Removing Administrative Rights to Reduce Cyber Threats

Learn how a Fortune 500 energy & utilities company used Viewfinity to reduce cyber threat vulnerability, after removing administrative rights.

This is a CliffsNotes version of a use case describing how a Fortune 500 Energy & Utilities Company with assets over $20 billion tackled the removal of administrative rights in order to protect its infrastructure against cyber threats. Download the full PDF case study here.

FAST FACTS

Reduce exposure to malware and virus threats by removing administrator rights

Project scope:

  • 8,500 desktops in scope for this project
  • ~250 applications that corporate IT delivers and manages
  • Between 6,000 and 8,000 unmanaged applications that end users install on their own. The IT team ultimately supports these to some extent, but not at the service level of the corporate applications.
  • Laptops / mobile workers constitute ~25% of the user base
  • Over 100 remote offices spread over Missouri and Illinois


The Challenge:

  • The initiative to reduce cyber threats by removing local administrator rights from users was revived during this company’s Windows 7 roll-out. 
  • From previous attempts to remove local admin rights, the IT team realized there would be additional management involved because business processes and application functionality required administrator level access to the operating system. 
  • They knew they would need a tool to manage end user desktop privileges on a granular scale.

The Solution:

  • Contacted other Energy and Utility companies that had implemented or were in the process of planning Windows 7 migration projects and who were also taking the initiative to remove administrator rights. 
  • Research also encompassed online data, and they looked to Gartner reports and analysts to help further qualify the Privilege Management space.   
  • Other Energy companies had different requirements and goals, yet the majority were using Viewfinity and having success with it. 
  • The ability to include the Viewfinity agent as part of the deployment image was instrumental to the project since the scope included rolling out Windows 7 machines and removing local admin rights at the same time.


The Results:

  • The company is continuously improving its cyber security posture with a bonus of greater visibility into its end user client computing environment. 
  • The company can be proactive and respond to endpoint security threats without impacting business processes and applications as the Viewfinity product has the ability to quickly update and push policy changes to client endpoints. 
  • They continue to reduce complexity in their client computing environment, and over time have reduced costs. 
  • The product has increased their visibility through working closely with their end users, providing increased awareness of the applications that exist across the organization, who owns them, and how they are used.
  • End users see benefit from less configuration drift and have a desktop that performs better over its useful life. 
  • Removing local admin rights from end users is a big step in protecting the company from cyber threats. This reduction in cyber threat vulnerability alone makes it feasible to reduce the company’s exposure.   


Request a brief consult to learn how Viewfinity can help your efforts to reduce endpoint security vulnerabilities.

Viewfinity Joins FireEye to go Beyond the Breach in Today's Virtual Event

Viewfinity joins FireEye today and tomorrow in a virtual event hosted by FireEye to discuss the evolving threat landscape, best practices in incident response, and how to stop an attack using threat intelligence. 

Viewfinity will showcase the role its endpoint security solution plays with helping organizations deal with security risks. Join Viewfinity alongside other prominent vendors at FireEye’s “Beyond the Breach: Cyber Defense Summit” virtual event. 


Click here to join the conference.



“Unnecessary and excess privileges play a part of every major cyber attack as bad actors seek to gain access to endpoints and systems within an organization by exploiting administrator privileges,” said Grady Summers, vice president of strategic solutions at FireEye.

“By working with Viewfinity, we’re able to combine security information from FireEye with Viewfinity’s application and endpoint access data to surface malicious activity that’s attempting to infiltrate via endpoint access. This endpoint to network security visibility is an instrumental component to stopping advanced attacks.”

Viewfinity integrates with FireEye AX and TAP to provide whitelisting/blacklisting functionality and application control on servers and endpoints.

Integration features:

  • Correlates malware alerts from AX and TAP with visibility into server/endpoint data supplied by Viewfinity. 
  • Provides unique information related to the behavior of executables on the endpoint and a timeline of events that offers data which is crucial to TAP analytics. 
  • Identifies suspicious endpoint applications and flags them for submission to FireEye AX for further inspection. 

Integration benefits:

  • Further leverages the investment made in FireEye technology by extending security mechanisms to endpoints.
  • Provides more protection and helps reduce the footprint should a breach occur.
  • Saves time and resources by flagging which files are malicious and need to be blocked on all servers/endpoints.
  • Proves to Cyber Risk Insurance providers that additional measures have been taken to protect their server/endpoint environment – ensuring prompt response and reduced risk during litigation.



USGCB and FDCC

Does anyone remember the days of the US Government Configuration Baseline (USGCB) or its predecessor, the Federal Desktop Core Configuration (FDCC)? 

I am fairly certain that with all the announcements about the Chinese breach affecting 4 million federal workers this mandate is going to be revisited seriously by many agencies. 

Simply stated, the Federal Desktop Core Configuration and U.S. Government Configuration Baseline constitute a list of security settings recommended by the National Institute of Standards and Technology for computers that are connected directly to the network of a United States government agency.  In 2010, the USGCB was issued as a replacement to the Federal Desktop Core Configuration (FDCC) and provides the baseline settings that Federal agencies are required to implement for security and environmental reasons.  One of the key principles of these security configuration guidelines is removing the local user as a direct Administrator of the computer.  

For departments that currently lock down desktops, or who are in the process of meeting these governmental guidelines, Viewfinity offers government agencies the ability to manage administrative rights so that the settings mandated by the USGCB and FDCC security list are not compromised due to functionality needs.

Viewfinity Privilege Management features offer IT departments new methods for enforcing USGCB and FDCC compliance policies on all their PC assets regardless of the endpoint client’s location or connectivity status.  Both officially supported applications and those installed by end users can be better managed and provisioned.  Upon installation, they automatically become part of the pool of applications that are managed according to your predefined policies. Administrators can be assured that no matter what end users might be doing while working offsite, all established USGCB and FDCC compliance rules are continuously enforced.

IT departments only have so much to spend, thus being informed about all available technology is imperative.  Our endpoint security software eliminates gaps that are left exposed by anti-virus software.  We align closely with the USGCB guidelines by removing admin rights and monitoring all applications installing and running in an environment.  Our technology can then identify possible threats based on a file’s origin, history tracking and forensic analysis.   

There are more details to the use case, but suffice it to say, any company, not just government agencies, should be closing down the security loophole and vulnerabilities associated with local administrator rights.

Start here by downloading our free tool that allows you to discover user accounts and groups that are members of the local “Administrators” built-in user group on computers in your Windows domain.
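As an added example of the kind of discovery the free tool above performs, the PowerShell script below (written for this page, not Viewfinity's own tool) walks the computers in a Windows domain, reads each machine's local Administrators group through the ADSI WinNT provider, and reports every member that is not in an expected set. The $Expected list, the CSV output path and the use of Get-ADComputer to enumerate hosts are assumptions; the ADSI approach is used so it also works on endpoints that lack Get-LocalGroupMember (PowerShell before 5.1).

```powershell
# Added example, not Viewfinity's tool: audit local Administrators membership across a domain.
# Assumes: run from a domain-joined host whose account can read the remote machines' local SAM,
# and the ActiveDirectory module is available (or pass -ComputerName explicitly).
param(
    [string[]]$ComputerName = @()      # hypothetical parameter; default is all enabled domain computers
)

if (-not $ComputerName) {
    Import-Module ActiveDirectory
    $ComputerName = Get-ADComputer -Filter 'Enabled -eq $true' | Select-Object -ExpandProperty Name
}

# Accounts that are allowed to hold local admin; anything else is an exception to review. (Assumption.)
$Expected = @('Administrator', 'Domain Admins')

$results = foreach ($computer in $ComputerName) {
    try {
        # WinNT ADSI provider: bind to the local Administrators group on the remote machine
        $group = [ADSI]"WinNT://$computer/Administrators,group"
        foreach ($member in @($group.psbase.Invoke('Members'))) {
            # Members come back as COM objects; pull the properties via reflection
            $name  = $member.GetType().InvokeMember('Name',    'GetProperty', $null, $member, $null)
            $class = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
            $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
            [pscustomobject]@{
                Computer = $computer
                Member   = $name
                Type     = $class                        # 'User' or 'Group'
                Source   = $path -replace '^WinNT://', ''  # e.g. DOMAIN/Domain Admins or HOST/LocalAcct
                Expected = ($Expected -contains $name)
            }
        }
    }
    catch {
        # Unreachable hosts are recorded rather than silently skipped, so coverage gaps are visible
        [pscustomobject]@{
            Computer = $computer; Member = '<query failed>'; Type = ''
            Source   = $_.Exception.Message; Expected = $false
        }
    }
}

# Full inventory for the record, then the exceptions that need a decision
$results | Export-Csv -Path .\local-admins.csv -NoTypeInformation
$results | Where-Object { -not $_.Expected } | Sort-Object Computer, Member | Format-Table -AutoSize
```

Review the exception list against business need before removing anyone: the use case above shows that some applications and processes genuinely depend on elevated access, and a privilege management policy should be in place for those cases before the rights are pulled.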


Officials: China Suspected of U.S. Data Breach Affecting Millions

Source:  NBC News

“The Obama administration is scrambling to assess the impact of a massive data breach, suspected to have originated in China, involving the agency that handles security clearances and employee records, U.S. officials said Thursday.”

Richard Burr, R-North Carolina, chairman of the Senate Intelligence Committee, agreed, saying, "We cannot continue to look the other direction."

“Our response to these attacks can no longer simply be notifying people after their personal information has been stolen," Burr said. "We must start to prevent these breaches in the first place."

----------------------------------

The statements above seem to have brought the IT Cyber Security issue full circle. At some point during the last 12 months, there was a shift in thinking among IT security experts that “prevention” was no longer the primary focus when looking to combat security breaches.  More discussion has been focused on detection and incident response.  Technology solutions have followed suit.  But the reality is, organizations still need to come at it from all angles:

Prevention – Detection – Response

While details of the FBI’s investigation will not be conclusive for some time, and no single IT security solution will be able to handle every exploit that hackers have at their disposal, the quote from Richard Burr validates the importance of multiple levels of security. 

But anyone reading this blog knows this.  The challenge exists in budget allocation.  Companies and CISOs only have so much to spend.  Mike Rothman from Securosis defended this challenge quite well in his blog, Hindsight FTW (https://securosis.com/blog/hindsight-ftw).

So then, is the best defense a good offense?  Perhaps.  I would interpret “a good offense” as ensuring IT security professionals do their best to educate themselves about all available technology and then choose what provides the broadest coverage, even if it is just for a specific platform, such as endpoint defense.

Viewfinity can help.  In regards to prevention, we approach this via removal of administrative rights and default-deny whitelisting on endpoints and servers.  Detection is done via application monitoring that blocks unclassified applications or restricts their access to corporate resources.  And response/remediation is accomplished through our file history & forensics capabilities.

Contact us if you’d like to set up a brief discussion to understand more about our security technology coverage capabilities.

Viewfinity and Checkpoint – Better Together

Earlier this spring Viewfinity announced our latest network security integration, this time with Check Point Anti-bot Blade. This integration brings the ability to remediate threats across all endpoints within a network, something previously impossible. The advanced remediation, successful due to this integration, allows Viewfinity to provide a full circle threat management solution which can also reduce costs by eliminating the need to reimage infected computers.

We’re running a 20 minute sneak preview demo on Thursday 5/14 – reserve your seat today.

Here’s a quick overview of how the collaboration works to accelerate remediation within any network:



If you’d like to learn more, be sure to attend our 20 minute demo.

Viewfinity Makes the List – 35 Companies Solidifying Massachusetts as a Cyber Security Hub

Cyber Security Ventures, an R&D firm out of Silicon Valley, just released its latest report on the top cyber security firms around the world. Not only did Viewfinity make the list, it landed in the top third of companies, and in the top 20 for Massachusetts.

Learn more about what landed Viewfinity on the list.

Viewfinity, along with 34 other innovative companies, has made the Boston area the 3rd largest cyber security hub in the US, just behind Virginia and California, respectively.

On their website Cyber Security Ventures explains a bit more about this list,

“The Cybersecurity industry is growing from $71 Billion in 2014 to $155+ Billion in 2019, according to consolidated estimates by IT research firms and analysts cited in the Cybersecurity Market Report, published quarterly by Cybersecurity Ventures. There are many new entrants as well as M&A, investment and IPO activity, that is constantly changing the vendor and service provider landscape. The Cybersecurity 500 creates awareness and recognition for the most innovative cybersecurity companies – ranging from the largest and most recognizable brands, to VC backed start-ups and emerging players, to small firms with potentially game-changing technologies, to solution providers poised for growth around productized or vertically focused services.”

Viewfinity is thrilled to be announced as one of the top global cyber security firms, especially in the wake of our latest product innovations. Viewfinity offers advanced endpoint protection that focuses on lessening the impact of IT security breaches before, during, and after an attack. Our core capabilities aim to reduce the attack surface and proactively deter advanced persistent threats by:

  1. Managing administrative rights once local admin rights have been removed from users’ machines
  2. Monitoring and controlling all applications being installed or run within an environment (can be used as a precursor to default deny)
  3. Accelerating detection, incident response, and remediation efforts via threat management capabilities that collaborate with network security sandboxes and firewalls, reputation database services, and SIEM.

RSA Recap – Pescatore Proves Data Breach Prevention Possible

Year after year RSA has no trouble creating buzz, as industry experts share knowledge and innovations related to IT security theories, trends and facts. This year, however, one story stood out above the rest: John Pescatore of the SANS Institute. In the wake of so many data breaches over the past few years, organizations are losing faith in the ability to stop these infiltrations. Despite the pessimism, at RSA John Pescatore explained, measure by measure, that data breach prevention is possible and that organizations should not give up.

During his talk, Pescatore stressed the importance of having a strong security portfolio which takes on security from various angles. He used real-life examples of organizations who have been able to successfully prevent data breaches using a multitude of approaches.

One of the organizations which Pescatore featured in his talk was the Australian Government’s Department of Defense. According to Pescatore, this governing body was able to realize a number of measurable reductions, cutting “the rate of successful malware execution by nearly two-thirds by layering three security technologies” (Shea, 2015). These three security technologies were application whitelisting, least-privilege user access, and OS patch management.

Here is a quick breakdown on the results which they saw:



We’ve long been speaking about the top 4 mitigation strategies that the Australian Government has been implementing, and it’s great to see that they have realized some strong measurable results. Clearly a layered security approach which handles management of both users and applications is a key factor in preventing these data breaches.

Viewfinity offers the only solution to combine the strength of both privilege management and application control within the architectural integrity of one single agent. If you’d like to find out more, join us on Tuesday, April 28th at 2pm ET for a live webcast event: Advanced Endpoint Protection: Full Circle Prevention-Detection-Remediation Based on a single Agent.


Sources

Shea, S. (2015, April 23). Pescatore on security success: Breach prevention is possible. Retrieved from Tech Target: http://searchsecurity.techtarget.com/news/4500244894/Pescatore-on-security-success-Breach-prevention-is-possible


60 Minutes Revisits the Sony Breach and the Investigation Sony Performed to Find the Culprit

The week before RSA, 60 Minutes dug a bit deeper into the hack which affected Sony last fall, revealing the tactics taken related to the incident.  FireEye, a renowned IT security company, had its newly acquired company, Mandiant, share what they learned through their forensics investigation.   

If you missed the segment, you can view it online here: 
http://www.cbsnews.com/news/north-korean-cyberattack-on-sony-60-minutes/

What is most revealing about this report is that the hackers didn’t focus on stealing credit card or social security numbers and personal data; they exposed a different type of vulnerability.  This cyberattack almost had an “eye for an eye” feel to it: the North Koreans were embarrassed by a film that Sony would soon release, so they wanted to embarrass Sony in retaliation. 

Because emails containing scandalous gossip were also made public as part of this breach, causing deep embarrassment for the authors and the persons discussed, FireEye reports that this hack has scared CEOs in a new way.  “Now every CEO is walking around saying, how do I feel if my email is out on the internet?”  CISOs are now having a new kind of dialog with the board of directors because of this twist on “breached data.”

The report goes on to state that a hacker only needs to break into one machine and then he’s inside your infrastructure, followed by a screen capture of passwords being stolen.  It’s cited that even an unsuspecting routine activity like an Adobe Flash updater is all it takes for an infiltration – that one machine becomes the passageway.  “Every corporation's network is only as strong as its weakest link.”  That’s all it took to get going, and the hackers took off from there. 

This is a real-life, compelling use case for why admin rights need to be removed from your endpoint devices and all advanced endpoint security solutions need to be evaluated for how effective they can be in preventing, detecting and responding to these advanced persistent threats.

Viewfinity is helping a lot of companies manage least privilege environments as well as integrating endpoint forensics with network security vendors.   Viewfinity is at RSA.  Stop by our booth #1046 in the South Hall. 

Viewfinity Releases a New Version of its Endpoint Security Solution

This week Viewfinity announced the release of version 5.5 for Privilege Management and Application Control GPO solutions. This latest release brings together an easy to manage policy GUI, powerful forensic tools, and threat management and remediation via collaboration with network security vendors.

This release continues Viewfinity’s model to provide a full circle prevention-detection-remediation solution based on the architectural integrity of a single agent.

The latest release includes:

Viewfinity will be previewing this latest release next week at RSA. Stop by booth #1046 in the South Hall to see new capabilities first hand, or contact a Viewfinity representative today for a private demo.

Cyber Criminals Target Healthcare and Insurance

Last week Lysa Myers, of We Live Security, published an article highlighting the increase in breaches targeting medical based organizations. Premera Breach: Healthcare Businesses in the Crosshairs discusses some of the most high profile data breaches so far this year, affecting millions of records. Myers cites the high quantity and high value of medical records as a driving factor in many of these advanced attacks.

Read how Viewfinity works with healthcare companies to offer advanced endpoint protection.

Myers stresses the importance of risk mitigation as part of a solid security strategy; understanding security must be approached from various angles to achieve comprehensive protection. Myers uses the article to call out and explain the top strategies that organizations should employ to mitigate risk:

  • Regular and timely software updates / patch management
  • Two-factor authentication for access to sensitive data
  • The principle of least privilege
  • Comprehensive data encryption
  • Layered security: anti-malware + firewall + etc.

In line with Myers’ suggestions, Viewfinity offers advanced endpoint protection that focuses on lessening the impact of IT security breaches before, during, and after an attack. Our core capabilities aim to reduce the attack surface and proactively deter advanced persistent threats by:

  1. Managing administrative rights once local admin rights have been removed from user machines.
  2. Monitoring and controlling all applications being installed or run. This can be used as a precursor to default deny.
  3. Accelerating detection, incident response, and remediation efforts via threat management capabilities that collaborate with network security sandboxes and firewalls, reputation database services, and SIEM.

Find out more here.