CyberArk Endpoint Privilege Manager

Customers use CyberArk Endpoint Privilege Manager  to limit the administrative abilities of user accounts on laptops and endpoints. The big issue with Microsoft Windows operating system is a huge difference between advanced privileges that administrators have and simple user privileges that users have. Customers sometimes need something in the middle of those two positions, and Windows doesn't give a user-friendly interface to configure this from the operating system itself.

I have seen a positive impact of CyberArk Endpoint Privilege Manager  for my customers over the years. It's quite a useful tool in the general strategy of a company to work with administrative accounts. Customers can grant appropriate access to laptops for their employees who sometimes need to be granted some higher permissions. It's not a very common use case, but sometimes customers need to work with such types of activities. For example, customers sometimes need to perform backup and test restore data tasks on the laptop, and this operation happens, not so frequently, maybe once a month. There is no need to grant the user administrative abilities because it would be too much for the users. 

CyberArk Endpoint Privilege Manager has helped my customers free up people for other projects or tasks. Companies using CyberArk EPM can hire third parties to perform some support tasks only for a limited time frame. They use some part of administrative privileges, and they granularly configure those privileges for third-party users.

CyberArk Endpoint Privilege Manager has had a positive impact on my customers' security posture. The customer has two options: one option is to grant access to perform some administrative tasks for their employees, and after that, to get these abilities back. In case they use the CyberArk tool, they don't need to perform this task from time to time. They don't need to have a person who manages these activities to grant access and to get it back.

CyberArk Endpoint Privilege Manager helps my customers reduce mean time to detect. Usually, detection tasks go to another security solution. CyberArk can prevent some data breaches and similar issues, but there is a part with Behavior Analytics. If the user does something very different from their usual actions, it can monitor and alert through the administrator's dashboard. It helps to monitor and prevent data breaches as well, making the behavior part the most powerful in terms of detection.

CyberArk Endpoint Privilege Manager's time to value can be seen immediately after the implementation. Customers usually have very clear requirements. They already know what the pain is, and they are clear about the scope of work for the project. So, after the implementation, customers can get all these benefits.

There are many valuable aspects of the product, but the most common feature is working with the privileges. 

The controls of CyberArk Endpoint Privilege Manager influence the visibility into endpoints for my customers. It allows them to granularly manage controls to prevent some malicious activities on the endpoint machine.

Integrating CyberArk Endpoint Privilege Manager with the existing systems is usually very easy. It does not cause any conflict with other solutions.

CyberArk Endpoint Privilege Manager is user-friendly to configure. The initial setup is mostly straightforward. In addition to this, the product has very strong documentation, so administrators can use the documents as well.

While CyberArk Endpoint Privilege Manager is a great tool, I believe the functionality could be wider. If it could work not only with permissions but also involve pure EDR tasks or User and Entity Behavior Analytics , it would be great. It could cover more tasks related to managing endpoint protection solutions.

I have been working with CyberArk Endpoint Privilege Manager for about seven or eight years.

CyberArk Endpoint Privilege Manager is easy to scale. There is just one license for one endpoint, so it's just a matter of calculating the administrative users in your entire organization.

I have not seen many technical support requests, but customers are satisfied with this aspect of CyberArk products. Based on my experience with them, I would rate their support a nine out of ten.

Positive

It's quite easy. It's a user-friendly tool to configure, and you can see what you configure, so it's not complicated to perform this task. It is one of the easiest products. In some cases, customers only buy the license and do the implementation process on their own.

I believe it's quite a reasonably priced solution. It's not very common to use CyberArk because it's a niche solution, but customers who are willing to control administrative accounts are willing to pay this money.

Despite CyberArk giving the ability to control applications and similar tasks, usually, customers also have an EDR or Endpoint Detection and Response solution.

