How To Achieve Long-Term Least Privilege with Endpoint Privilege Management: A PAM Innovation Story

Most organizations considering an endpoint privilege management solution are focused on removing local admin rights from their estate—often in order to achieve least privilege as part of a larger zero trust strategy. Removing local admin rights will drastically reduce the attack surface of any organization, but it’s only the first step in achieving least privilege.

Least privilege isn’t a checkbox; it’s a continuous process, and you need the right tools to be successful with that process for the long term. Without advanced reporting and analytics functionality that allows you to monitor and understand the behavior of the users in your estate, you run the risk of missing key security insights and blocking the productivity of your end users.

This brings us to our latest release of Privilege Management for Windows and Mac—23.5—where our latest value-driving innovation is leveraging advanced analytics to bridge the gap between user behavior insights and actionable policy updates to keep your organization protected.

In this edition of our privileged access management (PAM) innovation series, we explore how BeyondTrust Privilege Management for Windows and Mac’s latest innovation is helping organizations implement a successful long-term least privilege strategy that can enhance productivity and keep their organizations safe, despite their ever-expanding attack surface.

Read on to explore the details of our latest release--Privilege Management for Windows and Mac 23.5--or click here to see our full release notes.

Privilege Management for Windows and Mac and Least Privilege

Least privilege should be the foundation of any modern security strategy. Privilege Management for Windows and Mac is a crucial tool for implementing least privilege successfully for the long term. Here's why:

• Privilege Management for Windows and Mac implements true least privilege by removing standing local administrative rights across desktop and server users while enabling dynamic, just-in-time elevation of privileges for specific applications and tasks.
• It provides powerful application control enabling management of which applications users can install or run, with the flexibility to set both broad and granular rules through a non-resource-intensive operational process.
• It enables reporting on privileged user behavior including applications installed or run, system and configuration changes, as well as changes to critical policy or data files.
• It provides a single, unimpeachable audit trail of all user activity that simplifies compliance and streamlines forensic investigations.

Many solutions claim to be able to implement least privilege, but in order to be successful for the long term you need a comprehensive solution that enables true least privilege, like Privilege Management for Windows and Mac.

Introducing Privilege Management for Windows and Mac 23.5

BeyondTrust is pleased to announce the availability of Privilege Management for Windows and Mac release 23.5. Our fifth release of this product for 2023 includes new features and enhancements that give you the tools to successfully achieve least privilege for the long term. These enhancements include updates to Analytics v2 that make it even more seamless to use, completely redesigned macOS QuickStart policy templates, copy and paste functionality for application definitions, and more. Read on to learn about all of our new features.

Analytics v2 Update (New Feature)

At the end of 2022, we introduced Analytics v2, an upgraded beta version of the analytics and reporting functionality in Privilege Management. Built on next-generation technology, Analytics v2 surfaces deep insights from your user behavior data and turns them into actionable policy refinements to help you protect your estate.

Since that initial release, we’ve released four Privilege Management for Windows and Mac releases in 2023 alone, and in each of those releases, we’ve introduced new features and enhancements to expand the capabilities of our Analytics v2 beta. Thanks to all of those new features and added functionalities, Analytics v2 now provides you with more intuitive insights about your users’ behavior, as well as a streamlined path to turn those insights into actionable policy updates that keep your organization protected. In addition, it allows you to granularly define what analytics data each of your Privilege Management users have access to at the computer group level.

Our latest release is no different. Release 23.5 has equipped Analytics v2 with three new enhancements—additions to the applications view, new application types supported in the applications view, and policy details available for events–to improve the application view and provide you with more detail on each event that is happening in your estate.

Enhancements to Applications View

In release 23.4 we introduced a new view to Analytics V2 that aggregates your user behavior data at the application level, making it easier for you to get a detailed picture of the applications your users are trying to install or run at any given time. With release 23.5, you can now execute policy changes directly from the applications view with the Add to Policy functionality.

For example, if you were to see in the applications view that 15 of your users have tried to install or run Google Chrome, but have been blocked from doing so, you’d now be able to add Google Chrome to the allow list within your desired policies directly from the applications view by simply selecting the “Add to Policy” button. This functionality utilizes our auto-populating recommended matching criteria for matching at the application level, making the process even more seamless.

Additionally, the applications view now supports additional application types, including Mac Binary (bin), Windows Com Class (com), Windows Control Panel Applet (cpl) & Management Console (msc), Windows Store App (appx), and Windows Service (svc). With support for these additional application types, you’ll now be able to get a comprehensive view of all of the different applications being used in your estate.

