BeyondTrust Endpoint Privilege Management Reviews

We are an integrator, and we do a lot of Identity and Access Management and Privileged Identity. I am only just getting into this solution. I am not trained in it, but I've been reading about it. I have recommended it for a client based on their requirements and based on what I know about CyberArk versus a couple of others. I have not implemented it yet. I have the agent running on the system where I am actually profiled. I have its latest version.

In terms of use case, it primarily has two things, and you can choose whatever you want in the middle. One side is that you can use it to allow the user to have specific administrative rights and do certain things without having to call the help desk. For example, you can allow users to be able to install certain applications. You can also have a whitelist or a blacklist of things that they are allowed to install, which saves a boatload of money in calling the help desk. The other side is to rein in administrators so that they don't go too far or do something outside of the bounds. The help desk personnel would have different restrictions when they log into a workstation than regular users.

What I liked about this solution is that it can also integrate for tracking malicious use or sending analytics to a host that can process them. I don't know if CyberArk, Centrify, or Thycotic can do that. The analytics was something the client really wanted, and they already had BeyondTrust. 

It is very scalable. The agent on the workstation is very thin, and the processing power required on a server is nothing out of the ordinary. It is also very stable and easy to deploy.

What's bothering me, which is true of all of them, is that sometimes, the error codes that come up don't necessarily get reflected in the searches within their support sites or they're out of date. I would rather search by an error code than type in the text and search for it by text because the error code means that it is programmatic, and it is known. It might not be desired, but it at least is not unexpected. If you don't have an error code, you just get an anomalous error, and if it is lengthy, it can be difficult to search and find the specific instance you're looking for. This is something I would like all of them to improve. BeyondTrust, CyberArk, Centrify, and Thycotic could do some improvements in staying up to date and actually allowing you to search based on the product version. They are assuming that everybody is on their way to release. They put out a new release, but it is not reflected on the support site, which makes no sense to me, especially when they revamp all the error codes. They all have been guilty of this in some way.

I started using it about a month ago when I was doing the appraisal of it, and I put it on a virtual machine. Our work machine is a virtual machine.

It is very stable. I had worked on a competitor's product two years ago, and it was rather buggy. It had issues. Sometimes, it used to hang the machine. Because you're running an agent on the workstation, it could have a memory conflict or an application conflict. It doesn't happen anymore because you've got it pretty much running strictly in Windows.

It is very scalable. 

I used their email support, which is very good.

I didn't switch the client to this one. I recommended this one because it stays under the BeyondTrust umbrella. It also helped them in getting a discount for volume and being a loyal customer and things like that. They also didn't have to add new infrastructure. 

CyberArk is a very good product, and I like it. I've been trained in it, but I have not implemented it. I am not going to ask the customer to install another infrastructure or another platform, especially when the products are fairly equal or equal enough to not be an issue to put on a table. If I had recommended CyberArk, they would have to put in a CyberArk infrastructure and retrain a whole bunch of administrators to administer that. They would also have to train a whole bunch of support people to manage off-hours, holidays, weekends, and things like that. Every time you add another brand, it adds to your soft costs, which can make a solution pretty expensive.

Hard costs are so much fun, and they're much easier. I've seen people get up and just start writing on a dry erase board because they know all the hard costs. It would be good if they would just be honest with themselves and the clients and explain what some of the soft costs are in terms of additional training or a more significant hardware footprint.

It is pretty straightforward to get the agent installed. You install the agent and the server component, and you let the users do whatever they've been doing for the last 10 or 20 years of their life. You also create profiles. For example, I had a developer profile for both Windows and Linux, and I had a profile for a regular user, help desk, and engineering. After you create profiles, an administrator can look at their activities in the log and analyze things like the following:

• Why did he install CCleaner on the machine?
• Why did he install this application?
• Why did he elevate a command prompt to do something? What is he doing?
• Why does he need administrator command prompts?