I usually suggest starting with a small Proof of Concept project to see all the abilities and address any concerns. The main concerns generally revolve around whether the solution will conflict with other endpoint solutions. Since it is a very lightweight agent on laptops, there is no conflict with other solutions while performing their main tasks, which alleviates those concerns.

Overall, I would rate CyberArk Endpoint Privilege Manager a nine out of ten.

I work in the financial industry, currently providing services for Banco Colombia, one of the most important banks in Colombia.

Working with various banks, we find that CyberArk Endpoint Privilege Manager increases operational efficiency through solutions that automate processes amid organizational growth. While there might not be free time, the solution allows us to enhance our cybersecurity capabilities and utilize that time for further project maturity.

We use CyberArk Endpoint Privilege Manager to complement a privilege access management solution in order to avoid golden ticket attacks and strengthen services against attacks. 

It serves as a complement to our asset management solution. The architecture of CyberArk Endpoint Privilege Manager is beneficial for integrating with all customer ecosystems; it's easy to deploy, and achieving that level of integration and control is more challenging with other solutions. 

The ability of CyberArk Endpoint Privilege Manager to safeguard our financial services infrastructure is very important, as we need to record actions on privileges in our information systems. 

Regarding the granularity of the managed controls in CyberArk Endpoint Privilege Manager, we have different levels of features to define compensations and capabilities, which help us verify configurations and access, ultimately keeping the safety of rights intact.

Our initial challenge with CyberArk Endpoint Privilege Manager is to comply with Colombian regulations in the financial sector, particularly identifying users and managing password changes and rotations. We needed to certify the identities and provide necessary information for government investigations, if required. CyberArk Endpoint Privilege Manager is very important for helping our organization meet compliance and regulatory requirements.

We have to comply with international regulations such as SOC, but also with local regulations unique to the financial sector, which is crucial for us due to the high risks involved. CyberArk Endpoint Privilege Manager helped us reduce the time for regulatory processes to approximately two to four months, completing the solution and training.

CyberArk Endpoint Privilege Manager has helped us reduce the mean time to detect within our organization. That's our main goal. Regarding MTTD, the solution provides enough information to enhance our overall detection process. We have an 85% improvement in MTTD.

CyberArk Endpoint Privilege Manager helps ensure data privacy through strategies that manage information in real-time. 

CyberArk Endpoint Privilege Manager helps save costs by avoiding risks and future expenses associated with security incidents. It's essential to communicate the value of CyberArk Endpoint Privilege Manager to users, as its controls help improve system security. My role at the company involves service and sales activities.

CyberArk Endpoint Privilege Manager can improve its Identity Governance, which is already working effectively yet could continue to enhance its capabilities. There are areas for improvement, as CyberArk Endpoint Privilege Manager is near the ideal but not fully there yet.

I have five years of experience with CyberArk Endpoint Privilege Manager, and we are using the global solution.

I would rate CyberArk Endpoint Privilege Manager's technical support an eight out of ten. 

My reasoning for this rating is that, despite newer versions and functionalities, CyberArk Endpoint Privilege Manager lacks sufficient knowledgeable support staff, resulting in longer wait times for assistance.

Positive

I don't recall the previous solution we used. The main differences between the past solution and CyberArk Endpoint Privilege Manager are in ease of integration and administration; past solutions were much more difficult to keep operational.

The solution is easier to deploy than other solutions and easy to deploy in the cloud. The initial integration in the beginning may be complex due to the different technologies and architectures involved in preventing attacks. There are some limits in terms of what you can do to customize the solution. 

I consider CyberArk Endpoint Privilege Manager's return on investment to be good since it effectively accomplishes the goals expected from privilege access management solutions. After implementing CyberArk Endpoint Privilege Manager, we saw the time to value after a year.

I currently don't know how CyberArk Endpoint Privilege Manager utilizes artificial intelligence for management.

I rate this solution nine out of ten.

For privileges itself, I, as a Windows administrator, can connect to a laptop or desktop, and I need multi-factor authentication. This is what I am using it for - to authenticate identities and access privileges.

