Privilege Management for an Unpredictable World

October 03, 2019

Jason Everson | Senior Product Manager | Ivanti

David Murray | Product Manager for Endpoint Security | Ivanti

Is it possible to remove admin rights without losing user productivity? Admin accounts are the “keys to the kingdom.” Attackers use them for full access to information and systems. We all know that a least-privilege approach is a security best practice, but removing admin rights can result in disgruntled users and lost productivity. In this webinar, we’ll show how you can get the balance right between security and productivity.

Transcript:

David Murray:                 What is Privilege Management and why is it important? Jason, maybe you can take that up for us. Jason are you there? Yeah, I can hear you now.

Jason Everson:                 Yeah.

David Murray:                 Just asking for some definitions to start with. What is Privilege Management and why is it important?

Jason Everson:                 Yeah, no problem David. Yes. Privileged Management refers to the process of managing who or what has privileges on the network. [inaudible 00:00:42]accounts, for example, allow access to all areas and functionality within an operating system on a computer and such as charging system settings, check creating other user accounts, getting passwords. Standard user accounts on the other hand, have many restrictions enforced by the operating system. So user can't do these things. If a local administrator accounts are compromised, and the attacker has the privileges [inaudible 00:01:09] havoc.

Jason Everson:                 Phishing is one the most common forms of attack these days. Here, the aim is to get an end user to inadvertently download and run some Malware. If it runs on a computer with local administrator access, then that Malware will be able to do almost anything at once. If it runs on a computer with standard access, then the Malware will have less options on what it can do, So reducing its attack surface. In addition, the Malware will find it more difficult to copy itself to other machines on the network, which impede it spread. The most recent Microsoft vulnerabilities report revealed that 81% of all critical Microsoft vulnerabilities discovered in 2018, could have been mitigated if admin rights were removed. As you can see David, controlling up privileges is important to reduce your security risk.

David Murray:                 Okay. I guess one of the other terms that I hear a lot in the context of this is the term least privilege. In cyber security, what is this principle of least privilege?

Jason Everson:                 Okay David. Least privilege is the practice of limiting access rights for users to the bare minimum permissions that they need to perform their work. This ensures that end users a productive while maintaining a high level of security. In the context of end users with standard user accounts, this means allowing them to only run certain applications with administrative privileges rather than any they want or to only access certain parts of the OS that are protected by administrator purchase rather than complete access. For example, a developer may need to run Visual Studio with admin privileges and be able to stop and restart certain Windows services.

David Murray:                 Okay. Along the way there you mentioned phishing, and the fact that cyber attacks often start with a phishing attack. Let's just look at some of the stats around this from the latest Verizon Data Breach Investigation Report. I'm sure many of you out there will be familiar with the DBIR essential reading. What I saw on this report was that during 2018, about one thirds of all security breaches involved phishing.What was also interesting about that was, the report actually takes a look back five years to see how things have changed. So rolling back five years from 2018 to 2013, back then in 2013, 17% of attacks involved phishing. Come from 17% to over 32%, more or less doubled in that time frame. In terms of attack techniques, what was highlighted in the report is that phishing represents the biggest change, over the past five years, the biggest growth. Now you can also see on the slide the report also shows that 3% of recipients in any phishing campaign will click. It's just simply a numbers game. The more you phish, the more you catch. All it takes is just one person to click.

David Murray:                 If the user clicks on it, that attack causes Malware to run, if the user is logged in as an administrator. Now that Malware runs with admin level credentials and can do a whole lot more damage than if it's actually running with standard level of credentials. There was some good news in the report that's the click rates are actually going down. The results of years of phishing in this area, but it's still represents a numbers game. All it takes is one person. Something else we saw on the report was that 29% of breaches in 2018, involve the use of stolen credentials. Obviously that's a major issue in and out of itself. But again, if these stolen credentials provide admin level access, that's an even bigger problem. Phishing continues to be a preferred attack vector. We've seen that from the DBIR report.

