Protecting Against Data Breaches: Managing Software And 'Whitelisting' Applications
*This post originally appeared on the AppSense blog prior to the rebrand in January 2017, when AppSense, LANDESK, Shavlik, Wavelink, and HEAT Software merged under the new name Ivanti.
By John Pescatore, Director of Emerging Technologies, SANS
In response to recent changes in the CIS Critical Security Controls, a new focus has been placed on managing software across networks to prevent malicious data breaches.
Here we will highlight the importance of this focus when it comes to controlling applications and whitelisting software.
- Actively controlling applications
CIS Critical Security Controls Version 6.0 says actively controlling applications is important because “Poorly controlled machines are more likely to be either running software that is unneeded for business purposes (introducing potential security flaws) or running malware introduced by an attacker after a system is compromised. … Managed control of all software also plays a critical role in planning and executing system backup and recovery.”
- Actively managing executables
Actively managing which executables can run on a PC or server presents a high barrier to malware and is a positive approach to endpoint security: only authorized software runs unhindered, while unauthorized software is either prevented from running or runs only with security policies applied.
Note that “actively managing” means more than doing a simple lockdown.
Lockdown is where IT dictates which applications users can run, and users have no ability to install executables. While lockdown sounds like the most secure approach, the realities of today’s business environment mean that lockdown invariably causes business disruption, leading to users bypassing lockdown through rogue or shadow IT efforts or to corporate management dictating so many exceptions to lockdown that the effort fails.
A step up from lockdown is “whitelisting,” where IT approves a set of applications that users can run, consistent with licensing constraints. The success of whitelisting depends on the percentage of business-justified applications that are contained in the whitelist and how quickly IT can evaluate and add requested applications to the approved list. Keeping the approved list accurate and responsive can require high levels of IT staffing.
To address the operational difficulties caused by whitelisting, an alternative approach is to base each allow/block decision on file properties, such as the owner recorded by the file system and the publisher named in a valid code signature, rather than on a per-file hash or signature entry. With this technique, a list of approved publishers and file owners is maintained, and all files from those sources are trusted.
File ownership is recorded and enforced by the operating system, so executables introduced by users and other non-trusted sources are owned by those accounts and cannot be executed, with the exception of executables signed by trusted publishers. Because a trusted publisher could produce a compromised executable, the list of trusted publishers should be minimal and restricted to highly trustworthy organizations. Ownership-based trust also assumes that ordinary users cannot take ownership of files; a local administrator can, so this approach needs to be paired with removing administrative rights from everyday user accounts.
- Application control
Application control adds the ability to support a “gray list,” where applications that are not on the whitelist (or blocked by simple blacklist approaches such as antivirus software) are allowed to run with security policies automatically applied to them. These policies can limit connectivity, privilege levels, times of use, etc. to reduce risk while allowing business needs to be met. This added flexibility has helped balance security, business demands and staffing levels.
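The decision chain described in the last three sections (a per-file hash whitelist, trusted ownership and trusted publisher rules, then a gray list that allows execution with restrictions), as an added example in Python that is not part of the original post and not code from any AppSense or Ivanti product. All paths, owners, the publisher name and the file contents are constructed, and signature verification is represented by a boolean rather than performed.

```python
"""Toy application-control decision chain (added example, not vendor code).

Each executable is checked, in order, against:
  1. a per-file hash allowlist (the classic, high-maintenance whitelist),
  2. a trusted-owner rule (the file owner recorded by the OS is an IT-controlled account),
  3. a trusted-publisher rule (a valid code signature from a short list of vendors),
  4. a gray list (the file runs, but with restrictions applied),
and is blocked if nothing matches. Owners, publishers, paths and bytes are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"        # runs unhindered
    RESTRICT = "restrict"  # gray list: runs with a security policy applied
    BLOCK = "block"


@dataclass(frozen=True)
class Executable:
    path: str
    owner: str                       # owner recorded by the file system (e.g. NTFS owner)
    content: bytes                   # constructed stand-in for the file's bytes
    publisher: Optional[str] = None  # subject of the code-signing certificate, if any
    signature_valid: bool = False    # True only if the signature verified against content


@dataclass(frozen=True)
class Policy:
    allowed_hashes: frozenset[str]
    trusted_owners: frozenset[str]
    trusted_publishers: frozenset[str]
    gray_list: tuple[tuple[str, dict], ...]  # (path prefix, restrictions to apply)


def evaluate(exe: Executable, policy: Policy) -> tuple[Decision, str]:
    """Return the decision for one executable and the rule that produced it."""
    digest = hashlib.sha256(exe.content).hexdigest()
    if digest in policy.allowed_hashes:
        return Decision.ALLOW, "hash allowlist"

    # Trusted ownership: files installed by IT-controlled accounts are trusted; a file
    # a user dropped in is owned by that user and is not. This only holds if ordinary
    # users cannot take ownership, i.e. they are not local administrators.
    if exe.owner.lower() in {o.lower() for o in policy.trusted_owners}:
        return Decision.ALLOW, f"trusted owner: {exe.owner}"

    # Trusted publisher: the certificate subject counts only when the signature actually
    # verified, so a tampered or unsigned file never gets allowed by this rule.
    if exe.signature_valid and exe.publisher in policy.trusted_publishers:
        return Decision.ALLOW, f"trusted publisher: {exe.publisher}"

    # Gray list: not approved, but allowed to run with restrictions instead of blocked.
    for prefix, restrictions in policy.gray_list:
        if exe.path.lower().startswith(prefix.lower()):
            return Decision.RESTRICT, f"gray list: {restrictions}"

    return Decision.BLOCK, "no matching rule"


def decide_all(files: list[Executable], policy: Policy) -> dict[str, Decision]:
    return {f.path: evaluate(f, policy)[0] for f in files}


# Constructed sample policy and files (hypothetical names throughout).
APPROVED_TOOL = b"constructed bytes of an IT-approved portable tool"

SAMPLE_POLICY = Policy(
    allowed_hashes=frozenset({hashlib.sha256(APPROVED_TOOL).hexdigest()}),
    trusted_owners=frozenset({
        r"NT SERVICE\TrustedInstaller", r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators",
    }),
    trusted_publishers=frozenset({"CN=Example Software Ltd"}),  # keep this list short
    gray_list=(
        (r"C:\Users\alice\Tools", {"network": "blocked", "privilege": "standard user"}),
    ),
)

SAMPLE_FILES = [
    Executable(r"C:\Windows\System32\notepad.exe", r"NT SERVICE\TrustedInstaller", b"os binary"),
    Executable(r"C:\Users\alice\Downloads\portable.exe", r"CORP\alice", APPROVED_TOOL),
    Executable(r"C:\Users\alice\Downloads\vendor.exe", r"CORP\alice", b"vendor build",
               publisher="CN=Example Software Ltd", signature_valid=True),
    Executable(r"C:\Users\alice\Downloads\patched.exe", r"CORP\alice", b"vendor build, modified",
               publisher="CN=Example Software Ltd", signature_valid=False),
    Executable(r"C:\Users\alice\Tools\macro_helper.exe", r"CORP\alice", b"unknown tool"),
    Executable(r"C:\Users\alice\Downloads\invoice.pdf.exe", r"CORP\alice", b"unsigned download"),
]

if __name__ == "__main__":
    for exe in SAMPLE_FILES:
        decision, rule = evaluate(exe, SAMPLE_POLICY)
        print(f"{decision.value:8s} {exe.path}  ({rule})")
```

The order of the rules is the operational point: the hash list is consulted first so that IT can approve a one-off tool a user already downloaded, ownership and publisher rules then cover the bulk of legitimate software without per-file maintenance, and only what is left falls to the gray list or is blocked. Note that `patched.exe` carries the trusted publisher's name but an invalid signature and is blocked, which is exactly why the publisher check must be tied to signature verification rather than to the certificate subject alone.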