Openai/695cf919-be54-8012-abfe-890e2495a365

User: EPM on all endpoints or just who needs admin rights? edit

EPM on all endpoints or just who needs admin rights?

At my current we have CyberArk EPM and it’s where I first ever used EPM. We have about 4k endpoints and another 1500 servers.

EPM is only installed on roughly 900 endpoints and no servers. Is this normal?

LAR is removed from all endpoints. EPM is on some of the IT departments like dev, quant, DBAs, and Sys Engineering.

No servers have EPM.

I was just interviewing with a company who is looking to roll out EPM to all 12k endpoints that they have.

Assistant: Short answer: both models exist, but they serve different risk appetites and maturity levels. edit

Short answer: both models exist, but they serve different risk appetites and maturity levels. What you’re seeing at your current place is very common, but it’s also less mature than what the 12k-endpoint company is aiming for.

Let’s break it down clearly.

1. Is it normal that EPM is only on ~900 of 4k endpoints? edit

Yes — very common. This is the “admin personas only” deployment model.

Typical characteristics edit

• EPM installed only on: - Devs - Quants - DBAs - Sys/Platform engineers
• Local Admin Rights (LAR) removed across the estate
• Everyone else runs as standard user
• Servers excluded entirely

Why orgs do this edit

• EPM is seen as an “admin replacement tool”, not a universal control
• Lower: - Licensing cost - Operational overhead - Policy complexity
• Security teams often think: > “If users can’t elevate, why install EPM?”

Downsides (important) edit

• No visibility into: - Credential abuse attempts - LOLBAS usage by standard users - UAC bypass attempts
• Malware still executes as standard user
• You only control who can elevate, not what executes

So yes — normal, but reactive rather than preventative.

2. Is it normal that no servers have EPM? edit

Also very common, but increasingly questioned.

Typical reasons edit

• Servers are: - “Hardened” - Managed via PAM (CyberArk Core, BeyondTrust, etc.) - Considered operationally sensitive
• Fear of: - Performance impact - Breaking services
• Teams rely on: - AD delegation - Just-in-Time admin - Jump hosts / PAWs

Reality edit

• Servers are high-value targets
• Lateral movement often ends on servers
• Many orgs now: - Deploy EPM on jump boxes - Deploy EPM on Tier 2 / app servers - Exclude Tier 0 (DCs, PKI, etc.)

So “no servers” is common, but not best practice anymore.

3. The 12k-endpoint rollout — what model is that? edit

That company is going for “EPM as a security control”, not just an admin tool.

Why orgs do full-estate EPM edit

• Prevent: - LOLBAS abuse - Script abuse (PowerShell, WMI, mshta, rundll32, etc.) - Living-off-the-land malware
• Gain: - Full execution visibility - Forensic telemetry - Consistent control plane
• Enforce: - App control - Elevation only when explicitly approved

This aligns with:

• Zero Trust
• MITRE ATT&CK
• NIST / CIS benchmarks
• Insurance & audit pressure

4. Pros & cons — side-by-side edit

Admin-only EPM (your current place) edit

Pros

• Faster rollout
• Fewer tickets
• Easier policies
• Cheaper

Cons

• Blind spots on ~75% of endpoints
• No protection against standard-user attacks
• Security value capped

All-endpoints EPM (12k rollout) edit

Pros

• Strong security posture
• Full visibility
• Better malware containment
• Consistent enforcement

Cons

• Heavy policy design effort
• More noise initially
• Requires mature: - App packaging - Certificate hygiene - Change control
• Needs strong L2/L3 Cyber involvement

5. What’s “best practice” today? edit

Hybrid, phased maturity model:

Phase 1 – Admin personas edit

✔ What your org has now

Phase 2 – High-risk users edit

• Finance
• Execs
• Developers using unsigned tools

Phase 3 – All endpoints edit

• Elevation mostly disabled
• EPM used for: - Blocking abuse - Monitoring execution - Just-Enough-Admin

Phase 4 – Select servers edit

• Jump hosts
• App servers
• Exclude Tier 0

6. Interview signal (important) edit

The fact that the new company wants EPM on all 12k endpoints usually means:

• They’ve had: - Incidents - Audit findings - Insurance pressure
• They see EPM as endpoint protection, not an IT tool
• They will need: - Strong engineering - Good runbooks - People who understand friction vs security

Given your background with:

• CI/CD signing
• Certificate governance
• macOS + Windows EPM
• LOLBAS awareness

👉 You’re exactly the kind of profile they need, whether they realise it yet or not.

TL;DR edit

• Your current setup is normal but limited
• Full-estate EPM is more mature and security-driven
• Servers excluded is common but slowly changing
• The 12k rollout suggests higher ambition — and higher pain

If you want, I can help you:

• Frame this comparison for interviews
• Design a realistic phased rollout model
• Or draft talking points that show you understand both security and ops reality