When looking across the enterprise, the greatest security vulnerability your organization has is your internal workforce. I cringe when I walk into an enterprise and find workers granted full administrative access to their endpoints. Think about it: that worker has full control of the endpoint, from installing software to deleting key files. Imagine this scenario: John is browsing Facebook, sees what he thinks is a cool video and clicks on it. Little did John know that the URL he clicked performed a drive-by download, installing CryptoLocker on the system and resulting in a ransomware attack, a CISO's worst nightmare. And without whitelisting, that nightmare recurs daily in many organizations.
This raises a few critical questions: do workers need full administrator rights? Does the benefit of complete freedom for the workforce outweigh the cost? With RES ONE Workspace, the answer is no. There is a better way: you can still give workers the freedom to work how they want to work, while controlling what they have access to.
In addition to RES ONE Workspace's core competence around context awareness, RES ONE Workspace offers two key capabilities that address this problem: application whitelisting and privilege management. Gartner defines these as follows:
- “Application whitelisting: In this technique, only known good applications are placed on an approved list and allowed to run.
- Privilege management: In this approach, most applications run with standard user privileges. Applications run with administrative rights only on an exception basis, as permitted by policy.”
In this blog, I am going to focus on application whitelisting and dispel the myth that these whitelists are too hard and costly to maintain. In future blogs, I will focus on privilege management.
Application Whitelisting – Building That Initial Whitelist
The hardest part of building an initial whitelist is compiling the list of known good files along with their file hashes. What are the sources of truth? How many “gold images” do you have? The key to building a whitelist is to enumerate every place where known good files exist: your “gold images”, custom endpoints, Microsoft SCCM, IBM BigFix and file shares. Imagine you have thousands of known executables and you need to capture not only the file information (name, version, location) but also a hash of each file's contents. Then comes the hard part: getting all of those hashes into one central whitelist and keeping it current as files change. In the past, this task was done manually, making it very labor intensive and extremely error prone. Whitelisting seems daunting, and without the proper solution it is, but luckily RES has a solution!
Introducing File Hash Monitor
RES ONE Workspace File Hash Monitor is a companion tool to RES ONE Workspace that can be downloaded from the RES Success Center. It eliminates the need to manually configure Authorized Files and file hashes in the RES ONE Workspace Console for your distributed applications: it scans your sources, then automatically imports the hashes into your RES ONE Workspace environment and keeps them updated. RES ONE Workspace File Hash Monitor simplifies security whitelisting through integrations with Microsoft System Center and IBM BigFix, or with a file share if you deploy applications manually.
You can set up RES File Hash Monitor to:
- Import file hashes on a schedule, so the whitelist is refreshed at a regular interval.
- Scan local directories, UNC paths, Microsoft SCCM and IBM BigFix software distribution folders, and “gold images”.
- Integrate with any file extraction tool, so that compressed packages are automatically extracted, scanned, and the hashes of the files inside them imported.
- Hash the file types you choose (executables, libraries, installers, scripts).
Once the setup is completed, you click ‘OK’ and your whitelist is built automatically. The benefit of RES File Hash Monitor is that it continuously scans those directories for changes and adds the hashes of any new files it finds. This matters if you use a tool like Microsoft SCCM, because every package you deploy is whitelisted before it reaches an endpoint; the corollary is that the whitelist is only as trustworthy as the sources it scans, so access to those distribution folders and gold images should be tightly controlled. With RES you now have a self-maintaining, file-hash-based whitelist that saves your organization hours of upkeep, gives users access to the files they need, and blocks everything else.
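To make the scan / import / re-scan workflow concrete, here is an added example of the same idea in Python. It is not RES code and does not use the RES File Hash Monitor or Console; it only illustrates the mechanics the post describes (walking several sources of truth, hashing selected file types, looking inside a compressed package, merging into one central list, and re-running so only new hashes are added). The folder names, extension sets and dictionary layout are assumptions chosen for illustration, and the sample tree it builds in a temporary directory is constructed, not a real gold image or SCCM source.

```python
# Added example (not RES code): a re-runnable file-hash whitelist builder that mirrors
# the scan / import / re-scan workflow described above. Folder names, the dictionary
# layout and the extension sets are illustrative assumptions.
import hashlib
import os
import tempfile
import zipfile
from pathlib import Path

EXEC_EXTENSIONS = {".exe", ".dll", ".msi", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".scr", ".com"}
ARCHIVE_EXTENSIONS = {".zip"}  # packages whose members are hashed in place

def _digest(stream, chunk=1 << 20):
    """SHA-256 of a binary stream, chunked so large installers do not load into memory."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def sha256_file(path):
    with open(path, "rb") as f:
        return _digest(f)

def _record(found, digest, name, location):
    found.setdefault(digest, {"name": name, "paths": []})["paths"].append(location)

def scan_archive(archive, rel, found):
    """Hash executable members inside a compressed package (the 'extract, scan, import' case)."""
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            member = Path(info.filename)
            if not info.is_dir() and member.suffix.lower() in EXEC_EXTENSIONS:
                with zf.open(info) as f:
                    _record(found, _digest(f), member.name, f"{rel}!{info.filename}")

def scan_source(root):
    """Walk one source of truth (gold image mount, SCCM/BigFix source folder, file share)
    and return {sha256: {"name": ..., "paths": [...]}}. Symlinks are skipped so a link
    planted in a source folder cannot pull unrelated content onto the list."""
    root, found = Path(root), {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            rel, ext = str(p.relative_to(root)), p.suffix.lower()
            if ext in EXEC_EXTENSIONS:
                _record(found, sha256_file(p), name, rel)
            elif ext in ARCHIVE_EXTENSIONS and zipfile.is_zipfile(p):
                scan_archive(p, rel, found)
    return found

def merge_into_whitelist(whitelist, scanned, source_label):
    """Add hashes not yet listed; return the new ones (what a scheduled re-scan reports)."""
    added = []
    for digest, info in scanned.items():
        if digest not in whitelist:
            whitelist[digest] = {"name": info["name"], "sources": []}
            added.append(digest)
        for rel in info["paths"]:
            label = f"{source_label}:{rel}"
            if label not in whitelist[digest]["sources"]:
                whitelist[digest]["sources"].append(label)
    return added

def build_whitelist(sources, whitelist=None):
    """sources: {label: directory}. Re-runnable: an existing list is extended, never rebuilt."""
    whitelist = {} if whitelist is None else whitelist
    return whitelist, {label: merge_into_whitelist(whitelist, scan_source(root), label)
                       for label, root in sources.items()}

def is_allowed(whitelist, path):
    """Enforcement check: the hash of the bytes on disk decides, never the file name."""
    return sha256_file(path) in whitelist

def demo():
    """Constructed sample tree: a fake gold image, an SCCM source folder and a zipped package."""
    base = Path(tempfile.mkdtemp())
    gold, sccm = base / "gold_image", base / "sccm_source"
    (gold / "Windows").mkdir(parents=True)
    (sccm / "App1").mkdir(parents=True)
    (gold / "Windows" / "notepad.exe").write_bytes(b"MZ gold notepad")
    (gold / "readme.txt").write_bytes(b"not executable, ignored")
    (sccm / "App1" / "setup.msi").write_bytes(b"MZ setup v1")
    with zipfile.ZipFile(sccm / "App1" / "tools.zip", "w") as zf:
        zf.writestr("bin/helper.dll", b"MZ helper dll")
    wl, first = build_whitelist({"gold": gold, "sccm": sccm})
    # A later deployment drops a new package; the re-scan adds only that hash.
    (sccm / "App1" / "setup_v2.msi").write_bytes(b"MZ setup v2")
    wl, second = build_whitelist({"gold": gold, "sccm": sccm}, wl)
    # Same bytes under a new name stay allowed; tampered bytes under a known name do not.
    renamed, trojan = base / "harmless.exe", base / "notepad.exe"
    renamed.write_bytes(b"MZ gold notepad")
    trojan.write_bytes(b"MZ trojan")
    return {
        "initial_hashes": sum(len(v) for v in first.values()),
        "added_on_rescan": sum(len(v) for v in second.values()),
        "total": len(wl),
        "renamed_allowed": is_allowed(wl, renamed),
        "trojan_allowed": is_allowed(wl, trojan),
    }
```

Running `demo()` builds the list from two sources (three hashes: the gold-image executable, the MSI, and the DLL found inside the zip), then re-scans after a new package appears and reports exactly one addition. The two final checks show why a hash-based list is worth the upkeep: a renamed copy of a known file is still allowed, while a trojanized file that borrows a whitelisted name is not. In production the scan would run on the interval the monitor is configured for, and the resulting entries would be imported into the enforcement point rather than kept in a Python dictionary.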