The Perfect Recipe for Endpoint Security Calls for Privilege Control

Today's most effective ransomware attacks don't require malware; they require a login. Modern threat actors don't need to break in. They can leverage legitimate identities and their privileges to gain a foothold, then continue to capitalize on them, moving laterally to probe for more opportunities and exploiting vulnerabilities to spread ransomware and spyware. A vulnerable identity or account tied to an endpoint can quickly become an attacker's ticket to your most valuable assets and controls.

With legitimate identities being used as the initial foothold in more attacks, we're seeing less 'anomalous' activity and far more seemingly normal actions performed by a trusted, privileged user. And attackers are keenly aware of how easily they can 'hide' behind these legitimate user accounts.

This is why Endpoint Detection and Response (EDR) is really only one piece of the endpoint protection puzzle. It offers key functionality for detecting real-time threats and providing rapid responses against zero-day exploits, but it has a blind spot. It detects threats that trigger alerts, but it can't stop the threats that blend in by using legitimate privileges. And it lacks many of the features needed for a proactive endpoint security strategy.

That's where Endpoint Privilege Management (EPM) comes in.

What's the Difference between EPM and EDR?

For many years, EPM and EDR have been hailed as critical toolsets when it comes to protecting endpoints. Yet, they cover vastly different stages of the attack lifecycle.

Endpoint Detection and Response is designed to detect and respond to real-time malicious activities that might be executed on an endpoint. EDR successfully uncovers threats like malware and ransomware that leverage malicious files and processes, and in some cases, "fileless" attacks. It also plays a role in helping protect against zero-day exploits. EDR excels at surfacing suspicious behaviors and enabling rapid incident response once an attack is underway.

Endpoint Privilege Management, on the other hand, takes a preventative approach by removing unnecessary admin rights and enforcing least privilege. Even if a threat actor does gain a foothold, EPM minimizes the attack surface and limits the ability for those threat actors to escalate privileges or move laterally. While EDR alerts you to an active threat, EPM helps limit the blast radius and stop threat actors from accessing the privileges they need to complete their objectives.

Figure 1: A breakdown of how EPM and EDR differ from, but more importantly, complement each other

Why Endpoint Detection Alone Falls Short

Because of the reactive nature of EDR solutions, organizations ultimately end up waiting for something malicious to occur, then detecting, alerting, and responding when it does. And that's assuming that a SOC analyst or tool is able to locate the detection amongst a high volume of alerts and logs.

As with many other detection and response tools, EDR solutions are noisy by nature: they create massive logs that security operation analysts must pore over and analyze. The sheer volume of alerts produced by EDR solutions also means lots of false positives.

Organizations relying solely on EDR for endpoint protection often find themselves in a tight spot, attempting to comb through significant noise, while potentially missing the alerts that matter most.

How Endpoint Privilege Management Closes the Gap

Let's go back to the play-by-play of a typical, identity-driven endpoint attack. Not only are attackers looking to 'log in' rather than 'hack in', but they are seeking to log into any account, even if it isn't privileged.

We increasingly see attackers first gaining access to seemingly low-privilege human and non-human accounts, and then finding pathways to escalate privileges from there, whether through group memberships, misconfigurations, or other implicit trust relationships. Because of this reality, every identity should be considered privileged and protected as such.

This is especially crucial in protecting endpoints, where an ostensibly low-privilege user may be operating as a local admin on their own device in a BYOD situation, or may be able to execute applications or alter data. If compromised, this 'low-privilege' account can inflict plenty of damage across the corporate network. Foundational identity security strategies such as Least Privilege (including zero standing privilege), Zero Trust, and Defense in Depth are critical in these endpoint contexts.

Endpoint Privilege Management provides the proactive piece of the puzzle that can underpin these identity security essentials. It specifically addresses two key activities:

1. Removing admin rights across all endpoints

If you want to block attackers at the endpoint, start by denying them the privileges they're counting on. EPM solutions minimize potential privilege escalation paths by ensuring users are operating as standard users, without privileges, admin rights, or even delegated rights.

To enable users to continue performing day-to-day tasks uninterrupted, EPM moves the admin rights and privileges on these endpoints to the applications and executables. Instead of requiring users to leverage elevated rights when running applications, the applications themselves elevate, meaning the users are always operating as standard accounts.

2. Layering application control measures with privilege elevation

By leveraging the application control offered in many EPM solutions, organizations can institute "Allow" and "Deny" options to control what users can or cannot do with far more granularity. This also gives organizations visibility into their endpoint application inventory and licensing, where they may uncover hidden licensing issues or violations they didn't know existed in their environment. These added benefits help organizations uncover outdated or vulnerable application versions while addressing the proliferation of shadow IT.
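To make the two activities above concrete, here is an added illustration (not BeyondTrust's code or any product's real policy format) of the model they describe: every user's own token stays standard, elevation is attached to individual applications through an allow/deny policy, and the same policy doubles as an application inventory that surfaces unapproved software. The policy entries, user names, executables and publisher strings are constructed for the example; only the HRSword name comes from the article.

```python
from collections import Counter
from dataclasses import dataclass

# Added example of per-application elevation with an allow/deny list.
# Policy entries, users, executables and publishers are constructed.


@dataclass(frozen=True)
class AppRule:
    publisher: str   # code-signing publisher the launch must match ("*" = any)
    action: str      # "allow" | "allow_elevated" | "deny"
    reason: str


# Hypothetical policy. Anything not listed falls through to DEFAULT (deny).
POLICY = {
    "vpn-installer.exe": AppRule("Example Corp", "allow_elevated", "IT-approved installer"),
    "wordproc.exe":      AppRule("Example Corp", "allow", "standard productivity app"),
    "hrsword.exe":       AppRule("*", "deny", "EDR-killer tool named in the article"),
}
DEFAULT = AppRule("*", "deny", "not in the approved application inventory")


@dataclass(frozen=True)
class Decision:
    user: str
    app: str
    runs: bool       # was the launch permitted at all
    elevated: bool   # did the *process* receive admin rights (the user never does)
    reason: str


def evaluate(user: str, app: str, publisher: str) -> Decision:
    """Decide one launch request. The user's own token is always standard;
    only an approved application can run with elevated rights."""
    rule = POLICY.get(app.lower(), DEFAULT)
    if rule.action == "deny":
        return Decision(user, app, False, False, rule.reason)
    if rule.publisher != "*" and rule.publisher != publisher:
        # Right file name but wrong signer: treat as unapproved, never elevate.
        return Decision(user, app, False, False, "publisher mismatch")
    return Decision(user, app, True, rule.action == "allow_elevated", rule.reason)


# Constructed launch events: (user, executable, signing publisher)
EVENTS = [
    ("alice", "vpn-installer.exe", "Example Corp"),
    ("alice", "wordproc.exe", "Example Corp"),
    ("bob",   "vpn-installer.exe", "Unknown Signer"),
    ("bob",   "hrsword.exe", "Some Vendor"),
    ("carol", "sketchy-tool.exe", "Unknown Signer"),
    ("carol", "sketchy-tool.exe", "Unknown Signer"),
]


def inventory(events):
    """Application inventory derived from the same events: launch counts per
    executable and whether the policy approves it."""
    counts = Counter(app.lower() for _, app, _ in events)
    return {
        app: {"launches": n,
              "approved": app in POLICY and POLICY[app].action != "deny"}
        for app, n in counts.items()
    }


def shadow_it(events):
    """Executables seen on endpoints that the policy does not approve."""
    return sorted(app for app, info in inventory(events).items() if not info["approved"])


if __name__ == "__main__":
    for user, app, pub in EVENTS:
        d = evaluate(user, app, pub)
        print(f"{user:6} {app:18} runs={d.runs!s:5} elevated={d.elevated!s:5} {d.reason}")
    print("unapproved apps seen:", shadow_it(EVENTS))
```

The point of the design is that there is no `is_admin` attribute on a user anywhere: elevation is a property of a decision about one process, and a publisher mismatch on a trusted file name degrades to deny rather than to "run without elevation", because a renamed binary is exactly the case the policy exists to catch.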

By starting with privilege elevation and application control, teams can significantly reduce the amount of noise produced by their EDR solutions. The number of false positives is significantly reduced as well. As a result, security operation analysts can respond far more rapidly to real threats.

Protecting EDR Itself: Stopping Bypass Attacks

Endpoint Privilege Management can further enhance Endpoint Detection and Response by helping address EDR Bypass Attacks. We are seeing increasing examples of this type of attack as cybercriminals master more advanced techniques, such as exploiting existing system tools or utilities, launching supply chain attacks to get into systems from legitimate third-party tools, and much more.

Endpoint Privilege Management directly addresses EDR bypass attempts by logging early warning signs, including attempts to disable security tools, the abuse of legitimate tools or system utilities ("Living Off the Land"), remote code execution, and signs of Bring Your Own Vulnerable Driver (BYOVD) exploitation. EPM tools can also detect the use of known EDR-Killer applications, such as HRSword, EDRSilencer, and EDRKillerShifter.

In many ways, Endpoint Privilege Management can be regarded as a protective layer for your Endpoint Detection and Response solution. It guards against malicious efforts to neutralize EDR before it can respond.
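As an added example (not BeyondTrust's code or any vendor's telemetry format), the following rule set shows what "logging early warning signs" can look like in practice: it scans constructed endpoint events for three of the signals named above, a known EDR-killer tool being launched, an attempt to stop or disable a protected security service, and a driver loaded from outside the expected driver directory (a typical BYOVD sign). The event format, service names, driver paths and user names are assumptions made for the example; only the three EDR-killer tool names come from the article.

```python
from dataclasses import dataclass

# Added example: early-warning rules over constructed endpoint events.
# Format (constructed): time|type|user|outcome|field...  with type in
# process|service|driver and outcome in allowed|blocked.

EDR_KILLERS = {"hrsword", "edrsilencer", "edrkillershifter"}      # from the article
PROTECTED_SERVICES = {"ExampleEDR", "ExampleAV"}                 # hypothetical names
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)       # assumed baseline
TAMPER_ACTIONS = {"stop", "disable", "delete"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    detail: str


def check_event(line_no: int, line: str):
    """Return the findings for a single event line (empty list if none)."""
    parts = line.strip().split("|")
    if len(parts) < 5:
        return []                      # malformed line: skip rather than crash
    _, etype, user, outcome, *fields = parts
    findings = []
    if etype == "process":
        image = fields[0]
        name = image.rsplit("\\", 1)[-1].lower().removesuffix(".exe")
        if name in EDR_KILLERS:
            findings.append(Finding(line_no, "edr_killer",
                                    f"{user} launched {image} ({outcome})"))
    elif etype == "service" and len(fields) >= 2:
        service, action = fields[0], fields[1].lower()
        if service in PROTECTED_SERVICES and action in TAMPER_ACTIONS:
            findings.append(Finding(line_no, "security_tool_tamper",
                                    f"{user} tried to {action} {service} ({outcome})"))
    elif etype == "driver":
        path = fields[0]
        if not path.lower().startswith(TRUSTED_DRIVER_DIRS):
            findings.append(Finding(line_no, "suspicious_driver_load",
                                    f"{user} loaded driver from {path} ({outcome})"))
    return findings


def scan(lines):
    """Run the rules over every line; line numbers are 1-based for reporting."""
    out = []
    for n, line in enumerate(lines, start=1):
        out.extend(check_event(n, line))
    return out


# Constructed sample events; paths, users and the .sys file name are made up.
SAMPLE_EVENTS = [
    "09:00:01|process|alice|allowed|C:\\Program Files\\WordProc\\wordproc.exe",
    "09:02:13|service|bob|blocked|ExampleEDR|stop",
    "09:02:40|process|bob|blocked|C:\\Users\\bob\\Downloads\\EDRSilencer.exe",
    "09:03:05|driver|bob|allowed|C:\\Users\\bob\\AppData\\Local\\Temp\\oldvuln.sys",
    "09:04:00|driver|system|allowed|C:\\Windows\\System32\\drivers\\netio.sys",
    "garbage line",
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"line {f.line_no}: {f.category}: {f.detail}")
```

Note that a finding is raised whether the outcome was `blocked` or `allowed`: with privilege management in place the tamper attempt should be blocked, but the attempt itself is the early warning sign worth surfacing to the SOC, and an `allowed` outcome on any of these rules is a policy gap to close.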

Final Thoughts: EDR + EPM = Highly Effective Endpoint Protection

While EDR plays a vital role in endpoint security, it's not enough on its own to combat today's stealthy, persistent threats. By combining the proactive defense of EPM with the reactive security of EDR, organizations can better defend against the full gamut of endpoint threats. This encompasses protection against malware, fileless attacks, novel threats such as zero-days, plus EDR bypass attacks and other seemingly 'legitimate' activities that might look like they're performed by a system user, but are really being used by a malicious actor.

In summary, EDR can tell you if something is wrong in your environment, but EPM might prevent that something from happening at all. If you're relying on EDR alone, you're only solving half the problem.

About the Author: This article was expertly written and contributed by Christopher L. Hills, Chief Security Strategist at BeyondTrust.

  • 20+ years experience in security & technology
  • Military veteran of the United States Navy
  • Book author (Cloud Attack Vectors, available on Amazon)
  • Book Contributor (Identity Attack Vectors)
  • Book Editor (Privilege Attack Vectors)
  • Several articles on Dark Reading, CSO and Security Brief, across the UAE, APJ and UK
  • Wrote a compliance matrix for PAM covering CIS 20/18, MITRE, ISO, PCI, NIST and GDPR
  • Served in Deputy CTO and Deputy CISO roles at BeyondTrust
  • Former Practitioner