Closing the Gap: Identity Security Modernization with CyberArk and Merlin Cyber
As cyber threats increasingly target endpoints, it is clear the security perimeter has expanded well beyond the traditional network edge. Identity security controls are the new linchpin, and for federal agencies, a major security gap persists at the endpoint.
At Merlin Cyber, we are proud to partner with CyberArk to help government agencies modernize their identity security posture by extending Privileged Access Management (PAM) to the endpoint with CyberArk Endpoint Privilege Manager (EPM). By extending identity security controls to the endpoint, agencies can prevent cyber threats targeting user identities at the common point of entry. Specifically, EPM delivers critical detection and prevention capabilities that thwart threats like EDR bypass and ransomware execution, delivering comprehensive risk reduction across the agency.
The Endpoint: An Expanding Identity Attack Surface
Endpoints are among the most common entry points for attackers. Whether through phishing, credential theft, or, especially, the exploitation of unmanaged local privileges, threat actors often gain initial access via endpoints. They then entrench themselves in target systems through privilege escalation and lateral movement, dwelling undetected to exfiltrate critical data.
Agencies that rely solely on Endpoint Detection and Response (EDR) tools to detect malicious activity may think they are protected. However, EDR is a detective and often reactive security control that alerts you to a threat or other indicator of compromise (IoC), frequently after the fact. EDR does little to prevent the initial compromise or the abuse of identity-based privileges on the endpoint.
Why EDR Alone is Not Enough
EDR solutions provide real-time monitoring, threat detection, and response, making them critical for identifying cyber threats; however, they are reactive by nature. Threat actors are evolving their tactics to bypass EDR solutions, compromise local administrative privileges, and exfiltrate data. To fully protect mission-critical data, federal agencies need a comprehensive cybersecurity framework that proactively prevents attacks and safeguards EDR capabilities by eliminating unauthorized privilege escalation and lateral movement.
Detective security controls like EDR do not provide the identity security measures needed to provision and govern user identities across all endpoints on an agency’s IT systems. This security gap highlights the need to apply both EDR and identity security controls on the endpoint.
Sophisticated adversaries are adept at bypassing traditional EDR mechanisms using techniques like:
- Fileless malware and code injection attacks
- DLL side-loading
- Indirect system calls
- Living-off-the-land binaries
- Credential theft, privilege escalation, and lateral movement
CyberArk EPM automatically blocks the above attack vectors, acting as a preventive complement to EDR that neutralizes identity-based threats before they can escalate.
Extending PAM to the Endpoint with CyberArk EPM
Traditional PAM solutions are essential for provisioning administrative user identities and securing access to critical infrastructure and IT systems. However, they fail to govern local administrative accounts on the endpoint.
CyberArk Endpoint Privilege Manager (EPM) extends PAM capabilities to the endpoint, enabling government agencies to:
- Remove local admin rights without disrupting productivity.
- Enforce least privilege across all identities and endpoints.
- Control application access and script execution.
- Block ransomware and other unknown threats pre-execution.
- Automate policy creation and management to allow, restrict, or enforce just-in-time privilege elevation.
By granularly governing user access, privilege elevation, and applying policy-based controls, EPM stops malicious behavior before it happens and shifts security posture from reactive to proactive.
Identity Threat Detection and Response (ITDR) and Automation
ITDR is a growing focus in modern identity security best practices. It brings visibility and analytics to identity activity, which is especially helpful in identifying sophisticated attacker tactics, techniques, and procedures (TTPs) such as abuse patterns, credential misuse, and other identity-related IoCs afflicting endpoints.
By scaling PAM to the security perimeter with CyberArk EPM, ITDR becomes more actionable. Automation capabilities in EPM enable rapid response to identity threats:
- Planting deceptive credentials to lure attackers, triggering a high-fidelity alert when the decoy credentials are used, which indicates that an attacker has bypassed security controls.
- Automatically revoking access or isolating endpoints upon anomaly detection.
- Enforcing granular, just-in-time privilege elevation only when needed.
- Streamlining and standardizing remediation workflows for security and IT teams through integration and automation.
By leveraging automation and treating identity as the new security perimeter, federal agencies can eliminate attacker dwell time and shorten mean time to remediation (MTTR), preventing cybercriminals from entrenching themselves within systems and exfiltrating critical data.
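The decoy-credential and automated-response items in the list above amount to a simple detection: a decoy account has no legitimate use, so any authentication event naming it is an alert, and the alert can drive an isolation or revocation action without analyst triage. The following is an added example of that logic run over constructed logon records; it is not CyberArk's or Merlin Cyber's code, the record format is a simplified stand-in for Windows Security log fields, and the decoy account names, hosts and addresses are made up.

```python
import re

# Constructed decoy accounts: they exist only as bait and have no legitimate use,
# so any authentication attempt with them is an alert by construction.
DECOY_ACCOUNTS = {"svc_backup_admin", "da_legacy"}

# Constructed, simplified logon records (not real Windows Security log output).
# EventID 4624 = successful logon, 4625 = failed logon, 4648 = logon with explicit credentials.
SAMPLE_EVENTS = [
    "2024-05-01T08:02:11Z EventID=4624 Account=jsmith Host=WS-0142 Src=10.1.4.22 LogonType=2",
    "2024-05-01T08:05:40Z EventID=4625 Account=jsmith Host=WS-0142 Src=10.1.4.22 LogonType=2",
    "2024-05-01T08:31:07Z EventID=4648 Account=svc_backup_admin Host=WS-0142 Src=10.1.4.22 LogonType=3",
    "2024-05-01T08:31:09Z EventID=4625 Account=svc_backup_admin Host=FS-01 Src=10.1.4.22 LogonType=3",
    "2024-05-01T08:31:30Z EventID=4624 Account=DA_LEGACY Host=DC-01 Src=10.1.4.22 LogonType=3",
    "2024-05-01T09:00:00Z EventID=4624 Account=admin_ok Host=DC-01 Src=10.1.9.5 LogonType=10",
    "malformed line that the parser must skip",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"Host=(?P<host>\S+) Src=(?P<src>\S+) LogonType=(?P<lt>\d+)$"
)
SUCCESS_EVENTS = {"4624", "4648"}


def parse(line):
    """Return the record's fields as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_decoy_use(lines):
    """Return one alert per event that touches a decoy account.

    Even a failed attempt (4625) is alerted: a decoy name appearing anywhere means
    someone obtained credentials they should never have seen.
    """
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["acct"].lower() not in DECOY_ACCOUNTS:
            continue
        alerts.append({
            "time": ev["ts"],
            "account": ev["acct"].lower(),
            "target_host": ev["host"],
            "source": ev["src"],
            "succeeded": ev["eid"] in SUCCESS_EVENTS,
            "severity": "critical",
        })
    return alerts


def response_plan(alerts):
    """Turn alerts into automated actions: isolate every source that used a decoy,
    and revoke sessions on hosts where a decoy logon actually succeeded."""
    plan = {"isolate_sources": set(), "revoke_sessions_on": set()}
    for a in alerts:
        plan["isolate_sources"].add(a["source"])
        if a["succeeded"]:
            plan["revoke_sessions_on"].add(a["target_host"])
    return {k: sorted(v) for k, v in plan.items()}


def run_demo():
    """Detect decoy use in the constructed sample and build the response plan."""
    alerts = detect_decoy_use(SAMPLE_EVENTS)
    return alerts, response_plan(alerts)


if __name__ == "__main__":
    alerts, plan = run_demo()
    for a in alerts:
        print(f"[{a['severity'].upper()}] {a['time']} decoy '{a['account']}' used from "
              f"{a['source']} against {a['target_host']} (success={a['succeeded']})")
    print("Response:", plan)
```

Because the decoy accounts are never used legitimately, the detection needs no baseline or threshold, which is what makes the alert high-fidelity enough to wire directly to an automated isolation action.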
Identity + Endpoint = Holistic Cyber Defense
Modern cybersecurity best practices demand a defense-in-depth approach where identity and endpoint security work in tandem. With EPM/PAM as a preventive control and EDR as a detective control, agencies can effectively:
- Prevent malware and ransomware execution at the source.
- Stop lateral movement by limiting privileged access.
- Reduce the impact of breached credentials.
- Accelerate incident response and recovery.
This multi-layered cybersecurity strategy aligns with Zero Trust, where “never trust, always verify” applies across users, endpoints, systems, and workloads.
Future-Proofing Identity Security with CyberArk and Merlin Cyber
As identity emerges as the new security perimeter, modernizing identity security is paramount. By extending PAM capabilities to the endpoint with CyberArk EPM, agencies can close an increasingly exploited security gap, prevent identity-driven attacks, and proactively strengthen their overall security posture.
Merlin Cyber is committed to partnering with federal agencies to implement practical, effective identity security modernization strategies in alignment with mission objectives and regulatory requirements. Let’s work together to secure the mission, from identity to endpoint.