How Trusted Application Protection Builds on Application Control & Endpoint Privilege Management

June 18, 2020


Trusted Application Protection (TAP) is a powerful capability of BeyondTrust’s Privilege Management for Windows product. TAP enhances security against malware, including ransomware, and phishing attacks by adding context that stops attack chain tools that may exploit commonly used and legitimate applications. This also gives organizations protection against fileless malware and living off the land (LotL) attacks. Working together, the BeyondTrust privilege management product’s least privilege, application control, and application protection capabilities give organizations a powerful way to secure users, sessions, and endpoints against a broad array of common and sophisticated attacks, drastically reducing the enterprise threat surface while always optimizing for end-user productivity.

In this blog, I’ll briefly cover how the Trusted Application Protection capability evolved and how it works, and I will also provide some examples, including a short video.

Usability, Productivity, & Security

As a consultant specializing in endpoint privilege security, my role allows me to engage with many organizations who are looking to improve their security posture wherever possible. You may be thinking that this is a tough (and rewarding) gig—and you’d be correct! Most challenges to security controls rightly revolve around one main area – end-user productivity. If we could switch off the Internet, it would solve many problems – but ultimately, the end users will suffer productivity loss.

While end users generally cannot be impeded in their day-to-day role, the big challenge is that end-user interactions often instigate security issues: clicking on the wrong link, visiting the wrong website at the wrong time, or opening that one attachment that got through filtering.

Privileges/privileged access is one of the vectors favored by attackers. By default, privileges are frequently over-provisioned. Sometimes this is due to lack of IT visibility and awareness of the humans, applications, machines, etc. that have privileges. Other times, overprovisioning privilege is a conscious trade-off IT teams make when they lack the right privilege management tools, and they don’t want to impede users in their jobs. After all, rarely does anyone ever complain to IT about having too many privileges. Of course, incurring a security incident due to excess privileged access can derail business continuity.

Over the past 8 years, I’ve worked with organizations to implement BeyondTrust Endpoint Privilege Management (comprised of solutions for Windows, Mac, Unix, Linux, and more) so they don’t have to make those hard, and often perilous, trade-offs between security and productivity. BeyondTrust’s solution is the most powerful, flexible technology for implementing the principle of least privilege (PoLP). This is the single biggest improvement to end-user device security that you can make, validated again this year by findings and analysis in the 2020 Microsoft Vulnerability Report. Our Endpoint Privilege Management solution can deliver precisely the right access, and only for the finite period of time privileges are needed. This aspect of ensuring ephemeral privileges/privileged access is today known as just-in-time privileged access management.

You could stop at these powerful capabilities, and you would still be talking about an industry-leading endpoint PAM solution. However, there is much more to BeyondTrust Privilege Management for Windows & Mac than privilege management alone. Since endpoint privilege management provides an engine to target many types of applications for elevation, it makes sense to use the same engine for process control: application allow listing and block listing.


Watch a 1-minute demo video on Trusted Application now

Why Trusted Application Protection?

Traditional application control remains a powerful capability and is an important part of BeyondTrust’s Endpoint Privilege Management solution. Allow listing, block listing, and grey listing help ensure only legitimate approved applications are allowed, reducing the threat surface and enabling productivity.

To understand Trusted Application Protection, which builds on the foundation of Windows and Mac privilege management and application control, I believe it helps to show the history behind the feature.

In 2015, sandboxing was introduced into endpoint privilege management as a feature designed to run defined processes in isolation. It was largely based on the principle of using temporary, local accounts for privilege separation, rather than the much more complex hypervisor-based solutions that were around at the time. This worked as an effective security measure, running processes that are commonly targeted for exploit, such as browsers and document handlers, away from the logged-in user’s context and data.

While this did layer some protection around the endpoint, it introduced some challenges. Many large enterprises made use of user data folder redirects and roaming profiles, which required an evolution of the feature to ensure productivity was not hindered. With the balance between security and productivity being paramount on end-user devices, a further evolution was needed.

What we now have in our Privilege Management for Windows product—whether you’re deploying our solution on-premise or in the cloud—is Trusted Application Protection, which focuses on the core principles of disrupting attack chains, and delivers them in a policy-driven, user-friendly way that scales in the enterprise.

The 2020 Verizon Data Breach Report revealed that Office documents and Windows apps remain the preferred malware filetypes of attackers. Our alliance partner, McAfee, reported a 400% increase in PowerShell-based attacks in 2019, which presents a serious challenge to organizations. The threat of ‘living off the land’ by misusing common tools is what BeyondTrust aims to mitigate. Trusted Application Protection, as a core part of BeyondTrust Privilege Management for Windows & Mac, delivers much more effective protection when coupled with privilege management and application control features, and our customers can add this quickly and easily to their endpoint security toolset.

How Trusted Application Protection Works

Trusted Application Protection adds context to the process tree, allowing restriction of common attack chain tools, such as PowerShell and Wscript, when they are spawned from commonly used applications such as browsers or document handlers (Word, PowerPoint, Excel). TAP does not rely on reputation or signatures; it adds the parent-process context to the decision. This means that, when a user is tricked, such as via a phishing email, into opening a malicious document, the ransomware payload or script is automatically blocked from launching. This capability is an effective measure for defending against common attacks that look to exploit trusted applications in the user environment.

TAP is implemented as a series of pre-populated, extensible configurations which may be imported into the solution’s policy management tools (QuickStart). These configurations can be defined in isolation, for example, early in a deployment process where it may not be practical to implement default-deny allow listing (e.g. due to the potential to impact users until their requirements are fully understood). In this case TAP can offer an immediate attack surface reduction with minimal effort and low risk.

Here is an example of the workflow involved in initiating Trusted Application Protection (shown as a diagram in the original post). These are the basic steps:

  1. TAP applies only to processes or DLLs that are a descendant of a TAP application.
  2. Any excluded process or DLL will not have any restrictions applied by TAP and will be subject to the normal rules of the solution.
  3. Block listed processes will be blocked regardless of their level of trust.
  4. Any process or DLL not owned by a trusted user or signed by a trusted publisher will be blocked.
  5. Any other process not blocked by TAP will then be subject to the normal Endpoint Privilege Management workstyle rules.

Trusted Application Protection hardens security around the endpoint and protects against dangerous attacks that may slip by other defenses—without inhibiting user productivity.

If we look at the examples shown below, we can see that, by restricting high-risk applications commonly used in attack chains, such as Wscript, CScript, PowerShell and unknown applications, based on their launch context, TAP delivers a very simple and effective defense layer on your endpoints.

Here are two example scenarios:

Example 1: A Word document email attachment containing a macro that opens CME.exe to bring down a payload.
Example 2: A browser-based exploit through Flash that calls PowerShell to download a payload.
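As an added illustration that is not BeyondTrust’s code, the following Python models the five-step TAP decision flow described above and runs the two example scenarios as constructed process chains. The policy sets, process names, publisher and owner attributes are assumptions chosen to mirror the post’s categories, not values from the product.

```python
from dataclasses import dataclass
# Hypothetical model of the TAP decision flow, not BeyondTrust's own code.
@dataclass
class Process:
    name: str
    parent: "Process | None" = None
    signed_by: "str | None" = None    # Authenticode publisher, if signed
    owner: str = "user"               # account owning the image file
# Constructed policy sets mirroring the post's categories (illustrative only).
TAP_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "chrome.exe"}
EXCLUDED = {"splwow64.exe"}          # left to normal workstyle rules
BLOCK_LIST = {"powershell.exe", "wscript.exe", "cscript.exe"}
TRUSTED_PUBLISHERS = {"Microsoft Corporation"}
TRUSTED_OWNERS = {"TrustedInstaller", "SYSTEM"}

def descends_from_tap_app(proc: Process) -> bool:
    """Step 1: TAP only applies to descendants of a TAP application."""
    p = proc.parent
    while p is not None:
        if p.name.lower() in TAP_APPS:
            return True
        p = p.parent
    return False

def tap_decision(proc: Process) -> str:
    """Return 'block' or 'normal-rules' following the five steps in the post."""
    if not descends_from_tap_app(proc):
        return "normal-rules"                    # step 1: outside a TAP process tree
    name = proc.name.lower()
    if name in EXCLUDED:
        return "normal-rules"                    # step 2: exclusion wins
    if name in BLOCK_LIST:
        return "block"                           # step 3: blocked regardless of trust
    if proc.owner not in TRUSTED_OWNERS and proc.signed_by not in TRUSTED_PUBLISHERS:
        return "block"                           # step 4: neither trusted owner nor publisher
    return "normal-rules"                        # step 5: fall through to workstyle rules

def evaluate_scenarios() -> dict:
    """Constructed process chains for the post's two examples plus two controls."""
    ms, ti = "Microsoft Corporation", "TrustedInstaller"
    word = Process("winword.exe", None, ms, ti)             # Example 1: macro in attachment
    chrome = Process("chrome.exe", None, "Google LLC", ti)  # Example 2: browser exploit
    explorer = Process("explorer.exe", None, ms, ti)        # control: not a TAP app
    return {
        "word->cme.exe": tap_decision(Process("CME.exe", word)),   # unsigned, user-owned payload
        "chrome->powershell": tap_decision(Process("powershell.exe", chrome, ms, ti)),
        "word->splwow64": tap_decision(Process("splwow64.exe", word, ms, ti)),
        "explorer->powershell": tap_decision(Process("powershell.exe", explorer, ms, ti)),
    }
```

Note that the signed, Microsoft-owned PowerShell is still blocked under the browser because block listing (step 3) is evaluated before trust (step 4), while the same binary launched outside a TAP process tree falls through to the normal workstyle rules.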

Learn more about Trusted Application Protection & Endpoint Privilege Management

To learn more about Trusted Application Protection, watch the short video overview of the solution below. I’ve also included further resources on BeyondTrust Endpoint Privilege Management. And, if you have questions or would like to explore the solution further, contact us today.


Demo video of Trusted Application Protection feature of Privilege Management for Windows

Additional Resources on Privilege Management for Endpoints

Endpoint Privilege Management QuickStart (2-min. video)

Guide to Endpoint Privilege Management (guide)

Demo: Privilege Management for Windows & Mac (video)

Privilege Management SaaS Hardens Windows & Mac Endpoint Security, Protecting On-Prem & Remote Workers & Systems (blog)


Ian Pitfield, Sr Solutions Engineer

With more than eight years’ experience of international consultancy and training delivery, Ian has worked with Fortune 500 and FTSE 100 organisations, helping them to address compliance and regulatory pressures via user-friendly security protocols. He has over seven years’ experience with Endpoint Privilege Management solutions and has helped hundreds of organisations to enable least privilege across their user base. His specialist sectors include Finance and Consultancy, Defense, Pharmaceutical, Public Sector and Commercial markets.
