control what users can run and how they run it, and help stop privilege theft from occurring at all.
If you are looking for a new way to stop attackers, let CyberArk help you implement an effective endpoint security strategy today and swing the odds in your favor.