Application Explosion: How to manage productivity vs. security

Mel Beckman (Senior Technical Director, Penton), Chris Merritt (Director of Solution Marketing, Lumension), David Murray (Senior Product Manager, Lumension)

Upload: lumension

Post on 20-Aug-2015

Category: Technology

TRANSCRIPT

Application Explosion

How to manage productivity vs. security

Mel Beckman, Senior Technical Director, Penton
Chris Merritt, Director of Solution Marketing, Lumension
David Murray, Senior Product Manager, Lumension

Agenda

• Application vulnerabilities

• Key application control points

• Application identification trickiness

• Application control flow

• Microsoft’s default tools: SRP & AppLocker

• AppLocker limitations & gotchas

• Free application security controls

• Attributes of commercial application control

• The value of integration

Application Vulnerabilities

What We're Up Against

1. Undesired Applications: social networking, VoIP, chat, shopping, games (e.g., Twitter, Skype, eBay, WoW)

2. Unauthorized Packages: personal utilities, hacking tools, unlicensed software (e.g., iTunes, WireShark, PhotoShop)

3. Liability Software: peer-to-peer, copy cracking, network scanners (e.g., Limelight, freeme2, nmap)

4. Resource Hogs: distributed computing, file sharing, streaming media (e.g., seti@home, bittorrent, NetFlix)

5. Bloatware: installed along with legitimate software such as Adobe Reader (e.g., Adobe DL Mgr, Google Chrome)

6. Ad/Spy/Scare/Zombieware: apps users want that have ulterior motives (e.g., WeatherBug, SystemFix, Gator)

7. Malware, Bots, and Trojans: malicious code out to steal contacts, data and identities (e.g., Qhost, ZeuS, Trojan-BNK)

8. Rootkits and Back Doors: programs that modify the OS to permit future hacker re-entry (e.g., TDSS, StormWorm, Stuxnet)

Key Application Control Points

• Software installation
- .msi, .msp, .zip

• Binary program execution
- .exe, .com

• Scripts
- .bat, .cmd, .jar, .js, .jse, .mdb, .pif, .ps1, .scr, .vb, .vbe, .vbs

• DLL & ActiveX
- .dll, .ocx

Key Application Control Points

• Control approach: default permit or deny?
- There are an infinite number of applications that you don't want to authorize
- Only a finite number of applications that you do

• Default deny is the only viable approach
- Explicitly permit specific, positively identified applications
- Vulnerabilities are resilient**, so it's critical that you don't let them in in the first place!
- Anti-virus blacklists known threats, but AC rules primarily specify which applications are permitted; collectively they are termed a whitelist

• But there are exceptions
- Privileged users (e.g., local admin)
- Subdirectories
- Trusted publishers

** Secunia Yearly Report, February 14, 2012: http://secunia.com/company/2011_yearly_report

Application Identification Trickiness

• How to reliably identify an application?
- Name? File size? Path? Contents? Source?
- What about changes: patches (good), hacking (bad)

• Known application identification methods
- Path (including name)
- Hash (numeric signature of contents)
- Publisher (via digital signing)
- Source (during installation)
- Registry paths
- A combination of the above

• A single application can exist within a user population in dozens of variations
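As an added example (not code from the slides or from Lumension), the following PowerShell takes one signed binary and shows what the path, hash and publisher identities each see after the file is copied and after one byte of it is changed. It assumes Windows with the AppLocker module (Windows 7 Ultimate/Enterprise or later); notepad.exe and the temp file name are arbitrary choices, and Get-AppIdentity is a helper defined here, not an AppLocker cmdlet.

```powershell
# Added example, not from the slides: how the three AppLocker identities (path,
# hash, publisher) behave when a file is copied and when its bytes change.
# Assumes Windows with the AppLocker PowerShell module; the file names are
# arbitrary choices.
Import-Module AppLocker

$orig = Join-Path $env:WINDIR 'System32\notepad.exe'   # any Microsoft-signed binary
$copy = Join-Path $env:TEMP  'notepad-copy.exe'         # a user-writable location

function Get-AppIdentity {
    # Helper (defined here): one row with the three identities AppLocker can key on.
    param([string]$Path, [string]$Label)
    $fi = Get-AppLockerFileInformation -Path $Path
    $publisher = if ($fi.Publisher) {
        '{0} | {1} | {2}' -f $fi.Publisher.PublisherName, $fi.Publisher.ProductName, $fi.Publisher.BinaryVersion
    } else { '(no valid signature)' }
    [pscustomobject]@{
        Case      = $Label
        Path      = "$($fi.Path)"
        Hash      = "$($fi.Hash)"
        Publisher = $publisher
    }
}

# 1. Same bytes, different location: the hash and publisher identities survive,
#    the path identity does not.
Copy-Item -LiteralPath $orig -Destination $copy -Force
$rows = @(
    Get-AppIdentity -Path $orig -Label 'original'
    Get-AppIdentity -Path $copy -Label 'copied to %TEMP%'
)

# 2. One byte changed inside the image (what a patch, or tampering, does):
#    the hash changes and the Authenticode signature no longer verifies, so
#    only the path identity is unchanged.
$bytes = [System.IO.File]::ReadAllBytes($copy)
$i = [int]($bytes.Length / 2)
$bytes[$i] = $bytes[$i] -bxor 0x01
[System.IO.File]::WriteAllBytes($copy, $bytes)
$rows += Get-AppIdentity -Path $copy -Label 'copy with one byte changed'

Remove-Item -LiteralPath $copy -Force
$rows | Format-Table -AutoSize -Wrap
```

Read the three rows against the rule types: a path rule keyed to %SYSTEM32% ignores the copy in %TEMP%, while a broad path rule such as %OSDRIVE%\* would allow it; a hash rule identifies the unchanged copies and nothing else, which is why every patch needs a new hash rule; a publisher rule follows the file wherever it goes until its signature stops verifying.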

Application Control Flow

(Diagram) Application control as a cycle: Inventory → Whitelist → Enforce → Audit → Assess, supported by automation tools.

Microsoft's default tools: SRP & AppLocker

• Software Restriction Policies (SRP)
- Windows XP, Windows 2003, Windows 2008, Vista, and Windows 7 below Ultimate
- Implemented via Group Policy Objects (GPO) and registry path restrictions
- Simple rule structure

• AppLocker
- Windows 7 Ultimate & Enterprise only
- Also uses GPO
- Built into the Windows 7 kernel
- Extended rule structure (e.g., exceptions), but no registry path restrictions
- Whitelist wizards (default and analysis)

• SRP & AppLocker are mutually exclusive (when AppLocker rules exist, they supersede SRP)

AppLocker Control Flow
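As an added example, not from the slides or from Lumension, here is the Inventory → Whitelist → Enforce → Audit → Assess loop run end to end with Microsoft's own AppLocker cmdlets on a single reference machine. It assumes Windows 7 Ultimate/Enterprise or later with the AppLocker module and an elevated shell; using $env:ProgramFiles as the reference set, the temp file names, and calc.exe as the probe are illustrative choices.

```powershell
# Added example, not from the slides: the application control loop driven with
# the built-in AppLocker cmdlets. Assumes an elevated shell on Windows 7
# Ultimate/Enterprise or later; directory and file names are illustrative.
Import-Module AppLocker

$policyFile = Join-Path $env:TEMP 'applocker-audit.xml'

# Inventory: collect path, hash and publisher for every executable and script
# under Program Files (the reference set of known-good software).
$inventory = Get-AppLockerFileInformation -Directory $env:ProgramFiles -Recurse -FileType Exe, Script

# Whitelist: prefer publisher rules (they survive patches from the same signer),
# fall back to hash rules for unsigned files; -Optimize collapses duplicates.
[xml]$policy = New-AppLockerPolicy -FileInformation $inventory `
    -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# Start in audit mode so a missing rule logs an event (ID 8003) instead of
# locking users out; switch to 'Enabled' only after the audit log is clean.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($policyFile)

# Enforce: apply locally (use -Ldap to write to a GPO instead); -Merge keeps
# any rules already present rather than replacing them.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# Assess: ask the policy what it would decide for a file dropped into a
# user-writable location before anyone finds out the hard way.
$probe = Join-Path $env:TEMP 'probe.exe'
Copy-Item -LiteralPath (Join-Path $env:WINDIR 'System32\calc.exe') -Destination $probe -Force
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $probe -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
Remove-Item -LiteralPath $probe -Force

# Audit: events written while in AuditOnly mode; 8003 = would have been blocked.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Switching EnforcementMode to Enabled is the last step, taken after the 8003 events stop appearing; the same XML goes to a domain GPO with -Ldap, which is how the policy reaches more than one computer.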

AppLocker Limitations

• Capability limitations
- Supports only Win7 Ultimate & Enterprise
- Computer-based, rather than user-based

• Security limitations
- Local admin can circumvent (e.g., by stopping the Application Identity service, AppIDSvc)
- Scripts vulnerable to exploitation

• Reliability limitations
- Application updates break rules

• Usability limitations
- Generated whitelists are large and complex
- Default rules too permissive
- DLL filtering impacts performance
- Event logs exist only on the local machine (Event Viewer: Applications and Services Logs\Microsoft\Windows\AppLocker)
- Limited reporting

AppLocker Gotchas

• Can inadvertently lock the user out of Windows

• DLL filtering can break applications in mysterious ways (ergo, it's off by default)

• \Windows\Installer\ objects can execute even when unsigned

• \Windows\Temp is world-writable, world-executable

• Inadvertently grant permissions by creating an exception to a Deny rule

• LOAD_IGNORE_CODE_AUTHZ_LEVEL exploit
- http://tinyurl.com/LOAD-IGNORE

• SANDBOX_INERT exploit
- http://tinyurl.com/SANDBOX-INERT
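An added example (not from the slides or from Lumension) that checks the machine it runs on for three of the gotchas above: the stoppable Application Identity service, allow rules whose path wildcard also covers user-writable folders, and the local-only event log. It assumes PowerShell 3.0 or later with the AppLocker module and an elevated shell. The candidate directory list is an assumption: the slides name \Windows\Temp, the other entries are added here, and each one is tested against its ACL rather than taken on trust; Test-UserWritable is a helper defined here.

```powershell
# Added example, not from the slides: audit a machine for the AppLocker gotchas.
# Assumes PowerShell 3.0+ with the AppLocker module and an elevated shell.
Import-Module AppLocker

# 1. A local admin who stops the Application Identity service switches
#    AppLocker off; anything other than Running/Auto is a finding.
$svc = Get-CimInstance Win32_Service -Filter "Name='AppIDSvc'"
[pscustomobject]@{ Check = 'AppIDSvc'; State = $svc.State; StartMode = $svc.StartMode }

# 2. Allow rules built from path wildcards (the default rules use %WINDIR%\*
#    and %PROGRAMFILES%\*) cover every subfolder, including those ordinary
#    users can write to. Flag each such rule that carries no Exceptions.
[xml]$effective = Get-AppLockerPolicy -Effective -Xml
foreach ($rule in $effective.SelectNodes('//FilePathRule[@Action="Allow"]')) {
    $pattern = $rule.Conditions.FilePathCondition.Path
    if ($pattern.EndsWith('\*') -and -not $rule.Exceptions) {
        [pscustomobject]@{ Check = 'broad path rule'; Rule = $rule.Name; Path = $pattern }
    }
}

function Test-UserWritable([string]$Dir) {
    # Helper (defined here): true when Users, Authenticated Users or Everyone
    # hold an Allow ACE that includes the CreateFiles right.
    if (-not (Test-Path -LiteralPath $Dir)) { return $false }
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    foreach ($ace in (Get-Acl -LiteralPath $Dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notin 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone') { continue }
        if (([int]$ace.FileSystemRights -band $createFiles) -ne 0) { return $true }
    }
    return $false
}

# Candidate list is an assumption (slides name Windows\Temp; the rest are
# added here); the ACL test decides, not the list.
$candidates = @(
    (Join-Path $env:WINDIR 'Temp'),
    (Join-Path $env:WINDIR 'Tasks'),
    (Join-Path $env:WINDIR 'tracing'),
    (Join-Path $env:WINDIR 'System32\spool\drivers\color')
)
foreach ($dir in $candidates) {
    if (Test-UserWritable $dir) {
        [pscustomobject]@{ Check = 'user-writable under %WINDIR%'; Path = $dir }
    }
}

# 3. AppLocker only logs locally. Pull the latest blocks (8004) and audit-mode
#    misses (8003) so they can be shipped to a central collector.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 25 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'File'; e = { ($_.Message -split "`n")[0] } }
```

A path rule that the second check flags, combined with a directory the third check reports as writable, is the exact combination the \Windows\Temp gotcha describes: any user can drop a binary there and the default rule allows it. Adding that directory as an Exception to the rule (or replacing the wildcard rule with publisher rules) closes it.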

Free Application Security Controls

• Open source and free tools
- Ad hoc blocking of installed apps
- Application inventory
  • OCS Inventory NG (ocsinventory.sourceforge.net)
  • CFEngine Nova (cfengine.com)
  • Open PC Server Integration (opsi.org)
  • Uranos (uranos.sourceforge.net)

• Example: Windows Application Blocker (http://tinyurl.com/winappblocker)
- Per-application password lock
- Must be manually configured
- No central administration

Free Application Security Controls

• Uranos open source: software inventory only

• No application control capability

Attributes of Commercial App Control

• Full Windows spectrum: XP, Vista, 2003, 2008, all Win7 editions

• Cohesive whitelist generation
- Driven by site-wide application discovery
- Automatically optimize rules

• Flexible whitelist policy structure
- Multiple filter types
- User-based policies for consistent desktop and laptop enforcement
- Extend coverage to the local admin user

• Ability to approve trusted patches and identify patched applications

• Situational awareness
- Centralized event monitoring
- Comprehensive reporting

The Value of Integration

• Application control is an endpoint problem

• Other endpoint problems
- Network Access Control (NAC)
- Antivirus remediation
- Patch management

• Integrated endpoint tools have frameworks that:
- Deliver a consistent, cohesive user interface
- Consolidate client enumeration and agent tracking
- Provide a centralized database for objects and events
- Streamline auditing and reporting

• Integrated tools deliver better overall protection
- Event correlation provides early warning of trouble
- Situational awareness provides defense in depth

The story so far...

• Bad applications are a prime source of endpoint vulnerabilities in the enterprise

• Applications must be controlled at installation, and then by positive identification

• Applications come in many forms and change frequently, making them hard to identify reliably

• Application control has a procedural flow

• Microsoft's SRP & AppLocker don't do the job

• Free security tools are not enterprise-grade

• Select commercial tools based on key features

• Integrated endpoint security tool sets ultimately deliver more capability and are easier to administer

More Information

• Overview of Lumension® Intelligent Whitelisting™
» http://www.lumension.com/Resources/Demo-Center/Overview-Endpoint-Protection.aspx

• Application Scanner Tool
» http://www.lumension.com/Resources/Security-Tools/Application-Scanner-Tool-2-0.aspx

• Whitepapers
» Think Your Anti-Virus Software is Working? Think Again.
  • http://www.lumension.com/Resources/WhitePapers/Think-Your-AntiVirus-Software-Is-Working-Think-Again.aspx
» Intelligent Whitelisting: An Introduction to More Effective and Efficient Security
  • http://www.lumension.com/Resources/Whitepapers/Intelligent-Whitelisting-An-Introduction-to-More-Effective-and-Efficient-Endpoint-Security.aspx