You can then add things like this to your blacklist, and you can create a profile that will allow or disallow that.

I would rate BeyondTrust Endpoint Privilege Management a nine out of ten. 

I was part of the project, I collaborated with a Privileged Access Management consultant and incorporated it with their existing password safe from BeyondTrust. This allowed for a comprehensive approach to security within the designated area of focus.

When it comes to FSO security, a prevalent objective is the removal of admin rights for users and many security teams aim to transition users from admin to standard status, even while ensuring the seamless operation of critical business applications. Challenges arise as some users find it difficult to complete their tasks without admin rights. Avecto Defendpoint addresses this by allowing specific business applications to run with elevated privileges through the Advantage Token. Striking a balance, it empowers users in standard mode to run essential business applications with the necessary admin rights, while maintaining a secure posture.

The notable aspect is its ability to capture the application's behavior comprehensively and this thorough analysis is crucial for effective policy management. During troubleshooting, the event capture feature, known as PG capture, proves invaluable. By leveraging this functionality, administrators can quickly identify processes through Windows Event Viewer. The obtained insights from these events can be utilized for immediate problem resolution. Furthermore, the reporting feature facilitates the seamless addition of policies based on the gathered information, making it a standout and practical feature. In the event of attackers attempting to execute malicious files that require admin privileges, it intervenes at the initial stage, blocking such attempts outright. The incorporation of a chat feature and the adoption of BeyondTrust's Trusted Application Protection further enhance security measures. Organizations often opt for implementing policies from this application suite, safeguarding fundamental applications like Office, Adobe, and browsers.

When working with the on-premises installation, the reporting process posed challenges, requiring the installation of SQL. The differences between EPO reports and the reporting console were observed, prompting a desire for equivalence, especially in specific report types critical to customer evaluation. Aligning these features across platforms would enhance the overall reporting consistency and user experience. A valuable enhancement could be the capability to deploy agents directly through the console. While it might not currently fall within the scope of the product, having the ability to uninstall or install agents seamlessly through the console would be a beneficial feature.

I have been using it for six years.

It is notably stable, especially evident through its tamper protection feature. Even attempts to tamper with the product, such as through registry settings, proved unsuccessful in our testing, attesting to its robustness.

The ability to seamlessly uninstall or install agents through the console would be highly advantageous. Presently, dependency on SSE for scalability and deployment tasks involves setting up groups and pushing tasks to endpoints, including the configuration of policies for certificates.

Their support was excellent, providing valuable responses within a few hours. However, during the transition period, typical of major changes, responsiveness slightly declined, taking a day or two to receive a response. Fortunately, things have improved, and we now receive prompt responses.

CyberArk is a significant rival, offering a multitude of features, some of which may not necessarily align with the fundamental needs of the customers. Avecto Defendpoint, on the other hand, caters to the precise requirements articulated by the customers. This thorough comparison involves not only feature sets but also financial considerations and other pertinent aspects.

The initial setup is straightforward, requiring the fulfillment of certain prerequisites. This includes setting up ports and, if opting for reporting through SQL, configuring the SQL server along with the necessary accounts. When all these prerequisites are in place, the implementation process is smooth and not overly complicated.

The process involves several steps, starting with initial discussions to understand the existing infrastructure and identifying the necessary knowledge about the current state. Subsequently, approvals need to be obtained from relevant workflow departments based on the proposed changes. Once the groundwork is established, the next phase entails getting the servers up and running for it. The decision-making process then extends to choosing the appropriate deployment model, whether on-premises or in the cloud. For customers with the Password Safe, considerations regarding the Password Safe console come into play. This comprehensive approach ensures a thorough understanding of the client's requirements before making informed decisions about the deployment. Our process typically involves progressing from Proof of Concepts to real-time production deployment. The entire timeline for this transition spans approximately three months.

By consistently reviewing and adjusting policies, and implementing stringent measures, this product can provide enhanced security, ensuring a substantial return on investment.

