Ensuring Compliance and Simplifying Support with BeyondTrust Endpoint Privilege Management


Company workforces are more dispersed than ever. Enterprises have discovered the benefits of letting employees work from home, and many are adopting full-time remote or hybrid business models. But not all companies have been able to support this shift from on-site to off-site, and many others are no longer able to retain an on-site IT presence at all locations. IT managers have to figure out how to secure endpoint systems while providing workers access to the apps and tools they need to do their jobs, wherever they are.

At a time of shrinking budgets and changing priorities, IT managers need to do more with fewer people and resources, which requires streamlining security and support procedures. They must also empower their end users to understand the increased security risks of remote working, ensuring users do not defer those important updates while adhering to the company’s IT policies, access permissions, and security measures.

IT managers need to do more with fewer people and resources, which requires streamlining security and support procedures.

As the Endpoint Services Director at an aerospace and defense company, I provide central IT services to several U.S. and European operations that are part of a global manufacturing business. My team keeps our Windows workstations across the company and around the world up to date. We maintain all the monthly patching and software updates, deploy software and group policy objects, and manage endpoint security solutions including antivirus and privilege management tools.

I started with the company in 2015 as part of a rotational Graduate Development Program, moving cross country from Iowa to New York to Washington DC before landing in Dallas in 2018. As part of that program, I had the opportunity to work closely with the leaders of several business units and learn how our portfolio of different companies operate. This helped prepare me for my current position, as my job is to ensure every endpoint system adheres to the same security measures while enabling every user with the required access to the company resources commensurate with their job. 

Seeking DFARS Compliance and Solving a Historic Problem

Shortly after completing the Graduate Development Program, I helped launch our Defense Federal Acquisition Regulation Supplement (DFARS) compliance initiative. DFARS contains cybersecurity requirements that US Department of Defense (DoD) suppliers and contractors must follow in order to retain and be awarded new DoD contracts. After our initial gap analysis, we went out to market to find scalable DFARS-compliant solutions that we could deploy across our international operations. To satisfy several controls related to application allow listing and privilege management, we issued an RFP against our requirements and thoroughly reviewed and scored four vendor submitted proposals. 

We initially selected and procured Avecto's Defendpoint solution, with our second scoring choice being BeyondTrust's PowerBroker for Windows. It was fantastic to see both solutions shortly thereafter collectively become known as BeyondTrust Endpoint Privilege Management (EPM), effectively giving us the best features of both products. EPM was the perfect solution to achieve compliance while substantially improving our security posture. It enabled us to granularly allow or deny access to individual applications while also removing local administrative rights from non-IT users altogether, which was a long-standing problem within the company. 

Our end users include highly technical software developers who often need admin rights to perform daily job functions. EPM allowed us to give them the flexibility they required without compromising security of the entire system. The BeyondTrust solution accomplishes this and enforces least privilege by elevating privileges for applications, without actually giving elevated privileges to the end user. We gave our developers access to everything they needed to do their work without granting them full admin permissions over their machines.

Championing and Piloting BeyondTrust

We felt strongly about the solution's capabilities and aimed to deploy it to all systems, regardless of compliance requirements as not all businesses were subject to DFARS. But deploying EPM across our worldwide operations was a massive undertaking, so we used a priority approach to focus on the offices which had the compliance requirements. We first piloted the solution at smaller physical sites, knowing it would be easier to roll out a solution to a hundred people opposed to a thousand. 

We asked local leadership teams to nominate champions from every business function, including HR, engineering, business development, sales, and manufacturing, as we knew this solution could potentially change the everyday user's experience when accessing certain applications. We then funneled project communications through these single contact points, who were subject matter experts within their departments regarding the business-critical applications used on a daily basis. This way, we could sample each different class of users to understand the apps they most frequently used and the permissions they needed. 

Within a few weeks, we had rolled out EPM in a largely audit mode to observe how our various applications would interact with the solution, using our champions to identify any immediate issues. We then worked closely with BeyondTrust's professional services teams to create a company policy using our audited events and their Quick Start configuration policy. This saved us hundreds of hours by establishing a baseline on which we could build our production policy. It took about three months to complete the pilot exercise, and then we began deploying the solution across the wider organization.

Using EPM, We Can Navigate Changes with Ease

Not only do our software developers and engineers have the flexible permissions they need to do their work, but we also allow any company user to update many other trusted applications without involving IT. EPM has robust event auditing which grants us a much deeper visibility into our user behaviors. This allows us to safely allow what we know, investigate what we don't know, and block what we don't want to allow. 

Robust event auditing allows IT to safely allow what they know, investigate what they don't know, and block what they don't want to allow.

Another great feature is the EPM challenge and response code authorization. My small team has been responsible for administering workstations across the globe but for several years, we couldn't have full remote admin privileges on systems in opposing regions due to export control reasons. With the challenge and response code feature, we can talk users through an issue and generate codes that authorize us to perform admin-level tasks when we can’t take control of remote machines. 

The COVID-19 pandemic threw everyone for a loop, but BeyondTrust EPM proved to be a business-critical solution to help us through it. Some of our business functions, like manufacturing, had to continue to operate on-site while most office workers including IT went to work from home. EPM was a solution we could count on to help us remotely administer systems no matter their location, which let us focus on more complex remote working issues.  

Empowering Users While Improving Our Security Posture

Getting buy-in from the business was critical for the success of our deployment. Because EPM integrates with every application, it touches everyone. An improper rollout could break the business, so it was vital to open the lines of communication with internal teams and get their input to help us achieve our goals. 

It’s vital to open the lines of communication with internal teams and get their input to help achieve IT goals.

We have simplified our endpoint security by restricting unfettered administrative access to our systems. If a user's workstation is compromised, an attacker is limited by our policy's permissions. An intruder can elevate trusted applications and permitted functions on that one machine, but cannot infiltrate our network or other servers, thus restricting the lateral movement and damage they can do. If we need to modify permissions company-wide to counter an emerging threat or block a known malicious application, we can roll out the changes with a few clicks. With EPM, updating our security posture takes minutes, not days or weeks.

Partnering with BeyondTrust has saved my IT teams and our end users tremendous amounts of time. By putting rules in place and saying, “We trust you to install and update these applications on your own,” we give our users more control over their IT needs while freeing ourselves to work on more important IT improvement projects. We have successfully adapted to a more remote working environment, sparing ourselves the unnecessary effort of physically or remotely accessing users’ workstations to perform menial tasks. It’s a win-win for everyone, and we are stronger and more secure for it.