David Murray:                 Microsoft also analyzes and scans in Office 365 more than 470 billion email messages every month for phishing and for Malware. That provides analysts with considerable insight into attacker trends and techniques. From their report on this, what they found was the share of inbound emails that were phishing messages increased 250% between January and December of 2018. Very much an upward trend. You're probably reflecting the fact that education has gotten better in this area users are clicking less, so you need to fish more to be successful. Okay.

David Murray:                 We had another Webinar last week focused on how to build a solid security foundation.We looked in some detail at the different security frameworks from around the globe. I'm not going to spend a lot of time on these today, but as you can see on this slide, the top five controls from the Central for Internet Security. These five controls provide you with the cyber hygiene, that foundation level of security. What you see on this slide is that Privilege Management, Controlled use of administrative privileges is listed as one of the top five coming in at number four on the list. If you switch over to Australia, they have the ASD Top 4, the Australian Signals Directorate and more recently they've expanded this to the Essential eight. But just focusing on the Top 4, as you can see from the quote from the ASD down below, just focusing on that Top 4 provides mitigation against at least 85% of the techniques used in cyber attacks.Again, we see Admin Privileges as one of these key tag key defenses, Restricting Admin Privileges.

David Murray:                 Over in the UK, the National Cyber Security Center and their framework called Cyber Essentials. The terminology used on the Cyber Essential website is a little bit different to other frameworks, they've simplified down the language, they've avoid using jargon. For example, instead of Vulnerability Management or Patch Management, which is a term that you typically hear in the industry, they just keep it simple and say, keep your devices and software up to date. In the case of Privilege Management, here they're recommending that you control access to your devices Sorry, you control access to your data and services. When you dig into what that means on the website, they state further that to minimize the potential damage that could be done if an account is misused or stolen, staff accounts should have just enough access to software settings, online services and device connectivity functions for them to perform their role. Extra permissions should only be given to those who need them.

David Murray:                 The website then goes on to talk about administrative accounts and reflects that accounts with administrative privileges should only be used to perform administrative tasks. Very much, you're controlling access to your data and services maps very well into Privilege Management. Looking at each of these national frameworks from around the globe, you see that while there might be some slight difference in the overall messaging and the priorities between each of the different frameworks, Privilege Management appears in the top four or five in each of them, Controlled use of administrative privileges, Restrict Admin Rights, Controlled access to your data and services.

David Murray:                 Clearly Privilege Management is pretty important. On this slide, I've included the quote there from the Center for Internet Security, The Misuse of Administrative Privileges Is a Primary Method For Attackers to Spread Inside The Target Enterprise. Everybody should follow a least privilege approach, but we know that not everybody does. Jason, what are the challenges with implementing Privilege Management?

Jason Everson:                 Okay, David. To implementing least privilege, can impact end user productivity as they [inaudible 00:09:44] from carrying out their role. It needs to be done in a balanced way while minimizing the impact to end users. Know that users that can't get their work done, will call the help desk more and even go around IT, [inaudible 00:09:59] and that introduce risk in the environment. I spoke to an IT security administrator recently and was asking him about his role. He told me that his job was being visible. It was a legal firm, and any impact productivity was really costly. His job was to ensure that the systems are secure, but to try and assure that nobody knew he existed. Because of this, many organized [inaudible 00:10:21]local admin rights as the easier option. However, they are leaving [inaudible 00:10:26]a high risk of a security breach.

David Murray:                 Okay. We know that end user computing teams and information security teams don't always agree on end user enablement. Your end user computing team, they're responsible for enabling end user productivity and information security. These guys are responsible for reducing risks, end user productivity, probably not so much. The one thing that both of these teams, the end user computing and information security teams agree on absolutely is the removal of end user admin rights.

