
ENDPOINT PRIVILEGE MANAGER

Implement Least Privilege
Contain Attacks on the Endpoint

Huy Do – CISSP, CISA, CCNP-S, CEH
Regional Solution Engineer, ASEAN
huy.do@cyberark.com
CHALLENGES

Most attacks start on the endpoints.

Regardless of origin, the attacker will typically have restricted rights and will need to elevate privilege to achieve their goal (e.g. financial or data theft, disruption, vandalism).

CONFIDENTIAL INFORMATION
PRIVILEGED CREDENTIALS IN THE NEWS

ATTACKERS DON’T PLAY BY THE RULES

Unmanaged privilege has the potential to create and multiply the negative consequences of a breach.

“Well, once you have admin access on a particular system you can pretty much do anything you want on it.”
– A response to “why wasn’t there an alarm for 11 days?”, SolarWinds hearings

cyberark.com
ATTACKERS DON’T NEED TO HACK IN – THEY JUST LOG IN
KEYS TO THE KINGDOM

External Attackers | Malicious Insiders

PROLIFERATION OF PRIVILEGED ACCESS

Any identity can become privileged under certain conditions: Admins, DevOps, 3rd Party Vendors, Business Users, Application Robots / Apps.
PROACTIVE PROTECTION AND DETECTION

✓ Enforce least privileges
✓ Block credential theft
✓ Deception-based detection
✓ Block unknown applications

Local Admin Right | Harvested Credentials | Trusted Applications
THE PRIVILEGED PATHWAY

THE PROBLEM: USERS WITH ADMIN RIGHTS CAN…

Change system configurations | Install malware | Access and change accounts

“87% of organizations have not removed local admin rights, which represents a significant increase YoY.”
Source: CyberArk Threat Landscape Survey
THE DILEMMA – SECURITY VS. OPERATIONAL IMPACT

Users have local admin rights:
  Operations impact: happy, productive users.
  Security impact: increased security incidents.

Local admin rights are removed:
  Operations impact: increased burden on the support team; increased calls and costs.
  Security impact: “contain attacks on the endpoint”.

This makes the existing strategy not work well…

Detection Technologies: IOA / IOC, Network firewall, Intrusion Prevention, SIEM, Network sandbox, EDR / Anti-malware

Attack vectors:
• APTs and Exploit kits
• Social engineering email/installs
• Zero-day browser/App exploits
• Fileless malware (leverages built-in tools/functionality)
• Malicious Content (macros, scripts, payloads)
• Credential Theft
• Ransomware

Mitigation:
• Known Threats (signature and/or behavior)
• System wide/persistent malware
• Credential Theft & Content
• Ransomware Protection
• Software Installation
• Disable/uninstall security software/services/policies
• User Account attacks and lateral movement
• Tamper with system configuration and OS files
• User context applications/malware (installs and portable)

CyberArk EPM:
• Privilege Management
• Application Control
• Handler Control
A FUNDAMENTAL BUILDING BLOCK IS MISSING

AV/EDR/NGAV – tries to detect and block execution based on signature or behavior.

Privilege Management – ensures least privilege and removes local admin.

Configuration Management – mitigates vulnerabilities and exploitable code in OS and applications.
IDENTITY SECURITY PLATFORM (platform diagram)

Identities: Admins, Workforce, Third Parties, Customers, DevOps, Workloads, Devices
Resources: Applications & Services, Infrastructure & Endpoints, Data Centers, OT, Hybrid & Multi-Cloud, SaaS
Pillars: Seamless & Secure Access for Workforce | Intelligent Privilege Controls for All Identities | Flexible Identity Automation & Orchestration
Products: Workforce & Customer Access; Endpoint Privilege Security (Endpoint Privilege Manager: Workstations & Servers; Secure Desktop); Privileged Access Management; Secrets Management; Cloud Privilege Security; Identity Management; Identity Security Intelligence
Shared Services: Single Admin Portal | Workflows | Unified Audit | Authentication & Authorization
Deployment: SaaS | Hybrid | Self-Hosted
HOW WE DO IT – ENDPOINT PRIVILEGE MANAGER EPM

LEAST PRIVILEGE

Privilege Management – prevent attacks that start at the endpoint by removing local admin rights on Windows workstations, servers, and Macs.

