CyberArk Endpoint Privilege Manager Reviews

I use the solution in my company since some users need a certain level of activity in EXE files. The tool is used to block certain issues that we don't want in our environment.

The most valuable feature of the solution stems from its ability to delegate admin access instead of giving complete admin access to a single user. It is possible to elevate the product to a single process.

The product is very flexible. I don't feel any difficulties while using the product. Recently, my company moved to the tool's SaaS model from the on-prem version. With the tool's on-prem version, the database used to have some issues. After moving to the tool's SaaS version, we are not facing any issues. The on-prem version of the tool requires improvement.

The turnaround time of the support team is an area of concern where improvements are required.

I have been using CyberArk Endpoint Privilege Manager for four years. I am a user of the tool.

Stability-wise, I rate the solution a ten out of ten.

Scalability-wise, I rate the solution a ten out of ten.

More than 3,500 to 4,000 people in my company use the product.

I have contacted the technical support for the solution. I rate the technical support a nine out of ten.

Positive

The product's deployment part is very easy because only the agent you need to distribute to either via Intune. With Intune, you need to install the tool via automation.

I feel that the price of the product is nominal. It must be around 10 to 15 USD per installation. I rate the product price an eight to nine out of ten, where one is high price, and ten is low price.

CyberArk integrates with WebLogic. There are no issues with integration wise when it comes to CyberArk Endpoint Privilege Manager.

I rate the overall tool a ten out of ten.

Previously, the enterprise EPM was on-premises. Now, it has gone to the SaaS model. So, we have used CyberArk professional services, wherein CyberArk deployed all the agents into our different Unix machines. This deployment is currently underway. The policy changes and the reconfigurations part are pending. In the coming quarter, or by the end of it,  the overall EPM deployment will be completed with this customer.

The kind of services they provide in the vaulting of both the password as well as the SSH keys in their Password Vault is great. The alert mechanism that they have is also provided by their different tools, called PTA, Privileged Threat Analytics. It's a key feature of CyberArk that they have provided.

Now they have also ventured into identity services, where they are also moving ahead from their legacy privileged access management to identity and access management. Therefore, apart from the core component, like the vault, you get privileged access management using the PSM and the password rotation through the CPMs.

There are other core features that they are working at. For example, they have introduced a new feature with a new core overall functionality using the DAP. DAP is a combination of AIM as well as Conjur. And then, you have got an HTML5 gateway with the flexibility to onboard some external partners for a limited period of time, depending upon their usage and availability. When they no longer need it, those aspects can be automatically removed, depending on the policies and approvals. 

The solution is scalable. 

It's stable and reliable. 

A major factor for improvement would be the PAS, although they are improving on that part. Basically, the ease of installation and the configurations could be improved upon and are being adjusted. First of all, with a Windows machine, we have to follow very strict procedures for the installation of different components, specifically for Vault. And then you must just keep in mind all the policies that need to be there. In case there is any kind of limitation with respect to any kind of GPO policy being applied, then you have got different issues that you have to deal with it. You have to be very careful and intelligent. Otherwise, the whole platform might come down. They need to add more automation when it comes to onboarding and configurations so that the process is more practical. 

The installation process is pretty difficult. 

It's an expensive product. 

I'm well versed in the solution. I've used it for four years or so. 

The solution is stable. I'd rate it eight out of ten in terms of reliability. It doesn't crash or freeze and there are no bugs or glitches. 

I'd rate the scalability from eight to nine out of ten. It can expand easily. 

In our company, we have around 500 resources trained on the solution. It's deployed with various customers. 

We usually have support along with the licenses that we purchase. That way, whenever there is any kind of an issue that our technical team is not able to resolve the problem, we raise a ticket, and we have a call with the relevant support.

Neutral

It's a bit difficult to install the solution. I'd rate it three out of ten in terms of ease of installation. I'd rate it just below really difficult. Prior to version 11, it was very difficult. The process has gotten better.