David Murray:                 Where the battleground really exists is between IT and the end user. If you simply take away admin rights and users can't do their job, they're going to get frustrated. As you said Jason, they will call the help desk more and very often this results in a situation where users get admin rights actually restored or sorry, where admin rights actually get restored to end users creating security risks. If a security solution is impacting an end user business productivity as we all know, very often ends up getting removed. Clearly there's a problem here, you have this issue between IT wanting security, end users wanting productivity and simply taking away their credentials isn't going to cause it. Jason, how do we solve that problem?

Jason Everson:                 Okay, David. Privileged Management can function in two different ways. Either users are given standard accounts and any privileges they're required to do their job is given to them just for the things they need to do. Obviously we are talking about least privilege earlier. This [inaudible 00:12:13] least privilege and it's the industry best practice. However, there does exist another option as well. Here users retain their existing admin accounts and privileges that they don't need are restricted. This is typically quicker to implement than the previous option and will offer much better protection than doing nothing. This could also be used as a stepping stone to adopting your least privilege methodology. Most end users that have admin accounts, are untrained as a kind of CIS adds to admins. These users have the [inaudible 00:12:48]their own machine, other users machines and potentially servers or they [inaudible 00:12:53] things they don't understand. The infographic on the right of the slot goes into the risks that these users pose. We'll come back to this in a little bit later. For now, the main point is the employing one of these approaches will reduce the risk.

David Murray:                 Great. Probably enough slide ware for the moment. Let's actually go and look at a decent practice. You want to take us through a demo?

Jason Everson:                 Okay, David. How do I grab the [inaudible 00:13:19]?

David Murray:                 Let me stop sharing here. You can go and share from your perspective.

Jason Everson:                 Okay, perfect. Okay, hopefully everyone can see my screen. What I've got is I've got three [inaudible 00:13:37]security controls. One [inaudible 00:13:40] and the other two are endpoints. One of those endpoints has an admin user active on it and the other has a standard user account active on it. What we'll do is we'll consider the security controls and get that [inaudible 00:13:54] first. This is the homepage of security controls. As you can see it contains Patch Management and Application Control all in one single interface. Obviously we're interested in Privilege Management today, but I think there's a few things that we just need to go through in terms of Application Control as a whole. Just to give you a quick outline of the things you'll see in the demo. One of the things we need to show you is [inaudible 00:14:21] control configurations. Now this contains all the settings for Application Control, and it's downloaded to each of the endpoints and works in conjunction with the Application Control Software on each of the endpoints. That enforces settings that you apply. One of the things that we need to mention as well is Agent Policies. The Agent Policy will contain [inaudible 00:14:46] control configuration, and it's the Agent Policy that gets deployed down as an entity to each of the endpoints.

Jason Everson:                 What we need to do to configure Application Control on any endpoint, is we need to create a policy, which we've got one here called demo, and we need to create an Application Control configuration. I've got one here because we've got two demos in this webinar. We've got one called demo one and demo two. One of the things I'm just going [inaudible 00:15:13] at the moment is I'll open up the policy and as you can see the fourth one down here since the settings is actually the Application Control. All you can do within the policy is choose which Application Control configuration you want to be part of the policy. As we can see, we've got demo one here.

Jason Everson:                 One other thing to note out is this [inaudible 00:15:33] minutes. It's currently set of 480 minutes which is the default setting. What this actually tells us is every 480 minutes, the end points we'll check with the Ivanti Security Control Server and get any updated config, if you make any changes to config it will download at that point. There is a mechanism within security controls do it immediately as well, but typically that will be the way it will be implemented. If I closed down the policy for example and go into, okay, Application Control. If I open up, yeah and I show you one of the things I wanted to draw your attention to was the events.

Jason Everson:                 In Application Control configuration, you have the option of capturing events. The typical way to do this is to capture them centrally within the security controls database. To do this, we turn them on here and also as well... Is because we were interested in Privileged Management, what we're actually interested in is the 930 events there, that has been ticked as well. If I closed that down for now and then we'll move over to the endpoint machine VMs. If I start off with the admin well, let me show you is the fact that if we have a command shortcuts, we're going to consider what happens when you try and elevate applications as an admin. You can do this really easy with anything by just running as an administrator as you can see. And it lets you run it [inaudible 00:17:28] the reason we change to command prompt because it's easy distinguished for here by giving you the term administrative when it runs in administrator. When it doesn't run as administrator, it doesn't display the administrator in the title bar.

