Splunk Lantern

Validating endpoint privilege security with CyberArk EPM

 

Attacks start on endpoints and they end on endpoints. Endpoint privilege security is the cornerstone of an endpoint protection strategy and provides the first and most important line of defense against devastating cyber attacks. Endpoint privilege security controls are foundational, yet they are often missing from endpoint security planning and strategy. The continued onslaught of attacks at every level of complexity, and the unsatisfactory track record of the commonly adopted endpoint security stack (antivirus, EDR, personal firewall, and so on), show that endpoint privilege security is no longer merely a need; it is a must.

CyberArk Endpoint Privilege Manager provides endpoint privilege security by removing local admin rights, enforcing role-specific least privilege, defending credentials, and protecting from ransomware - all while removing friction for the end-user, streamlining their experience, and easing the load on IT Service Desk. You want to report on those activities to ensure that your endpoint privilege security is operating optimally.

Prerequisites

How to use Splunk software for this use case

The CyberArk EPM App offers a diverse array of out-of-the-box dashboards that are designed to help you gain comprehensive insights into your applications. These dashboards facilitate end-to-end visibility of your applications and provide related information to event management, policies applied on the endpoints, and policy audit events.

The Events Management dashboard includes the following panels:

  • The top applications running on your endpoints and applications running over time
  • A graph of application source types and a source type event summary
  • Top event types
  • An elevation requests summary

The Policies and Computers dashboard includes the following panels:

  • Endpoint type and status over time
  • The total number of agents installed and their versions
  • A list of policies by time
  • An inventory of computers and their status

The Policy Audit Events dashboard includes the following panels:

  • Publisher usage statistics and the percentage of policy actions that ran
  • The number of policies run over time
  • A policy audits table, which lists applications by policy

Next steps

These additional Splunk resources might help you understand and implement these recommendations:

Established in 2000, Bluechip Infotech focuses on delivering the latest IT products to a wide channel base while maintaining a dedicated commitment to first class service. With Australian offices in Sydney, Melbourne, Brisbane, Perth, and Adelaide we’re able to back our commitment to service through localized support. In addition, Bluechip Infotech:

  • Has been a Splunk Distributor for 15+ years and an Authorised Learning Partner (ALP) in APAC.
  • Has dedicated Splunk staff and a strong, experienced technical presales team.
  • Offers hosted demo environments and partner training vouchers.

Ingeniq, a Bluechip company, is an authorised Splunk training provider. We’ve been working with Splunk to train and enable thousands of customers, partners, and Splunk employees since 2010.

The user- and community-generated information, content, data, text, graphics, images, videos, documents and other materials made available on Splunk Lantern is Community Content as provided in the terms and conditions of the Splunk Website Terms of Use, and it should not be implied that Splunk warrants, recommends, endorses or approves of any of the Community Content, nor is Splunk responsible for the availability or accuracy of such. Splunk specifically disclaims any liability and any actions resulting from your use of any information provided on Splunk Lantern.