Introduction

CyberArk Endpoint Privilege Manager (EPM) enforces least privilege and allows organizations to block and contain attacks at the endpoint, reducing the risk of information being stolen or encrypted and held for ransom. A combination of privilege security, application control and credential theft prevention reduces the risk of malware infection.

Overview

In today's world, corporate environments are more vulnerable than ever, requiring careful application control and user privilege management. EPM introduces a combined solution for application control, privilege management, and threat protection. Together, application control and privilege management provide granular control over a secure desktop and server environment.

Setting up a risk-based application control framework establishes default behavior for managing unclassified applications in your Windows environment.

Privilege Management

Certain Windows applications and desktop functions require local administrative privileges to run and function properly on a desktop or laptop, a requirement that is reflected in the “Run as Administrator” option. This requirement is usually handled by one of two opposing approaches: the least-privileged user account and the “Run As” method.

The least-privileged user account (LUA) approach ensures that users always log on with limited user accounts. Using this strategy, administrative tasks are only carried out by Administrators who have administrative credentials. The LUA approach can significantly reduce the risks from malicious software and accidental incorrect configuration. However, the high amount of planning, testing, and support involved in the implementation of the LUA approach can make this approach highly expensive and challenging.

On the other hand, granting full Administrator rights to standard users is considered highly risky, because it compromises the safety of the desktop environment and gives malicious actors and malware a foothold. The associated increase in security risk, which in most cases is further intensified by permanent Internet connectivity, often breaches compliance regulations such as those put in place by the Sarbanes-Oxley Act and HIPAA.

Additionally, the United States Government Configuration Baseline (USGCB) and Federal Desktop Core Configuration (FDCC) mandates stipulate that administrative rights cannot be granted to end users and cannot be made available on federal desktops and laptops.

The EPM Privilege Management solution solves this issue and provides the optimal balance by elevating the privileges of standard users, that is, granting such users administrative privileges, for certain processes or applications only, rather than at the user account level. When permissions are raised, the elevation is performed directly within the security token of the process. The application or process is started with the current user's credentials, as opposed to “Run As”, which needs an administrative account to raise privileges. The “Run As” method can also introduce security risks and issues, because changes are written into the registry of the account used to run the application rather than that of the current user.

The EPM Privilege Management solution can be configured to collect events triggered by applications not covered by EPM explicit policies (unhandled applications) to a designated location, called the Privilege Management Inbox, as a result of any of the following:

  • An attempt to run an unhandled application requiring administrative privileges

  • A new occurrence of an unhandled application requiring administrative privileges

  • Custom end user requests

Application Control

The EPM Application Control product provides a method of ranking unhandled applications and resources, which have not yet been identified as safe (allowed) or threatening (denied). You can configure events to be collected to a designated location, called the Application Control Inbox, as a result of any of the following:

  • EPM Application Control detects an attempt to run an unhandled Application

  • A new occurrence of an unhandled Application (installation, download and so on)

  • An attempt to access sensitive resources (Internet/Intranet sites, Network Shares, local Files/Folders, or Registry Keys)

The applications are then evaluated and, based on the evaluation results, are blocked, restricted, or allowed to run.

If certain applications should only be run under specific circumstances, Application Control offers flexible rules that allow IT Administrators to automate the handling of such Applications. Instead of completely locking down the desktops of end users, the execution of a specific Application can be blocked or unblocked for the same end users by simply applying different EPM policies. For example, if the Brokerage division has a specific policy that prohibits any Instant Messaging software from executing, employees within this division are assigned to the Brokerage group and are usually not allowed to run this type of software. However, if two of this division’s employees take part in a conference abroad they can be assigned to a special EPM policy for traveling personnel, thereby allowing them to use Instant Messaging software.

Using Application Control allows you to establish automated rules for identifying approved applications through Trusted Sources. Creating Trusted Sources greatly simplifies and shortens the application handling process by reducing the number of application events collected into the Inbox. Using Trusted Sources, EPM allows System Administrators to group together applications that are elevated as required based on a particular set of criteria, such as applications located in a specific network share or installed by a verified software distribution system.

The concept of Trusted Sources is enhanced by a powerful “Inherited Trust” mechanism. This mechanism extends the Trusted Source concept to other applications installed by the original Trusted Source Applications, even if these applications bear different properties. For example, defining Microsoft's System Center Configuration Manager (SCCM) as a Trusted Source means that all applications distributed by SCCM are considered as trusted, regardless of their digital signature and other properties. Also, any additional applications installed by these applications are considered “trusted” as well, and this trust continues from Application to Application.

As the Source information accompanies a file throughout its entire lifetime, the policy maintained by Trusted Sources is applied retroactively. For example, if an application was installed by a distribution system, after creation of a policy defining the distribution system as a “Trusted Source”, the application is considered “trusted”. Moreover, the “trust” is still applied to the application even if the application file is moved or copied to another location on the end user's computer.
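The following toy model, added here as an illustration and not CyberArk EPM code, shows the decision logic described above: each file carries an immutable origin record (which application wrote it), trust is decided by walking that chain back to a configured Trusted Source, so it applies retroactively and survives a move or copy. The file names, paths and application names are constructed sample values.

```python
"""Toy model of Trusted Sources with Inherited Trust (not EPM's implementation)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class FileRecord:
    name: str                    # constructed sample file name
    path: str                    # current location; changes on move/copy
    signer: Optional[str]        # publisher of the digital signature, if any
    installed_by: Optional[str]  # origin record: application that wrote the file


class TrustedSourcePolicy:
    def __init__(self, files: Dict[str, FileRecord]) -> None:
        self.files = files
        self.trusted_sources: Set[str] = set()

    def add_trusted_source(self, app_name: str) -> None:
        # Policy change only; origin records already exist, so trust is retroactive.
        self.trusted_sources.add(app_name)

    def is_trusted(self, name: str) -> bool:
        """Inherited Trust: walk the install chain hop by hop. Signature and
        location of intermediate files are deliberately ignored."""
        seen: Set[str] = set()
        current: Optional[str] = name
        while current is not None and current not in seen:
            seen.add(current)
            if current in self.trusted_sources:
                return True
            rec = self.files.get(current)
            current = rec.installed_by if rec else None
        return False

    def move(self, name: str, new_path: str) -> None:
        # The origin record travels with the file; only the path changes.
        self.files[name].path = new_path


def build_sample() -> TrustedSourcePolicy:
    """Constructed scenario: SCCM pushes setup.exe, which installs tool.exe;
    downloaded.exe arrived through a browser instead."""
    files = {
        "setup.exe": FileRecord("setup.exe", r"C:\Windows\ccmcache\setup.exe", None, "sccm"),
        "tool.exe": FileRecord("tool.exe", r"C:\Program Files\Tool\tool.exe", "Vendor", "setup.exe"),
        "downloaded.exe": FileRecord("downloaded.exe", r"C:\Users\u\Downloads\downloaded.exe", None, "browser"),
    }
    return TrustedSourcePolicy(files)
```

Adding "sccm" as a Trusted Source after the files exist makes tool.exe trusted through setup.exe, and moving tool.exe elsewhere does not change that result, while downloaded.exe stays untrusted.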

After initial Trusted Sources have been created, collection of events for unhandled applications can be enabled. Using the comprehensive EPM database, the events captured in the Inbox carry calculated Application Reputations and Source history, including the full FamilyTree of parent and child processes, to assist in handling them.

EPM flexibility is reflected in the use of the Restrict Access option, which is the optimal balance between refraining from interrupting users (the Monitor option) and blocking unauthorized applications automatically (Default Deny).

In addition, the EPM Application Control, based on its comprehensive database, provides the Application Catalog. The Application Catalog displays information on all applications installed on all of the end user computers managed by EPM. Using the Application Catalog allows quick discovery of new applications in the system, regardless of whether applications generated events or are monitored by any EPM policy.

Threat protection and defusion

The EPM Threat Protection module allows you to detect and block specific application threats to your system's security. CyberArk provides a number of specific threat protection policies.

Threat protection tasks:

  • Activate policies: Activate policies on all end user computers or exclude policies from certain computers. You can also exclude certain applications from being checked by these policies.

  • View events: View the events created by the threat protection policies, exclude applications from the specific policy that created the event, and add applications to the threat protection ignored files.

  • Create reports: Create reports in the Threat Protection Dashboard for a comprehensive view of threat protection activity.

The EPM Threat Intelligence module allows you to use CyberArk's own risk analysis service or third-party services to check whether specific applications constitute a threat to your system's security.

CyberArk Application Risk Analysis Service (ARA) automatically uncovers sophisticated APTs (Advanced Persistent Threats), zero-day attacks, and targeted threats.

EPM offers several third-party services for checking an Application for a potential security threat. By default, two options are enabled: Check Application checksum by VirusTotal and by NSRL.

Users of EPM who are also customers of the companies that manufacture the relevant products can use the services listed below, which are visible only if they are configured in the EPM Management Console.

  • Palo Alto WildFire
  • Check Point ThreatCloud

If the check determines that an application is malicious, it is displayed in red. Additional important information, such as the application source and related applications, can be used to reveal other potential threats.

Malicious applications can be blocked from the Privilege Management inbox, Application Control inbox, or Application Catalog.

If blocking is applied to a specific executable by its checksum, that executable is always blocked, regardless of other parameters such as the file’s location, digital signature, and version information. Because a checksum rule matches only that exact file, we recommend analyzing the discovered threat further so that polymorphic variants of the malware are not missed.