Endpoint Privilege Management: A New Generation of 007
Contrary to popular belief, cyberattacks are not (always) a massive attempt to take over or disable your infrastructure. While a wide DDoS attack can be used as a decoy, the real work is more subtle and more elaborate. Consider a James Bond film, for example. The bad guy would try to infiltrate your organization quietly, identify its weaknesses, and attempt to gain power gradually in order to fulfill his villainous plan.
Just as in those Bond movies, broad, external defenses are not enough, and usually countermeasures come too late to stop the infiltration. This is especially true for fragmented organizations and enterprises relying heavily on external contractors and employees working remotely. Once an enemy has found his way in, the whole organization falls. With 69% of breaches perpetrated by outsiders like organized criminal groups and nation-states, it takes a special problem-solver like 007 to save the day.
Evolving endpoint protection
Your endpoints, such as workstations and servers, are ideal targets for infiltrating a system. They become all the more vulnerable when they are taken outside the corporate network and therefore no longer benefit from perimeter protection.
In the early days, anti-virus solutions focused on identifying malware signatures and on whitelist/blacklist mechanisms. This approach quickly reached its limits due to one key factor: it relies heavily on known exploits. Systems therefore end up repeatedly exposed to zero-days as new threats constantly arise.
As attack vectors evolved and mutated, software vendors developed new protections under the name Next Generation Antivirus (NGAV), which relies on tools including:
- Machine learning, which can detect unknown threats and prevent unidentified attacks.
- Endpoint Detection and Response (EDR), which can correlate events and detect suspicious activity.
Those technologies, however, still focus on identifying threats rather than protecting the system from the inside. Reactivity rather than proactivity.
Protecting the system from within
Endpoint Privilege Management is a new generation of cybersecurity protection which focuses on providing an effective “immune” defense for your endpoints. Rather than trying futilely to identify, then block an attack, it stops whatever is not a natural part of the organism.
That is to say, only legitimate actions can be performed on your systems.
This new approach is particularly interesting for endpoints exposed to external networks, like those used by third-party providers or remote employees accessing your network resources. It assumes that any system could be infiltrated, and implements internal protections so that the endpoint cannot be harmed even if that happens, and even when it sits outside the corporate network. Endpoint protection employs the Principle Of Least Privilege: without local admin rights, an intruder or malware won’t be able to acquire the privileges needed to run processes and applications.
Enforcing the Principle Of Least Privilege also has additional benefits:
- Eliminating over-privileged users on endpoints, so that malware is unable to damage your system or steal critical data
- Removal of all local admin accounts to reinforce defenses
- Blocking of crypto APIs so that systems can’t be held hostage by ransomware
- Granting appropriate rights to the right users in the right context
This is a good first step, but it still focuses on the “external agent”: the user and his or her privileges. While this is, in theory, functional, it is not enough to fully defend the endpoint. Systems must be able to protect themselves against threats. That’s why best-in-class solutions take EPM to another level:
Privileges at the process level, not by user
The strongest, most innovative EPM solutions no longer address privileges at the user level, but at the process and application level.
This is a major conceptual shift for security: Local systems are no longer only protected against threats or against users. The defense is deployed at the application or at the process level for deeper, more tailored control and security.
More often than not, application management relies on a binary decision: a user can access an application or not, an application is authorized or not. The purpose of those rules is to prevent applications and processes from harming the system, but it comes at the expense of productivity when a user must interrupt their IT team for every otherwise legitimate software download.
When applications are pre-approved and specific actions within those processes are also approved (or denied), managing endpoint security becomes simple. Processes and applications can run only with a precise set of privileges in a precise context. With users that can’t self-elevate their privileges, and admin accounts removed, processes can’t be hijacked to perform malicious operations.
Providing granular protection at the process level allows the user to maintain access to all the tools necessary to accomplish their tasks, efficiently and independently, while ensuring that the software won’t be able to harm the system should an enemy find its way in.
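The following is an added example, not code from the original article or from any EPM product, showing what a process-level, context-aware, default-deny privilege policy looks like in practice. It models the two ideas above: the application must be pre-approved, and only specific actions within it are approved, each receiving a precise set of privileges in a precise context (user, network location). Every executable name, action, privilege token and user in it is constructed for illustration; nothing else is granted, so a self-elevation attempt by an unknown process or a crypto operation by an unapproved process simply falls through to DENY.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Context:
    """Runtime context in which a process asks for a privileged operation."""
    user: str
    on_corporate_network: bool


@dataclass(frozen=True)
class Rule:
    """One pre-approved (application, action) pair and the exact privileges it receives."""
    application: str                      # executable name (constructed)
    action: str                           # privileged operation the process wants to perform
    privileges: frozenset[str]            # precise set of privileges granted for that action
    require_corporate_network: bool = False
    users: frozenset[str] = frozenset()   # empty means any user may trigger the rule


@dataclass
class ProcessPolicy:
    """Default-deny, process-level policy: no matching rule means no privilege at all."""
    rules: list[Rule] = field(default_factory=list)
    audit: list[str] = field(default_factory=list)   # decision trail for detection/IR review

    def evaluate(self, application: str, action: str, ctx: Context) -> tuple[Decision, frozenset[str]]:
        for rule in self.rules:
            if (rule.application, rule.action) != (application, action):
                continue
            if rule.users and ctx.user not in rule.users:
                continue
            if rule.require_corporate_network and not ctx.on_corporate_network:
                continue
            self.audit.append(f"ALLOW user={ctx.user} app={application} action={action} "
                              f"privs={sorted(rule.privileges)}")
            return Decision.ALLOW, rule.privileges
        # Default deny: unknown applications, unapproved actions, wrong user or wrong context.
        self.audit.append(f"DENY  user={ctx.user} app={application} action={action}")
        return Decision.DENY, frozenset()


def build_example_policy() -> ProcessPolicy:
    """Constructed sample rules; the privilege tokens are illustrative labels, not a real API."""
    return ProcessPolicy(rules=[
        # VPN client may load its network driver anywhere (it is what gets the user on-network).
        Rule("vpnclient.exe", "install_network_driver",
             frozenset({"LOAD_DRIVER"})),
        # Only the backup service account's agent may use encryption; other processes get no
        # crypto capability, which is the article's "blocking of crypto APIs" against ransomware.
        Rule("backupagent.exe", "encrypt_archive",
             frozenset({"CRYPTO_API"}), users=frozenset({"svc_backup"})),
        # Developer tool may write to its own install folder, but only on the corporate network.
        Rule("devtool.exe", "write_program_files",
             frozenset({"WRITE:C:\\Program Files\\DevTool"}), require_corporate_network=True),
    ])


def run_demo() -> list[str]:
    """Evaluate a few constructed requests and return the audit trail."""
    policy = build_example_policy()
    alice_remote = Context(user="alice", on_corporate_network=False)
    alice_office = Context(user="alice", on_corporate_network=True)
    backup_svc = Context(user="svc_backup", on_corporate_network=True)

    policy.evaluate("vpnclient.exe", "install_network_driver", alice_remote)   # ALLOW
    policy.evaluate("devtool.exe", "write_program_files", alice_remote)        # DENY: off-network
    policy.evaluate("devtool.exe", "write_program_files", alice_office)        # ALLOW
    policy.evaluate("backupagent.exe", "encrypt_archive", alice_office)        # DENY: wrong user
    policy.evaluate("backupagent.exe", "encrypt_archive", backup_svc)          # ALLOW
    policy.evaluate("unknownupdater.exe", "self_elevate", alice_office)        # DENY: no rule
    return policy.audit


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The design choice worth noting is that privileges are attached to the (application, action, context) tuple rather than to the user: Alice never holds a standing right to write into Program Files, so a process she runs cannot inherit one, and the same action is allowed or denied depending on whether the endpoint is on the corporate network. The audit list is the part a detection team would actually consume: a burst of DENY entries for an unknown executable attempting privileged actions is the signal that something is trying to gain power gradually.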
Calling Bond, James Bond to save the day is not always an option. EPM enables organizations to block the root cause of the danger they face from the inside: processes and applications, especially when endpoints like employee PCs are exposed to external threats. Proper implementation of the Principle Of Least Privilege helps to prevent infiltrated agents from hijacking your systems, simply because they won’t be able to perform any activity beyond those allowed for your employees to perform their specific tasks.