Wednesday, April 3, 2019

Application White-listing With Bit9 Parity

K. PADMAVATHI

I. Introduction

Antivirus is a requirement for a legion of compliance standards and is championed as a critical component of any industry security baseline (PCI-DSS 3.0-5.1). A recent Google News search for "Cyber Security Breaches" shows 16,700 results. Even NIST has stated that AV is not an adequate control. The basis for this argument is that AV, even with heuristics, looks for methods or signatures that are known to the specific AV vendor. Bit9 Parity goes a step further and restricts the execution of any executable or application to only those explicitly allowed by the product (Bit9 Datasheet, 2013). Parity has a host of benefits as well as several significant drawbacks, but with proper and careful implementation, a deployment of Parity can be successful.

Parity has multiple methods to manage and control an environment. Parity is deployed with a host, database and console to control and manage Parity Agents. The deployed agents are a package of executables and configuration files that contain a kernel module that sits on the hardware layer and proxies the raw system calls from the user layer to those resources. For this reason it makes tampering with the files and services of the agent from the user layer very difficult. There is also a web console to manipulate the server that controls all agents on endpoints.

II. Pre-Deployment

During pre-deployment, the first thing that must be determined is where it will be deployed. Bit9 would recommend that the product be deployed on all systems in an environment. However, this is not feasible, as the cost of the product and the complexity of most environments make 100% deployment difficult. Parity takes a default-deny approach (Bit9 Data Sheet, 2014). This is a good method for protection but can make deployments difficult.
To cope with this situation it is a good idea to deploy the product in homogeneous environments first. Therefore, in planning deployment it is best to identify and group environments by their similarity and their levels of criticality. The most critical could be where the protection needs to go first. However, an additional risk of deploying the product in critical environments is that by definition they are critical to the business. So the product must be deployed with care, proper planning and testing.

III. To Protect the Environment (Client-side)

Protection and prevention is absolutely ideal when it comes to deployment of Parity. When working with dynamic and non-homogeneous environments the product should be deployed with this mindset. An excellent environment for deploying to protect would be a desktop or laptop (client-side) environment.

IV. To Control the Environment

In order to protect an environment, administrators and security personnel must control and understand their environment. However, methods of deployment can differ with these underlying goals in mind. Deploying to control should be applied in specific environments that have strict change control and a low level of change. These would be server environments or other systems that are running on end-of-life operating systems, such as Supervisory Control and Data Acquisition (SCADA) systems, as well as some Point of Sale (POS) systems.

V. Deployment

After deciding which environment to tackle, it is time to build out the Parity Server and console. According to the Bit9 installation guide, the server should have a SQL server available, or a new SQL server database, either 2005 or 2008, deployed and configured prior to installation (Parity 6.0 Deployment Guide, 2013). The server will also need .NET Framework 3.5 and a host of other Microsoft web application requirements. All should be included with a current version of Server 2008.
Prior to installation, ensure that all servers meet local hardening procedures.

VI. Configuration

After the server has been installed, it should be simple to browse to https://localhost, which will direct to the Parity console if logged on locally. Browsing from another system to https://servername will direct the administrator to the Parity console. The default credentials should be username admin and password admin. As always, best practice is to change them immediately.

VII. Bit9 Knowledge Base

Another critical component is the Bit9 knowledge base. The Bit9 knowledge base is one of the single largest collections of known-good executables available commercially. This will require outbound connectivity to the Bit9 knowledge base servers on port 443 from the Parity server. It will also require a license from Bit9 for the knowledge base. There is an open API to research the data through a RESTful API (script attached, Appendix B). The knowledge base can be configured under the Administration tab, Licensing, Parity Knowledge Activation.

VIII. Other System Administration

On the system administration tab there are a host of other setup actions that can be accomplished as well. On the Mail tab, the SMTP settings for alerts can be configured to send alerts on the status of systems. The Advanced Options tab has the ability to back up the database, configure automated updates, log-out times for the Parity console, file upload configuration, older computer cleanup, software rule completion, and certificate options. Most of these options are not of much concern; however, the cleanup of old agents should be configured.

IX. Policy Configuration

Designing the policies in Parity is absolutely critical to having a successful deployment. The default policies that come with the product are a good place to start. There is a Default Policy, which is designed for agents to go to once the agent is initially installed.
The Local Approval Policy is designed to approve any running executables on the system. The Template Policy is designed to be copied and configured for new policies. Initially, four new policies need to be created for management of agents. A Lockdown Policy must be created to replace the Default Policy and to be the final stop for agents during configuration. A Lockdown Reporting Policy will be configured on systems to report as if they were in lockdown without actually blocking, and a Monitor Policy will start hashing and collecting execution information on systems. A Disabled Policy should also be created for the installation of the agents, and removal of the agents if necessary.

X. Deploying Agents

After all the agent configuration policies have been created and some basic software rules, like the .NET software rule, it is time to start deploying agents. The agents can be downloaded from https://parityserver/hostpkg/. It is best to start with an agent-disabled policy. Installing the agent can be done on all systems through multiple methods: GPO, software packaging and scripting. Scripting is beneficial because it can be scheduled and the output can be collected for error checking. See Appendix B for an example installation script. Installing the agents is a slow process which requires getting a list of all devices, confirming in the Parity Console that the assets are available, and checking the communication level of the agent. Something to consider is that any Windows version after Server 2008 and Windows 7 should deploy the agents without the need for a reboot. However, older versions will require a reboot. If the agents are not communicating with the Parity Server, ensure that agents can reach the server on TCP port 41002, or reboot the system if necessary.

XI. Locking Down the Agents

After ensuring that all agents are deployed, it is time to start locking down agents. This can be accomplished by selectively moving agents into the Monitoring Policy.
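The rollout checks that section X describes (compare the device inventory against what the console shows, confirm the server is reachable on TCP 41002, and decide whether a silent host needs a port check or a reboot) can be scripted so the output is collected for error checking. The following Python script is an added example written for this page, not the installation script from Appendix B and not Bit9 tooling. The server name, host names and the console export are constructed; the set of operating systems that need a reboot is an assumption drawn from the article's rule of thumb, and the reachability check is stubbed in the demo so it runs offline.

```python
import socket
from typing import Callable, Dict, List

PARITY_AGENT_PORT = 41002  # agent-to-server port named in the article

# Assumption drawn from the article: releases older than Windows 7 / Server 2008 R2
# need a reboot before the agent starts communicating.
REBOOT_REQUIRED_OS = {"Windows XP", "Windows Vista", "Server 2003", "Server 2008"}


def server_port_open(server: str, port: int = PARITY_AGENT_PORT,
                     timeout: float = 3.0) -> bool:
    """Sanity check from the machine running this script: is the server port reachable?"""
    try:
        with socket.create_connection((server, port), timeout=timeout):
            return True
    except OSError:
        return False


def rollout_report(inventory: Dict[str, str], console_assets: Dict[str, bool],
                   server: str,
                   reach: Callable[[str, int], bool] = server_port_open) -> Dict[str, List[str]]:
    """Classify every inventoried host by what the Parity console shows for it.

    inventory      : host name -> operating system (the device list you start from)
    console_assets : host name -> True if the console shows the agent connected
    """
    report: Dict[str, List[str]] = {
        "server_unreachable": [],   # fix this first; nothing else will check in
        "missing_from_console": [], # agent never registered: installation failed or pending
        "check_port_41002": [],     # registered but silent on a modern OS: network path
        "reboot_required": [],      # registered but silent on an old OS: reboot per article
        "ok": [],
    }
    if not reach(server, PARITY_AGENT_PORT):
        report["server_unreachable"].append(server)
    for host, os_name in sorted(inventory.items()):
        if host not in console_assets:
            report["missing_from_console"].append(host)
        elif not console_assets[host]:
            if os_name in REBOOT_REQUIRED_OS:
                report["reboot_required"].append(host)
            else:
                report["check_port_41002"].append(host)
        else:
            report["ok"].append(host)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed sample data; `reach` is stubbed so the example runs offline."""
    inventory = {"ws-101": "Windows 7", "ws-102": "Windows 10",
                 "pos-07": "Windows XP", "srv-db1": "Server 2012 R2"}
    # Constructed console export: srv-db1 has never checked in at all.
    console_assets = {"ws-101": True, "ws-102": False, "pos-07": False}
    return rollout_report(inventory, console_assets, "parityserver.example",
                          reach=lambda host, port: True)


if __name__ == "__main__":
    for bucket, hosts in demo().items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

In a real run the `console_assets` dictionary would come from the console's asset export and `reach` would be left at its default; the bucket names are what an operator would act on, one list at a time, before any host is moved toward lockdown.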
This step in the installation process has the most impact on the system; therefore, it is best to move agents into this policy during times of less usage, and only move a few agents at a time.

XII. Policies and Procedures

Before moving any systems into lockdown (other than testing systems) it is time to ensure there is a process for addressing blocked executables that users/administrators need to run on the systems. It is likely that any organization that is going to deploy Parity will have methods and processes for IT workflow. This is an ideal method for dealing with end-user issues with Parity blocks of potentially useful and needed executables. This should be communicated to the user population to ensure that users know where to go in case they have a Parity block.

XIII. Operational Uses for Parity

There are numerous other uses for Parity beyond just protecting the environment. It is an excellent source of information showing exactly what is running in an environment. By querying the data in Parity, a Security Analyst could research whether a downloaded malicious file actually reached the endpoint system or not. An Analyst could also upload a hash from analysis done on another system to Parity to block it across the install base. The server actually has a very simple SOAP API utilizing JSON that can be called very simply from web posts.

XIV. Conclusion

When evaluating any technology, engineers and security practitioners should carefully analyze with due care the technologies, especially those that will require employee time and energy as well as significant capital expenditure. Bit9's Parity will take significant time, funds, and energy to deploy. It will take a concerted effort from senior leadership to decide on the product and then organizational push to deploy it. The approach that application whitelisting takes is a simple one: trust only what is known; all other executables and binaries are not trusted and are not allowed to run.
If an organization believes that they may be targeted by an advanced actor, then the advanced protection provided by an approach like application whitelisting should be evaluated. The decision is a risk decision; the protections Parity offers are significant. If deployed properly, malware will not be able to gain persistence on a network, and a huge number of other attacks will be mitigated. If an organization deems that they need this level of security, the cost and energy that Parity takes to deploy are well worth the effort.
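To make the default-deny principle of the conclusion and the policy ladder of sections IX to XI concrete (Disabled, Monitor, Lockdown Reporting, Lockdown), and the two analyst uses from section XIII (did a hash actually execute anywhere, and banning a hash once for the whole install base), here is a small Python model of hash-based application control. It is an added example written for this page, not Parity's code or its API: every host name and file content is constructed, SHA-256 stands in for whatever hashing the product uses, and the rule that a banned hash is blocked under every policy except Disabled while an unknown hash is blocked only under Lockdown is an assumption of this model.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    """The four agent policies the article says to create."""
    DISABLED = "disabled"                      # install/removal only: no hashing, no enforcement
    MONITOR = "monitor"                        # hash and record executions, never block
    LOCKDOWN_REPORTING = "lockdown_reporting"  # report what lockdown would block, still allow
    LOCKDOWN = "lockdown"                      # default deny: only approved hashes may run


@dataclass
class Verdict:
    host: str
    path: str
    sha256: str
    policy: Policy
    allowed: bool
    reason: str   # "approved", "unknown", "banned" or "policy disabled"


@dataclass
class ControlServer:
    """Toy stand-in for the server: approval and ban lists, per-host policy, execution records."""
    approved: set = field(default_factory=set)
    banned: set = field(default_factory=set)
    policies: dict = field(default_factory=dict)
    events: list = field(default_factory=list)

    def approve(self, sha256: str) -> None:
        """Known-good, e.g. matched against a knowledge base or approved by a software rule."""
        self.banned.discard(sha256)
        self.approved.add(sha256)

    def ban(self, sha256: str) -> None:
        """An analyst bans a hash once; every enforcing agent then blocks it (model assumption)."""
        self.approved.discard(sha256)
        self.banned.add(sha256)

    def assign(self, host: str, policy: Policy) -> None:
        self.policies[host] = policy

    def evaluate(self, host: str, path: str, content: bytes) -> Verdict:
        """What the agent decides when `content` is about to execute on `host`."""
        digest = hashlib.sha256(content).hexdigest()
        policy = self.policies.get(host, Policy.DISABLED)
        if policy is Policy.DISABLED:
            return Verdict(host, path, digest, policy, True, "policy disabled")
        if digest in self.banned:
            reason, allowed = "banned", False          # bans bite in every enforcing policy
        elif digest in self.approved:
            reason, allowed = "approved", True
        else:
            reason = "unknown"
            allowed = policy is not Policy.LOCKDOWN    # default deny only in lockdown
        verdict = Verdict(host, path, digest, policy, allowed, reason)
        self.events.append(verdict)                    # every enforcing policy reports
        return verdict

    def would_block(self, verdict: Verdict) -> bool:
        """Lockdown Reporting's question: would full lockdown have blocked this?"""
        return verdict.reason != "approved"

    def hosts_that_ran(self, sha256: str) -> list:
        """Section XIII's question: did this file actually execute anywhere?"""
        return sorted({e.host for e in self.events if e.sha256 == sha256 and e.allowed})


def demo() -> dict:
    """Constructed sample: two hosts, one approved binary, one unknown, one banned."""
    srv = ControlServer()
    good = b"MZ...constructed bytes standing in for an approved installer"
    unknown = b"MZ...constructed bytes for a tool nobody has approved yet"
    sample = b"MZ...constructed bytes for a file an analyst has examined elsewhere"
    srv.approve(hashlib.sha256(good).hexdigest())
    srv.ban(hashlib.sha256(sample).hexdigest())
    srv.assign("laptop-01", Policy.LOCKDOWN_REPORTING)  # client side, still rolling out
    srv.assign("pos-07", Policy.LOCKDOWN)               # strict change control, locked down
    results = {
        "good_on_pos": srv.evaluate("pos-07", r"C:\Install\setup.exe", good),
        "unknown_on_laptop": srv.evaluate("laptop-01", r"C:\Users\a\tool.exe", unknown),
        "unknown_on_pos": srv.evaluate("pos-07", r"C:\Users\a\tool.exe", unknown),
        "sample_on_laptop": srv.evaluate("laptop-01", r"C:\Temp\x.exe", sample),
    }
    results["sample_ran_on"] = srv.hosts_that_ran(hashlib.sha256(sample).hexdigest())
    results["unknown_ran_on"] = srv.hosts_that_ran(hashlib.sha256(unknown).hexdigest())
    results["laptop_would_block"] = srv.would_block(results["unknown_on_laptop"])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The point the model makes is the one the conclusion states: the same unknown tool runs on the Lockdown Reporting laptop (and is recorded as something lockdown would have blocked) but is refused on the locked-down POS host, while the banned hash is refused everywhere and the execution record answers whether it ever ran at all.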