After the 9.6 version, they introduced their own CyberArk Cluster Manager, which eased out the cluster deployment, where we have to install the Microsoft Server Cluster. That was a difficult scenario beforehand, apart from the standalone one. So it has gotten easier.

How long the deployment takes depends on the environment you are working in. If you're doing a bare, fresh installation, which has the installation of the basic core component, it should not take more than two to a maximum of four hours.

We have trained resources in-house and were able to deploy everything on our own without outside assistance. 

While the solution is excellent and highly rated on both Forrester and Gartner, it comes at a cost. 

I can't speak to the cost of the exact license. However, the professional services for one eight-hour day would be $1,800.

I'm on the Partner Portal. I'm Defender-certified and using CyberArk's various services for the installation as well as the managed services. I work with a system integrator. 

I have not used the C3M Cloud Control, Enterprise Password Vault yet.

We have deployed to multiple customers.

With CyberArk, there are different certifications, including, Trustee, Defender, Sentry, CCD, and Guardian. Right now, we have around two hundred who are Guardian-certified and around 150 resources who are CCD-certified, CyberArk Certified Delivery Managers. The rest are the operational resources who are certified on Defender.

For those considering the solution, I'd advise them first to consider what their use case will be. However, CyberArk is a great deployment option and the first I'd recommend, depending on the budget.

Holistically, if you have a big enterprise, such as a financial enterprise or healthcare system, where you have got a vast amount of host machines with a combination of Windows, Unix, and your firewall, CyberArk would be the best-suited product that you should deploy in your enterprise to secure your endpoints.

I'd rate the solution nine out of ten. The core testing they perform is great. They also regularly release patches to help enhance security. The ease of communication with the customer is great, and the alerts and notifications they have on offer are very helpful.

We use the solution to secure direct access to servers. Users could open their browsers and access resources. This applies to different teams, such as DevOps, IT services, and development teams. They can no longer use RDP connections directly to the server for their day-to-day tasks. Instead, they must log in to CyberArk with their account and then use a shared account to access the server. Another advantage is using (Privilege Access Management) PAM accounts, which have high permissions but are limited in their access.

CyberArk's infrastructure is extensive. A cloud version has been introduced, when it was fully on-premises. You had to set up a separate environment for CyberArk, which incurred significant costs for the customer. Additionally, maintaining the infrastructure required dedicated resources, including on-call support outside of regular hours. If infrastructure went down, it left everyone in a difficult situation.

I have been using CyberArk Endpoint Privilege Manager as a consultant for three and a half years.

The product is stable.

I rate the solution’s stability an eight out of ten.

The solution is not easy to scale because it needs a separate team to do the capacity management all the time. We cater the solution to enterprises and small businesses.

I rate the solution’s scalability an eight out of ten.

The initial setup is very difficult, but If you follow the correct sequence, then it's fine. The only complex thing is to build the infrastructure and maintain it.
It depends on the whole component and takes a couple of weeks to deploy.

The solution is very expensive. The licensing costs a lot. There is a separate cost for support.

We opted for BeyondTrust.

Three people are required for the solution’s maintenance.

Overall, I rate the solution a nine out of ten.

The primary use case for CyberArk Endpoint Privilege Manager (EPM) is to control applications on work sessions, particularly in environments where users are not supposed to have open rights. It can be utilized to remove local admin rights from work sessions and protect the local admin group from unauthorized modifications. By deploying policies on these work sessions, organizations can restrict users' privileges and prevent them from adding users to the local admin group, reducing administrative privilege risks on endpoints.

Furthermore, it enables the deployment of policies that allow users to elevate application permissions without granting additional user rights. These application policies benefit specific applications without affecting users' overall rights. For instance, developers may require elevated permissions for certain software applications without needing broader administrative rights. However, EPM does not directly improve an organization's response to endpoint threats. Instead, it depends on other policies, such as those designed to prevent ransomware attacks. These policies focus on different aspects of endpoint security, while application policies specifically address the elevation of application permissions for user tasks, such as development activities.

