Article by Thycotic regional director for Asia, Jude Kannabiran.
A chain is only as strong as its weakest link. When it comes to breaching a network, the weakest links are usually the endpoints, and that is where most cyber-criminals start. There, they take advantage of any vulnerabilities that might exist, or simply trick the user into handing over control of their device.
But the cyber-criminal’s ultimate target generally lies elsewhere. After breaking into an endpoint system, they use the passwords they find there and the privileges they provide to move further up the chain — or into the cloud — to where the most valuable assets are.
Endpoint privilege management (EPM) can keep exploits confined to users’ devices. By removing or reducing local administrative privileges on endpoints, users can reduce lateral movement via privilege escalation and pass-the-hash attacks. Policy-based controls, including ‘allow, deny and restrict’ lists, help control shadow IT and manage application privileges.
As powerful as EPM is, however, there are aspects of endpoint security it doesn’t manage. It would be ideal to prevent cyber-criminals from gaining control of endpoints in the first place, and EPM doesn’t replace firewalls or anti-virus, which can block endpoint attacks. EPM doesn’t authenticate users at login or protect data on an endpoint from being exfiltrated. It can’t remove malware from an endpoint or quarantine infected endpoints.
For comprehensive endpoint security, a defence-in-depth strategy made up of multiple tools with overlapping controls is needed. By integrating an EPM solution with additional technologies like those below, teams can manage the entire security tool stack more easily and enhance each component’s effectiveness.
Let’s see how other endpoint security tools work together with EPM for maximum protection.
Anti-virus and EPM solutions solve fundamentally different problems. Like endpoint firewalls, A/V software aims to identify and stop malware at the perimeter, while EPM is all about “boxing in” the endpoint so malware can’t escape.
Endpoint detection and response (EDR)
Like EPM solutions, EDR systems keep exploits that slip past A/V or are launched by an unwitting user contained to the endpoint. EDR tools also provide data about endpoint usage that aids in understanding the root cause of an attack and determining if it has expanded beyond the endpoint.
By continuously collecting and analysing data from all endpoints managed by an organisation, EDR systems can provide surveillance, alerting, and reporting. The data they collect can be used to monitor current user behaviours and conduct forensic analysis after a breach has occurred.
Data loss prevention (DLP)
EPM is focused on privileges, while DLP is focused on data. DLP stops data breaches and leaks using policy-based controls, data encryption, and real-time activity monitoring. It alerts security teams when red flags appear, such as copies being made or data being transferred to an external drive or USB stick.
EPM enables DLP with the appropriate privileges to scan endpoints for sensitive data, thereby increasing DLP success. Like EPM systems, DLP tools can respond automatically to contain incidents before they get out of hand and provide audit trails in the event a data breach does occur.
Endpoint protection platform (EPP)
Think of an EPP as A/V on steroids. These solutions support the same goal of recognising and stopping attacks by blocking malware before it launches. Advanced EPP solutions rely on many detection technologies, from static indicators of compromise to behavioural analysis, to spot suspicious activity. Like A/V, EPM complements EPP solutions with the least privilege capabilities and reporting.
File integrity monitoring (FIM)
FIM tools take regular snapshots of the endpoint and then compare that snapshot with any changes to a file to look for suspicious activity. If they spot anything fishy, such as a sudden change in file size or access by an unauthorised user, FIM can trigger alerts or take immediate action. EPM offers similar functionality when it comes to users, applications, and services. They work alongside FIM solutions that are focused on files.
EPM solutions integrate with threat prevention engines to perform real-time reputation checks so applications that are known to be malicious can’t execute. If an application isn’t included on a deny list and is unknown, an EPM solution can sandbox it or add it to a deny list until it can be vetted by IT.
Multi-factor authentication (MFA)
MFA works to authenticate users by verifying that the person logging into the endpoint is who they say they are. This is done using various methods, such as SMS, hardware and software tokens, email, or other means, by which the user verifies they are a human (and not a bot) by responding to the MFA system in real-time, typically by entering a temporary code. EPM can integrate with MFA tools, so users must verify their identity before privileges are elevated.
System centre configuration manager (SCCM)
This tool is used to push out new software, software updates, and patches to endpoints. EPM solutions can integrate with SCCM tools to verify that the new software, patches, and updates that the sysadmins deliver adhere to privilege policies, and enable software updates to install successfully.
EPM systems can integrate with ticketing management solutions. When users ask for privileges to be escalated, their request goes through the support workflows that are already set up and can be approved, managed, and audited easily.
Overlapping rings of security with endpoints at the centre
As a comprehensive endpoint security strategy is built out, consider the different ways criminal hackers and malicious insiders could threaten the IT environment. Build up defences for each of these scenarios using an integrated mix of endpoint security solutions. By choosing the best-in-breed tools for each type of solution, teams can create a security system in which the whole is greater than the sum of its parts.