Information security professionals know there are two fundamental endpoint security practices that should be part of their security program in order to reduce the attack surface. Validated by various government information security organizations and industry analysts, the first practice is application patching, and it has been widely adopted thanks to commonly available enabling tools. The second is securing privilege on the endpoint.
As part of the research conducted for the “CyberArk Global Advanced Threat Landscape Survey 2016,” 750 IT decision makers were asked if their organization’s users have local administrative privileges on their endpoint devices. Sixty-two percent said yes.
Removing local admin rights from workstations is perceived to be a difficult trade-off between security and usability. This is because the end-user often has to contact the desktop support team for the most trivial of tasks, resulting in lost productivity.
This also increases the burden of work for the support team, which can lead to missed service level agreements and increased support costs. The overall result can be a stand-off between the information security and desktop support teams.
Plugging endpoint security gaps
To compensate, organizations have added layers of preventative endpoint security, including anti-virus, personal firewalls, intrusion prevention, application and device control.
Even with these in place, many view a network breach as inevitable. In response, data loss prevention (DLP) has been deployed to detect and block attempts to exfiltrate sensitive information. In many instances, file and full disk encryption has also been added to ensure that any information stolen is useless – unless the attacker also steals encryption keys.
Today the perceived choice is either to bet on yet more prevention controls or follow the continued acceptance that a breach is inevitable, and therefore, opt to add detection and response capabilities. These complement prevention controls by helping organizations to understand when and where malicious activity might occur on their network; unfortunately, they often offer too little too late, especially with the current ransomware trend.
Enforcing least privilege
What if information security professionals could go back to that fundamental best practice that is missing? If they can overcome the objections to deploying technologies that allow them to do what they know is right, their endpoints could be far more secure. There are better options today. For example, combining least privilege management with application control allows revocation of local administrator rights, but also offers elevation of privilege for trusted applications when needed.
Facilitating application control
Application control can provide significant additional benefits, such as enabling a policy-based approach to allow known good applications to execute while blocking malicious software. There are two common objections to this approach, which CyberArk has addressed – manual policy creation and the binary approach of white and black listing.
By trusting sources of files, such as those from software distribution tools or file shares, and those with trusted signatures, CyberArk has found that 99% of applications can be automatically added to the policy. The final 1% do not have to be treated in a binary manner. This is the practice that creates a user productivity issue and generates a help desk call when the user tries to install a new application. You can run unknown applications in a restricted mode but prevent access to sensitive information, network shares and the Internet. If the application is malicious, the threat is contained on the endpoint.
Containing attacks on the endpoint
Least privilege combined with application control is a security best practice to contain attacks on the endpoint. As part of a program to secure privileges on the endpoint, consider protecting Windows credentials and those stored by popular browsers too. If you can detect and block credential theft attempts, you will stand a far better chance of containing an attack on the endpoint.
Learn more about how CyberArk can help organizations to enforce privilege security on the endpoint without the negative impact of removing local administrator rights. Visit: https://www.cyberark.com/endpoint-privilege-manager/.