Jason Everson:                 Okay. That's pretty much showing you that for an admin account, you can do that. Let's go into our standard user account and do the same thing. As you can see here, now we have the UAC dialogue being displayed. This requires you to enter admin privileges to be able to continue. This effectively blocks you from being able to run it as an administrator. If we suspend belief at the moment and imagine rather than just command prompt, it could be any application we're dealing with here, this is the situation you'll get yourselves into if you just immediately turn your administrator accounts into standard accounts.

Jason Everson:                 A lot of your end users will have config issues around not being able to carry out their function. For this reason, it makes sense to employ some Privilege Management software and will show you what security controls can do in this regard. If we switch back now to security controls, the one thing I want to show you as well is Application Control events. But before we do that, I mentioned before that we had 480 minute delay before endpoints check-in. One way around that is we can view our machines that we have. We currently got two machines attack and the test admin one, we actually ran the command prompt as an administrator. If we gather the events now immediately by using this function and just waiting a couple of seconds before it completes, then we'll have the events gathered. This means that we can go in and actually I can show you the events that were being captured. You can bear with me a second.

David Murray:                 Well, this takes longer than the general Jason.

Jason Everson:                 Doesn't it David? Yeah. That's completed now. Yeah. What I want to show you now is if you go to view Application Control events, Okay, the one thing to note here is, there are a number [inaudible 00:20:18] types of filters on this that give you different types of events. Our protection control has a wide range of events. We're just interested today within the privilege discovery events, so we'll select that one. We're interested in events over the last 24 hours we'll re-run that query. Let me just clear that command for you first. As you can see, a number of events have been run have been elevated.

Jason Everson:                 We're interested in the command prompt ones, if I actually sought them by time raise, oh yeah, as you can see at the bottom, we have a command [inaudible 00:21:12] event that's just been raised. The one nice thing about this is the event[inaudible 00:21:23] allows you to then gather data on your end users when they're actually running as admins to see what applications that they're elevating. I mean, if you do this for a certain duration of time, you can gather that data and create rules that would allow them to do exactly the same functions when you put them over to standard users. [inaudible 00:21:45] this way, it should be a seamless approach of converting those users over to that that least privileged approach.

Jason Everson:                 What we're going to do now, is we're going to show you as well one of the nice things that security controls can do. What it can do is it allows you to use the event data and take that data and generate rules from it. We're going to show you that now. If I open up security controls configuration, I'm going to do this in the everyone group under [inaudible 00:22:24] Management. You could [inaudible 00:22:26] any other group that you want to apply this to but for now we're going to just choose this to apply to everyone. Under here, we're going bring up the event zero again. Then all you need to do, is to drag it into the [inaudible 00:22:45] config. Then it gives you a choice of a number of different types of rules to apply.

Jason Everson:                 Now, I'm not going to go into the details of all these needless to say that we're going to choose file name [inaudible 00:22:58] What that allows you to do is it just populates the file name. For example, the other one was path and or a file hash. That's just a different piece of data to generate a different type of rule item. As we can see, it doesn't just populate the properties of the file name. If you go into the metadata, you can see that it populates other pieces of data as well. They haven't been selected, but you could choose any of these to include it within the rule to make it more fine grains.

Jason Everson:                 Okay. Now we have our rule. We want the policy to be built in elevate because we want to elevate it for our standard user. And now if we save that and deploy it out, we'll have to wait again, I'm afraid for a couple of seconds for that to go out to the endpoints. But yeah, that's what we're trying to do, we're actually deploying on new conflict now to those endpoints with those changes we've just made. As you can see, that's just [inaudible 00:24:08]. If we switched across now to our standard user and now what happens if we double click on command prompt, you can see that it immediately launches in administrator. This would apply to any application. It's not just command prompt, but it demonstrates the fact that using events of security controls we can give per application, control over what applications are allowed to run with admin privilege.

