Telework is certain to become a fixture across the public sector long after the COVID-19 outbreak subsides. Government managers must adjust to the new reality that employees are going to work remotely and, in many cases, use their own devices.
The sudden transition to telework has caused many agency IT managers to rethink how to secure networks, as they implement policies and tools to protect employees working from home. Recently, we explored the remote access security and technology challenges brought to the forefront by COVID-19 in our blog, Remote Access for the Public Sector: Agencies Must Get this Right. In this blog, we’re going to focus on a need that is only getting more urgent with the growing number and diversity of devices connecting to public sector networks—the management of endpoint privileges, which is a central piece of modern endpoint security.
Rethinking Endpoint Security
Endpoints are no longer just desktops, laptops, and servers, but include smartphones, tablets, wearables, and Internet of Things (IoT) technologies, and other non-traditional devices that may connect to corporate systems or the Internet. Due to social distancing policies, agencies have also experienced an explosion of employee-owned devices (BYOD) regularly hitting their networks.
While organizations have traditionally deployed antivirus (AV) and antimalware software on endpoints, these solution classes have long been recognized to only partly address endpoint security. AV and antimalware solutions tend to be signature-based, meaning they work best at protecting against threats that are already well documented, and they frequently introduce computing performance issues. Some of these solutions are evolving to include machine learning and other next-generation capabilities, yet they still miss many modern attacks and cannot typically mitigate internal attack pathways, such as lateral movement. If an end user clicks on an infected link in a phishing email, the resulting attack can bypass many of these antimalware and antivirus controls altogether.
While AV and antimalware software can typically help prevent ransomware attacks that have already been documented and for which there are code pattern matches, new variants of ransomware can be completely missed. According to Verizon’s 2020 Data Breach Investigations Report (DBIR), ransomware looms as a particularly outsized problem for public sector agencies, with financially motivated attackers leveraging it to target a diverse array of government entities. While ransomware accounted for 27% of malware incidents across all industries in the Verizon report, within the Public Sector and Education verticals it accounted for 60% and 80% of all malware incidents respectively.
Cyber attackers haven’t taken a break during the coronavirus epidemic; they’ve just adapted their bag of tricks. At least several major hacker groups have already used coronavirus-related phishing scams to steal user credentials, according to a joint alert issued in April by the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC). The Verizon report also shows that phishing remains one of the most significant threat vectors across all industries.
Why Privilege Management Should be the Cornerstone of Endpoint Security
Least privilege is recognized as one of the most fundamental IT security strategies, yet agencies have lagged in fully implementing it across endpoints. As opposed to signature-based tools, which rely on code matches and heuristics, endpoint least-privilege solutions are policy-driven to dial in the precise level of privilege a user or endpoint needs, and nothing more. The 2020 edition of the annual Microsoft Vulnerabilities report showed that removing admin rights would mitigate 77% of all Critical Microsoft vulnerabilities in 2019, 100% of Critical vulnerabilities in Internet Explorer & Edge, and 80% of Critical vulnerabilities affecting Windows 7, 8.1 and 10.
By enforcing least privilege via an endpoint privilege management solution, agencies can dramatically reduce the threat surface against both internal and external attacks, while allowing employees just enough access to remain productive in their roles. Modern solutions can elevate access to applications without provisioning extra privileges to the end-user themselves.
In addition to stopping many attacks (such as ransomware, phishing-related exploits, etc.) that need privileges to execute, endpoint privilege management can also prevent a malicious attacker from gaining the privileges they need to move laterally and exploit vulnerabilities or acquire sensitive files.
The leading privilege management solutions also layer on application control capabilities, which further support workforce productivity, while reducing application security risks. Application control can enable instant allow or deny decisions for application access or privilege elevation based on allow listing, block listing, and grey listing policies.
Another benefit of these endpoint privilege management solutions is their ability to help reduce the burden on IT help desks. For instance, freshly remote employees often need to access new technologies to fulfill their roles or install new devices (such as home printers). BeyondTrust’s Endpoint Privilege Management solution eliminates service desk tickets and empowers users with out-of-the-box policies to install and run their own pre-approved applications.
How BeyondTrust Endpoint Privilege Management Helps Secure Public Sector Agencies
BeyondTrust not only offers the most comprehensive endpoint privilege management solution, it can often be applied in just hours or days, and at tremendous scale. Our solution also complements the traditional privilege elevation and delegation capabilities expected of an endpoint privilege management solution with advanced application controls capabilities. Working together, these capabilities dramatically lower your attack surface, while also boosting business and operational productivity. Today, our solution secures over 50 million endpoints worldwide.
Here are 6 ways BeyondTrust’s Endpoint Privilege Management solution can protect your agency from internal and external attacks, while enhancing productivity:
1. Enforces Least Privilege
Elevates privileges dynamically and only for the finite moments in time they are needed (referred to as just-in-time privileged access) to applications for standard users on Windows or macOS through fine-grained policy-based controls. Our solution can also eliminate root and enforce least privilege across Unix, Linux, and other endpoints. This aligns perfectly with DHS’ Continuous Diagnostics & Mitigation (CDM) program, which pertains to functional areas related to endpoint integrity, least-privilege access, and infrastructure.
2. Applies Powerful Application Control Capabilities
Delivers trust-based application allow listing, with a flexible policy engine to set broad rules. You can choose automatic approval for advanced users - protected by full audit trails - or utilize challenge-response codes. These capabilities align with several National Institute of Standards and Technology (NIST) security controls across NIST Special Publications (SP) 800-53 and SP 800-171 covering access control and risk assessment. BeyondTrust also offers an industry-unique Trusted Application Protection (TAP) capability. TAP adds context to the process tree across Windows, allowing restriction of common attack chain tools, such as PowerShell and Wscript that are spawned from commonly used applications, such as browsers or document handlers (Word, PowerPoint, Excel). TAP does not rely on reputation or signatures.
3. Centralizes Auditing & Reporting of Privileged Sessions
All BeyondTrust PAM solutions excel at providing robust session auditing, management, and control features. With BeyondTrust Endpoint Privilege Management, agencies benefit from a single, unimpeachable audit trail of all user activity, which speeds forensics and simplifies compliance with complete reporting for multiple stakeholders. These capabilities align with security controls across NIST SP 800-53 and SP 800-171 covering audit and accountability.
4. Privileged Threat Analytics
Our solution correlates user behavior against asset vulnerability data and security intelligence from best-of-breed security solutions to provide an overall picture of end-user risk. This aligns with the CDM program’s efforts to reduce agency threat surface, increase visibility across agencies’ networks for potential threats, and improve response capabilities.
5. Security Ecosystem Integrations
By leveraging built-in connectors to third-party solutions, including help desk applications, vulnerability management scanners, and SIEM (security information and event management) tools, agencies can benefit from a number of technology synergies and improve their security investment ROI.
6. Make Rapid Leaps in Risk Reduction and Productivity
BeyondTrust’s Quick Start features can be configured to deliver risk-reduction power in hours. Our out-of-the-box workstyle templates provide unmatched time-to-value. This means achieving least privilege has never been easier or less obtrusive to end-user productivity, while also easing the stress and workload of IT administrators, all at once.
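The process-tree rule described for Trusted Application Protection in item 2, sketched as an added example (not BeyondTrust's code or policy format): it denies PowerShell or Wscript launches that have a browser or document handler in their ancestry. The event fields, the parent list, and walking the full ancestry rather than only the direct parent are assumptions.

```python
from ntpath import basename  # parses Windows paths on any OS

# Script hosts named on the page; the parent set is an assumed sample of
# browsers and document handlers (Word, PowerPoint, Excel).
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe"}
UNTRUSTED_PARENTS = {"winword.exe", "powerpnt.exe", "excel.exe",
                     "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed process-creation events (pid, parent pid, image path).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 400, "ppid": 100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"pid": 410, "ppid": 400, "image": r"C:\Windows\System32\wscript.exe"},
]

def name(image):
    """Lower-cased executable name from a full Windows image path."""
    return basename(image).lower()

def ancestry(pid, by_pid):
    """Return image names from the process's parent up to the root."""
    chain, seen = [], {pid}
    ppid = by_pid[pid]["ppid"]
    while ppid in by_pid and ppid not in seen:  # guard against PID-reuse loops
        seen.add(ppid)
        chain.append(name(by_pid[ppid]["image"]))
        ppid = by_pid[ppid]["ppid"]
    return chain

def evaluate(events):
    """Return (pid, decision, reason) for every script-host launch."""
    by_pid = {e["pid"]: e for e in events}
    results = []
    for e in events:
        if name(e["image"]) not in SCRIPT_HOSTS:
            continue
        hit = next((a for a in ancestry(e["pid"], by_pid)
                    if a in UNTRUSTED_PARENTS), None)
        decision = "deny" if hit else "allow"
        results.append((e["pid"], decision, hit or "no browser/document ancestor"))
    return results

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
```

PowerShell started from the desktop shell (pid 300) is allowed, while the same binary reached from Word through `cmd.exe` (pid 220) is denied, which is the context a signature or reputation check on the binary alone would not see.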
With comprehensive features available via both on-prem and SaaS offerings, public sector agencies have a choice of deployment methods to suit their unique needs and adapt as they grow.
The COVID-19 pandemic has altered the way government works. Remote workers require access to resources on the agency campus, in agency-sanctioned cloud services, and on the public web. Each of these areas presents unique risks and the need for corresponding security capabilities for appropriate use.
Endpoint Privilege Management presents a potential for significant ROI by protecting the organization against an enormous range of insider and external threats, while also enhancing operational performance and end-user productivity. Endpoint Privilege Management working in conjunction with two other pillars of BeyondTrust’s Universal Privilege Management (UPM) framework, Privilege Password Management and Secure Remote Access, gives agencies a comprehensive solution to dramatically reduce risks at the endpoint and meet compliance mandates.
Craig McCullough, Regional Vice President, Public Sector
Craig has over 20 years of experience in the technology industry, having started his career as an intellectual property attorney in Washington, DC, and then moving into leadership roles growing technology businesses that support federal, state and local governments. He is a visible industry leader and frequent spokesperson, giving interviews in various media outlets and participating as a panel speaker at multiple industry events. Craig joined BeyondTrust in 2018 and created the Public Sector Team.