CyberArk Endpoint Privilege Manager Reviews

My use case involves users who have admin rights and who do not have admin rights. We control the activities of users to stop them from downloading certain things from the Internet. We control their activities via CyberArk Endpoint Privilege Manager. There could be some plugins in some of the applications or some files that are not whitelisted in the infrastructure and could be harmful or disruptive for the organization. Only whitelisted applications are allowed on the end user's laptops, as well as the servers, and we control them via CyberArk Endpoint Privilege Manager.

I am a partner implementing CyberArk Endpoint Privilege Manager on customers' infrastructure. Before deploying CyberArk Endpoint Privilege Manager, users could download anything through browsers. Some applications do not require admin rights to install because they are plug-and-play or portable applications. Such applications could not be controlled by admins or antivirus. After deploying CyberArk Endpoint Privilege Manager, we could control these applications by creating policies to block unwanted files and applications. We have whitelisted applications based on the signatures and other factors. All other applications are blacklisted.

Any new requirements require users to contact the admin team, ensuring applications are not harmful. Previously, when new requirements came related to infrastructure or something else, the users would not contact the admin team or the service team. They would directly deploy or try to run the application on their laptop without informing or taking help from the IT team. After deploying CyberArk Endpoint Privilege Manager, they have to follow the process. They cannot do anything themselves. They have to contact the admin team. We allow them to install the application after verifying that it is whitelisted and not harmful.

It prevents the use of pirated applications, securing company policies. At times, users can get pirated applications, which has an effect on the organization. The company becomes liable to pay money for using a pirated application. With CyberArk Endpoint Privilege Manager, we are able to control such issues because users do not have the right to directly install or run applications.

My organization specializes in IT security solutions for the finance and manufacturing sectors. We use CyberArk Endpoint Privilege Manager as a core component of our endpoint protection strategy, alongside other essential security measures such as network security, security operation center services, vulnerability management, credential management, and identity access management.

The organization's policy dictates what users can have on their laptops. For example, if the organization wants to limit certain applications, they can be blocked. The policy should define what users can have on their computers, such as restricting financial tools and applications to the finance team. These computers would be highly protected, with access to specific tools configured and restricted using CyberArk Endpoint Privilege Manager to safeguard sensitive data.

CyberArk Endpoint Privilege Manager enforces various security regulations. It includes a tool for comparing existing system configurations against those regulations and identifying any discrepancies. CyberArk actively ensures its software meets all relevant compliance standards.

CyberArk Endpoint Privilege Manager offers granular control over application access through customizable policies. These policies allow organizations to enforce the least privilege, block access entirely, or grant elevated privileges based on specific needs. Options include no access, least privilege access, and full access, ensuring that application permissions are tailored to individual users or groups and aligned with organizational security requirements.

The endpoint visibility is excellent. CyberArk Endpoint Privilege Manager is a discreet tool that runs in the background, monitoring application usage without impacting user experience. It remains invisible unless an unauthorized application is downloaded and installed. At this point, it blocks the installation and displays a message directing the user to contact IT support for assistance. This ensures that only approved applications are used and provides a clear path for users to request access to new tools.

We can use the discovery tool to identify all endpoints on the computers and compare that list with the computers running the EPM agent. This will reveal any computers without the EPM agent, which we can then deploy using the deployment tool.

CyberArk Endpoint Privilege Manager significantly reduces IT support calls by approximately 30 to 40 percent by preventing users from downloading unnecessary or malicious software. Without EPM, users with full admin privileges often install unauthorized applications, leading to increased support requests and potential virus infections. EPM allows IT to control and push only required software to computers, restricting unwanted applications. Additionally, EPM scans files and applications for viruses, blocking the installation of infected files and further reducing security risks and support calls. Overall, it helps reduce the number of IT service calls and the number of virus incidents by 30 percent.