The solution blocks unknown applications automatically. It allows whitelisting. Whitelisted applications have limited access compared to blocked and graylisted applications. Unknown applications that attempt tasks require credential prompts for access. These features are very valuable since they protect me. It safeguards against any unforeseen background tasks.

The main issues I experience are related to deployment, which requires dependency on other solutions like AD or SCCM. These tools need to be defined and synced with the client or agent and master, sometimes needing manual checks. The agent may have problems syncing, which complicates deployment, especially when users leave the organization, however, agents remain licensed since the server still maintains licenses. 

Additionally, compared to other endpoint managers like Thycotic, CyberArk Endpoint Privilege Manager  lacks recording capabilities, which limits its functionality for critical applications. A feature that records activity, even when bypassing CyberArk Endpoint Privilege Manager , would be beneficial.

I have used EPM for three to four years.

In terms of stability, I can provide very positive feedback. When I work with multiple applications as an administrator, I find the stability level of CyberArk Endpoint Privilege Manager to be superior. 

Other tools struggle with stability and require significant improvement. Despite claims of strength, their stability levels are lower than CyberArk Endpoint Privilege Manager's. Once everything is set up, it continues to work reliably.

Scalability-wise, it is good. CyberArk Endpoint Privilege Manager has a distributed architecture not found in other PAM tools. However, there are challenges at the application and database integration levels. Success relies on my knowledge of databases and applications to increase capabilities; otherwise, it becomes challenging. Compared to other tools, CyberArk Endpoint Privilege Manager excels in scalability.

On a scale from one to ten, I give a seven for customer service. 

While support processes have changed, making it more challenging to obtain vendor support, CyberArk Endpoint Privilege Manager's support is still segmented into multiple levels, causing delays. Compared with newer market tools, their lack of segmented support allows for quicker response. However, CyberArk Endpoint Privilege Manager requires a more streamlined escalation process.

Neutral

Our setup process is moving to the cloud, which is very good. It reduces complexity. The cloud makes things simpler.

The implementation is done by a partner. I have traveled to Dubai for two implementations. We also have partners in Bangalore.

I've received feedback that the pricing is high, however, for me, the value it brings is worth the cost. It's really one of the best solutions.

CyberArk Endpoint Privilege Manager has two main competitors: BeyondTrust and Thycotic. Thycotic has integrated with Centrify to become Delinea. While these tools compete with CyberArk Endpoint Privilege Manager, particularly in identity management, they use some backend features from Centrify. Still, CyberArk Endpoint Privilege Manager stands out in other areas.

I rate the solution seven out of ten. 

In terms of stability, CyberArk Endpoint Privilege Manager scores well. Considering scalability, it is good due to its distributed architecture. However, it primarily fits medium to large organizations, especially those with financial ties, which should utilize CyberArk Endpoint Privilege Manager.

I have been using CyberArk in financial services. The specific use case depends on my customer's needs. Sometimes, it is just about securing some departments, and some customers want to have protection against certain threats.

The initial implementation stands out. It was very easy to go to different departments and analyze the software they were using, and so on.

I love the product. It works very well. 

I also appreciate the automatic agent updates, which is a new feature for CyberArk EPM. 

It's good at preventing attacks or threats on infrastructure and data. I can see an incident on the board, and it is clear to analyze what is happening on the endpoint devices. I am able to manage endpoints from a different perspective.

You can scale by department. 

The user interface is quite easy to use.

We did immediately begin to see results when using CyberArk. We were able to manage endpoints and see what is happening right away. 

We've been able to reduce mean time to detect. We can see anything on the report. It's really clear if you need to analyze anything that's happening on endpoints.

It helps with data privacy. We can configure the websites and monitor what is happening inside the application. We can see what is happening and what is being monitored. We can record endpoint screens as well - which the users are aware of.

