Least Privilege: The Most Effective Approach to Endpoint Security

In 2020, hundreds of thousands of new malware samples are discovered every day. There is absolutely no way to fight against this with traditional reactive measures. We need to move from reactive to proactive endpoint security!

If we look at the data from the Microsoft Vulnerability Report 2020, we can see that our environments are trending toward higher vulnerability, with more complexity, and more exposures. In 2020, more than 850 vulnerabilities were found in Microsoft products. Our OS is full of vulnerabilities – even the newest and most secure Windows 10 that is used on 70.98% of Windows computers as of March 2020.

For those who still run Windows 7, (21.21% of the computers as of March 2020), the problem is, of course, even more severe as Microsoft won’t patch these vulnerabilities. Even I need to run Windows 7 in a clothing factory (currently making face masks because of the COVID-19 outbreak) that I operate. My principle is simple: computers that don’t need network/internet access don’t get it, and, even more important, every Windows 7 has the principle of least privilege (PoLP) and allow listing in place. As I can’t trust Microsoft to fix the vulnerabilities, I need to take care of them myself. This entails blocking entry points, blocking apps that abuse them, and blocking the privileges that the apps could abuse. A multi-layered approach is a must.

There are a couple different pathways by which malware can get into your machine. The malware either penetrates an open port in your firewall, or you call it in. In 95% of the cases, it’s the latter one. How do you call in a malware? This is mostly done via a browser or your email. When the malware gets in, we still need to somehow activate it. It could be activated by your browser or email app, but, in many cases, it’s activated by an external app or a plugin. All of these pieces have to be protected.

The great news about the latest, annual Microsoft Vulnerabilities Report is that most of the vulnerabilities can be blocked with the oldest protection in the book – getting rid of admin rights. Removing admin rights blocks most of the attacks against your operating system, your browser, and your Office apps. Eliminating admin rights is an easy way to make sure no harm happens to your computer – which also means it keeps running better, longer, and faster.

I always try to remind people that the principle of least privilege is not just about security, but about productivity as well. I have multiple customers who have decreased the number of tickets to their service desk by a whopping 75% by getting rid of end-user admin rights.

In some cases, getting rid of admin rights isn’t enough. In these cases, we can make security jump from the level of being able to block approximately 80% of malware to the level of being able to stop roughly 99.99% of malware. This is achievable by adding allow listing to the picture. A single rule of saying we only allow apps that are signed by a trusted Certification Authority may limit 99.99% of malware daily. Layering on allow listing further dials down threats, and is effective against phishing exploits. It’s all part of a sound endpoint privilege management approach.

For a deeper dive into how to dial down your vulnerability exposure, check out my on-demand webinar: How to Vanquish Critical IT Vulnerabilities!