My organization specializes in IT security solutions for the finance and manufacturing sectors. We use CyberArk Endpoint Privilege Manager as a core component of our endpoint protection strategy, alongside other essential security measures such as network security, security operations center services, vulnerability management, credential management, and identity access management.
The organization's policy dictates what users can have on their laptops. For example, if the organization wants to limit certain applications, they can be blocked. The policy should define what users can have on their computers, such as restricting financial tools and applications to the finance team. These computers would be highly protected, with access to specific tools configured and restricted using CyberArk Endpoint Privilege Manager to safeguard sensitive data.
CyberArk Endpoint Privilege Manager enforces various security regulations. It includes a tool for comparing existing system configurations against those regulations and identifying any discrepancies. CyberArk actively ensures its software meets all relevant compliance standards.
CyberArk Endpoint Privilege Manager offers granular control over application access through customizable policies. These policies allow organizations to enforce least privilege, block access entirely, or grant elevated privileges based on specific needs. Options include no access, least privilege access, and full access, ensuring that application permissions are tailored to individual users or groups and aligned with organizational security requirements.
The endpoint visibility is excellent. CyberArk Endpoint Privilege Manager is a discreet tool that runs in the background, monitoring application usage without impacting user experience. It remains invisible unless an unauthorized application is downloaded and installed. At this point, it blocks the installation and displays a message directing the user to contact IT support for assistance. This ensures that only approved applications are used and provides a clear path for users to request access to new tools.
We can use the discovery tool to identify all endpoints on the computers and compare that list with the computers running the EPM agent. This will reveal any computers without the EPM agent, which we can then deploy using the deployment tool.
CyberArk Endpoint Privilege Manager significantly reduces IT support calls by approximately 30 to 40 percent by preventing users from downloading unnecessary or malicious software. Without EPM, users with full admin privileges often install unauthorized applications, leading to increased support requests and potential virus infections. EPM allows IT to control and push only required software to computers, restricting unwanted applications. Additionally, EPM scans files and applications for viruses, blocking the installation of infected files and further reducing security risks and support calls. Overall, it helps reduce the number of IT service calls and the number of virus incidents by 30 percent.
CyberArk Endpoint Privilege Manager helps organizations meet compliance and regulatory requirements by addressing critical security concerns related to endpoint devices. Specifically, it mitigates the risk of credential theft, a common vulnerability across all endpoints. Additionally, it manages local accounts, a legacy practice where users create accounts directly on devices, by rotating credentials automatically. This feature further enhances security by preventing unauthorized access, even if a hacker gains control of a device, rendering the compromised credentials useless.
CyberArk Endpoint Privilege Manager has saved approximately 20 to 25 percent of our time spent fulfilling compliance requirements. However, some areas require minor improvements that will be addressed in the future.
CyberArk Endpoint Privilege Manager significantly reduces the mean time to detect because it scans new objects immediately.
CyberArk helps reduce the number of privileged accounts by limiting privileged permissions on endpoint devices. Only the account used for software installation, such as local admin or domain admin, will have the necessary permissions, specifically for modifying registry settings during installation. This elevated access is required for certain software installations. However, these privileged accounts will not be used for regular login, internet browsing, or daily tasks. They are solely for backend application installation. Consequently, no other accounts will have privileged access to the endpoints.
CyberArk Endpoint Privilege Manager has significantly improved our security posture by preventing virus incidents and restricting users from downloading unwanted applications. This has reduced both virus-related incidents and data-loss incidents.
CyberArk Endpoint Privilege Manager helps reduce costs by minimizing service desk calls related to unwanted applications and virus incidents.
The time to value of CyberArk Endpoint Privilege Manager is evident immediately after deployment.