It is relatively more cost-effective compared to the competing product.

When evaluating this product, it's more effective to base the assessment on your specific use cases rather than comparing it to other products. If the product aligns with ninety percent of your use cases and meets your needs, it would strongly indicate that proceeding with this product is a favorable choice. Overall, I would rate it eight out of ten.

There are three components for BeyondTrust. Password Safe is where we privilege the accounts like server accounts, domain accounts, local accounts, or custom third-party applications. We use the application to monitor and fix the recordings of third-party applications. You can also use it for Cisco integrations and multi-factor authentication.

I find the solution’s features like section management, password management, and analytics valuable.

There are three types of endpoints. If we need to use them in the solution, then we need to purchase the licenses separately. The tool needs to improve its licensing.

I have been using the solution for four and a half years.

The solution is stable.

The solution is scalable. There are around 10,000 users for the solution in our organization.

The tool’s setup is straightforward compared to other products. The solution’s deployment depends on remote databases. We should also install a challenge-response code. For Password Safe, we need to install the EPM database, challenge-response code, etc.

The product’s licensing is different for Windows, Linux, and Mac. The tool’s licensing is yearly.

I would rate the solution an eight out of ten. You can deploy the solution to Azure, AWS, or on-premises. This solution will be very helpful for organizations for security purposes. The tool is very user-friendly. The solution’s graphic user interface is also very easy compared to other products.

There are three use cases that you can target. The first use case is the fact that some of your users may need admin rights for launching custom applications, such as Visual Studio, or they may want to install something on their machine on their own, or they may want to start, stop some services, change maybe system font, if the need arises, or install a custom font or change the driver, update the driver. Also, instead of giving full blanket admin rights, we can give selective admin rights using EPM in order to protect the company and the infrastructure from abuse. This is the first major use case.

The second use case is where we implement application blacklisting and whitelisting. If I don't want Adobe applications to run within my company, I can create a policy around that. Or, for example, if I have Adobe licenses, and those are only valid for version two to version three. Anything below two, I don't own and anything above three, I am not allowed to upgrade. Therefore, whitelisting based on version control also can be implemented. 

The third use case, which not popular in my region, is where cyberattacks can be mitigated or zero-day attacks can be mitigated, by making sure we whitelist only the browser and only Outlook. If the browser tries to invoke a script or if Outlook launches say Excel or PDF as an attachment, and from there, if a script tries to launch, we will be able to block it. Therefore, making sure that the entry point of the malware itself is blocked is possible. That said, having said that, it has zero intelligence in checking whether the script is legitimate or bad. It's going to block everything. It blocks all and later you can enable it, if the need arises.

The solution can scale.

It's relatively straightforward to set up, especially if you are deploying to the cloud.

Technical support has gotten more responsive.

At the moment, they don't support Linux. For this EPM, they have a different product for EPM, for Linux.

The same company needs two different products for EPM. One works with Windows and Mac and the other solution is mainly created for Linux. They can try to merge these two and make one product. That would be an improvement. Being a policy administrator, I have to create, or maybe monitor, two different admin consoles for the policy due to the separation between the OS.

They have a troubleshooting utility or a quick start utility, a quick start policy. They need to come up with better integrative options which should be customer-centric. At the moment, it is from their point of view. A quick start policy is something that helps customers to remove admin rights on day one.

I've been dealing with the solution for the last eight years. 

The solution is definitely stable. That's why within the last eight years, we are able to satisfy the most demanding customers in the world. It supports 10 users. It supports 10,000 users or even 100,000 users. It's scalable.

I'm not sure how many people collectively are using it in our company. I happen to have one specific area within my control. There are other technicians who will be implementing this from my own company.

I've used technical support in the past. 

