The desktop security landscape has been evolving under several pressures: targeted malware, end-user convenience expectations, and IT support and operational costs.

Two kinds of desktop environments are in play. On one hand there are standard users on restricted, fixed-function COE (Common Operating Environment) images; on the other, power users who are allowed to install their own software. This discussion targets COE deployments.

 

Below are the best-known security and operational challenges for a desktop environment.

1. Malware explosion – a visible increase in the number and complexity of malware samples.
2. Performance – the growing number of malware signatures slows on-demand AV scans.
3. Operational security – low outbreak resistance against zero-day malware and APTs.
4. Proliferation of unauthorized applications across the enterprise.
5. Behavioral challenge – end-user freedom versus the administrator's need for control.

 

OK, what did McAfee do about it?

At McAfee we have focused on these problems across our releases over the last three years. The solution we propose combines McAfee's whitelisting product, Application Control, with traditional anti-virus.

 

For those not yet familiar with application whitelisting

Application whitelisting is based on identifying the “known good” files for an IT environment and allowing only those files to execute. The default policy is deny: a binary does not run unless it has been explicitly added to the whitelist. Whitelisting products identify a file by a hash of its contents (or by its signing certificate) rather than by its name, so a renamed or tampered binary does not inherit the trust of the original.

Fine, what are the benefits?

Let us look at how McAfee's Application Control adds value to a traditional anti-virus solution, starting with the concept of observation mode.

 

 

  • How do you discover the applications and binaries in your organization, and hence the policies?

Most organizations, let us admit, have no way of knowing the right set of software to permit for each user and group, and hence for the enterprise as a whole. Uncontrolled software proliferation is another facet of the same problem.

Application Control helps here with a mode of operation called “observation mode”. This is a non-enforcing, monitor-only version of application control: it lets an administrator watch both the live inventory (what executes, including what would have been denied) and the stationary inventory (what sits on disk) with no visible impact on user operations.


The administrator sees the organization's entire inventory, grouped by application where applicable, along with file reputation and other details.

 

[Image: Inventory.png]

Effectively, policies are auto-discovered: Application Control does the job for you by reporting specific observations.
Important – AV remains the primary security control in this mode.


The administrator also sees, on the same central console, events for the execution of applications that would have been denied (they are only notionally denied on the endpoint in this mode). In Application Control parlance this list of events is the observations. Observation mode lets a security administrator keep monitoring the IT estate while AV handles the actual protection at the endpoints: the desktop user stays productive and the administrator gains security insight. Note that in this mode an unknown binary does run; the observation is a record for the console, not a block.

[Image: BlkAndAsk.png]

 

 

 

  • You mentioned “file reputation”; where does that information come from?

Application Control offers GTI-enabled file reputation. It can pull the complete file inventory of every endpoint up to ePO, where the inventory is checked against file reputation scores from McAfee's centrally maintained GTI (Global Threat Intelligence) service. Because the lookup happens at ePO rather than on each endpoint, files across the enterprise can be verified as malware or otherwise without adding load to the desktops. If a file is identified as malware, the ePO console offers a single pane of glass for locating every instance of it across the IT environment.

 

 

  • My infrastructure simply melts down during a malware outbreak. What do you do here?

Pure AV-based security relies largely on signatures to stop malware. Once zero-day malware gets in through one system, every other system carrying the same signature set is equally blind to it, and the infection spreads swiftly and without resistance.

With the Application Control and AV combination, outbreak resistance improves significantly. The administrator can move Application Control between observation mode and enforced mode at will. The moment an outbreak is suspected, switching to enforced mode effectively freezes the system state across the IT infrastructure: anything not already whitelisted, including the binaries the malware drops, can no longer execute, so the infection cannot travel further. Combined with inventory-based malware detection at ePO, infected machines can be identified quickly and queued for remediation. Enforcement governs what gets executed; a payload that runs only inside an already-whitelisted interpreter or is injected into a trusted process is outside its reach, which is why AV stays in the picture.
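
The observe-then-enforce behaviour described above, as an added example that is not McAfee code: a toy hash-based allow-list engine that records “notionally denied” observations in observation mode, then refuses unknown and tampered binaries once the administrator flips it to enforced mode. The file contents, paths, the `Mode`/`AppControl` names and the observation record format are all constructed for the illustration; a real product also trusts files by signer certificate and reports observations to a console such as ePO.

```python
"""Toy application-control engine: a hash-based allow-list that can run in
observation (monitor-only) mode or enforced (default-deny) mode.

Added illustration, not McAfee Application Control code. File contents,
paths and the observation record format are constructed for the example.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    OBSERVE = "observe"  # record would-be denials, let the binary run (AV is primary)
    ENFORCE = "enforce"  # default deny: anything not in the allow-list does not run


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def baseline(files: dict) -> set:
    """Build the initial 'known good' set from a clean image snapshot.
    `files` maps path -> file contents (bytes)."""
    return {sha256_hex(content) for content in files.values()}


@dataclass
class AppControl:
    mode: Mode
    allowlist: set                                     # SHA-256 digests of known-good files
    observations: list = field(default_factory=list)   # events destined for the console

    def decide(self, path: str, content: bytes) -> bool:
        """Return True if execution of `content` found at `path` is permitted."""
        digest = sha256_hex(content)
        if digest in self.allowlist:
            return True
        # Unknown file. In OBSERVE mode it is only notionally denied: log an
        # observation and allow it. In ENFORCE mode it is blocked.
        allowed = self.mode is Mode.OBSERVE
        self.observations.append({
            "path": path,
            "sha256": digest[:16] + "...",   # shortened for readability
            "mode": self.mode.value,
            "action": "would_deny" if allowed else "denied",
        })
        return allowed


def demo() -> dict:
    """Walk through observe -> outbreak suspected -> enforce on constructed data."""
    # Constructed clean image: what the COE ships with.
    image = {
        r"C:\Windows\notepad.exe": b"MZ...constructed notepad image...",
        r"C:\Program Files\Corp\corpapp.exe": b"MZ...constructed corp app...",
    }
    ac = AppControl(mode=Mode.OBSERVE, allowlist=baseline(image))

    notepad = image[r"C:\Windows\notepad.exe"]
    dropper = b"MZ...constructed unknown downloader..."   # constructed sample
    tampered_notepad = notepad + b"\x90\x90"              # same name, patched bytes
    temp_path = r"C:\Users\bob\AppData\Local\Temp\update.exe"

    results = {}
    # Observation mode: everything runs, but unknown files produce observations.
    results["observe_notepad"] = ac.decide(r"C:\Windows\notepad.exe", notepad)
    results["observe_dropper"] = ac.decide(temp_path, dropper)

    # Administrator suspects an outbreak and flips the estate to enforced mode.
    ac.mode = Mode.ENFORCE
    results["enforce_notepad"] = ac.decide(r"C:\Windows\notepad.exe", notepad)
    results["enforce_dropper"] = ac.decide(temp_path, dropper)
    # A file-infector that patched a whitelisted binary is denied too: trust is
    # bound to the hash of the contents, not to the path or name.
    results["enforce_tampered"] = ac.decide(r"C:\Windows\notepad.exe", tampered_notepad)
    results["observations"] = ac.observations
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The observation log produced in observe mode is exactly the list of things that will start failing once the mode flips, which is why reviewing it before enforcement is what keeps the switch from breaking legitimate but unlisted software.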

 

  • So far so good; how do you solve the “behavioral challenge” of end-user freedom versus admin control?

As we saw earlier, observation mode is monitor-only and adds visibility without affecting productivity. The challenge comes when Application Control is rolled out in “enforced” mode, which means that from then on denied or unlisted software cannot execute on the endpoint.

[Image: Request.png]

This is solved by letting the user submit a request to allow a change on their own machine. This is the dynamic part of whitelisting: the request is brokered through a well-defined interaction between the user and the administrator, so the whitelist changes only through an approved request rather than by the user installing whatever they like.

 

 

  • Finally, what else do you have for managing unauthorized applications?

A lot more!

In emerging markets, and elsewhere too, security also means being able to track down unauthorized and insecure software in the IT environment. Since Application Control makes the inventory available at ePO, it can be exported and reconciled against the corporate list of approved and vetted software. The delta between the approved list and the actual inventory identifies violations of security policy and of licensing requirements.
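
The two reconciliations described on this page, inventory against a reputation feed (the “file reputation” section) and inventory against the corporate approved-software list (above), as an added example that is not McAfee or ePO code. The CSV export, the hashes, the reputation verdicts (a stand-in for GTI scores), the host names and the approved list are all constructed; the column names and the function names are assumptions made for the illustration.

```python
"""Reconcile an exported endpoint file inventory against (a) a file-reputation
feed and (b) the corporate approved-software list.

Added illustration, not McAfee/ePO code. The CSV export, the reputation
verdicts (stand-in for GTI scores) and the approved list are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed inventory export: one row per file instance per host.
INVENTORY_CSV = """host,path,sha256,product
WS-001,C:\\Windows\\notepad.exe,a1a1,Notepad
WS-001,C:\\Program Files\\Corp\\corpapp.exe,b2b2,CorpApp
WS-001,C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe,c3c3,Unknown
WS-002,C:\\Windows\\notepad.exe,a1a1,Notepad
WS-002,C:\\Users\\ann\\Downloads\\utorrent.exe,d4d4,uTorrent
WS-003,C:\\ProgramData\\svc\\update.exe,c3c3,Unknown
WS-003,C:\\Program Files\\Corp\\corpapp.exe,b2b2,CorpApp
"""

# Constructed reputation feed: sha256 -> verdict. Digests absent here are "unknown".
REPUTATION = {"a1a1": "known_good", "b2b2": "known_good", "c3c3": "malicious"}
# Constructed corporate approved-software list (product names as the inventory reports them).
APPROVED = {"Notepad", "CorpApp"}


def load_inventory(text: str) -> list:
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def malware_locations(inventory: list, reputation: dict) -> dict:
    """sha256 -> sorted (host, path) pairs for every file the feed calls malicious.
    This is the 'find all instances across the environment' view."""
    hits = defaultdict(list)
    for row in inventory:
        if reputation.get(row["sha256"]) == "malicious":
            hits[row["sha256"]].append((row["host"], row["path"]))
    return {digest: sorted(locs) for digest, locs in hits.items()}


def unknown_reputation(inventory: list, reputation: dict) -> set:
    """Digests the feed knows nothing about: neither clean nor bad, so they need review."""
    return {row["sha256"] for row in inventory if row["sha256"] not in reputation}


def unapproved_software(inventory: list, approved: set) -> dict:
    """product -> sorted hosts, for everything in the inventory not on the approved list.
    This is the policy/licensing delta."""
    delta = defaultdict(set)
    for row in inventory:
        if row["product"] not in approved:
            delta[row["product"]].add(row["host"])
    return {product: sorted(hosts) for product, hosts in delta.items()}


def report() -> dict:
    inv = load_inventory(INVENTORY_CSV)
    return {
        "malware": malware_locations(inv, REPUTATION),
        "unknown": unknown_reputation(inv, REPUTATION),
        "unapproved": unapproved_software(inv, APPROVED),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(), indent=2, default=sorted))
```

Keying the malware search on the hash rather than the file name is what makes the same dropper show up under two different paths on WS-001 and WS-003, and the “unknown” bucket is worth reporting separately: a file with no reputation at all is not cleared, it is simply not yet judged.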

Concluding Thoughts!

Application whitelisting is evolving into a viable primary layer of defense for a class of desktop systems. Complemented by the existing AV solution, it provides strong defense against emerging threats such as APTs and targeted malware. It also reduces operational cost by controlling the sprawl of unauthorized applications. Finally, with the administrative features built into whitelisting, system administrators can look forward to a simpler yet more secure desktop security model.