
Why Discovery is So Important in Endpoint Least Privilege

March 30, 2016


Controlling and managing access is how you win in security – and you can’t control what you don’t know you have.

A key component of controlling access and maintaining least privilege is data discovery. Access is all about managing, controlling, and protecting critical information. However, if you don’t know what your critical information is and where it is located, how can you properly protect the information?

With endpoints, it’s all too easy to copy critical information, and consequently, key pieces of information will often exist in a large number of locations, which is unwieldy to control and manage. If a manager sends a critical customer proposal with sensitive information to their team to review, most people will save a local copy on their system. Now that information exists in many locations and control of the information has been lost.

Fortunately, there are still several ways of managing information sprawl, but it requires a change in mindset.

Limit the Amount of Data Stored on Endpoints

The first approach is to limit the information that is allowed to be stored on endpoints, either by buying systems with small hard drives, or by utilizing thin clients to reduce the amount of information and exposure that exists for a single system.

While this approach does work in some cases, it does not always scale to mobile laptops, whose users need to work and access information without an Internet connection. In those cases, endpoint-based access control software is critical to manage and control what information can be accessed and when it can be accessed. Just because information resides on a laptop does not mean it should be accessible at all times and in all locations.

Frequently, when a system gets compromised, there is a lot of extraneous data that the user has access to that was not required for them to do their job. This means that the user did not require a large percentage of the information stolen. If access had been properly maintained, the amount of damage from the attack would have been greatly reduced.

While performing data discovery, it is important to: 1) Understand where critical information is located, 2) Determine who needs access to the information, and 3) Control access to minimize potential damage.

The easiest way to think about data access is to consider that the more access a given user has, the more exposure is created when their account and/or credentials are compromised. In any given system, it’s only a matter of time before a certain number of user credentials become compromised. While multi-factor authentication can help, to a point, to prevent this from happening, controlling damage by minimizing exposure provides an optimal level of protection. Controlling and managing access is how you win in security.

Monitoring and Revoking Access

If controlling and managing access is the first step, then monitoring and revoking access is a close second. When an account becomes compromised, there is a distinct difference in behavior patterns that can be observed – assuming this information is being logged and monitored. With careful analysis, data breaches can be detected early, which aids in containing the damage.

Ultimately, the best way to stop access is by revoking access when it is no longer required. For example, if a user has privileged access to a system that has not been used in “n” days, why are they still granted access to that privilege? It is analogous to setting the archive bit on a file and, after a period of time, allowing the backup solution to archive the file since it is stale. This step sounds so simple, yet it is often overlooked. I have seen cases where employees have left the organization and their accounts remain active.

Managing Access for Dormant Accounts

In addition to revoking access of employees who left the organization, managing access for dormant accounts is just as important. Often, when organizations implement systems or new processes, they will set up accounts for everyone in the organization with a default account, requiring users to change the password after the first time they log in.

However, in many cases employees never log in and/or never use the system. Yet, those accounts remain active and are sitting targets for hackers. The reason why hackers love dormant accounts is because, all too often, no one will notice if the account is being used for anomalous purposes.

Therefore, all accounts must be carefully monitored, any employees or contractors who left the organization must be removed, and any dormant accounts that have not been logged into for a certain period of time must be disabled. This is true for any local accounts, applications, cloud resources, and even partner systems that are outside of the management policies an organization maintains.
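The review described in the two sections above (revoke a privilege unused for "n" days, remove leavers, disable dormant or never-used default accounts) can be expressed as a small policy check. This is an added example, not BeyondTrust code; the record layout, the 90-day default, and the sample accounts are assumptions constructed for illustration.

```python
from datetime import date, timedelta

TODAY = date(2016, 3, 30)  # constructed review date

# Constructed sample inventory; the field layout is an assumption:
# (user, employed, privileged, created, last_login, priv_last_used)
ACCOUNTS = [
    ("alice", True,  True,  date(2014, 5, 1), date(2016, 3, 28),  date(2016, 3, 25)),
    ("bob",   True,  True,  date(2014, 5, 1), date(2016, 3, 29),  date(2015, 9, 1)),
    ("carol", False, False, date(2013, 2, 1), date(2015, 11, 2),  None),
    ("dave",  True,  False, date(2015, 6, 1), None,               None),
    ("erin",  True,  True,  date(2014, 5, 1), date(2015, 10, 15), date(2015, 10, 15)),
    ("frank", True,  False, date(2016, 3, 1), None,               None),
]

def review_account(acct, today, n_days=90):
    """Return the actions one account needs under an n-day staleness policy."""
    _user, employed, privileged, created, last_login, priv_last_used = acct
    cutoff = today - timedelta(days=n_days)
    if not employed:
        return ["remove"]  # leavers lose the account outright
    # A default account that was never used is aged from its creation date,
    # so a freshly provisioned account gets n_days of grace.
    last_activity = last_login or created
    if last_activity < cutoff:
        return ["disable"]  # dormant: disabling also suspends any privilege
    # Active account: revoke a privilege that has gone unused for n days.
    if privileged and (priv_last_used is None or priv_last_used < cutoff):
        return ["revoke_privilege"]
    return []

def review_all(accounts, today=TODAY, n_days=90):
    """Map user -> actions, listing only accounts that need attention."""
    findings = {}
    for acct in accounts:
        actions = review_account(acct, today, n_days)
        if actions:
            findings[acct[0]] = actions
    return findings

if __name__ == "__main__":
    for user, actions in review_all(ACCOUNTS).items():
        print(f"{user}: {', '.join(actions)}")
```

In practice the inventory would be exported from every account store the paragraph lists (local accounts, applications, cloud resources, partner systems), since an account missing from the input is never reviewed.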

BeyondTrust Can Help

Eliminating excessive rights on user endpoints is a common starting point for many organizations to close avoidable security gaps, but legacy approaches to solving this problem are insufficient. Existing tools lack visibility into the security profile of applications targeted for elevation, and the risk-reducing effects of eliminating over-privileged users are negated if a vulnerable or exploited application is elevated for use. The traditional approach to solving these endpoint least privilege problems requires security and IT teams to cobble together point tools from multiple vendors resulting in unnecessary complexity and cost, and no visibility into user behavior throughout the enterprise.

BeyondTrust solves this problem by:

  • Removing excessive rights on all endpoints, reducing risk, and simplifying least privilege enforcement
  • Providing visibility into target system and asset security, reducing risk from elevated application vulnerabilities
  • Providing application control on the endpoint, block listing hacking tools
  • Analyzing and reporting on privileged user and account behavior, reducing risk from anomalies
  • Delivering a modular, integrated platform, speeding implementations and reducing costs

If you would like to learn more about how BeyondTrust can take these best practice recommendations and translate them into real use cases, download my white paper, It’s All About the Endpoint: Protecting and Enabling End Users with Least Privilege, today.


Dr. Eric Cole, World Renowned Cybersecurity Expert, CEO of Secure Anchor

World Renowned Cybersecurity Expert with more than 30 years of network security experience, Dr. Eric Cole is a distinguished cybersecurity expert and keynote speaker who helps organizations curtail the risk of cyber threats. Many of the foundational principles of this course and training in cybersecurity were developed by Dr. Cole. He has worked with a variety of clients ranging from Fortune 50 companies, to top international banks, to the CIA, for which he was a professional hacker.