Jason Everson:                 Okay. One of the other things we need to consider is there were [inaudible 00:24:52] elevating applications without being privileged, but we also need to consider the other side of the coin, which is, there are a number of operating system pieces of functionality that are hidden behind that being privileged, and you're restricted from being able to access those if you don't have it. Ivanti Security Controls does allow you to access most of these as well. Say for example, we had the date and time here, if I try and click on there, it requires an app being privilege.

Jason Everson:                 Let me go back into security controls and then we can create a rule in there that will allow us to access it. Bringing up security controls again and opening up our Application Control configuration. We'll stay within the everyone group and Privilege Management. But now we're going to the components tab, and then we'll add a component and this will be the date time component. We still want the VM policy to be built and elevate here. We'll continue with that, and we'll say that again and deploy it out. This then does the same operation as we did before and deploys out a newly updated config out to those endpoints. Okay, that's complete. Let's move across now to that standard user endpoint again. Now if we click the change date, time setting, okay, as you can see, we now have access and that completes the first demo, David.

David Murray:                 Super. In this scenario, you've taken your admin user, you've made them a standard user, but you've put in some rules to elevate things that they need to do their job, which is the best practice approach for this, right?

Jason Everson:                 Correct, David.

David Murray:                 Okay. Let me go ahead and share my screen, Jared if you can make me presenter again. Great. We'll just carry on to a little bit more of a slide ware. Okay. We've seen the standard user approach and earlier on we saw this nice infographic on the slide just before the demo, 9 Ways Privileged Users Create Security Risks. Let's dig into this scenario a little bit more. And really what we're talking about here, Over-privileged users. These are privileges these users probably don't need to do their jobs. Jason, maybe you can talk a little bit more about this and how these users might create risks. They're still admins in this scenario but there's a lot of other things they can do, that they don't need to do.

Jason Everson:                 Yeah, no problem, David. We start with the Install Apps one. Okay. Ivanti advises that all end users, including those [inaudible 00:28:12] accounts, employ User Account Control. Microsoft does state on its website that User Account Control helps prevent Malware from damaging a PC and helps organizations deploy a better managed desktop. With UAC, absent tasks always run in the security context of a non-administrator account unless an administrator specifically authorizes administrator level access to the system. UAC, this is the important point, can block the automatic installation of all unauthorized apps and prevent inadvertent changes to system settings. For this reason, UAC should be [inaudible 00:28:46] machines. Steps should really be taken to prevent end users from changing it.

David Murray:                 Okay.

Jason Everson:                 Yeah. Move on to the next one. Deactivate Security. This is concerned with the Microsoft Management Console and that's the framework that end users with an interface for management and configuration of the operating system. It allows the end user to load snap-ins and each snap-in is a tool to manage a particular Windows feature. For example, the services snap-in provides a tool to manage Windows Services. Now this can be very powerful for [inaudible 00:29:22] the services snap-in. An end user with admin privileges can stop services. If the stop service was part of your antivirus software, it could disable the antivirus scanning on any downloads, increasing the threat from Malware.

Jason Everson:                 Moving on to Override GUI restrictions. Windows supports some alternative ways to interact with the operating system by issuing specific commands via Command Line Interpreters or by Executing scripts. The former is used for management purposes and the latter is typically used for automation. The Command Line Interfaces that come with Windows are the Command Prompt and Windows PowerShell. Also, included with the operating system, is the Windows Script Host that can be used to run scripts in a variety of scripting languages. Anyone with admin privileges connects your commands or scripts, and this provides an alternative method in many cases for end users to do things that they probably shouldn't.

