Phone Number +1-202-802-9399 (US)

Thycotic is now Delinea!

The Lockdown

Thycotic’s Cyber Security Blog

Top 10 Keys to Successful Least Privilege Adoption Via Application Control


Written by Steve Goldberg

February 15th, 2018

Gone are the days when a security team could select a new tool, turn it on, and expect everyone in the organization to adjust. When security hinders the business, the business fights back. Users now have numerous ways they can work around security tools and policies to get their job done.

Least privilege is a fundamental aspect of endpoint security, but it can’t be enforced without thoughtful preparation for the downstream impact on desktop support teams and business users. Creating a sustainable least privilege strategy means defining requirements and processes that work for your business.

You can eliminate the pain that comes with poorly implemented least privilege programs and choosing the wrong least privilege tools

Based on learnings from successful customer implementations, we’ve put together a list of keys to help you make your least privilege program sustainable over the long term. We hope this eliminates the pain that comes with poorly implemented least privilege programs and the expense and wasted time caused by choosing the wrong least privilege tools.

10 Keys to Successful Least Privilege Adoption

  1. Plan for a discovery phase

Find out which endpoints and users have admin rights and who really needs them, what applications are in use and if they require admin rights to run. Keep in mind, although your software inventory system may have visibility into applications managed and approved by IT, users may have downloaded software or accessed SaaS tools that haven’t made it onto your list.

  1. Create an allowlist of acceptable applications and processes

Add trusted applications to an “allowlist” based on their name, signature, certificate date or other criteria. Once you set up an initial policy, it can apply to all protected endpoints.

  1. Block known “bad” files with a denylist

Systems such as VirusTotal, integrated into sophisticated application control solutions, can provide the latest threat intelligence to block known threats from executing on your endpoints.

  1. Account for the unknown with a restrictlist

A “restrictlist” is a way to sandbox unknown applications so that you can investigate them before allowing users to run them, especially when they require admin rights for certain processes. With a restrictlist, you can elevate an application in a limited way so that users can do their jobs, but not allow them to touch any system folders or underlying OS configurations, isolating the system from malicious behavior.

  1. Set contextual polices

Look for application control tools that allow you to customize policies to match your organizational needs and detect anomalous behavior. If you find that there are applications attempting to run outside of the accepted conditions, you’ll be able to flag potential malware attempts and block them before they cause damage.

  1. Plan for users to change

Some application control solutions that rely on Active Directory and Group Policies are often point-in-time solutions that only consider your organizational structure at the time of implementation. To make changes requires manual checks against multiple systems, which can be time consuming and easily forgotten. Make sure you can easily add and remove users and endpoints from different groups so that your contextual policies are always applied to the latest information.

  1.  Don’t restrict control to domain-controlled endpoints only

Consider your universe of contractors, partners or other 3rd parties. Even though those machines are not joined to your domain, their accounts ARE connected and can be an entry point for threats.

  1. Don’t forget child processes

An advanced application control tool will also let you decide whether to allow child processes, such as executing processes from within a PDF.

  1. Integrate workflow into existing tools

To build awareness of the need for application review and set expectations, you can provide users who are requesting an application with a customized message that explains the requirements and time needed to evaluate their request. So the desktop support team can view and respond quickly to application requests and track response metrics, integrate your application control process into their existing workflow, whether that is through their desktop, with a mobile app, or within their ticketing system.

  1. Demonstrate success

Imagine your CEO wants to know if your organization has been impacted by the latest malware to hit the news cycle. You should be able to pull up a report to show if your endpoints were targeted and, if so, how your policies prevented a full-blown attack. Compare results over time to show trends that showcase your continued progress.

Next steps

To learn more about how least privilege through application control helps to demonstrate compliance and protect your endpoints from attack, read the full eBook, Top 10 Keys to Successful Least Privilege Adoption Via Application Control.