It doesn't affect operational efficiency. If you set everything correctly, the user doesn't notice that it is in the background. 

The management of Privilege Access is not satisfactory. The company also suggests different software, and they seem to want to push me to buy additional software. 

The agent user interface doesn't have too much information. Without knowledge, you are not able to find some items as they are really hidden within the UI.

Some features provided in the self-hosted version of EPM are not supported in the software as a service version, like connection to some analysis applied by Palo Alto. Some connections to third-party analyzing engines, like Palo Alto and others, which can check hashes and similar functionalities, were working in the self-hosted version of EPM yet are not supported in the software as a service version. I'd like to see more connections to third-party analysis engines.

I have been using CyberArk for about a year and a half.

Right now, the product is primarily provided as software as a service, and it works very well.

The scalability is fine. I can divide my deployment by location. One administrator can manage specific departments, while someone else can manage others. 

When I need to contact CyberArk, I usually work with level one support, and sometimes their knowledge is lacking compared to mine.

Neutral

I've used other solutions as a user, not an administrator. I have more experience with EPM and therefore prefer using it. 

The initial setup is easy for me. The deployment took us one month from start to finish.

The initial setup could be done by one person.

There is some maintenance needed after deployment. You might have some incidents, or you may need to check for disconnected agents. 

I don't have any knowledge of pricing aspects. 

It's important that EPM can safeguard our financial infrastructure. Every endpoint is like a door to the company. Any user using an endpoint can accidentally grant access. It's integral to have something like EPM to manage the endpoints and protect the company.

Overall, I would rate the product seven out of ten.

We are selling CyberArk and doing some deployments. We have a CyberArk partner.

My use case involves users who have admin rights and who do not have admin rights. We control the activities of users to stop them from downloading certain things from the Internet. We control their activities via CyberArk Endpoint Privilege Manager. There could be some plugins in some of the applications or some files that are not whitelisted in the infrastructure and could be harmful or disruptive for the organization. Only whitelisted applications are allowed on the end user's laptops, as well as the servers, and we control them via CyberArk Endpoint Privilege Manager .

I am a partner implementing CyberArk Endpoint Privilege Manager on customers' infrastructure. Before deploying CyberArk Endpoint Privilege Manager, users could download anything through browsers. Some applications do not require admin rights to install because they are plug-and-play or portable applications. Such applications could not be controlled by admins or antivirus. After deploying CyberArk Endpoint Privilege Manager, we could control these applications by creating policies to block unwanted files and applications. We have whitelisted applications based on the signatures and other factors. All other applications are blacklisted.

Any new requirements require users to contact the admin team, ensuring applications are not harmful. Previously, when new requirements came related to infrastructure or something else, the users would not contact the admin team or the service team. They would directly deploy or try to run the application on their laptop without informing or taking help from the IT team. After deploying CyberArk Endpoint Privilege Manager, they have to follow the process. They cannot do anything themselves. They have to contact the admin team. We allow them to install the application after verifying that it is whitelisted and not harmful.

It prevents the use of pirated applications, securing company policies. At times, users can get pirated applications, which has an effect on the organization. The company becomes liable to pay money for using a pirated application. With CyberArk Endpoint Privilege Manager, we are able to control such issues because users do not have the right to directly install or run applications.

The most valuable feature is the ability to control users with admin rights. Even if developers and senior folks maintain their admin rights, we can still manage their activities. For example, despite having admin rights, we can control what applications they can run on their laptops with their admin rights. This is the main feature provided by CyberArk Endpoint Privilege Manager. We do not need to notify them that we are modifying their admin rights. We can create and push a policy from the backend. This access control is significant for us.

We also get reports on what kinds of activities are performed and which applications are launched from users' laptops.

There are many features that are currently missing. A customization option is required for certain policies. For instance, if we need to stop PowerShell scripting, we have to create a different policy for that. Being able to create a sub-level policy within a top-level policy would be good. 