Policy Details Now Available for Events

Now, with release 23.5, when you go to the Event Details page for an event within Analytics v2, you can find policy information related to that event in the new Policy tab. This tab allows you to see which policy, workstyle, application group, message, token, or more was applied to the event you’re viewing, giving you the granular detail needed to understand how Privilege Management is performing in your estate. In addition, we have now posted Favorite Filters documentation for Analytics v2, which shares recommended approaches to creating reports that allow you to get the most value out of Analytics v2.

What’s Next for Analytics V2?

In addition to these three new enhancements, release 23.5 marks the transition of Analytics v2 out of beta. For the time being, you still need to switch the toggle in the top-right corner of the Analytics page in the Privilege Management Console to enable Analytics v2, but later this year Analytics v2 will fully replace the existing Analytics functionality in Privilege Management, unlocking greater scalability and performance to match the needs of large, dynamic organizations. In the meantime, we’re working hard to deliver many more new features and enhancements to Analytics v2 over the coming months to help you protect your estate. Stay tuned for more proactive insights based on your users’ behavior, including graphed trend data for applications, improvements to identify administrator accounts, summary insights via charts and graphs on the dashboard homepage, and upgraded CSV export that can handle up to 5 million events.

Other important updates in Privilege Management for Windows and Mac 23.5

Redesigned macOS QuickStart Policy Templates (Enhancement)

QuickStart policy templates are flexible, out-of-the-box workstyles that enable you to deploy Privilege Management across your organization quickly and remove admin rights fast. Built from the expertise gathered from thousands of Privilege Management deployments across complex organizations, QuickStart policy templates do the heavy lifting for you when you’re getting started with Privilege Management and give you a great policy foundation from which to build and refine to fit your estate.

In release 23.5, we’re introducing completely redesigned QuickStart policy templates for macOS endpoints. We’ve completely rewritten these QuickStart templates from the ground up to facilitate a streamlined, simple onboarding process for macOS endpoints. We know that the vast majority of organizations today utilize both Windows and macOS endpoints within their estates, so we’ve redesigned the macOS QuickStart policy templates in a way that aligns them with their Windows counterparts. This allows for simplified management by IT and security teams that manage both Windows and macOS endpoints. This redesign also improves the macOS end user experience, decreasing time-to-value and making it easier to implement Privilege Management in your organization.

Copy & Paste Applications Definitions in Web Policy Editor (Enhancement)

Previously, when creating or editing policies in the Web Policy Editor, Privilege Management users would need to manually set up and transfer application definitions to each of their desired application groups individually or from one of their policies to another. This was a time-consuming process that slowed IT and security teams down in their day-to-day administration of Privilege Management.

Now, with release 23.5, application definitions can be copied and pasted between application groups within the same policy, reducing the manual work required from IT and security teams to create or edit policies. When viewing your application definitions within one of your policies, you can click the three vertical dots on the right side of the page and select “Copy” from the dropdown list. After selecting “Copy”, a “Paste” button becomes enabled near the top of the page, and you can click it to paste your copied application definition.

Hint Field Enabled for Smart Card Integration (Enhancement)

The hint field can now be enabled for use with smart cards. This means that organizations that utilize the smart card integration can now have multiple accounts mapped to one smart card. This enhancement is particularly useful for those organizations, governmental or otherwise, that are required to comply with identity verification compliance standards.

Next Steps: How to Start Leveraging the Improved Security and Productivity Benefits across your Windows and macOS Estate

BeyondTrust is constantly innovating Privilege Management for Windows and Mac to help our customers improve their privilege management and endpoint security, and to help protect their organizations from constantly evolving cyberthreats. Privilege Management for Windows and Mac enables you to achieve and dynamically enforce the principle of least privilege while improving end user productivity and administrator workflows. The new features and enhancements introduced in release 23.5 are dedicated to giving you the tools you need to successfully achieve least privilege for the long term—which can not only help you achieve a larger zero trust strategy and meet compliance mandates, but also keep your organization secure against today’s advancing threats.

If you are ready to learn more about the best solution for achieving and dynamically enforcing proven endpoint security policies, like least privilege, contact us today! Or, if you are already a BeyondTrust Privilege Management for Windows and Mac customer, here’s how you can get started with version 23.5.

Be sure to stay tuned to our PAM Innovation Series to keep up-to-date as we continue to make the feature updates and enhancements that matter most to our users!