CyberArk Endpoint Privilege Manager (EPM) 's most valuable feature is its ability to manage user application privileges and protect against ransomware attacks by controlling access to specific files and applications. Additionally, EPM effectively oversees the local admin group, preventing unauthorized users from adding themselves to it and ensuring tighter security. Moreover, the capability to remove users from the local admin group and rotate passwords for built-in admin groups enhances security measures significantly.

The product's threat protection and defense capabilities need enhancement. While there have been significant improvements in recent months, there's still a need for better identification and handling of real threats versus false alarms. It would be beneficial if the product could accurately detect and respond to genuine threats without generating false positives. This would allow organizations to rely more confidently on the product as a complete tool for application control and endpoint protection.

We have been using CyberArk Endpoint Privilege Manager for four years.

The technical support services are good. Despite occasional delays, the team has consistently provided effective assistance and support.

Positive

The initial setup of CyberArk APM was relatively straightforward, and the platform offers flexibility in deployment methods. Depending on the organization's preference, deployment could be done through various means, including deployment tools or the APM console. The platform provides administrators options for choosing the most suitable approach for their environment, contributing to ease of deployment.

However, there are areas for improvement. One aspect that could be enhanced is moving endpoints between sets within the EPM console. While the capability exists, there can be delays in endpoint movement, which could be addressed to streamline the process and improve efficiency.

Additionally, I recall considering adjustments in the advanced settings of the APM console. Specifically, there's a feature for creating custom advanced settings and targeting specific computers or endpoints. However, it's currently limited to targeting only one computer at a time, which can be cumbersome when dealing with multiple endpoints. The process could be easier.

EPM is not specifically designed for threat protection. While it does a decent job in this area, it generates many false positives. As a result, the primary function of EPM in terms of threat detection is to send events to the security team for further investigation.

As a consultant working with organizations, I've deployed application control features like those offered by CyberArk Endpoint Privilege Manager (EPM) across various environments. Without such controls, organizations would face increased vulnerability to attacks, as granting local admin rights exposes systems to potential security breaches.

I rate it an eight. However, there are areas where improvements could be made. For example, addressing the issue of false positives in events, especially concerning ransomware events, would enhance the platform's usability. Additionally, it requires EPM and PAM solutions to reset passwords for local accounts on workstations. Other products allow this with just the EPM component, whereas CyberArk requires integrating two separate products.

I work with CyberArk Endpoint Privilege Manager for my partners. It is mainly for compliance, managing credentials securely, and monitoring what's going on with those credentials. Also, there's this thing about limiting privileges for certain users in production environments. But it seems like it's not just for big setups, it's also used across all kinds of workplaces.

The feature called PTA, which stands for Privileged Threat Analytics keeps track of what admins are doing and works with Centimeters. If something fishy is going on with a user's credentials, it alerts the security team so they can act fast. Plus, it automates stuff like resetting credentials or blocking users. So, if there's a potential hack, CyberArk can change passwords and lock out users in a snap. It also gives you a heads-up if anything unusual is going on with server activities, like someone creating new users with uncontrolled credentials. 

CyberArk meets clients' need very spot-on. It covers everything customers ask for.

As for improvements, honestly, the feedback's been really positive. I haven't heard any specific areas that need work.

It's designed to be highly available and resilient, so you can always access your targets no matter what.

As for scalability, it's totally on point. With the SaaS option, it's fully scalable. And if you're running components on-premise, you can easily add more to boost performance as your user base grows. They're usually virtual, so it's a breeze to scale up by adding more virtual machines.

I don’t deal directly with customer support, but I've heard good things from my colleagues who do. They usually handle it through certified partners, and the feedback is pretty positive.

Positive

There are two choices, one is the software service option, which is super easy to install and get running. The other is a self-hosted route, which has a more structured setup for better security and performance, though it's a bit more complex.As for deployment time, it varies depending on the project, but on average, you can get it up and running in just a day.

