Defense-in-depth with overlapping rings of endpoint security
When a cybercriminal wants to break into your network, the number one way they succeed is by attacking endpoints. Cybercriminals break into one endpoint and then use the passwords found there, and the privileges they provide, to move laterally from the endpoint onto your network.
Endpoint Privilege Management (EPM) can keep exploits confined to users’ devices. By removing or reducing local administrative privileges on endpoints, you can reduce lateral movement via privilege escalation and pass-the-hash attacks. Policy-based controls, including Allow, Deny, and Restrict lists help you control shadow IT and manage application privileges.
There are aspects of endpoint security that EPM doesn’t manage
As powerful as EPM is, there are aspects of endpoint security it doesn’t manage. For example, EPM doesn’t replace firewalls to block attacks on an endpoint. It doesn’t authenticate users at login or protect data on an endpoint from being exfiltrated. It can’t remove malware from an endpoint or quarantine infected endpoints.
For comprehensive endpoint security, you need a defense-in-depth strategy made up of multiple tools with overlapping controls. By integrating your Endpoint Privilege Management solution with additional technologies like those below, you can manage your entire security tool stack more easily and enhance the effectiveness of each component.
See how other endpoint security tools work together with EPM for maximum protection.
Anti-virus (A/V)
Anti-virus and EPM solutions solve fundamentally different problems. Like endpoint firewalls, A/V software is aimed at identifying and stopping malware at the perimeter, while EPM is all about “boxing in” the endpoint so malware can’t escape.
Endpoint detection and response (EDR)
Like EPM solutions, endpoint detection and response systems keep exploits that slip past A/V or are launched by an unwitting user contained to the endpoint. EDR tools also provide data about endpoint usage that aids in understanding the root cause of an attack and determining if it has expanded beyond the endpoint. By continuously collecting and analyzing data from all endpoints managed by an organization, EDR systems can provide surveillance, alerting, and reporting. The data they collect can be used to monitor current user behaviors and conduct forensic analysis after a breach has occurred.
Data loss prevention (DLP)
EPM is focused on privileges while DLP is focused on data. DLP stops data breaches and leaks using policy-based controls, data encryption, and real-time activity monitoring. It alerts your security teams when red flags appear, such as copies being made or data being transferred to an external drive or USB stick. EPM enables DLP with the appropriate privileges to scan endpoints for sensitive data, thereby increasing DLP success. Like EPM systems, DLP tools can respond automatically to contain incidents before they get out of hand and provide audit trails in the event a data breach does occur.
Endpoint protection platform (EPP)
Think of an endpoint protection platform as A/V on steroids. These solutions support the same goal of recognizing and stopping attacks by blocking malware before it launches. Advanced EPP solutions rely on many detection technologies, from static indicators of compromise to behavioral analysis, to spot suspicious activity. Like A/V, EPM complements EPP solutions with least privilege capabilities, reporting, and incident
File integrity monitoring (FIM)
FIM tools take a baseline snapshot of the files on an endpoint and then compare subsequent changes against that snapshot to look for suspicious activity. If they spot anything fishy, such as a sudden change in file size or access by an unauthorized user, FIM can trigger alerts or take immediate action. EPM offers similar functionality when it comes to users, applications, and services, and works alongside FIM solutions that are focused on files.
Threat prevention engines
EPM solutions integrate with threat prevention engines to perform real-time reputation checks so applications that are known to be malicious can’t execute. Privilege Manager, for example, has out-of-the-box integrations with both VirusTotal and Cylance. If an application isn’t included on a deny list and is unknown, your EPM solution can sandbox it or add it to a deny list until it can be vetted by IT.
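As an added example (not Privilege Manager's code or the page's own), the Allow, Deny and Restrict lists described for EPM above, combined with the reputation check and the "unknown until vetted" rule from this paragraph, can be expressed as one decision function. The hashes, publishers and the reputation feed are constructed stand-ins, and the choice to run reputation-clean apps only with standard user rights is an assumption.

```python
"""Illustrative EPM application-control decision logic (added example).

Models Allow / Deny / Restrict lists plus a reputation lookup and the
"unknown app is quarantined until IT vets it" rule. The reputation
dictionary is a constructed stub for a VirusTotal- or Cylance-style engine.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW_ELEVATED = "run with elevated privileges"
    ALLOW_RESTRICTED = "run with standard user rights only"
    DENY = "block execution"
    QUARANTINE = "sandbox and add to deny list pending IT review"


@dataclass(frozen=True)
class App:
    sha256: str
    publisher: str


# Constructed policy lists; hashes and publisher names are fake.
ALLOW_HASHES = {"a1" * 32}
DENY_HASHES = {"d1" * 32}
TRUSTED_PUBLISHERS = {"Example Corp IT"}
RESTRICT_PUBLISHERS = {"Example Browser Vendor"}   # may run, never elevated

# Constructed reputation feed: sha256 -> verdict from the threat engine.
REPUTATION = {"e1" * 32: "malicious", "f1" * 32: "clean"}


def evaluate(app: App, pending: set[str]) -> Decision:
    """Decide how `app` may run; unknown apps are recorded in `pending`."""
    if app.sha256 in DENY_HASHES or app.sha256 in pending:
        return Decision.DENY                   # an explicit deny always wins
    if app.sha256 in ALLOW_HASHES or app.publisher in TRUSTED_PUBLISHERS:
        return Decision.ALLOW_ELEVATED
    if app.publisher in RESTRICT_PUBLISHERS:
        return Decision.ALLOW_RESTRICTED
    verdict = REPUTATION.get(app.sha256)       # real-time reputation check
    if verdict == "malicious":
        return Decision.DENY
    if verdict == "clean":
        return Decision.ALLOW_RESTRICTED       # known good, but not elevated
    pending.add(app.sha256)                    # unknown: deny until vetted
    return Decision.QUARANTINE
```

A second launch of the same unknown binary is blocked outright because its hash is now on the pending deny list, which is the behaviour the paragraph describes.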
Multi-factor authentication (MFA)
Multi-factor authentication works to authenticate users by verifying that the person logging into the endpoint is who they say they are. This is done using various methods, such as SMS, hardware and software tokens, email, or other means, by which the user verifies they are a human (and not a bot) by responding to the MFA system in real time, typically by entering a temporary code. EPM can integrate with MFA tools so users are required to verify their identity before privileges are elevated.
System Center Configuration Manager (SCCM)
This Microsoft tool is used to push out new software, software updates, and patches to endpoints. EPM solutions can integrate with SCCM to verify that the new software, patches, and updates your sysadmins deliver adhere to your least privilege policies, and to enable those updates to install successfully.
Ticketing management
EPM systems can integrate with ticketing management solutions, such as ServiceNow. When users ask for privileges to be escalated, their request goes through the support workflows you’ve already set up and can be approved, managed, and audited easily.
Overlapping rings of security with endpoints at the center
As you build out a comprehensive endpoint security strategy, consider the different ways cybercriminals and malicious insiders could threaten your IT environment. Build up your defenses for each of these scenarios using an integrated mix of endpoint security solutions. By choosing best-in-breed tools for each type of solution, you can create a security system in which the whole is greater than the sum of its parts.