Let's get the basics out of the way first, then consider why it's important, and finally look at how it can be addressed quickly and easily.
"Endpoint" is a shorthand way of describing the laptops, desktops and workstations staff members use to get their work done. In theory, it also includes other devices like PoS terminals, kiosks, and more. But in this context, it mainly refers to the computers used by staff in all corporate departments every day.
Because there are so many endpoints in every business (often more than actual staff), they are frequent targets for cybersecurity threats.
In everyday use, "privilege" can mean many different things. In the corporate IT world it means having access or permissions above the minimum needed to use an IT system. For example, a "regular" user can log into their Windows laptop and use their email package, word processor, and much more without the need for special privileges.
Occasionally, they may need elevated permissions to do more. For example, to install a new application or change a configuration setting. Windows requires that an account with "administrator" rights is used when making such changes. In most cases, that means the user will see the "User Account Control" pop-up window appear.
At that point an IT administrator may enter their own account details (which, usefully, carry more power than a regular user's). If the user's own account has been granted "local admin" rights, they can enter their Windows login credentials themselves and the process continues.
Privileged accounts - whether on local workstations or shared services - are the prime target of cyber attacks because they are so powerful.
Imagine a valued member of your team, let's call them Jo. Years ago they were granted local admin rights on their laptop. At the time, Jo had been installing some new data analytics and modelling packages. They had to make many calls to the IT help desk to get everything installed.
IT (as always) was really busy; they knew Jo, so they granted them access to a secondary account, "Jo_admin". The Jo_admin account would be used whenever an installation or update was needed. It was particularly useful when Jo started spending more time working at home and needed to change configuration settings for local Wi-Fi connections, printers, etc.
It all seemed fine. The standard Jo account couldn't do anything risky and Jo could get on with their work. IT could get on with more valuable tasks.
Roll forward a few years: that Jo_admin account still exists, Jo is happy, and it has pretty much been forgotten about.
Then, one fateful day, that flexibility was exploited.
Jo installed what looked like the latest version of a plug-in to their analytics tool. As usual, they used the Jo_admin account. Unfortunately, the plug-in had been infected with malware. It opened a backdoor onto Jo's laptop.
The attacker managed to extract the credentials for the Jo_admin account and it was a short hop from there to move around the network. Confidential data was accessed and stolen along with more user and admin account credentials.
Eventually it became a fully-fledged ransomware attack.
Jo was absolutely gutted. But they hadn't done anything wrong. Training may have helped but, as with many sophisticated attacks, it's unlikely even the best training would have prevented this attack. Training cannot be the only line of defence.
Removing local admin rights might have prevented the attack. But that would have a significant impact on Jo's productivity and increase the IT workload. Managing the use of privileged accounts reduces the attack risk and avoids the impact on productivity - hence the need for Endpoint Privilege Management (EPM).
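Before local admin rights can be removed or brought under an EPM policy, IT needs to know where they exist, including forgotten secondary accounts like Jo_admin. The following PowerShell audit is an added example, not Osirium's code; it uses the built-in Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) and assumes it is run from an elevated shell. The 90-day staleness threshold is an assumption.

```powershell
# Added example (not Osirium's code): list every member of the local Administrators
# group on this endpoint and flag local (non-domain) accounts, such as a forgotten
# secondary admin account, for review. Run from an elevated PowerShell session.

$StaleAfterDays = 90   # assumption: an admin account unused for 90 days is stale

$members = Get-LocalGroupMember -Group 'Administrators'

$report = foreach ($m in $members) {
    $isLocal   = ($m.PrincipalSource -eq 'Local')
    $lastLogon = $null
    $enabled   = $null

    if ($isLocal -and $m.ObjectClass -eq 'User') {
        # Member names are "COMPUTERNAME\user"; strip the prefix to look up the local user
        $name = $m.Name.Split('\')[-1]
        $u = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        if ($u) {
            $lastLogon = $u.LastLogon
            $enabled   = $u.Enabled
        }
    }

    # Stale = local account with a known last logon older than the threshold
    $stale = $isLocal -and $lastLogon -and (((Get-Date) - $lastLogon).Days -gt $StaleAfterDays)

    [pscustomobject]@{
        Member         = $m.Name
        Type           = $m.ObjectClass
        Source         = $m.PrincipalSource
        Enabled        = $enabled
        LastLogon      = $lastLogon
        # Any local account other than the built-in Administrator is a candidate
        # for removal or for replacement with an EPM policy
        ReviewRequired = $isLocal -and ($m.Name -notlike '*\Administrator')
        Stale          = [bool]$stale
    }
}

$report | Sort-Object ReviewRequired -Descending | Format-Table -AutoSize
```

To run the same audit across a fleet, wrap the script in Invoke-Command -ComputerName against your endpoint list and export the combined objects with Export-Csv.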
With Osirium EPM, Jo would not have needed the Jo_admin account. IT would have granted Jo access to well-known and verified applications, or even to a folder containing approved applications, via an EPM policy. The malware couldn't be installed but Jo could still get on with their work without interruption. IT would have an audit trail of which apps or plug-ins had been installed.
Some members of staff need broader privileged access. For example, systems administrators, network engineers, or software developers may need access to tools such as network protocol sniffers or Windows Services. For those users, EPM can also add protection.
Osirium EPM allows approved users to elevate their entire Windows session for a limited period of time. Within that session, the user can perform all the tasks that normally need elevated permissions. IT still has visibility that the user was running an elevated session, should they later need to investigate an incident.
The most senior or trusted staff can even have the option to self-approve their request to elevate their sessions. Again, an audit trail of privileged sessions is always maintained.
With EPM, attacks can be blocked at the point of entry - much easier and more secure than trying to hunt down and remove the malware after it has got into the network. But as with all cyber security defences, strength comes from multiple levels of protection. So training is still valuable, as is the management of privileged access to shared IT systems and devices (that's the job of Privileged Access Management, PAM) and automating privileged processes with Osirium Automation.
In the second part of this series, we'll take a closer look at Osirium EPM and how it can be a key contributor to endpoint security. If you'd like to learn more, please visit https://www.osirium.com/epm or get in touch.