Jason Everson:                 Moving on to the next one, David. That's Uninstall protection software. Ivanti Security Controls work through an agent that is installed on your end points to protect them. I mentioned that earlier. This agent could be uninstalled by an end user with admin privileges causing that protection to be lost and that's not just for Ivanti Security Controls. Other protection software could be affected in the same way.

Jason Everson:                 Moving on. Bypass centrally managed policies. The Windows [inaudible 00:30:51] is concerned with this one. That's an important feature because it stores vital information about Windows endpoints and its configuration, as well as information about all application program [inaudible 00:31:02] are installed. By offering the ability to directly access and change registry keys, admin privilege allows end users to navigate around the central management policies whenever they choose and change the settings.

Jason Everson:                 A firewall is a network security device that monitors traffic to or from your network and allows or blocks traffic based on as a fine set of security rules. Now firewalls make it more difficult for malicious software to spread throughout a network. So they're a good thing. But if you're using Windows Defender Firewall, then administrators can disable it or change its settings.

Jason Everson:                 Now Changing the Date and Time. Administrators can change the date and time, which may sound like a small thing, but it could have some profound effects. If the date or time is wrong, then many applications could behave in [inaudible 00:31:56]. Furthermore, any log in will have incorrect timestamps, which potentially invalidates auditing or makes troubleshooting much more difficult. Another reason to restrict this, is that some people may try to use this to get around license restrictions and keep using the same trial license over and over again by setting the clock back.

Jason Everson:                 Terminate processes. End users with an admin privilege can terminate running processes. For example, using task manager or by choosing end task within that program or by running process Explorer [inaudible 00:32:33] within that program. These represent another way that end users could disabled protection software. Adds another element of [inaudible 00:32:41]. I think finally, end users with admin privilege can launch any application with elevated privileges. Now some of these applications, for example, email and browser applications can introduce Malware to an end point. Typically, these applications do not run elevated. This isn't a major threat. But a user with admin privilege, could elevate it on purpose or even accidentally and that could introduce a serious security risk.

David Murray:                 Okay. A lot of different things that Over-privileged users could do to create risks. They probably don't need these to do their jobs. Ideally we just make them standard users and elevate them as you showed in the last demo but sometimes that's not feasible. We need to leave them with their admin level credentials. But what we can do, is restrict them back and I guess eliminate some of those risks that you just outlined. Do you want to show us how we might approach that?

Jason Everson:                 Yeah. Okay David. So let me share my screen again.

Jared:                                As you're loading that up guys, we have a question from Bill. He's wondering back to the first demo you did Jason. If you can make it so it just allows the user to answer the UAC prompt with yes, instead of automatically just opening as an admin?

Jason Everson:                 So the software [inaudible 00:34:10].

Jared:                                Can you do that?

Jason Everson:                 Yeah, this is what is [inaudible 00:34:14] if the enhancement request that has been on the agenda, but isn't currently something that the product does at the moment. Okay. Let me... Bear with me for a second while I get into, yeah. Going back into security controls, let me just swap over now. The Agent Policy to using the demo to config. While that's happening, let me switch back across the admin account. Okay. As you can see here, we discussed this last time about the date and time. For admins, this is obviously accessible but as we discussed in the slides a moment ago, and the second approach is that we could take admin accounts and restrict them. This demo is really about showing that functionality within the security controls product. As you can see here, an admin can actually access this. What we'll do now is we'll go into security controls and we'll create a role in there. As you can see, that's finished now. What we'll do in here, is we'll go into demo two. Figuration.

Jason Everson:                 Now what we'll do is, we'll do this the administrators' group, because it applies to administrators. Now you could create your own administrators groups as well as I outlined earlier. This is completely granular in what you can actually do and apply these [inaudible 00:36:16] but we'll concentrate on[inaudible 00:36:20] on just the built in administrators group. What we're going to do here is we're going to go to the components again like we did last time, we'll select the date and time, but unlike last time, we'll rather than having built an elevate, what we'll do is we'll change the policy to build and restrict this time and we'll save that out and deploy it.

