Enforce Least Privilege with the Least Effort: A PAM… | BeyondTrust

BeyondTrust is constantly introducing new features and enhancements to Privilege Management for Windows and Mac that help you achieve least privilege with the least effort required. Whether it’s ease of deployment, streamlined policy refinement, or comprehensive integrations, we’re constantly innovating to make achieving least privilege simple for organizations that often have understaffed and overstretched security teams.

In this privileged access management (PAM) innovation series, we explore how BeyondTrust’s constant innovation helps Privilege Management for Windows and Mac customers secure their endpoints, reduce their attack surfaces, and protect their organizations against threat actors of all shapes, sizes, and creativity levels. Let’s explore our latest release: Privilege Management for Windows and Mac 23.3.

Why do organizations need least privilege?

The concepts of least privilege have remained relevant for the past 50 years. Least privilege was first introduced by Jerome Saltzer in a 1974 issue of the monthly journal Communications of the ACM, and was popularized in 1983 with the release of the first US Department of Defense Rainbow Series of books on computer security standards and guidelines. While not a new security practice, the principle of least privilege has proved just as relevant to the cloud systems and IoT devices of today, as it did to the legacy systems (some of which are still operational) of yester-year.

The difference is that, in 2023, more privileges exist in more places than ever before. With attackers as crafty and relentless as ever, achieving least privilege today is as important to a comprehensive security posture as it’s ever been.

Why do so many organizations still struggle to successfully achieve least privilege?

Many organizations struggle because of the needs of their end users: the people that need to remain productive in order for an organization to operate and succeed. You can’t just remove admin rights to achieve least privilege without the right solution in place to keep your end users productive. That’s where Privilege Management for Windows and Mac comes in.

Introducing Privilege Management for Windows and Mac 23.3

BeyondTrust is pleased to announce the availability of Privilege Management for Windows and Mac release 23.3. Our third release of this product for 2023 includes new features and enhancements that will improve ease of use, reduce operational complexity, and further protect organizations by reducing risk and blocking potential vulnerabilities.

Read on to learn about our new features—like DLL control, which allows you to block six DLLs that Microsoft recommends blocking with the click of a button in the Privilege Management Console.

Role-Based Access for APIs (New Feature)

In release 22.8, we introduced role-based access, a feature that gives you granular control over the access and permissions your users have within the Privilege Management Console. In release 23.3, we’re introducing role-based access for APIs, which allows you to apply that same granular control over access and permissions to the APIs you use in Privilege Management for Windows and Mac.

Now, when you create a new API account in the API Settings page of the Configuration section of the Privilege Management Console, you can select which endpoints you want the API account to have access to. This ensures that each API only has the access and permissions it requires, reducing risk and protecting your organization against potential vulnerabilities.

Elevation of Store Applications (New Feature)

Today, many end users rely on app stores, such as the Microsoft Store or the Apple App Store, to download the applications they need in order to do their jobs. Many of these applications require elevation – such as Windows Terminal, Windows Notepad, WinDbg, Dell SupportAssist, and others – and until now, Privilege Management for Windows and Mac did not offer a seamless way to elevate them.

With release 23.3, Privilege Management for Windows and Mac can now seamlessly elevate applications downloaded from app stores. This streamlines the elevation process and reduces service desk tickets for IT and security teams. It also provides end users with more flexibility to download applications from the trusted source of their choosing.

Add to Policy in Analytics v2 (Beta Feature)

Last year, in release 22.10, we unveiled the first stage of Analytics v2, an upgraded beta version of the analytics functionality within Privilege Management for Windows and Mac. Since that initial release, we’ve been introducing more and more functionality to the Analytics v2 beta. In release 23.3, we’re launching a new feature in Analytics v2 that enables you to more efficiently refine your policies.

Users can now action policy changes directly from Analytics v2 thanks to the introduction of the Add to Policy functionality in release 23.3. This means that instead of navigating between Analytics and the Web Policy Editor to implement a change to policy based on Analytics data, that policy change can be actioned directly from Analytics v2, streamlining the process for IT and security teams as they refine policies and react to user behavior.

Analytics v2 is built on entirely new technology, which provides improved scale and performance so you can get the data and insights you need to monitor your estate and improve your least privilege posture fast. You can enable the Analytics v2 beta via the Analytics v2 toggle in the top-right corner of the Analytics page.

The full release of Analytics v2 is on the roadmap for mid-2023.

DLL Control (New Feature)

DLLs (Dynamic Link Libraries) are files that contain code and data that can be used by multiple programs at the same time. They are commonly used by Windows operating systems and applications to improve performance and reduce disk space usage. However, DLLs can also be used by attackers to inject malicious code into legitimate programs, leading to a range of security threats.

With release 23.3, you can now block six DLLs from Microsoft’s recommended block list with the click of a button in the Web Policy Editor. If you navigate to the Policies section in the Privilege Management Console and then choose the policy in which you’d like to block DLLs, you can then select Security Enhancements from the dropdown menu. You’ll then click a toggle to enable blocking the six DLLs Microsoft recommends that you block. If you’d like to customize your approach further, you can use the table below to change the allow/block status of each individual DLL.

The Essential Eight, a set of eight security strategies recommended by the Australian Cyber Security Centre (ASCS) to help organizations protect against cyberthreats, states that application control should be one of the eight key pillars of an organization’s security posture, and that control of software libraries (including DLLs) is vital to achieving effective application control. With DLL Control, you can now enhance your organization’s security posture by blocking six risky DLLs at the click of a button.

Next Steps: How to Start Leveraging the Improved Security and Productivity Benefits across your Windows and macOS Estate

BeyondTrust is constantly innovating Privilege Management for Windows and Mac to help our customers improve their privilege management and endpoint security, and to help protect their organizations from constantly evolving cyberthreats. Privilege Management for Windows and Mac enables you to achieve and dynamically enforce the principle of least privilege while improving end user productivity and administrator workflows. The new features and enhancements introduced in release 23.3 are dedicated to improving ease of use, reducing operational complexity, and further protecting organizations by reducing risk and blocking potential vulnerabilities.

If you are ready to learn more about the best solution for achieving and dynamically enforcing proven endpoint security policies, like least privilege, contact us today! Or, if you are already a BeyondTrust Privilege Management for Windows and Mac customer, here’s how you can get started with version 23.3.

Be sure to stay tuned to our PAM Innovation Series to keep up-to-date as we continue to make the feature updates and enhancements that matter most to our users!