CyberArk Endpoint Privilege Manager helps organizations meet compliance and regulatory requirements by addressing critical security concerns related to endpoint devices. Specifically, it mitigates the risk of credential theft, a common vulnerability across all endpoints. Additionally, it manages local accounts, a legacy practice where users create accounts directly on devices by rotating credentials automatically. This feature further enhances security by preventing unauthorized access, even if a hacker gains control of a device, rendering the compromised credentials useless.

CyberArk Endpoint Privilege Manager has saved approximately 20 to 25 percent of our time spent fulfilling compliance requirements. However, some areas require minor improvements that will be addressed in the future.

CyberArk Endpoint Privilege Manager significantly reduces the mean time to detect because it scans new objects immediately.

CyberArk helps reduce the number of privileged accounts by limiting privileged permissions on endpoint devices. Only the account used for software installation, such as local admin or domain admin, will have the necessary permissions, specifically for modifying registry settings during installation. This elevated access is required for certain software installations. However, these privileged accounts will not be used for regular login, internet browsing, or daily tasks. They are solely for backend application installation. Consequently, no other accounts will have privileged access to the endpoints.

CyberArk Endpoint Privilege Manager has significantly improved our security posture by preventing virus incidents and restricting users from downloading unwanted applications. This has reduced both virus-related incidents and data-loss incidents.

CyberArk Endpoint Privilege Manager helps reduce costs by minimizing service desk calls related to unwanted applications and virus incidents.

The time to value of CyberArk Endpoint Privilege Manager is evident immediately after deployment.

I have been using CyberArk in financial services. The specific use case depends on my customer's needs. Sometimes, it is just about securing some departments, and some customers want to have protection against certain threats.

The initial implementation stands out. It was very easy to go to different departments and analyze the software they were using, and so on.

Our primary use case for CyberArk Endpoint Privilege Manager is to control privileged access to endpoint machines, specifically managing local administrator access. We also use EPM to rotate local accounts on systems as often as we want, which helps manage what people can elevate into an administrative right through EPM.

CyberArk Endpoint Privilege Manager effectively prevents attacks and threats on our infrastructure and data. The dashboard provides a clear overview of blocked activity, although occasional false positives require manual intervention. While some legitimate installations have been inadvertently blocked, EPM's ability to secure the environment from threats is commendable.

CyberArk offers a wide range of granular controls, allowing for extensive customization. For example, we can enforce multifactor authentication for Team A, while Team B may not require it. Similarly, we can configure Team C to elevate privileges only for a specific application. This level of granularity enables us to tailor CyberArk's controls to each team's unique needs.

The initial setup of diverse policies for various teams within CyberArk Endpoint Privilege Manager required some time, delaying the realization of its benefits. However, after a discovery process and successful policy implementation, we began to reap the advantages of the EPM system.

It is critical for safeguarding our service infrastructure by preventing unauthorized users from gaining administrator rights. Within EPM, access is restricted to those with defined roles, effectively isolating sessions and enhancing security.

CyberArk Endpoint Privilege Manager helps meet compliance and regulatory requirements.

CyberArk Endpoint Privilege Manager helps reduce our mean time to detect credential theft. When detected, the information is sent to our Incident Response team who investigates, responds if necessary, or tells us to ignore it if it's a false positive.

Before using CyberArk Endpoint Privilege Manager, we granted users full local administrator privileges on their machines, giving them unrestricted control. However, with CyberArk, we can now precisely manage user permissions and elevate privileges only for specific tasks. For instance, we can prevent users from running PowerShell scripts with elevated privileges across the company. This granular control has significantly enhanced our security posture.

CyberArk Endpoint Privilege Manager has improved efficiency by automating user access and eliminating the need for manual intervention. Staff no longer need to log in to individual user systems to grant administrator rights; instead, access is managed through Active Directory groups. By assigning users to the appropriate AD group, they automatically receive the necessary permissions. This process is streamlined through a self-service portal, where users can request access and be automatically granted the required privileges. This automation has freed team members to focus on other tasks and projects.