Jason Everson:                 Give that a couple of seconds to be pushed out. Okay, that's completed now. Let's stop over now, back to our admin user. Now what we should see is that when we click on here and we should be blocked, an Application Control does indeed block that operation now. As you can see in this way, we're locking down the abilities of the admin users.

Jason Everson:                 One of the other things I just wanted to finish on really with this demo, is in the region of Restricting applications. As we did last time, let's consider the command prompt again. What we can do here is we can at the moment, we can run it as administrator. You can see it launches with admin privilege but what we can do is we can go back into security control and open up the configuration again and back into Privileged Management. Under applications, we can create a new rule under here like we did last time. I type it in there, command.xe and at that rule, and then change the policy to restrict, then this will have the effect of restricting that file from launching as an administrator.

David Murray:                 You can do that for any of the files that you might want to restrict and as we go around those nine items that we saw earlier, you could pick off each of these and say, well, this user doesn't needs to be able to do these, perform these specific tasks. Even though I'm leaving them as an administrative user with admin privileges, I'm going to shut off certain tasks so that they can't perform certain functions. They can still do their job but now, there are certain things, which administrator could normally do and they can no longer do them.

Jason Everson:                 One of the things point out, David as well in this is that the white paper does actually detail some of the config that can be used to actually protect against these things, those nine items I listed previously. Probably everyone's pretty well worth getting that and having a read at that.

David Murray:                 Okay. We had a link to that white paper on one of the earlier slides, but we can probably shoot that out to everybody as well just to get a sense of what each of those items are and how they would approach them. If I can switch back to demo, let me share my screen or switch back from demo, I guess to the slides. I'll share my screen again. All right. We had talked about the two different approaches.

David Murray:                 The first demo that you did Jason, was that security best practice is to convert your admin users to standard users and then provide them with elevations, those specific privileges they need to do their jobs. Then what we've just seen in the demo is situations where that isn't possible either for practical reasons, but very often just for political reasons. That battle sometimes is just too hard to fight. You can, at least in the short term, you can say, okay, we're going leave you with the admin account, but we can restrict back what your users can do. Over time, you can essentially meet in the middle and realize that, well, actually these users don't need to be admin accounts. They can be standards accounts. Well, but basically with either approach, I guess as we're showing on the slide here, rather than having the end user and the IT admin fighting with each other [inaudible 00:40:59] end up meeting the needs of both of them and ending up with smiling users in IT.

David Murray:                 One of the things that we do at Ivanti, is we combine Privileged Management together with Application Control. You've seen that in the demo as Jason went through it. There's a one configuration containing both Application Control and Privilege Management. We focused on the Privilege Management aspect of that. Yeah, we don't just do that because security frameworks like there at Center for Internet Security recommends using both of them. There's good reasons to combine those together and it's usually because they work well together. I've borrowed a graphic here from Gardner, from our report that they did back a couple of years ago. In their report, they outlined that Privilege Management is an effective means for managing end-user privilege but removal of admin access alone doesn't necessarily prevent malicious applications from running.

David Murray:                 In fact, it's application that doesn't require administrative privilege could well run with standard user access. That's where Application Control comes into play. Application Control prevents attacks by providing visibility and control over what applications can execute in your environment. Together, the technologies are better able to contain attacks at the end point. In their report, Gardner used this term Enterprise Privilege Management and these technologies combine Application Control and Privilege Management to determine first, whether an application can run and under what privileges it can run. That combination really enables organizations to remove local admin access, what also have minimal impact on end users and keep them productive. That's the reason really, that we combine the two of those together to make that successful.

David Murray:                 Jason used the term security controls a lot earlier on in his demo and just to reflect on what a security controls is, if anti security controls is the product that we introduced earlier on this year containing Application Control, and Privilege Management and also Patch Management in there. All three of those, when you look at those different security frameworks you see these different technologies, these different defenses appearing right across whether it's in the UK, as far away as Australia or in the US. All three of those providing that layered modular or defense in depth security suite.