Maintenance is not a headache. We usually offer manager services to keep everything updated and running smoothly. It's a simple process that keeps things effective.

It's not at the lower end of the market. I think the price is reasonable considering the quality it delivers. It is a top-notch solution at a fair price point.

Once you start integrating this solution with your existing technologies and implementing new processes for accessing targets by administrators, you can see significant progress within two to three months, covering around eighty to ninety percent of your technology integration. With strong engagement, you can expect a substantial return on investment in that timeframe.As for rating the solution, I would give a solid ten.

I'm using it in my company. It helps us manage our endpoints and keep things secure.

The solution is doing what we expect it to do. 

It integrates well with our CI/CD pipeline and Amazon Cloud, which is useful.

We can do both server and endpoint protection. 

It's a stable product. 

The interface has been fine.

It is scalable. 

Technical support is helpful and responsive.

We've sent requests to CyberArk for improvement. We've had issues around migration surrounding legacy to cloud ADs. The implementation process wasn't as straightforward as we had hoped. 

They need much better integration with Azure AD. 

It is expensive; however, it does offer good value compared to the competition. 

I've been using the solution since 2020. 

It is stable. There are no bugs or glitches. I've found the solution to be reliable. It doesn't crash or freeze. 

It's scalable. We can extend the product very easily.

It's great for enterprises.

Technical support is very good. They are helpful. We have no complaints about the level of support we receive.  

We did not use any other solution. 

The initial setup was difficult. We had trouble with legacy migrations and Azure AD. 

The deployment took two years across two phases.

They are not the cheapest. However, what they provide, compared to competitors, it is reasonable. 

We evaluated a different option previously and decided not to go ahead. We went with this solution instead. 

Just make sure all applications and services that need to be migrated can move over. A lot of planning is required.

I'd rate the solution eight out of ten. 

Day-to-day, normally when administrative access is required for a user, they have a UAC prompt that comes up and they have to click yes or no. When we whitelist an application, it automatically elevates, so it's one less click for the user. It's improving efficiency and it's making it easier for them, at the end of the day.

The tool has great functionality in reducing risk in the environment, especially if an endpoint is compromised. It reduces pass-the-hash and same-account harvesting. And if something were to happen, we would be able to report on that right away and let the SOC know.

In terms of removing local admin credentials on the endpoint and the effect on the size of the attack surface in our organization, it has drastically reduced the attack surface for local administrative rights and the chance of escalation of privilege. We've removed, at this point, close to 98 percent of the local administrative accounts on workstations. If there were an incident, it would stop at that point and we'd be able to know.

We have also been able to reduce the number of local admins. We originally scoped out to only have a certain number of licenses for the software and we have reduced it significantly from what we thought we would need, purely based on a policy perspective and who actually really needs some administrative access.

With conventional local administrative access, you have no insight into how users are using that access. With Endpoint Privilege Manager, we have the ability to see how they're using that and then lock down things that aren't appropriate or are not allowed in our company.

At scale, in an enterprise environment, it's very easy to start installing agents on multiple workstations. So if we need to deploy to several thousand more workstations, we will have the ability to do that.

So far, there are a lot of integrations we are using. We are sending logs to a SIEM. We are working with AD to make sure that we are provisioning roles properly at that point. That's where we've left it.

If we look at the Privilege Management Inbox, we get a lot of information on what's happening right then and now. But if we would able to filter it down based on a role group or an AD group to say, "Give me all the actions run by this specific AD group," it would be very easy to scope out access for different roles.

Overall, the ability on the endpoint is very good for the user. It can be used online and offline. As for the administrative console, there's room for improvement and that is something we've already escalated. We've worked with the R&D teams to address those issues.

Scaling is easy. If you want to put it out on more endpoints, if you need thousands of more workstations, it's very easy to do. CyberArk has easy guidelines on how you should be sizing your infrastructure.  

