Wednesday, June 5, 2019

Application White-listing With Bit9 Parity

K. PADMAVATHI

I. Introduction

Antivirus is a requirement for a host of compliance standards and is championed as a critical component of every security baseline (PCI-DSS 3.0-5.1). A recent search for "Cyber Security Breaches" in Google News shows 16,700 results. Even NIST has stated that AV is not an adequate control. The basis for this argument is that AV, even with heuristics, looks for rules or signatures that are known to the specific AV vendor. Bit9 Parity goes a step further and restricts the execution of every executable or application to only those allowed by the product (Bit9 Datasheet, 2013). Parity has a host of benefits as well as some significant drawbacks, but with proper and careful implementation, a deployment of Parity can be successful.

Parity has multiple methods to manage and control an environment. Parity is deployed with a server, database and console to control and manage Parity Agents. The deployed agents are a package of executables and configuration files that contain a kernel module that sits on the hardware layer and proxies the raw system calls from the user layer to those resources. For this reason, manipulation of the agent from the user layer is very difficult. There is also a management console to manipulate the server that controls all agents on endpoints.

II. Pre-Deployment

During pre-deployment, the first thing that must be decided is where the product will be deployed. Bit9 would recommend that the product be deployed on all systems in an environment. However, this is not feasible, as the cost of the product and the complexity of most environments make 100% immediate deployment difficult. Parity takes a default-deny approach (Bit9 Data Sheet, 2014). This is a sound method for protection but can make deployments difficult. To deal with this situation it is a good idea to deploy the product in homogeneous environments first. Therefore, in planning deployment it is best to identify and group environments by their similarity and their levels of criticality. The most critical could be where the protection needs to go first. However, an additional risk of deploying the product in critical environments is that by definition they are critical to the business. So the product must be deployed with care, proper planning and testing.

III. To Protect the Environment (Client-side)

Defense and prevention is absolutely ideal when it comes to deployment of Parity. When working with dynamic and non-homogeneous environments the product should be deployed with this mindset. An excellent environment for deploying to protect would be a desktop or laptop (client side) environment.

IV. To Control the Environment

In order to protect an environment, administrators and security personnel must control and understand their environment. However, methods of deployment can differ with these key goals in mind. Deploying to control should be applied in specific environments that have rigorous change control and a low level of change. This would be server environments or other systems that are running on end-of-life operating systems, such as Supervisory Control and Data Acquisition (SCADA) systems, as well as some Point of Sale (POS) systems.

V. Deployment

After deciding which environment to start with, it is time to build out the Parity Server and console. According to the Bit9 installation guide, the server should have a working SQL Server or a new SQL Server database, either 2005 or 2008, deployed and configured prior to installation (Parity 6.0 Deployment Guide, 2013). The server will also need .NET Framework 3.5 and a host of other Microsoft web application requirements. All should be included with a current version of Server 2008. Prior to installation, ensure that all servers meet local hardening procedures.

VI. Configuration

After the server has been installed, it should be simple to browse to https://localhost, which will direct to the Parity console if logging on locally. Browsing from another system to https://servername will direct the administrator to the Parity console. The default credentials should be username admin and password admin. As always, per best practice, change them immediately.

VII. Bit9 Knowledge Base

Another critical component is the Bit9 knowledge base. The Bit9 knowledge base is one of the single largest collections of known-good executables available commercially. This will require outbound connectivity from the Parity server to the Bit9 knowledge base servers on port 443. It will also require a license from Bit9 for the knowledge base. There is an open API to query the data through a RESTful API (script attached in Appendix B). The knowledge base can be configured in the system administration tab under Licensing, Parity Knowledge Activation.

VIII. Other System Administration

On the system administration tab there are a host of other setup actions that can be accomplished as well. On the mail tab, the SMTP settings for alerts can be configured to send alerts for the status of systems. The advanced options include the ability to back up the database, configure automated updates, the logout time for the Parity console, file upload configuration, old computer cleanup, software rule completion, and certificate options. Most of these options are not of much concern; however, the cleanup of old agents should be configured.

IX. Policy Configuration

Designing the policies in Parity is absolutely critical to having a successful deployment. The default policies that come with the product are a good place to start: the Default Policy, which is designed for agents to go to once the agent is initially installed; the Local Approval Policy, which is designed to approve any running executables on the system; and the Template Policy, which is designed to be copied and configured for new policies. Initially, four new policies need to be created for management of agents. A Lockdown Policy must be created to replace the Default Policy and to be the final stop for agents during configuration. A Lockdown Reporting Policy will be configured on systems to report as if they were in lockdown without actually blocking, and a Monitor Policy to start hashing and collecting execution information on systems. A Disabled Policy should also be created for the installation of the agents, and removal of the agents if necessary.

X. Deploying Agents

After all the agent configuration policies have been created, along with some basic software rules like the .NET software rule, it is time to start deploying agents. The agents can be downloaded from https://parityserver/hostpkg/. It is best to start with an agent-disabled policy. Installing the agent can be done on all systems through multiple methods: GPO, software deployment tools, and scripting. Scripting is beneficial because it can be scheduled and the output can be collected for error checking. See Appendix B for an example installation script. Installing the agents is a slow process which requires getting a list of all devices, and verifying in the Parity Console that the assets are available and the communication level of the agent. Something to consider is that any Windows version after Server 2008 and Windows 7 should deploy the agents without the need for a reboot. However, older versions will require a reboot. If the agents are not communicating with the Parity Server, ensure that agents can reach the server on TCP port 41002, or reboot the system if necessary.

XI. Lock Down the Agents

After ensuring that all agents are deployed it is time to start locking down agents. This can be accomplished by selectively moving agents into the Monitoring Policy. This step in the installation process has the most impact on the system; therefore it is best to move agents into this policy during times of little usage and only move a few agents at a time.

XII. Policies and Procedures

Before moving any systems into lockdown (other than testing systems) it is time to ensure there is a process for addressing blocked executables that users/administrators need to run on the systems. It is likely that any organization that is going to deploy Parity will have methods and processes for IT workflow. This is an ideal method for dealing with end-user issues with Parity blocks of potentially useful and needed executables. This should be communicated to the user population to ensure that users know where to go in case they have a Parity block.

XIII. Operational Uses for Parity

There are many other uses for Parity other than just protecting the environment. It is an excellent source of information showing exactly what is running in an environment. By querying the data in Parity, a security analyst could research whether a downloaded malicious file actually reached the endpoint system or not. An analyst could also upload a hash from analysis done on another system to Parity to block it across the install base. The server has a very simple SOAP API utilizing JSON that can be called very simply from web posts.

XIV. Conclusion

When evaluating any technology, technologists and security practitioners should carefully analyze with due care the technologies, especially those that will require employee time and energy as well as significant capital expenditure. Bit9's Parity will take significant time, funds, and energy to deploy. It will take a concerted effort from senior leadership to decide on the product and then organizational push to deploy it. The approach that application white-listing takes is a simple one: trust only what is known; all other executables and binaries are not trusted and are not allowed to run. If an organization believes that it may be targeted by an advanced actor, then the advanced protection provided by an approach like application white-listing should be evaluated. The decision is a risk decision; the protections Parity offers are significant. If deployed properly, malware will not be able to gain persistence on a network, and a huge number of other attacks will be mitigated. If an organization deems that it needs this level of security, the costs and energy that Parity takes to deploy are well worth the effort.
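As an added example for the scripted agent rollout described in section X (this is not the paper's Appendix B script and not Bit9's own code), the PowerShell script below is meant to run on each endpoint, for instance from a scheduled task. It first checks that the endpoint can reach the Parity server on TCP port 41002 (the port the paper names), then runs the installer silently and appends one result line per machine to a central log so that failures and pending reboots can be collected for error checking. The server name parityserver comes from the paper's download URL; the assumption that the agent ships as an MSI, the installer path and the log share are hypothetical placeholders.

```powershell
# Added example: scripted Parity agent install with a connectivity pre-check and
# a central result log. Not from the paper or from Bit9.
# Assumptions/placeholders: the MSI filename, the deploy share and the log share are
# hypothetical; 'parityserver' and TCP 41002 are the values the paper gives.
param(
    [string]$ParityServer = 'parityserver',
    [int]$AgentPort       = 41002,
    [string]$InstallerMsi = '\\fileserver\deploy\PLACEHOLDER-ParityAgent.msi',
    [string]$ResultLog    = '\\fileserver\deploy\logs\parity-install.csv'
)

function Test-TcpPort {
    # TcpClient is used instead of Test-NetConnection so the check also works on
    # PowerShell 2.0 hosts (Windows 7 / Server 2008), which the paper says still need a reboot.
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Install-ParityAgent {
    # /qn = silent, /norestart = never reboot on its own; the exit code tells us whether
    # a reboot is pending, which is the case the paper calls out for older Windows versions.
    param([string]$Msi)
    $localLog = Join-Path $env:TEMP 'parity-agent-install.log'
    $p = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList "/i `"$Msi`" /qn /norestart /l*v `"$localLog`"" `
        -Wait -PassThru
    return $p.ExitCode
}

function Write-Result {
    # One CSV line per endpoint: timestamp, computer name, status, detail.
    param([string]$Status, [string]$Detail)
    $line = '{0},{1},{2},{3}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $env:COMPUTERNAME, $Status, $Detail
    Add-Content -Path $ResultLog -Value $line
    Write-Output $line
}

# 1. Pre-check: an agent that cannot reach the server on 41002 installs fine but never
#    shows up as communicating in the console, so record that up front instead.
if (-not (Test-TcpPort -Server $ParityServer -Port $AgentPort)) {
    Write-Result -Status 'SKIPPED' -Detail "cannot reach ${ParityServer}:${AgentPort}"
    exit 1
}

# 2. Install and classify the msiexec exit code
#    (0 = installed, 3010 = reboot required, 1641 = reboot initiated, anything else = failure).
$code = Install-ParityAgent -Msi $InstallerMsi
switch ($code) {
    0       { Write-Result -Status 'INSTALLED' -Detail 'no reboot needed' }
    3010    { Write-Result -Status 'INSTALLED' -Detail 'reboot required' }
    1641    { Write-Result -Status 'INSTALLED' -Detail 'reboot initiated' }
    default { Write-Result -Status 'FAILED'    -Detail "msiexec exit code $code" }
}
exit $code
```

The result file can then be cross-checked against the device list and the console's agent view that the paper says must be verified by hand: every host in the device list should have an INSTALLED line, and any SKIPPED or FAILED line points at the connectivity or installer problem to chase before the host is moved out of the disabled policy.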
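Section XIII describes using Parity's execution inventory to answer whether a malicious file actually reached an endpoint, and blocking a hash obtained elsewhere across the install base. The following added PowerShell example (not the paper's code and not Bit9's API) shows the analyst side of that workflow over an exported inventory: it normalizes analyst-supplied hashes, reports which hosts executed them and when, and lists the hashes that were not observed and still belong on the block list. The CSV layout (Host, Path, Hash, FirstSeen) and the sample rows are constructed for this example and are not a real Parity export format.

```powershell
# Added example: match analyst-supplied hashes against an execution inventory.
# Not from the paper or from Bit9. The CSV columns and the rows below are constructed.
$sampleExport = @'
Host,Path,Hash,FirstSeen
WS-0142,C:\Users\jdoe\Downloads\invoice.exe,3f786850e387550fdab836ed7e6dc881de23001b,2019-06-03 09:12:44
WS-0142,C:\Windows\System32\notepad.exe,9b7f24f3c2a0b4a6b1d0e6a4f7a1c9d2e3b4a5c6,2019-05-20 08:00:01
WS-0177,C:\Users\asmith\AppData\Local\Temp\invoice.exe,3F786850E387550FDAB836ED7E6DC881DE23001B,2019-06-03 09:15:02
SRV-DB01,C:\Program Files\Vendor\svc.exe,e2c569be17396eca2a2e3c11578123ed5e2c5ac9,2019-01-10 12:00:00
'@
# For a real export, replace the line below with: $inventory = Import-Csv <export file>
$inventory = $sampleExport | ConvertFrom-Csv

function ConvertTo-CanonicalHash {
    # Lower-case and trim, and reject anything that is not a hex MD5/SHA-1/SHA-256 digest,
    # so a stray character in a pasted indicator fails loudly instead of yielding "no hits".
    param([string]$Hash)
    $h = $Hash.Trim().ToLowerInvariant()
    if ($h -notmatch '^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$') {
        throw "not a valid MD5/SHA-1/SHA-256 hex digest: '$Hash'"
    }
    return $h
}

function Find-HashHits {
    # Streams inventory rows through and emits those whose hash is in the indicator set.
    param(
        [Parameter(ValueFromPipeline = $true)] $Row,
        [string[]]$Iocs
    )
    begin {
        $wanted = @{}
        foreach ($i in $Iocs) { $wanted[(ConvertTo-CanonicalHash $i)] = $true }
    }
    process {
        if ($wanted.ContainsKey((ConvertTo-CanonicalHash $Row.Hash))) { $Row }
    }
}

# Hashes an analyst obtained from analysis on another system (constructed values).
$iocs = @('3f786850e387550fdab836ed7e6dc881de23001b',
          'deadbeefdeadbeefdeadbeefdeadbeefdeadbeef')

$hits = $inventory | Find-HashHits -Iocs $iocs

# Per-host view: did the file reach the endpoint, and when did it first execute?
$hits | Group-Object -Property Host | ForEach-Object {
    $first = ($_.Group | Sort-Object FirstSeen | Select-Object -First 1).FirstSeen
    '{0}: {1} execution(s), first seen {2}' -f $_.Name, $_.Count, $first
}

# Hashes never observed still go on the block list; that is the preventive half of the
# workflow the paper describes (block across the install base before the file arrives).
$seen = @($hits | ForEach-Object { ConvertTo-CanonicalHash $_.Hash } | Sort-Object -Unique)
$iocs | ForEach-Object { ConvertTo-CanonicalHash $_ } |
    Where-Object { $seen -notcontains $_ } |
    ForEach-Object { "not observed on any host, add to block list: $_" }
```

With the constructed rows, the upper-case hash on WS-0177 is still matched because both sides are canonicalized, which is the usual trap when pasting indicators from a report into a console search; the third indicator produces a "not observed" line rather than silently disappearing.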
