
How to Conduct a Lightweight Policy Review

Continuing on from nixi’s How to Conduct a Comprehensive Policy Review, this week we’re looking at suggestions on conducting a lightweight policy review. Lightweight policy reviews help maintain environment hygiene and ensure that updates—whether from BeyondTrust’s QuickStart recommendations or changes in the software—are accurately reflected in the policy.


Lightweight vs Comprehensive Review

First things first, let’s make sure a lightweight review is the best option versus the comprehensive review.

The lightweight review should be sufficient if:

  • There haven’t been large changes to organizational structure, such as handoffs to new teams to manage the policy.
  • A comprehensive review was completed within the past year, and you don’t anticipate much drift in policy since then.
  • There haven’t been major structural changes to the policy that haven’t been through a comprehensive review.


If you find yourself meeting these criteria, excellent! Off to the lightweight review we go!


General Guideline

The following are the general steps that are recommended; the frequency is up to each customer. Note that this review is typically meant to document and understand changes that may need to be made to the policy, or to prompt an investigation if things are out of place. It’s your read-only Friday recommendation, as we never, ever recommend implementing changes to Production without first testing!

  1. Collect the last review
  2. Validate if the policy, or policy assignment has changed since the last review
  3. Validate changes to policy
  4. Validate hygiene
  5. Validate analytics data
  6. Check Release Notes for QuickStart changes
  7. Plan Remediation Steps (If Required)

TIP: Seriously, don’t test in Production. Reviews are to highlight areas of improvement, not to accidentally cause an outage if a mistake is made.


Step 1: Collect the Last Review

The reviews should be compiled in a password-protected document with restricted access, noting when the last review took place and the findings at that time. Comparing this review with the last review(s) can help highlight trends of changes in the policy. Sometimes this can highlight common errors that occur, such as creating duplicates, c:/users definitions, or higher-risk filename-only definitions.

With On-Prem BeyondInsight, these documents may provide the only method of understanding changes as BeyondInsight does not maintain a revision history of the policy as it’s updated directly to the database.

If this is a first review, start a document highlighting the latest version number, the version number assigned to computer groups, the date of the lightweight review, and any notes that come from the policy review. Encrypt the document with a password and save the password to a password manager. Save the document in a location with restricted access.


Note: Excel is not a password manager. If that’s the route you’d like to go down, please talk to your account manager. We’d be happy to show you alternatives.


Step 2: Validate if the policy or policy assignment has changed since the last review

If there are no changes, and you’ve documented your last policy review for this revision, then happily continue along to Step 4. Finding the change date for either policy or its assignment can help ensure that the changes are well structured or reveal any unexpected changes to the environment that warrant further investigation beyond the policy scope. 

In EPM-Cloud

  1. Validate the policy update times
    1. Open Policies tab
    2. On the desired policy, select the three ellipses on the right-hand side
    3. Select View Policy Details
    4. Select Revisions
    5. Note the version number and Created Date
    6. If this has changed since the last lightweight review, then review the policy.
    7. If there was no expected change to the policy however it has indeed changed, then use the information provided to investigate the policy change.
  2. Validate revision assigned to the computer groups
    1. If there isn’t a change to the computer group assignment but a change to the revision number, validate the policy only
    2. If there’s a change to the revision number assigned to the computers, and there is an expected change management ticket associated, validate that a proper change has occurred.
      1. If no proper change has occurred according to your organization’s policy, investigate the process violation

In BeyondInsight On-Prem

  1. Validate the Policy update time
    1. In Configuration, select Endpoint Privilege Management Policies in the Privileged Desktop Management tile
    2. Validate Policy Version time
  2. Validate if smart rules have been changed that cover policy assignment
    1. In Smart Rules, look for Last Updated


Step 3: Validate changes in policy

For the changes in policy, we’re performing a quick check for higher-risk items

  1. In EPM-Cloud, use Compare Policy to find the quick difference between the last version reviewed and the current version
    1. Open the Policies tab
    2. On the desired policy, select the three ellipses on the right-hand side
    3. Select View Policy Details
    4. Select Revision Comparison
    5. If required, change Base Version to the previous version number and select Compare
    6. This will give information about where the changes occurred to validate that the changes are as expected
  2. EPM-Cloud: Validate Policy Assistant
    1. Open the policy in read-only mode
    2. Expand Utilities
    3. Select Policy Assistant
    4. Note, Policy Assistant will also give details about the recommendation
    5. Mark any recommendations made to either note as “known” or to be remediated
  3. EPM-Cloud and On-Prem: Policy Review: Workstyle Filters
    1. Validate that the workstyle filters are as expected
    2. Note, sometimes there can be 100+ workstyles with some deployments. If that’s the case, this might be better suited for a comprehensive review.
    3. Mark any changes that are high risk as a recommendation to remediate
  4. EPM-Cloud and On-Prem: Policy Review: Filename only definitions
    1. In the application groups that aren’t acting as a default catch-all, such as (Default) Any Applications, validate that scripts and executables are matched on more than just the filename for allowed actions.
    2. In EPM-Cloud, Policy Assistant will typically pick this up. However, there’s no method for searching on “is blank” – sorting by Publisher to get blanks will go a fair way in reducing the noise to validate.
    3. Mark any definitions that are high risk as a recommendation to remediate
  5. EPM-Cloud and On-Prem: Policy Review: High risk sudo (EPM-M)
    1. If changes to application groups or workstyles have been made, validate whether there have been any high-risk changes to the sudo commands, such as allowing our recommended blocked sudo commands.
    2. The list of recommended blocked commands is in Block - Blocked Apps in the Mac QuickStart policy
    3. Mark any definitions that are high risk as a recommendation to remediate
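Because the console has no “is blank” search, the filename-only check from Step 3.4 (and the duplicate and c:/users checks mentioned under Step 1) can be run over a reviewer's own transcription of the application groups. The following is an added example, not BeyondTrust code or the product's export format: the definitions and field names (`group`, `filename`, `path`, `publisher`, `hash`) are constructed to illustrate the checks, and the catch-all group name is taken from the post.

```python
"""Flag higher-risk application definitions for a lightweight policy review.

Added example, not BeyondTrust code. The definitions below are constructed;
the field names are assumptions, not the product's policy schema.
"""
from collections import Counter

# Group(s) that intentionally act as a catch-all and are excluded from the
# filename-only check (name taken from the QuickStart policy).
CATCH_ALL_GROUPS = {"(Default) Any Applications"}

# Constructed sample definitions, as a reviewer might transcribe them.
DEFINITIONS = [
    {"group": "(Default) Any Applications", "filename": "*", "path": "",
     "publisher": "", "hash": ""},
    {"group": "Allow - Approved Tools", "filename": "7z.exe", "path": "",
     "publisher": "", "hash": ""},
    {"group": "Allow - Approved Tools", "filename": "editor.exe",
     "path": "C:\\Users\\*\\AppData\\Local\\Programs\\Editor\\editor.exe",
     "publisher": "Example Corp", "hash": ""},
    {"group": "Allow - Approved Tools", "filename": "git.exe",
     "path": "C:\\Program Files\\Git\\cmd\\git.exe", "publisher": "Example Corp", "hash": ""},
    {"group": "Allow - Approved Tools", "filename": "git.exe",
     "path": "C:\\Program Files\\Git\\cmd\\git.exe", "publisher": "Example Corp", "hash": ""},
    {"group": "Allow - Approved Tools", "filename": "deploy.ps1", "path": "",
     "publisher": "", "hash": "sha256:CONSTRUCTED0000"},
]


def is_filename_only(d):
    """True when nothing but the filename constrains the match."""
    return bool(d["filename"]) and not (d["path"] or d["publisher"] or d["hash"])


def is_user_profile_path(d):
    """True when the path lives under the user profile (user-writable)."""
    path = d["path"].lower().replace("/", "\\")
    return path.startswith("c:\\users")


def without_publisher(defs, catch_all=CATCH_ALL_GROUPS):
    """The manual 'sort by Publisher and look at the blanks' step."""
    return [d for d in defs if d["group"] not in catch_all and not d["publisher"]]


def review_definitions(defs, catch_all=CATCH_ALL_GROUPS):
    """Return a list of findings for the higher-risk patterns."""
    findings = []
    for d in defs:
        if d["group"] in catch_all:
            continue
        if is_filename_only(d):
            findings.append({"severity": "high", "group": d["group"],
                             "filename": d["filename"], "issue": "filename-only definition"})
        if is_user_profile_path(d):
            findings.append({"severity": "high", "group": d["group"],
                             "filename": d["filename"], "issue": "user-profile path"})

    # Duplicates: identical matching criteria within the same group.
    key = lambda d: (d["group"], d["filename"].lower(), d["path"].lower(),
                     d["publisher"].lower(), d["hash"].lower())
    counts = Counter(key(d) for d in defs)
    for k, n in counts.items():
        if n > 1:
            findings.append({"severity": "low", "group": k[0], "filename": k[1],
                             "issue": "duplicate definition"})
    return findings


if __name__ == "__main__":
    for f in review_definitions(DEFINITIONS):
        print(f"[{f['severity']}] {f['group']}: {f['filename']} - {f['issue']}")
```

The hash-matched `deploy.ps1` is deliberately not flagged: a filename plus a hash is not filename-only, which is the distinction the Policy Assistant recommendation is making. Each finding becomes a line in the review document marked either “known” or to be remediated.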


Step 4: Validate hygiene

A full hygiene review is recommended as part of the Comprehensive Policy Review; however, a hygiene review can be completed here if there are known changes in the environment.

  1. Check if there are application definitions for known decommissioned, or end-of-support software
    1. Mark these down as recommendations to remove
  2. Check if there are workstyles that no longer fit their use case
    1. Mark these down as recommendations to remove
  3. Check if a workstyle should be made more granular (e.g. high flex only to move to high/medium/low flex)
    1. Mark this down as a recommendation to consider
  4. Check if there are assigned application group definitions with no entries
    1. Mark these down as recommendations to remove


Step 5: Validate analytics data

Validating analytics data can help determine if there are new items that are candidates to be added to policy. Such items to review are:

  1. Changes in (Default) Any Applications, or other “catch-all” rules to see if there’s a trend of new software attempts
  2. Common request reason in elevation, to see if there has been a change in software that people are using
  3. Any major trends (e.g. 200% increase in ‘elevation’ actions) as typically the week-over-week trends tend to be rather consistent in steady-state deployments.


Step 6: Check Release Notes for QuickStart changes

Occasionally a new version of EPM will come with a new version of QuickStart that will document what has changed. For security updates, there will be an accompanying KB article detailing the change and recommendations for implementing this in your policy.

  1. Go to our Release Notes page
  2. You may need to refresh the page while clearing the cache (e.g. Shift+F5) to have the page show the most recent information


Step 7: Plan for remediation

With your review document, decide on a plan for remediation. This may require policy changes and testing, or you may have found no required changes. If no required changes are found, document that as well, so that the next person reading the document understands the review has been completed.


Additional Resources

The following may be helpful:

KB0017838 - Best practice for policy rule creation (application & On-Demand)

KB0020878 - Endpoint Privilege Management Analytics FAQs


Happy Security Review!

Tasha Clowater

Sr. Technical Account Manager

Love this!!! 🔥