Overall, I would rate technical support at seven out of 10. We have had some major issues with the tool, but we have worked with the R&D teams and we have worked with support. There is room for improvement, especially on response times. But they're working on it and they're doing the best they can.

We did not have a previous solution. However, we knew that there is a large attack surface in the event that we were to be compromised or fished. We knew that there was a vulnerability and we said, "Okay, we want to get it in front of this so we're not Equifax or CapitalOne or something like that."

It was a pretty straightforward setup. CyberArk does support the documentation for it. We did customize it a little bit more for high-availability. If a server were to go down, we can automatically switch. So overall, it's quite easy to set up, but you can always customize a little bit more.

I don't think I could quantify ROI, to be honest. Reducing risk is always something that is going to cost you. But when it comes to share price, stock price, etc., if a breach were to occur that would have huge implications.

If you're going to implement Endpoint Privilege Manager, don't just give everybody EPM and think you're done with it. Spend the time, engineer it, think about it from a project perspective, and deploy it with the concept of least privilege. Really spend the time to make sure it's deployed correctly and all the processes are established so it's smooth sailing from there on in.

Overall, I would rate this product at 8.5 out of 10. The product does exactly what we need it to do. However, we do need a little bit more action and response time with regards to support.

In terms of the effect working with CyberArk has had on my career, it has really put my name on the map with regards to the whole CSO world and IT security, as well as from our company-wide, holistic perspective. People come to me; they know me as the person who will solve problems. Usually, things are very difficult, but at the end of the day, we'll find a solution and implement it. From that perspective, it's giving me a lot more opportunities.

Because we are dealing with personal health information, we have had to setup up a security broker for admin access in and out of the accounts.

They wanted to have a break-glass solution in case there was a problem with the multi-factor authentication or any other issues.

We chose to use CyberArk for their failover abilities. If the Multi-factor authentication fails then you can still log in and it has a second factor that authenticates.  

It gives them the break glass option that they needed.

The most valuable feature is that it does lifecycle management and that it will change to whatever the end target is. For example, you can go into Azure AD, a backup directory, or a set of Google cloud platforms.

It will do lifecycle management on the keys. It makes it so that you won't have to ever have a standard key. 

It's generating dynamically keys and you can enforce policy easier.

As you start adjusting your key lengths and everything further, you can adjust them all in a single day.

It's an old product and has many areas that can be improved.

They are having to purchase Centrify to get a Linux client session that is authenticated against Active Directory. 

If you wanted to log in and use your ID credentials into Linux boxes, the solution that worked was not CyberArk, it was Centrify. They had to purchase two different products to do the same thing.

The interface is not great, but good.

In the next release, I would like to see a Linux Client added.

I have been using CyberArk Endpoint Privilege Manager, since the early 2000s.

We are using the latest version.

It's a stable solution.

CyberArk Endpoint Privilege Management is scalable.

We have 1200 users in our organization.

Technical support is fine, they are better than what they used to be.

The initial setup is complex because you are dealing with federated credentials across multiple authentication protocols.

We did not use a vendor or reseller. I am there as a consultant.

I think that it was in the range of $200,000  that had to get approved. That may have been for the whole three to five years for the project length.

I basically am trying to drive their digital transformation and do the overall build a mass data network for their data strategy. Building out different APIs and different things. 

Building out a blockchain security framework to allow HIPAA compliance where you can go in at the portability of their data to pull in and out without creating an issue with the payers.

I would recommend this solution depending on what the business needs are. I'm a big proponent for keeping things simple and trying to avoid unneeded complexity.

The company demanded certain things and only wanted to do it one way, and the way they wanted to do is what we got stuck with.

The API mobilities are there, they exist and they are okay, but as a framework and in total is worrisome because it's not a stateless application.

It doesn't appear to be moving forward. It's still a type of software-oriented architecture instead of moving to microservices, where it could be stateless. If it were stateless, and it failed during a password change, you would see it as a failure and go back to the original password.

I think that they have a lot of work to do to get there.

I would rate this solution an eight out of ten.