Application Control – allows IT operations and security teams to let approved applications run while restricting unapproved ones. Unknown applications run in ‘Restricted Mode’, which prevents them from accessing corporate resources, sensitive data or the Internet.

Just-in-time user elevation and access on a by-request basis for a time-limited period, with full audit of privileged activities.
PRIVILEGE MANAGEMENT

Enforce the minimal level of user rights, or lowest clearance level, that allows the user to perform his/her role.

Endpoint Privilege Manager Privilege Management:
• Remove local privileged accounts without the negative impact on the IT/helpdesk.
• Enforce granular least privilege policies for Windows administrators.
• Seamlessly elevate user privileges as needed.
• Strengthen the protection and detection capabilities of your existing endpoint security.
APPLICATION CONTROL

Endpoint Privilege Manager Application Control:
• Allow approved applications to run while blocking malware, including Ransomware.
• Unknown applications are run in ‘Restricted Mode’, which prevents them from accessing corporate resources, sensitive data or the internet.
• The Application Risk Analysis service provides additional insights about the risk.
• Trust business requirement sources such as SCCM, updaters, URLs and more.
JUST IN TIME

Right Person. Right Access. Right Resource. Right Time. Right Reason.

No Standing Access → APPROVAL (Interactive or Automated) → Privilege Escalated → Access Removed

Endpoint Privilege Manager allows just-in-time elevation and access on a by-request basis for a predefined period of time, with a full audit of privileged activities.
PRIVILEGE DEFENSE

Credential theft blocking capabilities help organizations detect and block attempted theft of Windows credentials and those stored by popular web browsers and file cache credential stores.

Ransomware protection provides another layer of security to the endpoint – the ability to detect ransomware with certainty and respond before the attack can cause damage.

Privilege Deception detects an insider threat, or an attacker impersonating an insider, who tries to operate undetected. Privilege Deception detects and blocks lateral movement by placing deception components in the attack path.
CREDENTIAL THEFT BLOCKING (diagram)

Approved & relevant apps | Restricted access | Alert chain | Credential lures | Credential caches (LSASS, browser creds, etc.)
RANSOMWARE PROTECTION

PRIVILEGE DECEPTION

Think Like an Attacker

The Privilege Deception feature enables defenders to quickly detect and proactively shut down in-progress attacks by placing deception components in the attack path.
INTEGRATIONS

Our Technology Partnerships allow us and our partners to create unified, integrated experiences across diverse disciplines. We work with the right partners to provide the best experience and protection for our customers — secure, easy, robust.
INTEGRATIONS EXPLAINED

SECURITY INTEGRATIONS
CyberArk gains intelligence by integrating third party data into its platform, including threat intelligence, asset data, and other indicators of security health.
Examples: enabling dual factor authentication, file threat score, or sandboxing.

IT/HELPDESK INTEGRATIONS
With CyberArk REST API capabilities, organizations can improve data flows, enrich data streams, and automate ticketing and response time.
Examples: ticketing systems.

Explore our existing plug-ins and product add-ons at the CyberArk Marketplace.
AS A SERVICE DEPLOYMENT

Benefits:
• Security
• Cost effectiveness
• Scalability
• Simplicity
• Flexibility

Supports:
• Windows Workstations
• Windows Servers
• macOS
• Linux Machines

DEMO
CYBERARK IDENTITY SECURITY PLATFORM (product overview diagram)

Endpoint Privilege Manager (Workstations | Servers) | Vendor Privileged Access Manager | Privileged Access Manager (Cloud | On Premises) | Cloud Entitlements Manager | Secrets Manager (Conjur Enterprise, Open Source; Credential Providers) | Workforce Identity | Customer Identity
Access | Privilege | DevSecOps
IDENTITY SECURITY PLATFORM: Security First • AI-Enabled • Frictionless • Everywhere
WHY CYBERARK

Provide a modern approach to IDENTITY SECURITY anchored on privilege to protect against advanced cyber threats.

#1 Leader in Privileged Access Management | 6,300 Global Customers | Trusted by more than 50% of the Fortune 500
READY TO START? ENDPOINT PRIVILEGE MANAGER FREE TRIAL

https://www.cyberark.com/try-buy/endpoint-privilege-manager/
THANK YOU
