Application White-listing With Bit9 Parity

Application White-listing With Bit9 Parity K.PADMAVATHI I. Introduction Antivirus is a requirement for a host of compliance standards and is championed to be a critical component for any security baseline (PCI-DSS 3.0-5.1). A recent google search for â€Å"Cyber Security Breaches† in Google News shows 16,700 results in Google News. Even NIST has stated that that AV is not an adequate control. The basis for this argument is that AV, even with heuristics, looks for methods or signatures that are known to the specific AV vendor. Bit9 Parity goes a step further and restricts the execution of any executable or applications to those only allowed by the product (Bit9 Datasheet, 2013). Parity has a host of benefits as well as some significant drawbacks, but with proper and careful implementation, a deployment of Parity can be successful. Parity has multiple methods to manage and control an environment. Parity is deployed with a server, database and console to control and manage Parity Agents. The deployed agents are a package of executables and configurat ion files that contain a kernel module that sits on the hardware layer and proxies the raw system calls from the user layer to those resources. For this reason it makes manipulation of the agent from the user layer very difficult. There is also a management console to manipulate the server that controls all agents on endpoints. II. Pre-Deployment During pre-deployment, the first thing that must be decided is where it will be deployed. Bit9 would recommend that the product be deployed on all systems in an environment. However, this is not feasible as the cost of the product and the complexity of most environments makes 100% immediate deployment difficult. Parity takes a default deny approach (Bit9 Data Sheet, 2014). This is a good method for protection but can make deployments difficult. To deal with this situation it is a good idea to deploy the product in homogenous environments first. Therefore, in planning deployment it is best to identify and group environments by their similarity and their levels of criticality. The most critical could be where the protection needs to go first. However an additional risk of deploying the product in critical environments is that by description they are critical to the business. So the product must deployed with care, proper planning and testing. III. To Protect the Environment (Client-side) Protection and prevention is absolutely ideal when it comes to deployment of Parity. When working with dynamic and non-homogenous environments the product should be deployed in this mindset. An excellent environment for deploying to protect would be a desktop or laptop (client side) environment. IV. To Control the Environment In order to protect an environment administrators and security personnel must control andunderstand their environment. However methods of deployment can differ with these underlying goals in mind. Deploying to control should be applied in specific environments that have rigorous change control and a low level of change. This would be server environments or other systems that are running on end-of life operating systems, such as Supervisory Control and Data Acquisition (SCADA) systems, as well as some Point of Sale Systems (POS). V. Deployment After deciding what environment to start, it is time to build out the Parity Server and console. According to the Bit9 installation guide, the server should have a SQL server available or a new SQL server database, either 2005 or 2008 deployed and configured prior to installation. (Parity 6.0 Deployment Guide, 2013) The server will also need .net framework 3.5 and a host of other web application Microsoft requirements. All should be included with a current version of Server 2008. Prior to installation ensure that all servers meet local hardening procedures. VI. Configuration After the server has been installed, it should be simple to browse to the https://localhost which will direct to the Parity console if logging on locally. Browsing from another system to https://server name which will direct the administrator to the Parity console. The default credentials should be username admin and password admin. As always, best practices, change immediately. VII. Bit9 Knowledge Base Another critical component is the Bit9 knowledgebase. The Bit9 knowledgebase is one of the single largest collection of known good executables available commercially. This will require outbound connectivity to the Bit9 knowledgebase servers on port 443 from the Parity server. It will also require a license from Bit9 knowledgebase. There is an open API to query the data through a restful API. (Script attached – Appendix B) The knowledgebase can be configured in the Administration tab > Licensing >Parity Knowledge Activation. VIII. Other System Administration On the system administration tab there are a host of other setup actions that can be accomplished on this tab as well. On the mail tab, the SMTP settings for alerts can be configured to send alerts for status of systems. The advanced options has the ability to back-up the database, configure automated updates, log out times for the parity console, file uploads configuration, old computer cleanup, software rule completion, and certificate options. Most of these options are not of much concern, however the cleaning up of old agents should be configured. IX. Policy Configuration Designing the policies in Parity is absolutely critical to having a successful deployment. The default policies that come with the product are a good place to start. â€Å"Default Policy† which is designed for the agents to go to once the agent is initially installed. The â€Å"Local Approval Policy† which is designed to approve any running executables on the system. The â€Å"Template Policy† which is designed to be copied and configured for new policies. Initially four new policies need to be created for management of agents. â€Å"Lockdown Policy† must be created to replace the Default Policy and to be the final stop for agents during configuration. â€Å"Lockdown Reporting† policy which will be configured on systems to report as if they were in lockdown without actually blocking, and a â€Å"Monitoring Policy† to start hashing and collecting execution information on systems. â€Å"Disabled Policy† should also be created to for the installation of the agents, and removal of the agents if necessary. X. Deploying Agents After all the agent configuration policies have been created and some basic software rules like the .net software rule, it is time to start deploying agents. The agents can be downloaded from https://parityserver/hostpkg/. It is best to start with an agent disabled policy.Installing the agent can be done on all systems through multiple methods, GPO, software packaging and through scripting. Scripting is beneficial, because it can be scheduled and the output can be collected for error checking. See appendix B for an example installation script. Installing the agents is a slow process which requires getting a list of all devices, verifying in the Parity Console the assets are available and the communication level of the agent. Something to consider is that any Windows version after Server 2008 and Windows 7 should deploy the agents without the need for a reboot. However older versions will require a reboot. If the agents are not communicating with the Parity Server ensure that agents can reach the server on TCP port 41002 or reboot the system if necessary. XI. Locking Down the Agents After ensuring that all agents are deployed it is time to start locking down agents. This can be accomplished by selectively moving agents into the â€Å"Monitoring Policy†. This step in the installation process has the most impact on the system therefore it is best to move agents into this policy during times of less usage and only move a few agents at a time. XII. Policies and Procedures Before moving any systems into lockdown (other than testing systems) it is time to ensure there is a process for addressing blocked executables that users/administrators need to run on the systems. It is likely that any organization that is going to deploy Parity will have methods and processes for IT workflow. This is an ideal method for dealing with end user issues with Parity blocks of potentially useful and needed executables. This should be communicated with the user population to ensure that users know where to go in case they have Parity block. XIII. Operational Uses for Parity There are many other uses for Parity other than just to protect the environment. It is an excellent source of information showing exactly what is running in an environment. By querying the data in Parity, a Security Analyst could research to find if a downloaded malicious file actually reached the endpoint system or not. An Analyst could also upload a hash from doing analysis on another system to Parity to block across the install base. The server actually has a very simple SOAP API utilizing JSON that can be called very simply from web posts. XIV. Conclusion When evaluating any technology technologist and security practitioners should carefully analyze with due care the technologies, especially those that will require employee time and energy as well as significant capital expenditure. Bit9’s Parity will take significant time, funds, and energy to deploy. It will take a concerted effort from senior leadership to decide on the product and then organizational push to deploy it. The approach that Application-White listing takes is a simple one, trust only what is known and all other executables and binaries are not trusted and are not allowed to run. If an organization believes that they may be targeted by an advanced actor then the advanced protection provided by an approach like Application-White listing should be evaluated. The decision is a risk decision, the protections Parity offers are significant. If deployed properly, malware will not be able to gain a persistence on a network, as well a huge number of other attacks will be mitigated. If an organization deems that they need the level of security, the costs and energy that Parity takes to deploy are well worth the efforts.