The product was initially developed by Avecto. Then BeyondTrust purchased that company and they both merged together. Initially, the team was quite small. The company itself was small, and its support was not that good, in terms of response time. However, when they used to come online, their technical expertise was at par. It was way beyond our expectations. The only trouble was to bring them on a call, as the company was slightly small.

Fast forward six years, seven years. Now, the strength of BeyondTrust being a larger organization, we have better access to the technical team. Today, we raise a support ticket and someone will definitely assist by tomorrow. That's progress.

However, technical expertise becomes a challenge sometimes. Not always. Just sometimes. Any big organization will not assign an L3 person on day one. That's the architecture problem. Not the company's problem.

I may scream at the top of my lungs that I don't think this is something that an L1 can handle and they will not believe me. They would like to go through L1, and L2 and then eventually reach L3. That's the only issue with any big organization. It's an architectural problem. 

The ease of deployment depends on your requirement and your setup. If you are handling the cloud, then it's fairly easy. You simply download the agent and install the agent. The reporting is inbuilt. Policy management is inbuilt. If you consider other deployments, there is some friction, depending on the architecture.

The licensing is paid on a yearly basis. I can't speak, however, to the actual cost of the solution.

We are a partner and we sell and support this EPM solution to other customers.

We use both cloud and on-premises deployment options. 

I'd suggest new users go slow. Instead of going bold. It's a powerful solution. If I create a beautiful policy, the product will behave beautifully. However, if I create an ugly policy, the product will show its ugly face to you, as it's just a brainless bull running around. You have to give it a direction. Otherwise, it can harm you. 

Overall, I would rate the solution an eight out of ten.

It's mainly for privilege management when you log in to any Windows system, so you'll be able to execute only what you have to and can.

Everyone in the company uses BeyondTrust Endpoint Privilege Management—about 3000 to 4000 in South Africa and another 1000 in the UK.

One of the valuable features is the absence of any local user in a unique system. All users are defined in the AD; communication is only between Unix and AD. When you log in, there are no local users on any unique system you access.

Another valuable feature is privilege management, where only the command steps needed to be executed given to the user, and they cannot execute more than that.

There is always room for improvement. One thing that would be helpful is if it was easier to define which commands can be used. Currently, we use a program to automate all of this, but it's not a default feature of BeyondTrust Endpoint Privilege Management. It can be a bit more difficult if we're not using our own script. We have a script that checks the day from the AD group to see if any users have certain privileges, and we execute it to make any necessary changes. We've automated the process by creating our own script. We run it four times a day.

In the future release, I would like to see it easier to configure without adding all the scripts. It would be helpful if it had a user-friendly manual that allows you to change things easily. It would make BeyondTrust Endpoint Privilege Management a lot easier to use.

I've been working with it for a long time. It's the latest version.

We started with AD Bridge about four years ago, only AD Bridge, and then we added the privilege management about two years after finishing the credit bridge.

I would rate stability a seven out of ten. Sometimes we lose the connection to the domain, but just the domain joins and resolves the problem.

It is a scalable product. We have over 1000 systems that we scan every day. We check every day if the system is not there in full. If it has been more than twenty days, we take it out of the assets. If there is a new system, it will join the asset. We have a contract running four times a day that checks for all this. If there is a user that left the company and was deleted from the database, it's all automated.

The customer service team is okay. I've had a few issues with them, but they were reasonable. However, I have one issue that has been ongoing for a year, and they have not been able to solve it yet. It could be a difficult issue, I'm not sure. I managed to resolve it myself with my own programs that check and solve it automatically, but it persists after over a year. They are unable to identify or replicate the problem.

We need two to three people for solution administration. We have a big configuration and complicate it with the script that we are running. These scripts are very complicated, and it took us quite a few times to wind it to this case. But now that it is automated, we need half a person to do it. But in the beginning, we needed a lot of people.

And now that it is running and automated, every user has been added automatically without any intervention.

Before, we had a division where we had to add local users all over the systems. But now we are using BeyondTrust Endpoint Privilege Management. All are controlled by the privilege management, and we don't have so many problems.