After setting up CyberArk Endpoint Privilege Manager and defining roles for various teams, users can request access through a self-service portal. Upon approval, they are automatically added to the relevant group, either temporarily or for a specified duration. This automated process eliminates the need for manual intervention, freeing administrators from tasks like monitoring user activity or logging into their systems while empowering users to manage their access.

CyberArk Endpoint Privilege Manager has freed up analysts and administrators for other tasks, saving us money.

Integrating CyberArk Endpoint Privilege Manager with our existing systems was reasonably straightforward.

I have worked on multiple projects for our clients. The day-to-day use case involves checking in CyberArk Endpoint Privilege Manager to see if there is any elevation request. I also create incidents for tracking purposes. We create accounts for different types of platforms and onboard the accounts. We check if any user has any issues with reconciling accounts or verifications. We track all that with the tickets.

For a project in the UK, the user raises the request for an application, and we will go and check the application to see whether the user has given a correct justification or not and why and where the user needs to download that application. After doing various checks, we decide whether to add that application to the trusted policy or not. Otherwise, we will require higher approval for whitelisting that application.

Additionally, we manually upgrade computers and handle onboarding, offboarding servers, and account monitoring.

We have created automation. If a user is getting an issue, it will automatically give us a pop-up mentioning the platform where the issue is happening. We can then look at the platform to see what is happening there. We are looking into how to reduce password verification failures and reconciliation failures. These failures are not related to CyberArk. They are related to internal usage.

We have not had issues with CyberArk. It works very smoothly. We can do many things with CyberArk. It helps us to see exactly what is happening. For example, if a user is out of their account, we can see what exactly is happening. For such issues, we use CyberArk and follow the recommendations.

We have improved our system upgrades from a month to just two weeks for around 10,000 computers. Automation implemented by our senior team also provides timely notifications of issues, improving our response time and operational efficiency.

We primarily use the solution on our endpoints. 

We are using pretty much everything there. Basically, what we are trying to do, is when the end user connects to machines, the actual Window servers, Linux servers, et cetera, everything is run through CyberArk. We haven't got into the Application Identity Management part yet, using CyberArk APIs. 

That said, we are using CyberArk whenever somebody wants to access a remote server or any server, for that matter. Our infrastructure is basically set up so that access is given through CyberArk.

The solution is good for controlling access. 

I have always found that CyberArk is a very tight, foolproof product compared to most other products available.

It is quite stable. 

The solution is used for:

Rotating local administrator passwords: EPM can be used to rotate the passwords of local administrator accounts on endpoints, which helps to prevent attackers from gaining unauthorized access to these accounts.

Revoking access to privileged accounts: EPM can be used to revoke access to privileged accounts when users no longer need it, which helps to reduce the risk of unauthorized access.

Monitoring privileged activity: EPM can be used to monitor all privileged activity on endpoints, which helps to identify and investigate suspicious activity.

Auditing privileged access: EPM can be used to audit all privileged access to sensitive systems and data, which helps to comply with security regulations.

We were able to reduce the number of privileged accounts by 50%, which helped to simplify our privileged access management environment. 

We were able to automate the process of rotating privileged passwords, which saved us 100 hours of manual work each year. 

We were able to detect and block a number of unauthorized access attempts, which helped to prevent data breaches. 

We were able to meet the requirements of the PCI DSS, which helped to protect our customers' data.

With the solution, we met regulatory requirements. CyberArk has helped us to meet specific regulatory requirements for privileged access management. For example, CyberArk has helped us audit all privileged access to sensitive systems and data,

I use the solution in my company since some users need a certain level of activity in EXE files. The tool is used to block certain issues that we don't want in our environment.

The most valuable feature of the solution stems from its ability to delegate admin access instead of giving complete admin access to a single user. It is possible to elevate the product to a single process.