Protecting Endpoints from Malware using Deny-First Whitelisting

By RJ Gazarek

Malware is on the rise, and shows no signs of slowing. According to the AV-TEST Institute:

• Through September 2016, nearly 600 Million different types of malware exist
• Over 140 Million new types of malware are created every year
• Over 11 Million new types of malware are discovered every month

Traditional anti-virus and anti-malware solutions rely on comparing a file’s digital signature or hash to a list of known applications that are reported as malware or viruses. However, at the alarming rate that new types of malware are being created, it’s becoming nearly impossible for these signature databases to stay ahead of the problem.

Additionally, if your system happens to be the first one infected by a new type of Ransomware, an anti-malware solution might not recognize that it’s a problem until it’s too late.

Recently, a new version of the Locky Ransomware has been reported online, using a .ODIN extension. Because this extension was not registered in the anti-malware programs, a lot of companies had their files encrypted, with a demand to pay a fee to have them decrypted. (A quick Google search for “Odin Ransomware” will show you just how pervasive this threat was.)

Unfortunately, those that weren’t forward-thinking enough to have extensive backups or an advanced application control solution in place could face significant downtime as they attempt to recreate the lost files and systems (since most businesses would never pay the ransom).

That’s where the concept of Deny-First Whitelisting comes into play – a policy implementation done through some sort of advanced application control solution.

The concept of Deny-First Whitelisting is that every application and process is denied from running on a network, unless it’s on a list. This is the strictest method of whitelisting, offers the most control, and the highest level of security and protection. It prevents nearly every malicious application from being able to run, since nothing runs unless it’s on an approved list.

However, this level of security can come with a tremendous trade-off in terms of productivity. Whenever an employee needs to run a new and valid application or process, they have to submit a ticket or request, allow time for IT to evaluate the software, and wait for IT to add the application or process to the approved/allow list.

That’s where flexible whitelisting, or “graylisting”, comes into play: a solution that offers the power of whitelisting while still allowing applications to run by either:

• Comparing the application to a 3rd-party reputation database, and developing threshold-based policies on whether an application can run
• Isolating or sandboxing an application so that, in the event that it is malicious, it is kept away from any critical systems.

Application control solutions provide very strong malware protection by following a simple mantra:

At the endpoint, run only what is required and trustworthy, and at the lowest possible privilege and access.

In contrast to anti-malware solutions, application control solutions assume everything is bad, or at least suspicious, unless proven otherwise. Application control solutions focus on restricting the execution of applications. An application’s rights are also tied to the privileges of the user executing it, and most attacks require elevated privileges to do major harm and to hide well. Removing privileges from users makes these deeds harder. When organizations deploy application control correctly and take care to mitigate residual risks, it is one of the strongest endpoint security controls.

Application control’s strength as an endpoint security technology is also widely published. According to Gartner’s ‘Market Guide for Cloud Workload Protection Platforms’ they recommend “… [to] use application control and whitelisting as your primary server protection strategy.”

Thycotic recently released its newest product, Privilege Manager for Windows. It is an Endpoint Security and Application Control Solution that proactively protects an organization’s network by securing valuable endpoints, controlling application access, and protecting privileged accounts. Privilege Manager for Windows is integrated with Thycotic Secret Server and is the easiest-to-use and easiest-to-manage Application Control and Privilege Management Solution available in the market – by far. Users will be amazed at how fast they get real value from the product.

How does it work?

Privilege Manager for Windows operates on a simple 3-step policy driven process.

1.) Application Starts: Once an application starts, the installed agent on the endpoint recognizes the process and begins to search for a matching policy.

2.) Policy is Evaluated: Each policy in Privilege Manager for Windows consists of 4 main components:

• Identifying the Application (e.g. “this is photoshop.exe”).
• Inclusion Filters (contextual situations that the policy should apply in: “the user running it is a standard user”, “the application is running on a public network”, or “the application was downloaded from adobe.com”).
• Exclusion Filters (rules for who this policy shouldn’t apply to: “this policy doesn’t apply to any admins”).
• Identifying the Target (what type of machine this application is attempting to run on: “the application is running on a Windows Server 2008 machine”).

Once the policy is evaluated and it is determined whether the policy matches the existing scenario, the actions are applied.

3.) Action is applied: Once the agent accepts that the policy applies to the situation, it begins to go through the actions list.

• A few possible actions include “Elevate this application with administrative privilege”, “Isolate this device in a sandbox environment”, or “Send a message and request reason for access”.

With this extremely simple process, IT Admins can protect their endpoints from malware while still allowing employees to run the applications they need to.
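To make the deny-first model and the 3-step policy evaluation concrete, here is an added example (not Thycotic’s code, and not how Privilege Manager for Windows is implemented): a small evaluator in which each policy carries an application identifier, inclusion filters, exclusion filters, a target filter and an action, and anything no policy matches is denied. The reputation-threshold rules illustrate the graylisting idea; the 0-100 reputation score, the event fields and all policy names are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# A process-start event as the endpoint agent would see it (step 1).
# The field names are constructed for this example.
Event = Dict[str, object]
Filter = Callable[[Event], bool]

@dataclass
class Policy:
    name: str
    application: str       # image name the policy identifies, or "*" for any application
    include: List[Filter]  # inclusion filters: every one must hold
    exclude: List[Filter]  # exclusion filters: any match means the policy does not apply
    target: Filter         # target filter: which kind of machine the policy applies to
    action: str            # action applied when the policy matches

def matches(policy: Policy, ev: Event) -> bool:
    """Step 2: identify the application, then check target, exclusions and inclusions."""
    if policy.application != "*" and str(ev["image"]).lower() != policy.application:
        return False
    if not policy.target(ev) or any(f(ev) for f in policy.exclude):
        return False
    return all(f(ev) for f in policy.include)

def evaluate(policies: List[Policy], ev: Event) -> str:
    """Step 3: the first matching policy's action is applied; deny-first means no match -> deny."""
    for policy in policies:
        if matches(policy, ev):
            return policy.action
    return "deny"

# Hypothetical policy set: one named-application rule plus two reputation-threshold
# (graylisting) rules. 'reputation' is assumed to be a 0-100 score from a 3rd-party service.
POLICIES = [
    Policy("photoshop for standard users", "photoshop.exe",
           include=[lambda e: e["origin"] == "adobe.com"],
           exclude=[lambda e: bool(e["user_is_admin"])],
           target=lambda e: str(e["os"]).startswith("Windows"),
           action="elevate"),
    Policy("trusted by reputation", "*", include=[lambda e: e["reputation"] >= 80],
           exclude=[], target=lambda e: True, action="allow"),
    Policy("sandbox uncertain", "*", include=[lambda e: 40 <= e["reputation"] < 80],
           exclude=[], target=lambda e: True, action="sandbox"),
]

def decide(image, origin, reputation, user_is_admin=False, os="Windows 10"):
    """Build a constructed event and run it through the deny-first policy set."""
    ev = {"image": image, "origin": origin, "reputation": reputation,
          "user_is_admin": user_is_admin, "os": os}
    return evaluate(POLICIES, ev)
```

Note that an admin running photoshop.exe is excluded from the first policy and falls through to the reputation rules, and an unknown low-reputation binary reaches no policy at all and is denied by default.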

Start your FREE Trial of Privilege Manager for Windows today.

Source: Thycotic