I suggest starting with AD Bridge and implementing it properly before installing the privilege management. Doing them together will be very difficult. First, enable the AD Bridge fully and make it available to all users, and then install Privilege Management.

I would rate it around eight out of ten.

It is straightforward. It is a good technology, and it is made to do one single thing.

They are doing good for now, but they should start to consider tight integration with Mac solutions. There should be more integration with Mac. There should be Active Directory (AD) Bridging. Thycotic and Centrify have it currently because they merged and joined forces, and it was a feature available in Centrify. So, basically, they joined forces to create a kind of perfect product. If you have a hybrid or mixed environment with Windows and Mac, your Active Directory can only manage or enforce policies on Windows, but what about your Mac devices? How do you control them? So, AD Bridging will act as a bridge to bring all your Mac devices into your Active Directory. This way you have full control over your entire environment.

I have been selling this solution for three years.

It is stable. 

It is scalable.

I never had a problem for which I needed their technical support. The product is simple and easy to use. Our team is also capable of solving all the problems.

It is easy to deploy. The deployment duration depends on how many servers or routers you have, what kind of IT stuff you need to grant access to, and how much stuff you have. I am referring to the entire environment with all the customers and all the users. If you have five routers, five firewalls, it might take up to two to three days to deploy the entire solution. It also depends on the number of administrators you have.

Price-wise, it is very competitive. In our area, government entities and banks don't go for the monthly payment. It is a headache even for us in terms of finance and procurement to go for monthly payments. Quarterly might be more logical and reasonable, but the minimum that we go for is one year, and sometimes, we even try to compile and give one offering for three years.

It is mainly deployed on-prem. About 95% of the sales that I do are on-prem solutions. That's because we're talking about security.

It is a good technology. I would definitely recommend this solution. I would never sell it if I can't recommend it. I would give it an eight out of 10.

The solution's least privilege enforcement has helped us ensure access is given to only the required people.

Sometimes, it's difficult for other users to understand how accounts and servers are mapped, which is complex. How the accounts are presented in the solution's UI can be improved.

I have been using BeyondTrust Endpoint Privilege Management for five to six years.

I rate the solution an eight out of ten for stability.

I rate the solution an eight out of ten for scalability.

I rate the solution an eight out of ten for its ease of deployment and integration with our infrastructure.

On a scale from one to ten, where one is cheap and ten is expensive, I rate the solution's pricing a seven out of ten.

The solution is doing a good job of enhancing the endpoint security posture by managing the overall application life cycle and helping us block unwanted applications. The solution's scanning feature helps identify the unmanaged accounts within the console itself. We do not have to do a DNA scan like CyberArk separately, which is a separate license.

The solution's least privilege enforcement has helped us ensure access is given to only the required people. It is easy to maintain the solution.

The solution helps identify the unmanaged accounts and then develop a plan for managing those transferred accounts, which were used as service accounts in multiple critical applications.

Users should have an in-house person to manage the environment. If they completely depend upon the vendors, they might be unable to do things at the right pace.

Overall, I rate the solution an eight out of ten.

We are using the solution to access the servers remotely.

The solution's most valuable feature is its ability to publish the application remotely instead of logging into the server. You can just run the software from the remote server. 

The solution's features for customizing access for the engineers, creating forms, and establishing workflows need improvement. Also, they should provide integration with VDI solutions. It would be great to run it from the Citrix Storefront or VMware Horizon.

I have been using the solution for three years.

The solution is stable.

The solution's technical support is good.

Positive

The solution is easy to deploy. However, it is complex in terms of configuration and customization. The process takes nearly two weeks to complete.

We implemented the solution with the help of two or three executives and an integrator.

The solution's pricing is high.

The solution's enterprise features align precisely with our organizational focus. I advise others to evaluate it and compare, considering the variations in each environment.

Overall, I rate it seven out of ten.