David Murray:                 `Within Ivanti, we've been bringing together the best in breed from across our portfolio into this single platform. Part of that was about these different layers, but part of it also was about workflow and making sure that we had solutions that were easy for our customers to use and also lender themselves to being automated. Everybody's trying to do more with less. Allowing automation as well was really important. Last but definitely not least, as part of our development and creation of the Ivanti Security Controls platform, making sure that we balanced security with user needs. That idea that no single easier way to get rid of a [inaudible 00:44:35] technology is if it impacts on end user or business productivity making sure that we're, we're light on the end point from a performance perspective and also supporting our users being productive.

David Murray:                 Just to finish up next couple of slides, if you're interested in finding out more about Ivanti Security Controls, you want to get a demo, got a link there on the slide for you to go ahead and request the demo. We do demos every week. I think with one of our sales engineers, we'll jump on the call with customers. You can [inaudible 00:45:15] a demo, They'll get on a call, go through a detailed demo, some of the stuff that Jason showed today. We're going into Patch, Application Control and Privilege Management, full demo of the product, you get the chance to ask questions and get those questions answered. If you want to go further than that and conduct a trial, we've got two links here.

David Murray:                 Some of you on the call may already be using Patch for Windows, which evolved into Ivanti Security Controls. You may be an existing Patch customer and you want to add on the Application Control capabilities. There's a link there in that case if you want to do that or if you're not using the product at all today and you just want to go and try it out. There is a separate link there and Jared will share those links on the chat so that people can take them [inaudible 00:46:07] them off the screen there.

David Murray:                 If you want to learn some more, we're doing a webinar series at the moment. This is the second of those. As I mentioned earlier on, we did have a webinar last week where we looked at how to build a solid security foundation. Today it was all about Privileged Management. Next week we have one, we've included a registration link. Therefore, Application Control is it a maintenance headache or is it a manageable solution? Hopefully, next week if you want to join in on that, we'll show you how you get a manageable Application Control. Then finishing up on October the 17th, plug-in your patching holes with Ivanti Security Controls. We've a strong heritage in the area of applying patches for all types of different environments. Come along, learn about that as well.

David Murray:                 Additional resources that may be of interest, many of you may already be familiar with our Patch Tuesday webinar, which happens on the second Tuesday or actually the Wednesday after the second Tuesday of the month. You can go and register for that on the Ivanti website. More recently, we've added something called a Threat Thursday. The fourth Thursday of every month, we have a webinar. Next one that's coming up on October 24th. Then we have a blog or a Threat Thursday as well. Also noting, if you want to join our Cyber Security Virtual Events, we have a virtual event and no need to travel anywhere. You can go and register for that and hear some experts spot within Ivanti and from third parties or just talking about cyber security and different aspects of that.

David Murray:                 That brings us to the end. I saw there was a question earlier that we had around the UAC prompt and whether we could interact with that directly, rather than implementing it the way we have. Jared, were there any other questions that the commend that you'd like us to answer?

Jared:                                No, none other questions. That's it for now. If you have a question, you can get it in the next minute. Go ahead and post it in the Q&A. If not, David and Jason any final notes to make as we try and collect any other questions?

David Murray:                 Just to reiterate really that, Privilege Management is recommended by all of those different security frameworks. I mentioned that Privilege Management is typically bundled together with Application Control for the reason that they do work very well together. But if you want to take a look at one first versus another, probably take a look at Privilege Management initially, maybe the reason we put them in this order in the webinar series. It is an easier implementation. Next week we're going to talk about Application Control. It is a little bit more complex. We've done a lot to simplify it and we'll talk about what we've done there next week. But Privileged Management, it is a relatively easy, technology to adopt. Go ahead and take a look.

Jared:                                All right, no additional questions. Once again, we will be sending out a link to the recording and the slides. You'll have in your inbox here in a few hours. David, Jason, thank you so much and we'll see everybody on the next webinar.

David Murray:                 Okay, thank you.