5 Key Steps to Building an Effective Defence-in-Depth Endpoint Security Approach

The shift to remote working has meant that not only have your users left the office, but so have your endpoints. Ensuring endpoints such as laptops, tablets and phones have strong defences to keep them protected from attackers requires all endpoints to be treated as privileged users. Beyond keeping endpoints protected, you need to ensure that, should one be compromised, it cannot then be used as a platform to move deeper into your environment. Putting least privilege into practice will help you achieve this.

Least privilege is the practice of restricting access rights for users, accounts and applications to only what they need to perform routine and legitimate activities. It gives users, processes, systems and endpoints the minimum amount of access they need to perform their functions.

Let’s take a look at 5 key steps you can take to build an effective defence-in-depth endpoint security approach using the principles of least privilege.

1. Communication is crucial

As with any change to processes, policies or strategies, good communication is the key to a successful roll-out. Regular communication about your intentions, processes and the reasons for the changes you are making ensures that everyone is on the same page and understands why the changes have been made.

Communicate the value of least privilege to users and help them understand how it works and how it strengthens endpoint security. Notify them of upcoming changes so they know what is on the horizon, how it will affect them, and the steps they need to take to elevate privileges when necessary.

2. Identify critical assets

Having an inventory of your endpoints will help you understand who is using them, what applications are running on them and where they reside, i.e. on prem, in the cloud, with remote workers etc. Knowing this can help you determine the level of business risk each endpoint represents.

Automated endpoint discovery tools can help you:

  • Locate the applications, services and users that have admin rights.
  • Understand which applications require admin rights.
  • Identify the employees and developers who install software frequently.
  • Discover which users are using legacy applications.
  • Uncover third-party and non-domain accounts.

Ongoing and automated scanning is crucial to keep your inventory up to date. While you may have visibility of the applications that have been installed and approved by IT, users may add software which is not accounted for and could introduce a vulnerability.
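The discovery questions listed above are queries over an inventory export. The following added example (not part of the original article and not code from any EPM product) answers each of them over a small, constructed discovery export; the field names and sample records are assumptions, so map them onto whatever your own discovery tool exports.

```python
"""Inventory queries over a constructed endpoint discovery export.

Each record is one (endpoint, account, application) observation, the shape an
EPM discovery scan might export. Field names and data are assumptions for
this example, not a real product's schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    endpoint: str          # hostname
    location: str          # "on-prem", "cloud" or "remote"
    account: str           # DOMAIN\user, LOCAL\user or a vendor account
    app: str               # executable or package name
    runs_with_admin: bool  # observed running with an admin token
    needs_admin: bool      # fails or prompts without elevation
    installs_30d: int      # installs by this account on this endpoint, last 30 days
    app_end_of_life: bool  # vendor no longer supports this version


CORP_DOMAIN = "CORP"  # assumed corporate domain prefix

# Constructed sample export (not real data).
INVENTORY = [
    Observation("LT-0101", "remote", r"CORP\alice", "outlook.exe", False, False, 0, False),
    Observation("LT-0101", "remote", r"CORP\alice", "legacyerp.exe", True, True, 0, True),
    Observation("LT-0102", "on-prem", r"CORP\bob", "vscode.exe", False, False, 14, False),
    Observation("LT-0102", "on-prem", r"CORP\bob", "docker.exe", True, True, 14, False),
    Observation("LT-0103", "remote", r"LOCAL\helpdesk", "remote-support.exe", True, False, 2, False),
    Observation("SRV-0201", "cloud", r"CORP\svc_backup", "backup.exe", True, True, 0, False),
    Observation("LT-0104", "remote", r"VENDOR\support", "rmm-agent.exe", True, False, 1, False),
]


def accounts_with_admin(inv):
    """Accounts observed running anything with admin rights."""
    return {o.account for o in inv if o.runs_with_admin}


def apps_requiring_admin(inv):
    """Applications that genuinely need elevation (candidates for on-demand elevation)."""
    return {o.app for o in inv if o.needs_admin}


def elevated_without_need(inv):
    """Applications running with admin rights that do not need them: least privilege targets."""
    return {o.app for o in inv if o.runs_with_admin and not o.needs_admin}


def frequent_installers(inv, threshold=5):
    """Accounts installing software often. Installs are counted once per
    (account, endpoint) pair so several app rows do not double-count."""
    per_pair = {(o.account, o.endpoint): o.installs_30d for o in inv}
    totals = {}
    for (account, _endpoint), n in per_pair.items():
        totals[account] = totals.get(account, 0) + n
    return {acct for acct, n in totals.items() if n >= threshold}


def legacy_app_users(inv):
    """Accounts still using end-of-life applications."""
    return {o.account for o in inv if o.app_end_of_life}


def non_domain_accounts(inv, domain=CORP_DOMAIN):
    """Local, third-party and other accounts not in the corporate domain."""
    return {o.account for o in inv if o.account.split("\\", 1)[0] != domain}


if __name__ == "__main__":
    for name, fn in [("admin accounts", accounts_with_admin),
                     ("apps needing admin", apps_requiring_admin),
                     ("elevated without need", elevated_without_need),
                     ("frequent installers", frequent_installers),
                     ("legacy app users", legacy_app_users),
                     ("non-domain accounts", non_domain_accounts)]:
        print(f"{name}: {sorted(fn(INVENTORY))}")
```

The elevated_without_need query is the one to act on first: applications running with admin rights that never prompt for elevation are the cheapest places to remove standing privilege without disrupting anyone.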

3. Automate least privilege enforcement

Applying the principle of least privilege should be a foundational element of any organisation’s cyber security strategy. Automation is vital to ensure strong enforcement of least privilege and ensure minimal disruption to users and IT teams.

In instances where privileges need to be escalated for a short period of time to enable a user the level of access they need for a particular task, raising a help desk ticket or request with IT to get this escalation authorised isn’t always practical or productive.

A good endpoint privilege management (EPM) solution, such as Thycotic Privilege Manager, can define policies and apply security controls selectively to allow privileges to be elevated on demand. Privileges can be increased or decreased based on dynamic needs, risks and threats via the use of one-time passwords, and an EPM can ensure that users' and applications' elevated privileges are only in place for as long as they need to be.

4. Identify the risks

Determining your riskiest applications, services and users helps you understand where your risks are and can help you protect against them and determine where least privilege can be put into practice. It is all too common that service account privileges are set too high and never expire to help avoid application downtime, but this can contribute to creating vulnerabilities.

When it comes to users, typically the higher up they are in the organisation, the higher their privileges are and the greater the risk they represent. This unfortunately goes hand in hand with them being more likely to be targeted too. Placing applications and users into categories based on their risk can help ensure there are no gaps in your defences.

For example, IT admins and developers need high privileges to perform their roles, but sharing and reusing passwords within administrator groups or not shutting down temporary testing environments can leave doors into your network wide open.

Educating these two groups on the risks, and implementing policies and procedures to prevent them from occurring, can help protect against them.

5. Create allow/deny/restrict lists

Taking this approach allows you to categorise applications based on their risk: low, high and unknown. Low-risk applications can be added to the allow list, while high-risk ones should be placed on the auto-deny list to help manage the threat.

Those with an unknown risk should be placed on the restrict list so they can be sandboxed and only allowed to run after they have been vetted by IT and the level of risk has been determined.

Beyond the risk category, controls should be in place to limit an application's privileges. For example, email would be on the allow list, but it also presents a great risk to every organisation as the most common threat vector, so it should have its privileges reduced.
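The three lists plus the per-application privilege level described in this step make up a small decision policy. The following added example (not part of the original article and not the policy format of any EPM product) shows that policy as code: a constructed allow list carrying a privilege level per application (email allowed but reduced), a deny list, a default of sandboxing anything unknown, and a vetting step that moves an application off the restrict list once IT has determined its risk. Application names, privilege labels and the precedence rule (deny beats allow) are assumptions of this example.

```python
"""Allow / deny / restrict policy evaluator (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum


class Risk(Enum):
    LOW = "low"
    HIGH = "high"
    UNKNOWN = "unknown"


class Action(Enum):
    RUN = "run"          # allow list
    SANDBOX = "sandbox"  # restrict list: isolated until vetted
    BLOCK = "block"      # deny list


@dataclass(frozen=True)
class Decision:
    action: Action
    privilege: str  # "none", "reduced", "standard" or "elevate-on-demand" (assumed labels)
    reason: str


@dataclass
class Policy:
    # allow list: application -> privilege level it may run with
    allow: dict = field(default_factory=dict)
    deny: set = field(default_factory=set)

    def evaluate(self, app: str) -> Decision:
        """Deny is checked first so a mistaken allow entry can never override a block."""
        if app in self.deny:
            return Decision(Action.BLOCK, "none", "on deny list (high risk)")
        if app in self.allow:
            return Decision(Action.RUN, self.allow[app], "on allow list (low risk)")
        # Anything not explicitly listed is the restrict list: run sandboxed, no privileges.
        return Decision(Action.SANDBOX, "none", "unknown risk: restricted until vetted by IT")

    def vet(self, app: str, risk: Risk, privilege: str = "standard") -> Decision:
        """Record IT's verdict for a sandboxed application and return the new decision."""
        if risk is Risk.HIGH:
            self.allow.pop(app, None)
            self.deny.add(app)
        elif risk is Risk.LOW:
            self.deny.discard(app)
            self.allow[app] = privilege
        else:
            raise ValueError("vetting must conclude LOW or HIGH; UNKNOWN stays restricted")
        return self.evaluate(app)


def constructed_policy() -> Policy:
    """Constructed sample policy; names and levels are illustrative only."""
    return Policy(
        allow={
            "outlook.exe": "reduced",            # allowed, but email runs with reduced privileges
            "excel.exe": "standard",
            "docker.exe": "elevate-on-demand",   # needs admin; elevated per task, not standing
        },
        deny={"unapproved-tool.exe"},
    )


if __name__ == "__main__":
    policy = constructed_policy()
    for app in ["outlook.exe", "docker.exe", "unapproved-tool.exe", "newutility.exe"]:
        d = policy.evaluate(app)
        print(f"{app:22} {d.action.value:8} {d.privilege:18} {d.reason}")
    # IT vets the unknown application and it leaves the restrict list.
    print(policy.vet("newutility.exe", Risk.LOW))
```

Because the evaluator falls through to SANDBOX for anything unlisted, a newly installed application that discovery has not yet seen is restricted by default rather than trusted by default; the vet() call is the only way onto the allow or deny list.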

Next Steps

Gain practical insights and key information to build your own efficient defence-in-depth endpoint security strategy, so you start with the right processes and technologies to strengthen your defences and secure your endpoints.

Contact us to learn the key roles of enterprise privilege management, least privilege and application control, and how to integrate EPM into your existing IT security ecosystem while avoiding the common pitfalls that could impact your success.