BeyondTrust
Least Privilege: The Most Effective Approach to Endpoint Security

May 6, 2020


Sami Laiho, Windows OS & Security Expert, Senior Technical Fellow

In 2020, hundreds of thousands of new malware samples are discovered every day. There is absolutely no way to fight against this with traditional reactive measures. We need to move from reactive to proactive endpoint security!

If we look at the data from the Microsoft Vulnerabilities Report 2020, we can see that our environments are trending toward higher vulnerability, with more complexity and more exposures. In 2020, more than 850 vulnerabilities were found in Microsoft products. Our OS is full of vulnerabilities, even the newest and most secure Windows 10, which is used on 70.98% of Windows computers as of March 2020.

For those who still run Windows 7 (21.21% of the computers as of March 2020), the problem is, of course, even more severe, as Microsoft won’t patch these vulnerabilities. Even I need to run Windows 7 in a clothing factory (currently making face masks because of the COVID-19 outbreak) that I operate. My principle is simple: computers that don’t need network/internet access don’t get it, and, even more important, every Windows 7 machine has the principle of least privilege (PoLP) and allow listing in place. As I can’t trust Microsoft to fix the vulnerabilities, I need to take care of them myself. This entails blocking entry points, blocking apps that abuse them, and blocking the privileges that the apps could abuse. A multi-layered approach is a must.

There are a couple of different pathways by which malware can get into your machine. The malware either penetrates an open port in your firewall, or you call it in. In 95% of the cases, it’s the latter. How do you call in malware? This is mostly done via a browser or your email. Once the malware gets in, it still needs to be activated somehow. It could be activated by your browser or email app, but, in many cases, it’s activated by an external app or a plugin. All of these pieces have to be protected.

The great news about the latest, annual Microsoft Vulnerabilities Report is that most of the vulnerabilities can be blocked with the oldest protection in the book – getting rid of admin rights. Removing admin rights blocks most of the attacks against your operating system, your browser, and your Office apps. Eliminating admin rights is an easy way to make sure no harm happens to your computer – which also means it keeps running better, longer, and faster.

I always try to remind people that the principle of least privilege is not just about security, but about productivity as well. I have multiple customers who have decreased the number of tickets to their service desk by a whopping 75% by getting rid of end-user admin rights.
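Before removing admin rights you need to know who holds them. The following is an added example, not code from the original post: it lists the members of the local Administrators group on an endpoint and flags the ones that are standing grants. It assumes the `Get-LocalGroupMember` cmdlet from the LocalAccounts module (Windows PowerShell 5.1); the function name `Get-AdminRightsFinding` is hypothetical.

```powershell
# Added example, not from the original post.
# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the lookup
# does not depend on the localized group name.
$adminGroupSid = 'S-1-5-32-544'

# Hypothetical helper: classify a member by the trailing RID of its SID.
function Get-AdminRightsFinding {
    param([Parameter(Mandatory)] [string] $Sid)
    switch -Regex ($Sid) {
        # RID 500 is the built-in Administrator account of a machine or domain.
        '^S-1-5-21-.+-500$' { return 'Built-in Administrator account' }
        # RID 512 is the Domain Admins group, added when a machine joins a domain.
        '^S-1-5-21-.+-512$' { return 'Domain Admins group' }
        default             { return 'Standing admin rights: review and remove if not required' }
    }
}

$report = Get-LocalGroupMember -SID $adminGroupSid | ForEach-Object {
    [pscustomobject]@{
        Name    = $_.Name
        Type    = $_.ObjectClass
        Source  = $_.PrincipalSource
        Finding = Get-AdminRightsFinding -Sid $_.SID.Value
    }
}

$report | Format-Table -AutoSize -Wrap

# Summary line: how many members are neither of the two expected defaults.
$toReview = @($report | Where-Object Finding -like 'Standing*').Count
'{0} of {1} local Administrators members need review' -f $toReview, @($report).Count
```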

In some cases, getting rid of admin rights isn’t enough. In these cases, we can make security jump from the level of being able to block approximately 80% of malware to the level of being able to stop roughly 99.99% of malware. This is achievable by adding allow listing to the picture. A single rule saying that we only allow apps signed by a trusted Certification Authority may limit 99.99% of malware daily. Layering on allow listing further dials down threats, and is effective against phishing exploits. It’s all part of a sound endpoint privilege management approach.
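The single signed-apps rule described above can be expressed as a publisher rule. The following is an added example, not code from the original post, and it assumes Windows AppLocker as the allow-listing mechanism (the post does not name one); the policy file location and the scanned folder are assumptions. It writes the rule in audit-only mode and evaluates it against a folder without applying anything to the machine.

```powershell
# Added example, not from the original post. Nothing is enforced here:
# Test-AppLockerPolicy only reports what the policy would decide for each file.
$policyPath = Join-Path $env:TEMP 'allow-signed-only.xml'   # assumed scratch location
$scanFolder = Join-Path $env:USERPROFILE 'Downloads'        # assumed folder to evaluate
$ruleId     = [guid]::NewGuid().ToString()

# PublisherName, ProductName and BinaryName set to "*" match any validly signed file.
# S-1-1-0 is the Everyone SID. AuditOnly means the rule would log, not block, if deployed.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$ruleId" Name="Allow all signed executables"
                       Description="Example rule" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $policyPath -Encoding UTF8

# Collect the executables to evaluate.
$files = Get-ChildItem -Path $scanFolder -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue |
         Select-Object -ExpandProperty FullName

if ($files) {
    # Files matching no rule come back as DeniedByDefault: with this policy,
    # those are the executables without a valid signature.
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $files -User Everyone |
        Sort-Object PolicyDecision |
        Format-Table PolicyDecision, MatchingRule, FilePath -AutoSize -Wrap
} else {
    "No executables found under $scanFolder"
}
```

Reviewing the `DeniedByDefault` rows in audit mode first shows which legitimate unsigned tools would need their own rule before the policy is enforced.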

For a deeper dive into how to dial down your vulnerability exposure, check out my on-demand webinar: How to Vanquish Critical IT Vulnerabilities!


Sami Laiho, Windows OS & Security Expert, Senior Technical Fellow

Sami Laiho is one of the world’s leading professionals in the Windows OS and Security. Sami has been working with and teaching OS troubleshooting, management, and security since 1996.

In 2019 Sami was chosen by TiVi-magazine as one of the top 100 influencers in IT in Finland. He is the 11th most followed person in his field in Finland.

At Ignite 2018, Sami’s “Behind the Scenes: How to build a conference winning session” and “Sami Laiho: 45 Life Hacks of Windows OS in 45 minutes” sessions were ranked as #1 and #2 out of 1708 sessions!! This was the first time in the history of the conference that anyone has been able to do this.

Before that, at Ignite 2017, the world’s biggest Microsoft event, Sami was evaluated as the Best External Speaker! Also, Sami’s sessions were evaluated as the Best session in TechEd North America, Europe and Australia in 2014, and Nordic Infrastructure Conference in 2016, 2017 and 2019.
