A category of products referred to as “application whitelisting” places stronger controls around what code is allowed to execute on each computer. Instead of the “default allow” policy of antivirus software, these products can be configured to allow only approved software to execute. One of the leaders in this market is Carbon Black.
Jesse Törzs, Enterprise Systems Engineer at Carbon Black, demonstrated Carbon Black Enterprise Protection (formerly known as Bit9). “I like to call it Change Control because of how dynamic it is,” she explained, “File Integrity Control and File Integrity Monitoring are bundled into the product, as well as Removable Device Control. The product allows you to reduce the attack surface by only allowing trusted change to occur – this allows for signature-less protection because we don’t need to know that something is bad ahead of time in order to block it from executing.”
The product consists of a server (installed on Windows Server 2008 or 2012 with a Microsoft SQL database) and agents installed on Windows, Mac, and Linux systems. The server is typically installed on the corporate network, but organizations using it to protect mobile workers may also deploy it in a DMZ.
As one would expect from an enterprise-class product, protected systems can be grouped in a variety of ways, including by leveraging Active Directory groups. Carbon Black Enterprise Protection can then apply different policies to different groups.
When initially installed, each agent performs a scan of the system to take inventory. Unlike antivirus products, subsequent scans are not required. Software changes are monitored and only authorized changes are allowed to occur.
“Updaters” such as SCCM, or other software deployment mechanisms, and known good software that automatically updates itself can be allowed. Digitally signed software from trusted publishers can be automatically authorized. Trusted directories can also be configured. This allows administrators to place software on, for example, a file share. Since Carbon Black Enterprise Protection uses a hash to track approved software, once software is placed in a trusted directory the identical software can be installed and executed regardless of source.
Custom rules also allow precise control over which processes are allowed to make changes and where. In a typical exploitation scenario, a hostile file exploits an application vulnerability and installs persistent software on the victim system by writing .dlls or other files. Carbon Black Enterprise Protection is capable of stopping this. It is also possible to allow specific applications without trusting all software from the vendor. For example, the Chrome web browser (including its self-update mechanism) can be allowed without authorizing all software signed by Google.
Carbon Black Threat Intel provides additional information on known software. Trust ratings from one to ten are determined based on contextual and historical information about the file such as age, source, prevalence, and publisher. The Reputation Approval mechanism can be configured to allow execution of files that achieve or exceed a specified trust rating.
Implementing execution controls can be a daunting task for a large enterprise. Creating software execution and update policies for servers is usually straightforward. Desktops and laptops are more complex. To meet these challenges, Carbon Black Enterprise Protection offers three enforcement levels.
Low Enforcement level essentially provides visibility and only blocks software that has been explicitly blacklisted.
Medium Enforcement level applies policies applicable to the system, but if the user tries to install unapproved software they will be prompted and have the ability to approve the software for the individual computer. Each prompt and response is logged so users are held accountable for their decisions.
High Enforcement level fully enforces the policy. Only software that has been trusted or introduced by a trusted mechanism of change is allowed to execute; everything else is blocked by default.
Törzs explained the process, “Right before you deploy a High Enforcement policy, you’ll put it into what we call High Enforcement Report Only mode.” This simulates the policy and reports events that would have been blocked. “You leave it in Report Only mode for a bit to fine tune the policy and make sure that the policy is not blocking things that you want to allow.”
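To make the approval mechanisms and enforcement levels described above concrete, here is an added model of the decision an agent has to make for each file event. It is illustrative code written for this column, not Carbon Black's implementation; the rule precedence, the trusted publisher, the UNC path of the trusted directory and the reputation threshold are all assumed sample values.

```python
"""Illustrative application-whitelisting decision model (added example, not
Carbon Black code).  A file is approved if its hash is already approved, it is
signed by a trusted publisher, it was introduced through a trusted directory, or
its reputation meets the configured threshold.  Unapproved files are handled
according to the enforcement level in force.  Precedence is an assumption."""
import hashlib
from dataclasses import dataclass

TRUSTED_PUBLISHERS = {"Google LLC"}              # constructed sample value
APPROVED_HASHES: set = set()                     # hashes approved globally
BANNED_HASHES: set = set()                       # explicit blacklist
TRUSTED_DIRS = ("\\\\fileserver\\approved\\",)  # constructed UNC share path
REPUTATION_THRESHOLD = 7                         # allow trust rating >= 7


@dataclass
class FileEvent:
    path: str
    content: bytes
    publisher: str = ""      # signer name, empty if unsigned
    reputation: int = 0      # 1-10 trust rating, 0 = unknown to threat intel


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_approved(ev: FileEvent) -> bool:
    """Any one trusted mechanism of change is enough to approve the file."""
    h = sha256(ev.content)
    if h in APPROVED_HASHES or ev.publisher in TRUSTED_PUBLISHERS:
        return True
    if any(ev.path.lower().startswith(d.lower()) for d in TRUSTED_DIRS):
        # Placing a file in a trusted directory approves its hash, so the
        # identical bytes may later execute from any location.
        APPROVED_HASHES.add(h)
        return True
    return ev.reputation >= REPUTATION_THRESHOLD


def decide(ev: FileEvent, level: str) -> str:
    """Return 'allow', 'block', 'prompt' or 'report' (High Report Only mode)."""
    if sha256(ev.content) in BANNED_HASHES:
        return "block"       # an explicit ban wins at every enforcement level
    if is_approved(ev):
        return "allow"
    # Unapproved software: the enforcement level decides what happens.
    return {"low": "allow",                 # visibility only
            "medium": "prompt",             # user may approve for this host
            "high-report-only": "report",   # simulate, log what would block
            "high": "block"}[level]         # default deny
```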
For those wishing to integrate, the product also provides an open and extensible API. It also integrates with Microsoft SCEP and will send events to a SIEM using syslog.
Carbon Black Enterprise Protection is not the only product in its category, but it clearly demonstrates the art of the possible when it comes to preventing malware and enforcing software execution and change control policies.
Have a security question you’d like answered in a future column? Email firstname.lastname@example.org