Currently, no user-based policy option is available inside the EPM console. We can only create computer-based policies. The database is available, but there is a drawback in not being able to create local groups on the EPM console. We only have to depend on Active Directory. This limits infrastructure security as we depend on the Active Directory team to manage user groups. If they remove any users, we lose control. If we could create groups locally and block them or set specific policies, we would have more control. Local endpoint management is missing from the EPM site. 

Moreover, there is an issue with policies not running as expected when we make enhancements. We have to find multiple ways to whitelist applications or enhance policies.

I have used the solution for the last seven years.

It is very stable. CyberArk Endpoint Privilege Manager offers multiple options for creating and stopping policies. We have a separate set, like a container, to manage policies. If a policy is not working properly, we can shut it down or disable it. Downtime is rare, and challenges usually occur when individual policies impact a user. That is the only time any downtime is required. 

Windows 10 and 11 are stable operating systems, and we are not facing issues, unlike with Windows 7 when bugs were prevalent. 

I would rate it a nine out of ten for stability.

Scalability is excellent because it is SaaS-based. It is accessible from everywhere. I would rate it a ten out of ten for stability.

It is being used at multiple locations and multiple departments. As a partner, we have deployed it for multiple clients and multiple businesses globally. 

Our clients are small, medium, and large enterprises. One of them is a pharmaceutical company with about 1,500 licenses of CyberArk Endpoint Privilege Manager. Another client has more than 200,000 endpoints. We also have a client with 120,000 endpoints. It is very easy to manage them via the console. All of them are using the cloud.

I would rate their customer service as eight out of ten. Over the past six to seven months, support has been difficult to get due to increased customers. Earlier, we received support for normal tickets within a day, but now it takes one or two days to resolve issues. It also depends on the engineers assigned to a particular ticket.

Positive

I previously worked with Symantec and McAfee antivirus solutions. However, they are not the same as CyberArk Endpoint Privilege Manager, which is a broader endpoint security tool.

Earlier, it was on-premises, but in 2020, CyberArk moved to the cloud, so we migrated from on-premises to the cloud.

Its deployment was easy. Migration to the cloud was also easy.

CyberArk supported us at the time of the deployment and migration. It was very easy to migrate from on-premises to the cloud.

Maintenance is handled by the CyberArk team, who upgrade it from the backend. They send emails about operation activities, so we only need to monitor the system afterward. Once they upgrade the infrastructure, we check the release notes. After the upgrade, we have to push the EPM agent ourselves. We use the SCCM tool and patch management tool to push the EPM agent on larger networks. That is the only activity required from our side.

In terms of ROI, deploying CyberArk Endpoint Privilege Manager has secured the infrastructure, which saves money, time, and resources.

Resources do not have to spend time monitoring screens and checking logs of events on user laptops to capture any malicious activities. Decreased manpower reduces costs. It also reduces the need for monitoring solutions. CyberArk Endpoint Privilege Manager has reduced costs and manpower. It has saved 20% to 30% of resources after implementation.

Although I do not deal directly with the pricing, CyberArk Endpoint Privilege Manager is costly compared to other solutions. However, it offers beneficial features.

We did PoC with BeyondTrust and CyberArk. BeyondTrust is good, but because we also use CyberArk PAM, staying with CyberArk Endpoint Privilege Manager gives us multiple advantages. We can achieve multiple functions through both, solidifying the choice.

Every company has unique requirements. Based on ours, we chose CyberArk. We recommend it because it allows multiple policies and customization levels. The solution also offers benefits not available with other EPM solutions. Customers should conduct a PoC and evaluate requirements against other PAM tools. Some organizations might not be able to go for CyberArk due to its cost.

Overall, I would rate CyberArk Endpoint Privilege Manager a nine out of ten. One point is removed due to its higher cost. However, the company continues to enhance its offerings, justifying the expense.